Published: 22 Oct 2012
The consumerization of IT has employees accessing all kinds of apps from various personal devices and locations. IT needs to set strict policies on what employees should and shouldn't do when it comes to choosing their technology.
There's no question consumerization is driving a change in how we share and manage information. For so long, IT dictated the technology we used to complete our work -- everything from the applications used to share data and support the business to the hardware that accessed the data and applications.
One of the biggest changes, as well as the biggest challenge, for IT today is that users have more of a say in which devices they use and IT departments have less influence on those choices. The last few years have brought an onslaught of demand for support of a broader set of technologies and consumer devices, such as tablets, smartphones and Macs.
And it's not uncommon for employees to use a number of these devices (typically three: a laptop, desktop or Mac in combination with a tablet and smartphone) to conduct business at different times and from various places. Employees want and need to share data between devices and each other, and they aren't waiting for IT to provide a solution. Case in point: Many employees sign up for free file-sharing accounts from consumer services such as Dropbox and load them up with corporate data without prior approval from IT, creating a sort of bring-your-own (BYO) file-sharing application environment.
The biggest challenge with a BYO file-sharing application environment is security. Having employees use personal accounts for business data basically creates a black hole in the corporate file-sharing environment. Think about it; if an employee signs up for a personal Dropbox account and uses it for corporate information, only that employee has the log-in information and only they know what data is stored there. That data may be stored on multiple devices, including that employee's home computer, tablet, phone … you name it. At the same time, IT has no idea where the data is. If that employee leaves the company, IT may get the corporate laptop back but the former employee still owns the Dropbox account and any corporate data they stored there still resides on or is accessible through their personal devices. We call this IT's Consumerization Compliance Conundrum because data goes with the account owner, and if an employee leaves, the data goes with them.
To be clear, I'm not picking on Dropbox specifically; it's just the most well-known and widely deployed free service today. No matter which service an employee signs up for, free or otherwise (and there are plenty out there), the problem remains the same.
The horse is out of the gate
Enterprise Strategy Group (ESG) recently surveyed 499 IT organizations to understand this problem. We found 77% of companies either have a formal policy against (40%) or strongly discourage (37%) personal accounts. Only 22% allow the use of these types of personal accounts. That data isn't surprising; some companies don't allow employees to access data the company would need to keep under lock and key. The big issue here is that while more than 75% of the companies surveyed have a policy against or discourage employees from using these services, a whopping 70% of the IT pros surveyed either know (36%) or believe (34%) employees are using non-IT-approved solutions.
Most of our respondent companies take an active role in monitoring the situation. Fifty-five percent use automated tools to monitor traffic going to and from online file-sharing services. This includes using firewalls to filter traffic by IP address, ports and protocols; monitoring the firewall logs using network-based application controls to inventory application traffic; and configuring tools to trigger an alert if employees are downloading or using online file-sharing applications. Other organizations (28%) use less rigorous and fairly time-consuming manual monitoring. This usually involves the IT team taking a manual inventory of the online file-sharing applications installed on employees' mobile devices.
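The automated log monitoring described above can be sketched as follows. This is an added example, not part of the original article or of ESG's survey; the log format, the alert threshold, the user names and every hostname other than dropbox.com are constructed for illustration.

```python
from collections import defaultdict

# Watch list of consumer file-sharing services (constructed). dropbox.com is the
# service the article names; fileshare.example is a placeholder. The hypothetical
# company-endorsed service, files.corp.example, is deliberately not on the list.
FILE_SHARING_DOMAINS = {"dropbox.com", "fileshare.example"}
UPLOAD_ALERT_BYTES = 50 * 1024 * 1024  # assumed per-user alert threshold

# Constructed proxy/firewall log: timestamp user src_ip method host bytes_out
SAMPLE_LOG = """\
2012-10-22T09:01:12Z alice 10.0.4.17 PUT client.dropbox.com 41943040
2012-10-22T09:03:40Z alice 10.0.4.17 PUT client.dropbox.com 20971520
2012-10-22T09:05:02Z bob 10.0.4.23 GET www.dropbox.com 1200
2012-10-22T09:07:55Z carol 10.0.4.31 PUT files.corp.example 73400320
2012-10-22T09:09:10Z dave 10.0.4.40 POST dropbox.com.cdn.example 99999999
malformed line
2012-10-22T09:11:00Z bob 10.0.4.23 POST upload.fileshare.example 512
"""

def matched_service(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in domains:
        # Match on a label boundary so dropbox.com.cdn.example is not a hit.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def parse_line(line):
    """Return (user, host, bytes_out), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    return parts[1], parts[4], int(parts[5])

def find_unsanctioned_use(log_text):
    """Return ({user: {services, bytes_out, alert}}, skipped_line_count)."""
    usage = defaultdict(lambda: {"services": set(), "bytes_out": 0})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparsed lines instead of dropping them silently
            continue
        user, host, nbytes = rec
        service = matched_service(host, FILE_SHARING_DOMAINS)
        if service:
            usage[user]["services"].add(service)
            usage[user]["bytes_out"] += nbytes
    report = {u: dict(v, alert=v["bytes_out"] >= UPLOAD_ALERT_BYTES)
              for u, v in usage.items()}
    return report, skipped
```

Like any network-side control, this only sees traffic that crosses the corporate firewall or proxy.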
But even with 55% of the companies we spoke with using automated monitoring and filtering, 70% of them are either certain or strongly suspicious of rogue usage. Wi-Fi is an easily obtainable commodity in many areas: an employee can just head to the nearest Starbucks, tether to a smartphone or pick up a portable Wi-Fi hotspot, and then circumvent the corporate network and access any IP address they need.
What can we do?
Aside from going back to the command-and-control world (which is entirely reasonable in some industries or departments), or inventorying what applications employees have on all their devices (nearly impossible, especially in a large organization) and deleting unapproved file-sharing applications, the best bet is to proactively roll out a company-endorsed solution, combined with training on how to use it and how it can make the organization's life easier.
There are many offerings that provide IT with administration capabilities to monitor what data is being accessed and shared with whom, what devices data can be synced to or stored on, as well as products that remotely wipe corporate data from devices when an employee leaves.
It's important to pay attention to ease of use, training and education for the actual end users, probably more so than to ease of use for IT. Almost one-third of our respondent companies report an ongoing challenge with employees using unauthorized accounts despite being provided with a corporate-endorsed solution. That makes training incredibly important. At first blush, many solutions designed for business use aren't quite as simple as consumer products, but they have richer functionality, are more flexible, and could in all likelihood improve sharing and collaboration -- it will just take your end users some time to get past the learning curve. You need to address this issue now because there's a good chance data is already leaking (or even gushing) out of a big black file-sharing hole in your organization.
About the author:
Terri McClure is a senior storage analyst at Enterprise Strategy Group, Milford, Mass.