Corporate users increasingly skirt security infrastructures
The assessment included organizations in financial services, manufacturing, healthcare, government, retail and education and was conducted by enterprise firewall vendor Palo Alto Networks from August to December 2008. The finding were compiled in a report titled “Application Usage and Risk Report.”
In the assessment of 60 organizations, a total of 494 different applications were found. The highest number at one organization was 305.
“There are a lot of consumer applications and consumer access going on within enterprises -- it's a growing phenomenon,” David Smith, vice president and Gartner fellow told SCMagazineUS.com Thursday.
Smith, who is the lead analyst on consumerization of IT at Gartner, said that there are benefits as well as dangers to this growing trend. On one hand, some applications are big boosters of productivity, but others can open an organization up to malware, cause data leakage or consume excessive bandwidth.
Every organization could have a different perspective on this, Matt Keil, product marketing manager at Palo Alto Networks told SCMagazineUS.com Thursday. Whereas some organizations -- such as the government -- want a very restrictive culture, others have a more open perspective on what applications are appropriate.
On the positive side, some applications enable users to more easily do their job. It's fairly rare that organizations have rolled out applications that enable users to search their desktop more effectively, for example. But users can download search tools online and they often yield “very significant” increases in productivity, Smith said.
“I think that you typically find a lot of consumer-grade technologies when IT doesn't deliver what people need,” Smith said.
Some of the other applications that can be helpful in business but are often not provided by enterprises include instant messaging systems, consumer-grade email with large amounts of storage and accessibility, and applications that enable simultaneous collaboration such as Google Docs, said Smith. Such applications can have “quite dramatic” benefits to employee job satisfaction, can help attract and retain employees, and enable workers to get things done that would otherwise be difficult or time consuming.
But not all applications are beneficial or have a business purpose. In Palo Alto's assessments, peer-to-peer programs (P2P), file sharing software that enables users to swap music or other files, were found on machines at 92 percent of the organizations, Keil said.
He added that these programs represent “significant risk” to companies. P2P networks have been the cause of rampant medical data leakage, according to a recent study conducted by Dartmouth College. In addition, the blueprints for President Obama's helicopter, Marine One were recently leaked by P2P programs.
“The business value is next to zero and the risk is off the charts,” Chris King, director of product marketing at Palo Alto Networks told SCMagazineUS.com Thursday.
In addition, proxies (including Hopster, CGIProxy or PHProxy), which are typically not endorsed by corporate IT and enable users to bypass security controls, were found at 81 percent of the organizations, Keil said.
Another negative effect of the many applications traversing corporate networks is the impact they have on bandwidth, the assessment found. In some cases, a quarter of the applications were consuming more than half of the organization's bandwidth.
With so many applications, companies are having trouble controlling them. In the assessment, 100 percent of organizations had firewalls and 87 percent had other technologies such URL filtering or intrusion prevention system meant to perform some level of application control. But, despite the fact that companies have a security infrastructure in place, unwanted applications such as P2P were still present.
“There are some applications that nobody wants on the network and despite the security infrastructure that's in place, everybody's got them,” Keil said.