
The next generation

In the not too distant future, businesses will experience an influx of employees who have never taken a breath of air without being able to Google.

Generation Z's arrival in the workforce – set to occur next decade – certainly will be notable, if for nothing else than it marks a major milestone for an age group that has lived all its life with the internet.

But many IT security professionals are already feeling the business impact that this advent of young workers will cause. Though they may be a bit older, the so-called millennials – the first generation to grow up with the web – are not far down on the technological totem pole.

And many are already on the payroll.

A healthy chunk of today's 20-something workers, for instance, prefer IM to email, Skype to the traditional telephone, and file-sharing networks to photo albums. For data storage, they might choose the iPod over the flash drive; for meetings, Second Life over in-person encounters; and for computing, smart phones and laptops over desktops.

They are demanding in their desire for Web 2.0 applications and mobile devices because they grew up with them. Call them addicts, and they likely would not protest. At the same time, they have the propensity to trust and be open with the spread of data, while less likely to value security and privacy.

“We've got a generation with different expectations of what everyday life is like,” says Sam Curry, director of product management for identity and access assurance at Bedford, Mass.-based RSA. “They expect no barriers. They expect information to flow freely. And they may find things like censorship and stemming the flow of information offensive.”

Security professionals are grappling to understand what this mindset means to company risk and how to properly accommodate this inundation of Generation Y. Among the concerns: productivity declines, lack of visibility, data leakage, malware and operational costs due to bandwidth consumption and message archiving – not to mention the potential compliance shortfalls that could result.

It is no wonder Paul DeGraaff is nervous. The 47-year-old chief security officer of insurance powerhouse American International Group (AIG) knows the company's long relied-on approach to controlling these new technologies – block, block, block – will not be a viable solution for much longer.

Fear of the unknown cannot be an excuse for prohibiting, for example, connectivity to instant messaging applications and social networking sites. Lifestyles are converging and expectations are changing, leading to more people performing personal tasks at work and business functions at home.

Consumer technology, meanwhile, is now firmly entrenched in the business world. Restricting access to it could mean waving goodbye to potential hires, in addition to limiting the possibility for economic growth, DeGraaff admits.

“We're a global company,” he says. “Communicating with people globally is not just about picking up the phone.”

The topic has reached such a crescendo at AIG that DeGraaff is now participating in a major initiative led by the human relations department. The discussions are exploring ways to attract elite talent and improve how AIG is perceived by job seekers. Key among those talks is how technology should be distributed to employees.

“I think if we don't adapt quickly enough, in the next two to three years, we'll lose talent,” DeGraaff says. “Perhaps it's happening now and we're just not measuring it.”

AIG, founded in 1919 when an American entrepreneur named C.V. Starr opened a small insurance firm in Shanghai, China, is far from alone in dealing with this 21st century challenge.

Many other long-established companies, which historically have shrugged off these consumer devices and applications as a hindrance rather than an enabler, are now in the beginning stages of learning how to strike a delicate balance: offering employees what they want and need, while trying to protect precious assets.

Corporate “consumerization”

The notion of consumerization of IT began, really, with the fall of thin client computing and the resulting meteoric rise of the PC. No longer were machines solely reliant on a central server for functionality. In the mid- to late-1990s, the internet emerged, shifting forever the way in which technologies are delivered to employees.

Gartner calls consumerization of IT “the single most impactive trend affecting the technology sector in the coming decade.” According to the research firm, by 2012, nearly all new information technologies introduced in the business environment will have their roots in the consumer market. The drivers are communications, lower costs and faster deployments.

“Employees are also consumers,” former Gartner analyst Rich Mogull wrote in a research report last year. “As they rely on more technology to manage their personal lives, this technology will find its way to the enterprise – approved or not. Simply banning and blocking consumer technologies…is not a realistic long-term strategy for most organizations.”

Last summer, The Wall Street Journal published a controversial and much-talked-about report titled, “Ten Things Your IT Department Won't Tell You.” The article, which offers tips for getting around IT bans on certain websites and software, clearly speaks to a changing culture.

That was not always the case, say experts.

“If you look at the trend of applications and how they are now delivered or how they are accessed by users, it has dramatically changed,” says Steve Mullaney, vice president of marketing for Alviso, Calif.-based Palo Alto Networks, makers of application classification technology.

“Ten years ago,” he adds, “companies had complete control over the applications people accessed. These apps ran over very well defined TCP ports. You could classify the traffic just by looking at the port number in the protocol. Everything was great. Then comes the internet.”

FaceTime Communications, a Belmont, Calif.-based provider of application control solutions, now tracks more than 600 “greynets.” The term refers to any consumer application – such as IM, peer-to-peer, VoIP and social networking – that may have some value to the user but, without proper controls, can open an organization up to the risk of malware and data loss.

What makes these applications particularly worrisome to security pros is that they are “architected to plow through existing infrastructure,” says Frank Cabri, vice president of marketing and product development at FaceTime.

“Most of these applications can operate over a number of ports (namely ports 80 and 443) in the network, and in most organizations, a number of those ports are open,” he says. “It's like water. It follows the path of least resistance.”
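The point Mullaney and Cabri make, that a port number no longer tells you what application is running, is easiest to see with actual session bytes. The following is an added illustration, not code from FaceTime, Palo Alto Networks or the article: it takes a handful of constructed flow records, all on ports 80 and 443, and labels each one twice, once by port and once by the first bytes of the client payload. The payload prefixes are simplified, constructed approximations of a TLS handshake, an HTTP request, an HTTP CONNECT tunnel, an XMPP stream header and a BitTorrent tracker announce.

```python
"""Port-based versus payload-based traffic classification.

Added illustration, not code from FaceTime, Palo Alto Networks or the article.
The flow records and payload prefixes below are constructed and simplified;
a production classifier uses far more signatures plus TLS inspection.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst_port: int
    payload_prefix: bytes   # first bytes the client sent


# Constructed sample flows: every one of them uses port 80 or 443.
SAMPLE_FLOWS = [
    # Ordinary browsing: a TLS handshake record (content type 0x16, version 3.x).
    Flow("10.0.1.15", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # Ordinary browsing: plain HTTP request to an internal site.
    Flow("10.0.1.15", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"),
    # IM client asking an HTTP proxy to open a raw tunnel to its chat server.
    Flow("10.0.1.22", 80, b"CONNECT chat.example:5222 HTTP/1.1\r\n"),
    # XMPP stream opened directly on 443 without TLS.
    Flow("10.0.1.31", 443, b"<?xml version='1.0'?><stream:stream to='chat.example'"),
    # BitTorrent tracker announce carried as an ordinary HTTP GET.
    Flow("10.0.1.40", 80, b"GET /announce?info_hash=%AB%CD&peer_id=-XX0001- HTTP/1.1\r\n"),
]


def classify_by_port(flow):
    """The ten-years-ago approach: the port number is the application."""
    return {80: "web", 443: "web", 5222: "im", 6881: "p2p"}.get(flow.dst_port, "unknown")


def classify_by_payload(flow):
    """Look at what the session actually says, ignoring the port."""
    p = flow.payload_prefix
    if p.startswith(b"CONNECT "):
        return "http-connect-tunnel"
    if p.startswith(b"<?xml") and b"stream:stream" in p:
        return "im"          # XMPP stream header
    if p.startswith((b"GET ", b"POST ")) and b"/announce?info_hash=" in p:
        return "p2p"         # BitTorrent tracker protocol
    if p.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "web"
    if p[:1] == b"\x16" and p[1:2] == b"\x03":
        return "tls-opaque"  # encrypted; needs SNI or decryption to go further
    return "unknown"


def compare(flows):
    """Return (src, port, port_label, payload_label) for each flow."""
    return [(f.src, f.dst_port, classify_by_port(f), classify_by_payload(f)) for f in flows]


def disagreements(flows):
    """Flows the port-based view calls harmless web traffic but the payload
    shows to be something else. Opaque TLS is not counted: the port view is
    not provably wrong there, merely blind."""
    return [row for row in compare(flows) if row[3] not in (row[2], "tls-opaque")]


if __name__ == "__main__":
    for src, port, by_port, by_payload in compare(SAMPLE_FLOWS):
        print(f"{src:<12} :{port:<4} port says {by_port:<8} payload says {by_payload}")
```

Run as a script, the port column reads “web” five times while the payload column separates out the proxy tunnel, the chat session and the P2P tracker traffic. The TLS flow is the instructive remainder: once traffic is encrypted, even payload inspection stops at “some TLS session on 443” unless the gateway can read the server name or terminate the session, which is why application-aware firewalls pair signatures with decryption.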

According to a 2007 FaceTime study of more than 700 employees and IT managers, organizations spent an average of $289,000 to repair PCs after malware-related damage was caused by greynets. Conversely, 57 percent of users did not find such applications risky.

Similarly, employees are increasingly being drawn toward flashy new mobile devices, such as the Apple iPhone, Palm Treo and RIM BlackBerry. In many cases, individuals are purchasing the devices themselves and placing corporate data, such as email, on them.

“As these smaller computing devices become more powerful, you'll have a whole set of people who will travel who will actually be able to be effective in their jobs without having to lug a laptop around,” says Amrit Williams, chief technology officer of Emeryville, Calif.-based BigFix, which makes policy enforcement solutions.

The problem for businesses, though, is that the IT department will have a difficult time controlling the security on these devices, Williams says. Plus, if the number of lost laptops containing personal information is any indication, the number of breaches resulting from misplaced or stolen mobile devices could reach epic proportions.

To block or not to block

When it comes to access to questionable applications, websites and devices, the rule of thumb in corporate America traditionally has been to block or allow – a binary approach that is quickly becoming outdated in the face of the modern business model.

With a younger generation entering the workforce and demand among all ages of employees to utilize the latest technology for both personal and business needs, organizations must adjust, say experts.

At AIG, employees currently are blocked from using almost all consumer-based technologies, such as instant messenger, social networking sites, file-sharing networks and even web mail, such as Hotmail or Gmail.

But compromise is coming.

“Traditionally we have been focused on – I hate to say the word ‘no’ – but security has been perceived as the disabler, not necessarily the enabler,” DeGraaff says. “It's yea or nay. I think we're foolish if we think that's going to work.”

He says the security department is driven in its draconian ways by compliance mandates, a significant hurdle for a 120,000-employee public company that earned an estimated annual revenue of $113 billion in 2006.

But, as DeGraaff is quick to point out, meeting compliance does not necessarily guarantee security. And the risks are plenty when it comes to consumer technologies – most notably the possibility of data leakage.

Some analysts have predicted this year will mark a tipping point for data leaks caused by the accidental sharing of customer information or intellectual property through peer-to-peer (P2P) networks, such as LimeWire. Last year, Citigroup's ABN Amro Mortgage Group and Pfizer admitted to two incidents in which either customer or employee data was inadvertently exposed through file-sharing networks.

DeGraaff says AIG, later this year, plans to study P2P networks to determine if any technology can be successfully implemented that will alert IT when sensitive data is exiting the company. Tiversa, headquartered near Pittsburgh, is one of only a few firms specializing in P2P monitoring solutions.

Meanwhile, other technologies, such as instant messenger and those used on social networking sites, also provide ample vectors for information to either accidentally or maliciously slip out of the organization's walls. On the device side, flash drives and gadgets, such as the iPod, offer many gigabytes of memory space.
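The kind of alerting DeGraaff describes, knowing when sensitive data is about to exit through a file-sharing client, comes down to recognising customer or employee records in files before they are shared. The following is an added example, not Tiversa's, AIG's or any vendor's code: it scans a set of constructed file contents, standing in for the contents of a shared folder, for Luhn-valid card numbers, US-style social security numbers and classification markers, and returns the findings an alert would carry. The patterns, the markers and the sample files are assumptions made for the illustration.

```python
"""Spotting customer data in files that are about to leave the company.

Added example, not Tiversa's, AIG's or any vendor's code.  The patterns,
markers and sample file contents are assumptions made for the illustration.
"""
import re

# Constructed stand-in for the files an employee's file-sharing client exposes.
SHARED_FILES = {
    "vacation_photos.txt": "Beach day 2007, 14 photos, 3 videos.\n",
    "customer_export.csv": "name,card\nJ. Doe,4111 1111 1111 1111\nR. Roe,4000-0000-0000-0002\n",
    "hr_notes.txt": "Employee SSN on file: 123-45-6789. Do not share.\n",
    "memo.txt": "CONFIDENTIAL - Q3 product roadmap, internal only.\n",
}

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_PATTERN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")   # assumed classification labels


def luhn_valid(digits):
    """Luhn checksum: weeds out phone numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the first and last four digits in the alert itself."""
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def scan_text(text):
    """Return (kind, masked_value) findings for one file's contents."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_PATTERN.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    upper = text.upper()
    for marker in MARKERS:
        if marker in upper:
            findings.append(("marker", marker))
    return findings


def scan_files(files):
    """Map each file name to its findings; files with none are left out."""
    report = {}
    for name, text in files.items():
        hits = scan_text(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SHARED_FILES).items():
        print(name)
        for kind, value in hits:
            print(f"  {kind}: {value}")
```

The Luhn check is what keeps this from firing on every long number: the vacation file's dates and counts never reach the scanner, and a digit run that looks like a card but fails the checksum is ignored. The findings carry masked values only, so the alert itself does not become a second copy of the data it is meant to protect.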

So what security solutions can be implemented to protect companies from the risks presented by the consumerization of IT? So far, SSL VPNs, data-leak prevention and network access control (NAC) technologies appear to be the first solutions on the scene tailored to respond to some of these concerns.

DeGraaff says he is also waiting for the right software to come along that will enable his company to integrate personal and business applications and devices in a portal, whereby security cannot be compromised.

“I think we should be able to separate that out – the personal side from the business side,” he says. “We need to find a way to say, ‘OK, here I'm talking business, here I'm just chatting with my friend.’”

Along the same lines, AIG is considering WorkBook, an enterprise-ready secure overlay of popular social networking website Facebook, DeGraaff says. The product, created by Israel-based firm WorkLight, allows workers to use Facebook to communicate and collaborate with colleagues – and fulfill their addiction – without the risk of information leakage, a major concern on community websites.

Other companies, such as Palo Alto Networks and FaceTime Communications, are attempting to offer IT departments the ever-important visibility into their application infrastructure, while easing management challenges.

FaceTime solutions sit at the network and monitor IM and other real-time communications applications. “Some companies are trying to realize how to innovate around these applications,” Cabri says. “In this decade, it's not simply for fooling around. There are practical uses and businesses uses for this stuff.”

Curry of RSA says businesses must realize that blocking access to well-respected programs may cause a backlash.

“To some degree, applications that are perfectly harmless are going to have to be allowed and enabled,” Curry says. “What do you do when [employees'] quality of life drops and they decide not to come [work for] you?”

Meanwhile, Palo Alto's next-generation firewall classifies applications and users, providing enterprises with a granular way to offer access to employees.

Monitoring employees' web usage may sound like an invasion of privacy, but in a sense, it is a way for organizations to fight fire with fire.

“The most effective [security pros] are the ones who are allowing their employees [to surf], but are using tools to find out who is abusing it,” says Rich Sutton, director of 8e6 Labs at 8e6 Technologies in Orange, Calif., which produces content filtering solutions. “I think that younger people are more willing to be monitored. Their concept of privacy is very different than an older worker's. Remember, this is a generation that is posting things on MySpace for full-on public consumption.”

Standards, policies and education

Still, security software will only take organizations so far as they come to terms with a new type of worker who is clamoring for access to consumer technologies that few could have ever predicted would make their way into the business world.

Experts say applying standardization, the proper policy and governance controls and increasing employee awareness can effectively complement technological implementations.

Samir Kapuria, managing director of Cupertino, Calif.-based Symantec Advisory Services, says companies must learn ways to leverage new technologies to attract and maintain employees by offering company-approved versions. “This is choice versus control,” he says.

At AIG, where much of the network is locked down, employees are permitted to use either of two approved encrypted USB devices, which are distributed by the IT department.

Williams of BigFix says companies must rethink their attitudes. Applications can be configured in such a way that they can still satiate employees while enabling business. For example, he says, quality of service should be deployed for VoIP to help control bandwidth and network traffic, while IM can be customized to only permit communications, not data transfer.

At Mercy Medical Center, an approximately 250-bed facility in Baltimore, the hospital has made some concessions to accommodate workers without compromising security, says Mark Rein, senior director of information technology. The aim is to avoid the withdrawal effect some young hires would feel from quitting technology “cold turkey.”

The key is that the technology needs to have a business purpose, he says.

For example, medical personnel can use an internal IM system to chat with colleagues, and sites such as Facebook are permitted because of their potential research benefits. For strictly personal use, employees are encouraged to access the hospital's guest wireless network, which offers a more open internet experience.

“Our chief information officer is adamant that end-users are happy, but also about making sure we have a secure environment,” Rein says, adding that many employees simply cannot be trusted to place the company's best interests first when it comes to security.

“The worker of today is quite different than yesteryear,” he says. “There's not much loyalty to the company, not as much integrity.”

A key component to this debate could be employee training, experts say.

“In the old days, people often entered the workforce and were trained on how to use a computer or an application,” Kapuria says. “This new generation are quick studies because they are very proficient in technology. Some of the training they might need is actually coaching in the form of risk and how to manage it.”

Meanwhile, experts encourage companies to adopt strong policies regarding access and use of these Web 2.0 gadgets. Mogull, the former Gartner analyst and founder of Arizona-based security consultancy Securosis, recommends IT personnel work with executive management to establish acceptable-use guidelines. In some cases, employees may need to sign an agreement, pledging to not, say, write any blog posts discussing the company.

But perhaps the best advice for corporations is to harness this new breed of employee, experts say. The potential business benefits from consumer technologies – collaboration, cost reductions, increased morale – might make them worth investing in.

“They're very technically savvy,” Kapuria says of the younger generation. “That can work to your advantage. It's really about balancing the ramifications of potential risks versus the benefits of such an intelligent workforce.”

Jon Oltsik, senior analyst with Milford, Mass.-based Enterprise Strategy Group, says catering to this demographic will pay off if its members become integral to company success.

“Arguably, what we need to do is measure productivity,” Oltsik says. “And if productivity increases, then we ought to be willing to live with some of these nuances of technology.”

[sidebar 1]

Consumer technology:

Pros vs. cons

Data leakage. Myriad consumer applications and devices have opened up enterprises to the risk of sensitive information exposure, usually accidental.

Malware. Social engineering techniques and shoddily coded Web 2.0 applications have raised the risk of malicious software spread.

Productivity. Employees' work rate suffers through distractions. Some experts, though, believe workers will be more willing to stay late and work at home in exchange for having these technologies at the job.

Companies could feel the financial pinch that consumer technologies cause through bandwidth consumption and the need to store communications for requirements such as e-discovery.

Collaboration. Web 2.0 technologies are able to quickly and conveniently bring together workers and customers to communicate and achieve business objectives, regardless of geography.

Cost. Consumer technologies are mostly web-based, easier to install and cost less than solutions rooted in the enterprise space.

Talent. Employees who know they can perform personal functions while at work may be more likely to join that company.

 -- Dan Kaplan

[sidebar 2]

The future of IT:

Handing the buying to the employee

Imagine starting a job, and on the first day, your boss hands you $1,500 to buy a new laptop and a mobile device – any kind you want.

It is a scene sure to start playing out more and more in companies across the world as the IT department seeks to accommodate a new generation of workers while easing the burden of provisioning and managing.

Paul DeGraaff, chief security officer at American International Group (AIG), says he knows of at least one major firm – Air France-KLM – that has launched a pilot program to allow employees to procure their own assets using a monetary allowance.

“It's an interesting perspective,” DeGraaff says. “It challenges the predominant perception that it always has to be a company asset. If you think about it, that's sort of what the younger generation would want.”

End-users would be responsible for deploying security measures such as anti-virus software and the latest patches – or else the machines would be denied access to the network, he says. And if employees were to download a rogue application, for example, a health check would deny them connectivity.
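The health check the sidebar describes is a policy decision taken over a posture report from each device before it is admitted to the network. The following is an added example, not AIG's, Air France-KLM's or any NAC vendor's code: it evaluates constructed endpoint reports against an assumed policy (anti-virus agent present with recent signatures, no missing critical patches, no application from a blocklist) and returns an allow or quarantine decision together with the reasons, which is what the user would be shown when connectivity is denied. The thresholds, field names, blocklist entries and sample devices are all assumptions made for the illustration.

```python
"""Endpoint health check for network admission, as the sidebar describes.

Added example, not AIG's, Air France-KLM's or any vendor's code.  The policy
thresholds, field names and the constructed endpoint reports are assumptions
made for the illustration.
"""
from dataclasses import dataclass, field

MAX_SIGNATURE_AGE_DAYS = 7                              # assumed policy threshold
BLOCKED_APPS = {"rogue-p2p-client", "cracked-keygen"}   # constructed blocklist names


@dataclass
class EndpointReport:
    """What the posture agent on an employee-owned device would report."""
    hostname: str
    av_installed: bool
    av_signature_age_days: int
    missing_critical_patches: int
    installed_apps: set = field(default_factory=set)


def evaluate(report):
    """Return ("allow", []) or ("quarantine", [reason, ...]) for one device."""
    reasons = []
    if not report.av_installed:
        reasons.append("no anti-virus agent")
    elif report.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append(f"anti-virus signatures {report.av_signature_age_days} days old")
    if report.missing_critical_patches:
        reasons.append(f"{report.missing_critical_patches} critical patch(es) missing")
    rogue = sorted(report.installed_apps & BLOCKED_APPS)
    if rogue:
        reasons.append("blocked application present: " + ", ".join(rogue))
    return ("allow" if not reasons else "quarantine"), reasons


# Constructed sample devices checking in on a Monday morning.
SAMPLE_REPORTS = [
    EndpointReport("laptop-alice", True, 2, 0, {"office-suite", "browser"}),
    EndpointReport("laptop-bob", True, 30, 2, {"office-suite"}),
    EndpointReport("phone-carol", False, 0, 0, {"rogue-p2p-client", "mail"}),
]


def admission_decisions(reports):
    """Map hostname -> (decision, reasons) for a batch of posture reports."""
    return {r.hostname: evaluate(r) for r in reports}


if __name__ == "__main__":
    for host, (decision, reasons) in admission_decisions(SAMPLE_REPORTS).items():
        print(f"{host:<14} {decision:<10} {'; '.join(reasons)}")
```

Note that the check collects every failing condition rather than stopping at the first one: a user told only “signatures out of date” would fix that, reconnect, and then be bounced again for the missing patches. Returning the full list is what makes self-service remediation workable when the device is not a company-managed asset.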

“There's no more company-controlled assets per se,” DeGraaff says. “It boils down to how that person is going to use that asset effectively in the business environment.” -- Dan Kaplan
