While it may not yet have reached fever pitch, there is a steady and growing awareness of the risks of a new trend in business computing: consumerization.
Consumerization has evolved into two different aspects – the first is the use of personal equipment for work purposes, and the second is the use of consumer services for work.
Both can potentially create issues in the corporate environment, though I will focus on only one side of consumerization: the use of personal equipment in the corporate environment, and the potential security issues this practice raises. Consumerization raises three primary questions:
1. What does acceptable use mean with respect to corporate policies and how does one enforce those policies?
2. What is the impact of privacy laws from the perspective of the corporate customer, the individual device owner, and the corporation?
3. What are the implications of employee attrition with respect to the security of corporate information residing on personal computers?
Acceptable Use Policies have traditionally precluded the use of corporate equipment for non-business activities. They also often explicitly prohibited activities such as playing games, using file-sharing technology, or personal web surfing. There were often additional policies that defined what software could be installed as well as what email content was acceptable. Most significantly, these policies were ultimately enforced by the corporation's ability to access the machines for review and enforcement, based on corporate ownership of the equipment. However, when employees use their own computers, such access is far less clear cut. As a result, acceptable use policies as they are currently understood must be approached differently.
What to do? For now you might want to review the acceptable use policy and rethink several aspects of it. For example, the acceptable use policy might relax some of the rules, such as allowing non-work-related (licensed) programs on the machine. The policy might also take a stronger stance on items such as file sharing (and especially BitTorrent, which can eat system bandwidth and/or have questionable legal ramifications) or the use of third-party software in business due to licensing issues.
Privacy Laws typically require that care be taken not to expose customer information and to report the leakage (potential and actual) of information to the customers. However, a non-corporate-owned system will clearly introduce complexities when it comes to security measures and restrictions, which would be different at home versus in the workplace. An example of this is filtering software, which might not be acceptable on a user's personal machine.
Two scenarios need to be considered when addressing consistency in security infrastructure:
1. The employee goes home and gets an email from a company about a new widget. They click on the link and are spear-phished. Even if the corporate address book is leaked, does that mean the customer data was also exposed?
2. The employee is surfing the web at home and becomes the victim of a drive-by attack. Does the employee now need to report the incident to the corporate security team that must then notify customers of a potential breach?
Not all issues will be as hard to resolve. For example, the issue of what to do in the event of a stolen computer can be mitigated by requiring employees to use encryption for corporate data.
What to do? Look at your current security enforcement technology. Perhaps you could replace filtering software with web page analysis software that pre-scans web pages for malware. Another solution might be to provide virtual machine tools for surfing so that the user's web environment is sandboxed.
Employee Attrition is a potential issue when an employee with a personal notebook computer containing 500 GB of storage resigns. The notebook contains corporate and employee-purchased software as well as corporate data (email, memos, customer data, etc.) and employee data (pictures, movies, personal email, letters, etc.).
The company does not want to (or can't) leave the employee with corporate materials (customer information, corporate secrets, software licenses, etc.). In addition, asking the employee to delete the corporate materials is not realistic. On the other hand, the company might not be able to remove its intellectual property with a clean restore or system wipe.
What to do? There are many solutions to this problem. One simple solution may be to provide an external drive for users to boot from when at work or doing work activities, while another solution might be to enable virtual compartmentalization.
In the end, none of these issues is a real showstopper, but as always in the realm of security, the key is planning ahead to avoid the worst of the problems, and being pragmatic about solving the ones that you didn't see coming.