The recent craze for tablet computers and the proliferation of smartphones cannot be ignored by the enterprise because whether IT supports them or not they will find their way into the office. However, consumerisation of IT can cause a number of headaches for businesses. Steve Evans looks at the risks and what companies should do to protect themselves
When Steve Jobs walked out on to the stage recently at San Francisco's Yerba Buena Center for the Arts to announce the launch of Apple's iPad 2 tablet, alongside the cheers (Jobs is currently on medical leave and was not expected to attend the event) you could just about make out the sound of IT admins across the world sighing in unison.
Apple sold 15 million iPads during 2010, turning its tablet device into the must-have gadget of the year. Its successor is thinner, lighter, more powerful (twice as fast on CPU performance and nine times faster on graphics) and costs the same amount, so it doesn't take an expert to guess that sales of the iPad 2 will be equally impressive.
Why is this an issue for IT admins? Where the consumer space goes, businesses follow. And if businesses don't... well, workers will just use the devices anyway, whether they are authorised by IT or not.
To coincide with those back-to-work post-Christmas blues, Virgin Media Business put out a survey that suggested 8.5 million UK staff planned to plug Christmas gadgets into the corporate network on their return from the holidays. The survey of 5,000 workers found that 74% said they could not wait to show off their new iPad, iPhone, netbook or any other Yuletide gadget when they got back to work, and so would fire it up in the office. Some 40% said they had done the same thing in the past and bypassed the company's IT department.
"The boundaries between what is a 'work' gadget and what is not have been blurring for quite some time. The research clearly shows that ignoring the prolific rise of personal consumer gadgets in the workplace simply isn't an option any more," Andrew McGrath, executive director, commercial at Virgin Media Business, said at the time.
"There are two key concerns for business," continued McGrath. "Firstly, that this is yet another channel via which corporate data can be stolen or misused, and secondly, that the network will be flooded with yet more traffic that is unaccounted for."
Let's focus on that first point. Analysts reckon we're now hitting the start of the non-PC era, with market watchers Deloitte claiming that 2011 will see sales of mobile devices - smartphones, tablets and non-PC netbooks - topping 50%. "2011 will mark the tipping point as the growth of applications for non-PC items outstrips traditional software sales and consumers embrace a wider variety of devices," says Peter O'Donoghue, head of Deloitte's technology industry practice.
This means companies will be under pressure to support the devices already in use by their employees, not necessarily the devices they have standardised on and support. A recent survey of 100 UK-based businesses with more than 3,000 employees by Good Technology and Vanson Bourne found that employees no longer want to have two devices - they would much rather just use their own.
IT departments are fully aware that this is an issue, but so far they are not really doing much about it. More than half (56%) of the IT managers quizzed by Good Technology and Vanson Bourne claim to be under pressure to support personal devices at work, but just 10% do so in a comprehensive way. Security (36%) and lack of control over devices (32%) are the main reasons IT departments have yet to begin supporting personal devices in a big way. Notably, 27% said they had suffered a security breach due to an unauthorised device being brought into the work place.
No point banning personal devices
Despite the potential dangers of personal devices being used at work, there seems to be universal agreement that simply banning them from the workplace is not an option. The best way for organisations to control the consumerisation of IT is to accept it is happening and embrace it, according to Bob Tarzey, analyst at Quocirca.
"You can't ban the use of personal devices at work," he says. "People will use personal devices whether or not you ban them. If you try and control what employees can do at work they are more likely to use personal devices they bring in. Unless you confiscate them at the door, you can't stop it.
"What you can do is control what access they have to corporate resources on their personal device. But if, for example, you ban access to Facebook, workers will access it on their personal devices. These services on the Internet and the devices used to access them is the reality, by embracing it and accepting it you can bring some control over what employees can do," Tarzey adds.
Data residing behind a company's firewall is relatively easy to protect; the trouble arises when that data moves beyond the firewall, particularly if the device it's held on is not subject to the same security controls and policies a corporate device would be.
Among the many companies looking to secure data that resides on mobile devices is Fortinet. The firm's regional director for UK and Ireland, Paul Judd, tells CBR that the use of personal devices at work is fast becoming a major issue.
