Press Release

STAMFORD, Conn., June 14, 2007 View All Press Releases

Gartner Says the Consumerization of IT is a Major Threat to Enterprise Security

Gartner Special Report Examines How Consumerization Will Impact Enterprises During the Next Three Years

One of the most-significant threats to enterprise security is the consumerization of IT, and as more consumer technologies enter the enterprise, security managers must prepare for, and manage, the security risks, according to Gartner, Inc. Employees expect to use more of their personal equipment and services at work, and enterprises are simultaneously adopting more consumer technologies in business operations.

“Although consumer technologies create new risks for the enterprise, eliminating their use is increasingly difficult, and impractical,” said Rich Mogull, research vice president for Gartner. “By taking security precautions and investing in foundational security technologies now, enterprises can prepare themselves for increasing use of consumer devices, services and networks with their organization, and manage these risks.”

The entrance of consumer technologies in the enterprise challenges traditional security models, but, although they may lack maturity and come at a high price, the tools exist to manage the risks of consumerization. Many of these, such as network access control (NAC) or CMF/DLP, are being adopted by enterprises to manage other threats and can be configured for consumerization threats. And while in some cases it may be too early or costly to invest in these less-mature tools, enterprises can start with policies and procedures, and use these to help guide future technology deployments.

Gartner has identified four issues that IT managers must prepare for to secure their organization as consumer technologies penetrate the workplace. They include:

Preparing for Consumer E-Mail and Communications Services
Consumer e-mail, instant messaging (IM), voice over IP (VoIP) and other communications services are becoming intrinsically tied to people’s online personalities. Today, most employees use private e-mail services, such as Gmail, Yahoo, AOL or Hotmail, often from work, and often as a way to exchange work materials with their PCs at home. IM also continues to rise in popularity, and usage may actually exceed e-mail usage with younger generations. New services and technologies, such as Skype, video chat and collaborative workspaces, are becoming more common, even among less-technical employees.

“Most organizations will find themselves unable to completely block these services, for cultural, if not technical reasons, but security options are available to limit the risks that consumer communications services create,” said Mr. Mogull. “Enterprises can look at a vector for malicious software or violations of corporate communications policies. Current acceptable use policies often do not cover these areas, and traditional e-mail security or firewalls and URL filtering do not deal with them effectively.”

Preparing for Blogs, Social Networks and Other Web 2.0 Services
In addition to communications, there is a growing use of blogs, social networks and other Web 2.0 services, both in and out of the workplace. Some of these services create a risk of information leaks, while others offer potential new channels for malicious software. Gartner recommends that enterprises take the following precautions to limit the risks of both threats:

  • Define clear policies about what is allowed, and not allowed, with regard to these services. Pay particular attention to blogging and what the enterprise is comfortable allowing employees to discuss. Company intellectual property and company operational information should be restricted from blogs.
  • Deploy Web security gateway and configure it to block malicious inbound traffic. Make sure the product can detect and block JavaScript exploits.
  • Configure the Web security gateway to block any services (such as social networking) unapproved for use in the workplace.
  • Configure your CMF/DLP solution to monitor and enforce policies on HTTP traffic. CMF/DLP is not restricted to communications channels, and it can monitor and block release of sensitive content over many network protocols, including HTTP and peer-to-peer (P2P).

Preparing for Unmanaged Mobile Devices
While full smartphones tends to be limited to business professionals and technology enthusiasts, new media-centric devices are expected to rise in general popularity. Aside from large amounts of storage, these devices can run increasingly robust applications, and they are a target for malicious code. Future employees may expect to use these devices with, or in lieu of, corporate managed systems.

Enterprises can take precautions today to limit the risks of these devices without resorting to an unenforceable outright ban. Some options include:

  • Deploying a portable device-control solution to restrict the ability for unapproved devices/storage to connect to managed workstations and laptops.
  • Deploy a secure sockets layer (SSL) virtual private network (VPN) to enable thin client remote access to enterprise systems and information.
  • All approved mobile devices with access to sensitive data should be encrypted in case of loss.

Managing Networks and Remote Connectivity
As both broadband penetration and use of wireless networks increase, employees are connecting to enterprise resources through both unmanaged networks and unmanaged remote devices. Allowing employees to work remotely or from home on their own systems can increase productivity, but it does bring some security risk.

Enterprises should protect themselves by implementing some of these actions:

  • Deploy an SSL VPN on-demand security features. Configure to restrict access based on a health check and the security of the endpoint.
  • Reduce use of thick client VPNs. If full VPN access is needed, select one with NAC support to reduce the possibility of unmanaged systems using the VPN client software and/or connection.

Additional information can be found in the report “Gmail, iPhones and Wiis: Preparing Enterprise Security for the Consumerization of IT which can be found on Gartner’s Web site atwww.gartner.com/DisplayDocument?ref=g_search&id=503272&subref=simplesearch.

This research note is part of a Gartner Special Report on the consumerization of IT, which includes 20 research notes examining how consumerization is a catalyst for the growing conflict between the “traditional” enterprise IT function, which has historically maintained sole authority over enterprise IT architecture, and the growing desire and ability of individual employees to increasingly influence their use of IT. The Gartner Special Report “Consumerization Gains Momentum: The IT Civil War” can be accessed on Gartner’s Web site at www.gartner.com/it/products/research/consumerization_it/consumerization.jsp.

 

Contacts
About Gartner

Gartner, Inc. (NYSE: IT), is the world's leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities and build the successful organizations of tomorrow.

Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 15,000 organizations in more than 100 countries—across all major functions, in every industry and enterprise size.

To learn more about how we help decision makers fuel the future of business, visit www.gartner.com.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.