Consumerization of Enterprise IAM: Friend or Foe? – Part 2 of 2
Posted by Frank Villavicencio on Mon, Mar 28, 2011
Part 1 provided context for the Enterprise IAM consumerization trend and talked about the positive and negative implications of the trend. In this article, I will discuss additional considerations and recommendations about this trend and how organizations may choose to approach it.
…And the Ugly
This trend is here to stay and forever change the Enterprise IAM landscape. Accept it. Learn to live with this reality. Here is a metaphor: as a good civil engineer, you should look to channel the water flow, rather than try to stop it, in order to preserve the structural integrity of the building.
Consumerization of Enterprise IT is, by definition, placing the Enterprise on the defensive. CISOs are not talking to Steve Jobs about how to make the iPhone or iPad more secure for Enterprise IT use, or are they? Apple developers think about these devices as consumer gadgets, not as Enterprise IT computing assets.
My recommendation is to take a proactive posture here. It feels like a doctor-prescribed diet, but following it will prove better and cheaper in the long run, possibly avoiding emergency surgery. From my viewpoint, the cutting-edge, fast-changing nature of consumer technology requires a disciplined and consistent approach by the organization. Rather than waiting to be blindsided by end users, spend upfront time and effort assessing the risk of new technologies and systems on an ongoing basis, as well as reviewing the sensitivity of the information available via these systems, then apply the right amount of risk mitigation (i.e. security) as appropriate and feasible for the level of risk.
An ugly fact is that when it comes to mobile computing devices such as smart phones, we are all beta testing these technologies on an ongoing basis. The time-to-market and competitive pressures of the consumer market force manufacturers to keep a fast pace of releases, each with significant new features. To me, this means there is just not enough time to properly test and QA these releases, and my gut feeling is that security is not at the top of the priority list in the QA tests being done. This further emphasizes the need to keep a disciplined approach to assessing risk, one that stays relatively nimble in the face of technology changes, such that you can make decisions on what to allow or not for Enterprise use.
This situation also means that a new plethora of security risks is incrementally introduced to the Enterprise. The massive and ubiquitous nature of most consumer technology also means that the bad guys have access to it too, and have a greater advantage in exploiting vulnerabilities in consumer technology than in Enterprise IT technology.
Another relevant dimension of this trend is the fact that there are, and always will be, legacy considerations. This means, particularly in IAM, that the integration challenges in automating provisioning and account reconciliation increase. Enterprise IAM technologies have historically been designed and engineered with a much different paradigm than that of consumer-facing technologies. Therefore, in many cases, integration between traditional Enterprise IAM technologies and consumer technologies is difficult at best, if feasible at all.
Other Recommendations
Given this trend is going to have a profound impact on the overall Enterprise IT security and IAM landscape, organizations will need to take a posture of embracing it. Ignoring this trend or “burying your head in the sand” will not prove to be an effective strategy.
So, start by articulating a posture accepting various aspects of this consumerization trend: use of personal [mobile] computing devices for Enterprise purposes, authentication policies for applications internally or externally hosted, data encryption and retention, application development for smart phones, etc. Define and adopt guiding principles, such as:
- Provide practical guidance on how the Enterprise is to approach new application development that complies with the stated policy, particularly for applications that will be delivered to mobile devices.
- Define criteria for the adoption of SaaS applications that adhere to the organization’s policies, namely authentication, authorization and access governance.
- Define and instate security practices and possibly accepted technologies for allowing personal computing devices, particularly mobile devices to be used for Enterprise purposes, be that email, address books, calendaring, etc.
- Establish a framework (a team and a process) by which stakeholders within the Enterprise can consult and get guidance about various technologies in the consumerization area. Ensure this framework is lean and effective, such that it does not become a drag on the process, and instead turns into a viable vehicle for business initiatives to align with the security and IAM direction. Remember that the consumerization trend is like water flow: it will always find a way through; what you want to do is channel it in the desired direction.
- Revise periodically. This is inevitable. You are far from done; and most likely things will be obsolete within six months.
- Engage with your users; be proactive in learning about their computing needs and preferences, such that you can avoid being blindsided. I really need to stress the timeliness and the need for this process to be lean and efficient. It cannot be heavy, simply because the pace of change is so frenetic that anything that takes over six months to instate is already obsolete.
- Get feedback on the effect and reaction that your IAM controls (i.e. processes and services) are eliciting from your user base. Are they using it? Are they happy? Do they like it? While you can always use corporate governance to “force” adoption, you will be much better off if your user base actually adopts and utilizes the solutions that you have worked so hard on and spent so much building to allow them to self-service their accounts or delegate tasks to non-IT folks.
Predictions
I believe that there will be more consumerization in coming years; this stuff is just very addictive and convenient: “why carry a laptop when I can carry my iPad when on the road?” But at the same time, I speculate that security and privacy requirements will start to be factored into many consumer technologies, hence creating the “Enterprisation” of the consumer technology space.
Yep, the demarcation lines have already crossed and blurred. Many organizations have created corporate policies that employees need to accept, defining what is and is not allowed when they express their opinions about their organization in social media channels (à la Facebook, Twitter, and the like). So, does this mean that I need to check with my company’s InfoSec team before buying my next smart phone? Most likely; particularly if you plan on reviewing financial reports or approving access recertification requests from it.