"Five years ago it simply didn't happen. Either you used a corporate device, or you didn't use one at all," he says. "IT cannot say no to these devices now, but at the same time it needs to do something."
Technologies such as remote locking and wiping are an option. But isn't the issue that these are personal devices and therefore not controlled by the IT department? Well, yes, but if workers are adamant they want to use their gadgets for work purposes, they have to give a little back to the IT department, says Judd. Referring to Fortinet's mobile protection app, he says: "Simply, if you don't have the client on the device, you don't get let on to the corporate network."
Protecting the data
It also makes sense to consider authentication or/and identity verification technology from the likes of GrIDsure and ActivIdentity, ensuring that whoever uses the device and connects to the corporate network is who they claim to be. ActivIdentity is another company that reckons security on the device is one way to improve protection. One of its government clients uses its technology to enable smart card credentials to be placed on a secure microSD inside a BlackBerry device, meaning all inbound and outbound emails are encrypted.
So that can handle data that leaves the company firewall. What about the other way? "When a device is connected to the corporate network you need to know what it is, where it is, whether it's authorised or not and whether it is infected with a virus or something similar," says Judd. Native apps dropped on to a mobile device can offer the same functionality as a mobile or even a desktop security platform, with features such as antivirus/ antispyware, a personal firewall and web-content filtering helping to protect the corporate data from threats posed by personal devices.
There has been a lot of press coverage over the past year or so around mobile security, particularly whether malware is a genuine threat. "Cybercriminals are seeing it as more viable now, although in the UK it's still a trickle and patchy at the moment," David Emm, senior security researcher at Kaspersky Labs tells CBR. "The issue is with the multiple platforms on mobile - Android, Apple, Windows - who do the criminals target? Something like a Java-based attack is possible, as that is cross-platform."
Despite Emm's insistence that mobile malware is not a big worry - at least not yet - there is evidence that its influence is growing. In March 2011 Google had to release an update to its Android Market app store after it was infiltrated by around 50 malicious apps. It deleted the rogue apps from the store and eventually remotely wiped the applications on infected devices.
Lookout, the firm that discovered the malicious apps, said on its blog: "[The apps] were found to contain malware which could compromise a significant amount of personal data. A blogger at Android Police took a closer look at the malicious applications and verified that they do indeed contain exploit code that can root a user's device as well code that can send sensitive information (IMEI and IMSI) from the phone to a remote server. Android Police also found that there is another APK hidden inside the code, which can steal additional sensitive data."
With smartphones now shipping with up to 32GB of memory and tablets and laptops many times more than that, there is a lot of space for sensitive data. If that sensitive data includes corporate information a user has downloaded so they can work from home you could be looking at a disastrous data leak. As Emm points out, if a non-smartphone gets lost or otherwise compromised you'd lose a few text messages and some contact details, but the stakes are significantly higher with a smartphone, tablet or laptop.
Recently, both Trend Micro and AVG released security platforms designed specifically to counter threats on Google's Android platform. The Trend Micro suite scans hardware and software (including applications) for threats, while AVG's offering includes the ability to lock an app, so only an authorised user can access it. It also features tracking and remote wipe features.
That's one approach that doesn't sit well with Check Point. Speaking alongside Quocirca's Bob Tarzey at a roundtable, Nick Lowe, head of Western Europe sales at Check Point Software, said that his company does not try to control the device itself. "It's futile to do that," he said. "You have to take control of the session, so it can't be compromised and there is no footprint on the device when the session is finished. That creates a safe working environment."
The importance of securing the mobile workforce - either through the devices themselves or protecting the network - can be seen in what the big IT guys are doing in that space, particularly when it comes to endpoint security and management. IBM acquired Big Fix to slot into its Tivoli service management division, German software giant SAP snapped up Sybase, and Altiris was bought by Symantec.
The message is clear: consumerisation of IT is unstoppable. It is vital that IT departments get on top of the situation as quickly as possible. Don't completely ban the use of personal devices; it's detrimental and will result in workers bypassing IT security anyway. Ensure users are fully aware of the risks and of company policy and you will reap the benefits of a happier and more productive workforce.