Gartner warns of enterprise IT 'consumerisation'

Staff increasingly dictating the corporate IT agenda.

One of the most significant and growing threats to enterprise security is the 'consumerisation' of IT, and security managers must prepare to meet the risks as more consumer technologies enter the enterprise.

The warning comes from industry analyst Gartner which envisions that, as employees expect to use more personal equipment and services at work, enterprises are simultaneously adopting more consumer technologies in business operations.

"Although consumer technologies create new risks for the enterprise, eliminating their use is increasingly difficult and impractical," said Rich Mogull, a research vice president at Gartner.

"By taking security precautions and investing in foundational security technologies now, enterprises can prepare for the increasing use of consumer devices, services and networks with their organisation and manage these risks."

Tools exist to manage the risks of consumerisation, the analyst said, and many of these, such as Network Access Control or Content Management Framework/Data Link Protocol (CMF/DLP), are being adopted by enterprises to manage other threats and can be configured for consumerisation threats.

While in some cases it may be too early or costly to invest in less mature tools, enterprises can start with policies and procedures to help guide future technology deployments.

Gartner has identified four consumerisation issues for which IT managers must prepare:

• Consumer email and communications services, such as instant messaging and voice over IP which are often accessed from work
• Blogs, social networks and other web 2.0 services, which offer potential new channels for malicious software
• Smartphones and media-centric devices, which offer large amounts of storage and can run increasingly robust applications
• Broadband penetration and use of wireless networks, which prompt employees to connect to enterprise resources through unmanaged networks and remote devices

"Most organisations will find themselves unable to completely block these services for cultural, if not technical, reasons but security options are available to limit the risks that consumer communications services create," said Mogull.

"Enterprises can look at vectors for malicious software or violations of corporate communications policies.

"Current acceptable use policies often do not cover these areas, and traditional email security or firewalls and URL filtering do not deal with them effectively."

Gartner advises enterprises to define clear policies about what is, and what is not, allowed with regard to these services.

Enterprises should also configure web security gateways to block any services unapproved for use in the workplace, and configure CMF/DLP solutions to monitor and enforce policies on HTTP traffic.