Consumerization, the use of consumer products within the corporate environment, is one of the more challenging issues for security teams to deal with. While a standard, well-defined, and well-protected infrastructure is a nice idea, there is more and more pressure to open up the network to allow users to bring in their own laptops, smartphones, USB storage devices and pretty much anything else that lights up, runs on a battery, or has a product name starting with "i".
In fact, the prevalence of the likes of Android-based phones, iPhones, iPads, terabyte-sized USB drives, and so on, in the corporate world would suggest that any debates over how to control this are rather akin to arguing over what type of lock is preferable for the barn door while the horses are merrily galloping away over the horizon.
Bruce Schneier talked yesterday about consumerization, and the need for security organizations to adapt. Based on the folks I know in enterprise security departments, I think maybe Bruce is doing them a slight disservice – I believe most security professionals are looking for the best way to say "yes" to these demands rather than trying to say no. Other than that, he's right on the money:
Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.
I noticed an interesting contrast in John Pescatore's blog on Gartner. Among other things, John says:
The Apple app store continues to amaze me. It is a whitelist that dictates what applications iPhone users can run and what hardware they can run on – and NO ONE COMPLAINS! Imagine how easy PC security would have been if the original IBM PC approach was so restrictive…
So what's happening is that while Apple is tackling the problem of application security by locking down the system and preventing any unauthorized apps from running on it (Flash, anyone?), those same hardware systems are presenting enterprise IT folks with the very problem Apple is avoiding – a sudden loss of control over the endpoint.
It's a very one-sided explosion of freedom in computing, and the security implications – if we get it wrong – could be significant. On the other hand, if properly planned for, and executed with the goal of better business enablement kept firmly in sight, it may represent the very type of event that will cement the role of security at the heart of the business. Enablement, secure enablement, could, and should be (and in many cases is already) the rallying cry for the next generation of enterprise security. Elegant loss of control may well be the order of the day.