Consumer technology is making its way into the enterprise, and IT managers need to get on board by planning for...
"It's terrifying," said Bruce D. Boyce, IT director at residential and commercial property manager Legum & Norman Inc. in Alexandria, Va.
Of all the security concerns he has, Boyce said no other can raise the hair on the back of his neck quite like mobile devices such as PDA's, BlackBerry's and even iPods. Although dealing with these new tech gadgets can be a headache, new research shows that IT managers need to come up with a game plan to include consumer technology in the enterprise.
Between 2007 and 2012, the majority of new technologies adopted by enterprises will have roots in consumer applications, according to a study released last month by Stamford, Con.-based analyst firm Gartner Inc. A big reason for this trend is vendors' growing practice of introducing leading-edge technology to consumer markets before commercial ones, said Gartner.
Some companies use the latest tech toys to reward their employees. That was the case last year at Costello & Sons Insurance Brokers in San Rafael, Calif., when every employee received a new iPod as a Christmas present.
Although these types of giveaways might be popular with the rank and file, it isn't as popular with IT managers who have to deal with the proliferation of a new technology running amok through the enterprise.
"No one asked me about it, but when it happened, it was inevitable that [iPods] were going to be brought in house," said Steve Perry, IT director at Costello & Sons. "They didn't know that iPods are not just a music player but are formatted as a disk that can download information."
Although Perry could set Microsoft's Group Policy for removing or adding USB storage devices, the prevalence of iPods at his company makes it difficult to do that, he said.
Portable info takeaways posing as iPods
Other IT managers are also feeling the pain. "The biggest problem I have is thumb drives and iPods," said Tom Olzak, director of IS Security for HCR Manor Care Inc., a healthcare provider headquartered in Toledo, Ohio. "They can just plug into the USB port, and it becomes a full-blown hard drive."
With an iPod, a user has the ability to download 25 gigs worth of information, Olzak said.
"When you pull up Windows, [the thumb drive or iPod], it looks like a storage device, and you can read and write to it just like a local hard drive," he said. "And this is just one example. Any USB storage device is a potential threat to business data, and that data can be taken out and brought in."
Although there are plenty of products available that can block the use of USB's, Olzak used a technique described in a Microsoft white paper on Windows Servers 2003 titled "Guide to preventing information leaks." It tells how to create code for a Group Policy Object that blocks USB usage as well as writing to a CD-ROM or floppy.
Legum & Norman's IT department is in the process of setting up policy guidelines for mobile devices like thumb drives, PDA and iPods in response to growing security concerns, Boyce said. "We're looking at ways to quarantine mobile devices before they make a connection and also at authentication," he said.
Boyce said he is looking at possible ways to address mobile devices with Vista or Windows Server. "Right now we're pretty reliant on training of users on what to do, and they are very compliant," he said. "But [they] are often in a hurry and can make mistakes."
Duncan McAlynn, an independent security and enterprise management consultant in Austin, Texas, said "consumerization" of the enterprise is already happening. He has seen some corporations adopt iPods to deliver corporate training, for example.
"This scares the living hell out of me as a security professional," said McAlynn. "This is mass storage that can hold a company's sensitive information, and no one is going to question someone syncing up an iPod to the desktop."