Corporate users increasingly skirt security infrastructures

In a recent assessment, organizations had an average of 156 applications traversing their networks -- some of which pose a danger to the organization while others provide a benefit, researchers have found. 

The assessment included organizations in financial services, manufacturing, healthcare, government, retail and education and was conducted by enterprise firewall vendor Palo Alto Networks from August to December 2008. The findings were compiled in a report titled “Application Usage and Risk Report.”

In the assessment of 60 organizations, a total of 494 different applications were found. The highest number at one organization was 305.

“There are a lot of consumer applications and consumer access going on within enterprises -- it's a growing phenomenon,” David Smith, vice president and Gartner fellow, said Thursday.

Smith, who is the lead analyst on consumerization of IT at Gartner, said that there are benefits as well as dangers to this growing trend. On one hand, some applications are big boosters of productivity, but others can open an organization up to malware, cause data leakage or consume excessive bandwidth.

Every organization could have a different perspective on this, Matt Keil, product marketing manager at Palo Alto Networks, said Thursday. Whereas some organizations -- such as the government -- want a very restrictive culture, others have a more open perspective on what applications are appropriate.

On the positive side, some applications enable users to more easily do their job. It's fairly rare that organizations have rolled out applications that enable users to search their desktop more effectively, for example. But users can download search tools online and they often yield “very significant” increases in productivity, Smith said.

“I think that you typically find a lot of consumer-grade technologies when IT doesn't deliver what people need,” Smith said.

Some of the other applications that can be helpful in business but are often not provided by enterprises include instant messaging systems, consumer-grade email with large amounts of storage and accessibility, and applications that enable simultaneous collaboration such as Google Docs, said Smith. Such applications can have “quite dramatic” benefits to employee job satisfaction, can help attract and retain employees, and enable workers to get things done that would otherwise be difficult or time consuming.

But not all applications are beneficial or have a business purpose. In Palo Alto's assessments, peer-to-peer programs (P2P), file sharing software that enables users to swap music or other files, were found on machines at 92 percent of the organizations, Keil said.

He added that these programs represent “significant risk” to companies. P2P networks have been the cause of rampant medical data leakage, according to a recent study conducted by Dartmouth College. In addition, the blueprints for President Obama's helicopter, Marine One, were recently leaked by P2P programs.

“The business value is next to zero and the risk is off the charts,” Chris King, director of product marketing at Palo Alto Networks, said Thursday.

In addition, proxies (including Hopster, CGIProxy or PHProxy), which are typically not endorsed by corporate IT and enable users to bypass security controls, were found at 81 percent of the organizations, Keil said.

Another negative effect of the many applications traversing corporate networks is the impact they have on bandwidth, the assessment found. In some cases, a quarter of the applications were consuming more than half of the organization's bandwidth.

With so many applications, companies are having trouble controlling them. In the assessment, 100 percent of organizations had firewalls and 87 percent had other technologies, such as URL filtering or intrusion prevention systems, meant to perform some level of application control. But, despite the fact that companies have a security infrastructure in place, unwanted applications such as P2P were still present.

“There are some applications that nobody wants on the network and despite the security infrastructure that's in place, everybody's got them,” Keil said.