November 16, 2011
Thoughts on Security Practices and the Consumerization of IT

Tim Rains, Director of Trustworthy Computing Communications at Microsoft, has published an interesting post on TechNet about the IT consumerization wave that is hitting enterprises at full force and the difficulties these companies face in dealing with it.

Tim refers to the 14th annual Global Information Security survey from E&Y.

The following excerpt, cited by Tim, is a telltale sign of enterprises groping for answers on how to address these consumer-grade devices in the corporate network (emphasis added):

our survey shows that the adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge.

The vast majority of respondents try to tackle the issue from security policy and awareness perspectives. Encryption comes third, as many CISOs and CSOs try to concentrate on the data rather than on the equipment.

By approaching the problem from a data-centric point of view, they aim to isolate and protect corporate data stored on BYO devices. Sadly, a well-known fact of information security is that whoever controls the device controls the data. Building a castle in uncharted territory is an ill-advised strategy.

I am not saying that data-centric approaches are useless. I am saying that they are not sufficient and must be complemented by a threat-centric approach as championed by Richard Bejtlich.

We should be monitoring what goes in and out of these devices and beefing up our incident response capability to act swiftly in case of data exfiltration and other significant threats to brand image, business data, intellectual property, etc.

October 28, 2011
Unsung HEROes

IT departments all over the world have a reason to mourn. They have been urged by Forrester Research to support Macs.

What Forrester Research purports to be a new era of computing has been here for years, but they were blinded by their strong Microsoft/PC inclinations.

They seem to take notice. At last. But in their haste to make this old movement look new, they invented yet another term for what has already been coined BYOD (Bring Your Own Device).

Now, we are told, Mac users should be called HEROes:

“HERO,” it turns out, is a Forrester acronym for Highly Empowered and Resourceful Operatives — “the 17% of information workers who use new technologies and find innovative ways to be more productive and serve customers more effectively.”

Stop rubbing your eyes out of utter disbelief. You aren’t dreaming. HEROes. Highly Empowered and Resourceful Operatives.

We will never stop being surprised at how imaginative marketoids are.
