Reining In the Risks of Consumerization

By Ben Goodman, Lead Evangelist, VMware Horizon Application Manager

This is the 2nd blog in the series on the Consumerization of IT, its effect, and how it can be managed successfully. It will be followed by a whitepaper on this topic. Read the 1st blog here.

As we noted in our last post, for many reasons, the consumerization of IT is a force that can’t be stopped. It can be managed, but not stopped (nor should it be). Increasingly, employees are choosing the devices and the services they want to use to get their jobs done. The people you really want to work for you no longer want to be forced to work on dull corporate-issued notebooks or mobile devices. They want to use the same phones and tablets at work as they and their friends use at home.

Let’s face it, when it comes to devices – they’re no longer viewed as just something to get work done with. They’ve grown to become a statement, or extension of oneself, or self-image. That is: they’re now viewed by many as fashion. Who wants to be seen with a stodgy black notebook when they can have the latest flashy netbook or tablet?

However, the more important trend, at least when it comes to security and regulatory compliance, is happening under the surface of the device. It’s how employees are choosing the cloud-based applications they want to use. These impulse application selections mean, too often, that proprietary data, or data that should be protected, ends up scattered across many online services and accessed on devices the enterprise doesn’t manage.

To date, there has been a lot of discussion about how cloud and Software-as-a-Service providers are more secure than the data center or infrastructure managed by most businesses. And, at times, this may be true. However, it entirely misses the point of the issues created by the Consumerization of IT, or what’s now commonly known as CoIT.

The fact is that the business risks associated with CoIT are high… Very high. Regulated and protected information is much more likely to end up on multiple cloud services, which greatly increases the risk of a nasty data breach and, as IT loses its ability to govern corporate data, the risk of regulatory audit findings.

First, as more regulated and highly confidential data finds its way onto services that aren’t appropriate for that category of data (often without IT’s knowledge), the risk – and the implications – of a data breach grow proportionally. Moreover, as more employees turn to rogue services, it’s no longer even possible for the IT team to perform many of the most basic functions that fall under its responsibility: implementing an effective disaster recovery program, meeting IT audit obligations, tracking the true cost of IT services, or even helping departments get the most value from the services they are using. A business example of this in action is how a larger enterprise loses its collective price and SLA bargaining power as services are bought piecemeal by many different business units.

Yet perhaps the biggest risk here is that data and applications are being used and accessed outside the view of the IT and IT security departments. That makes the already very difficult task of securing data next to impossible. There is no way to govern data that isn’t, or can’t even be, watched. No one knows who is accessing it, when they’re accessing it, or why. So what to do about it? What can enterprises do to regain control?

It certainly isn’t simply relying on policy. Study after study has shown that employees are rarely compliant with most policies, especially those they view as counterproductive. And traditional security tools won’t work, because they can’t be deployed and maintained in a way that is effective on rogue IT services and devices. The truth is that most of the activity happening on an employee’s device or on a mobile network is something the enterprise simply doesn’t and can’t control.

What enterprises need to do is provide users with a viable alternative – not policies that attempt to roadblock the inevitable and the business value that comes with it, nor draconian controls over devices. It’s become apparent that these tactics aren’t working.

A viable alternative – such as IT-managed application catalogs and workspaces that employees can use to access their desired applications, and which can segment work and personal data – can work. It makes it possible for IT to maintain proper access controls to corporate apps while also monitoring access so that user actions can be audited. And this can be done in a way that preserves the employee’s privacy and security in their personal applications and data.

All of this is possible (and we would argue necessary), and in the weeks ahead we’ll be providing more insight and details as to how you can get there.