
Q1: What is the consumerization of IT?
The division between end-user devices supplied by corporate IT and the consumer electronics that employees feel they need to conduct business has blurred. Users are finding that the laptops, tablets, and smartphones they purchase for personal use are generally more powerful, capable, and all around "sexier" than what is supplied by their employers.
The needs of today's users have evolved past traditional computers and PDAs. Users require more versatile devices such as those offered by application-ready tablets and smartphones, as well as the cloud-based services those devices are designed with in mind. These devices and the services they use overlap personal and business use.
Q2: What are the business benefits?
There are several business advantages to the consumerization of IT, such as enhanced productivity, lower organizational procurement costs brought about by BYOC (bring your own computer), and less demand on IT for endpoint support. These advantages can be realized across three areas commonly associated with the consumerization of IT: mobile devices, laptops and desktops, and virtual desktops.
Many financial services organizations have developed custom applications that are optimized for mobile devices, giving employees a competitive edge: first to get back to a client with an answer, first to update the database, first to solve the problem. From collaboration tools like email and calendaring to line of business applications such as CRM and enterprise databases, designing solutions that give employees access regardless of their device or location makes business sense.
In addition to custom applications for employees, many public applications also yield value. The sales force may live and die by contacts in the cloud, such as those offered by LinkedIn. Human resources likely uses Facebook as part of the recruiting process, and marketing no doubt leverages services such as YouTube and SlideShare.
Q3: What are the security risks intrinsic to the financial services industry?
The last few years, however, have introduced new challenges. From the mortgage collapse to diminishing customer loyalty, financial services organizations are searching for ways to address these issues by achieving greater profitability and better serving their customers. The consumerization of IT is one logical solution, but this embrace is not without risks.
The consumerization of IT challenge isn't enabling email delivery to mobile phones. The challenges are rooted in two key areas: protecting how data is being manipulated and controlling network access across mobile devices, laptops and desktops, and virtual desktops.
Tasks that have been rudimentary for traditional corporate-owned end-user devices, such as provisioning and revocation, are now opaque because it's not always clear who owns the device and, further, who owns the data on that device.
Q4: How can risk be mitigated?
There are three areas across the consumerization of IT that need to be looked at in order to address the primary issues: mobile devices, laptops and desktops, and virtual desktops.
Mobile devices require scalable solutions that help IT secure and manage the entire device and the data. IT needs a centralized way to enable easy, self-service provisioning to include access mechanisms like VPN and Wi-Fi, set and enforce policies independent of the ever-growing end-point types, and do so in a way that is persistent and can't be undone by users through careless or intentional acts. There also has to be accountability for the employee device. During the initial authentication process when accessing the corporate network, each device needs a unique ID that is associated with a particular user and, as such, with that user's groups, roles, and permissions. With these dots connected, network access and access to enterprise and line-of-business applications can be determined, and risk can be mitigated.
Other capabilities should allow IT to perform full or partial data wipes. Partial wipes are critical for employee-owned devices where only corporate data should be removed and thus preserve photos, music, applications, and other non-corporate resources. Remotely tracking the phone's location, locking it, and performing backups and restoration are also important mobile device security capabilities.
Laptops and desktops can be controlled by leveraging network access control (NAC) with multiple zones based on access criteria. For example, a visitor with an un-managed device may get Internet access via an un-trusted guest network but no internal access. Old anti-virus .DATs or an un-patched OS may get a device on the trusted network but deny it access to sensitive business assets. Only when full system interrogation, evaluated against policies, is performed is full, trusted access provided, and even then only within the limits of the user's identity and role. Thus, regardless of managed or un-managed laptops or desktops, or end-point types, access can be controlled.
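The zoning decision described above can be sketched as a small policy function. This is an added example, not code from the original article or any NAC product; the zone names, the 7-day signature-age limit, the role-to-resource map and the sample devices are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Zone names, the signature-age limit and the role map are assumed values.
GUEST, RESTRICTED, FULL = "guest", "trusted-restricted", "trusted-full"
MAX_AV_AGE_DAYS = 7
ROLE_RESOURCES = {"teller": {"email", "crm"},
                  "trader": {"email", "crm", "trading-db"}}
SENSITIVE = {"trading-db"}

@dataclass
class Device:
    device_id: str                     # unique ID bound to a user at authentication
    user: Optional[str]                # None for an unidentified visitor
    roles: tuple = ()
    interrogated: bool = False         # full posture interrogation completed
    av_age_days: Optional[int] = None  # None: no anti-virus data reported
    os_patched: bool = False

def assign_zone(d: Device) -> str:
    """Map identity and posture to a zone, failing closed on missing data."""
    if d.user is None or not d.interrogated:
        return GUEST
    av_current = d.av_age_days is not None and d.av_age_days <= MAX_AV_AGE_DAYS
    if not (av_current and d.os_patched):
        return RESTRICTED
    return FULL

def allowed_resources(d: Device) -> set:
    """Resources reachable from the zone, capped by the user's roles."""
    zone = assign_zone(d)
    if zone == GUEST:
        return {"internet"}
    granted = set()
    for role in d.roles:
        granted |= ROLE_RESOURCES.get(role, set())  # unknown role grants nothing
    if zone == RESTRICTED:
        granted -= SENSITIVE
    return granted | {"internet"}

# Constructed sample devices
VISITOR = Device("dev-001", user=None)
STALE = Device("dev-002", "alice", ("trader",), True, av_age_days=30, os_patched=True)
HEALTHY = Device("dev-003", "bob", ("trader",), True, av_age_days=1, os_patched=True)
TELLER = Device("dev-004", "carol", ("teller",), True, av_age_days=1, os_patched=True)

if __name__ == "__main__":
    for dev in (VISITOR, STALE, HEALTHY, TELLER):
        print(dev.device_id, assign_zone(dev), sorted(allowed_resources(dev)))
```

Note that the healthy teller device still cannot reach the sensitive asset: posture decides the zone, while identity and role cap what is reachable inside it.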
Virtual desktops are a common mechanism for mitigating risks surrounding the consumerization of IT. A virtual image can be installed atop a smartphone, tablet, laptop, etc. A user leveraging a virtual image can interact with the corporate network and sensitive data based on policies and permissions that might limit the ability to download data, take screen captures, access certain applications, etc. While a powerful control, the virtualization promise of any device anywhere has historically been limited by traditional security controls. For example, installing anti-virus on every virtual image is a network, system, and virtual image density drain. Virtual images should be used in conjunction with specialized security solutions designed to optimize virtual environments.
The consumerization of IT should be embraced. Saying "no" won't scale, and could lead to missed business opportunities. By focusing on mobile devices, laptops and desktops, and virtual desktops it is possible to mount an effective risk mitigation strategy built atop mobile device management, NAC and security for virtual images that also yields operational efficiencies. Users need easy and secure solutions. IT needs centralized, scalable, and integrated solutions that address security and compliance across networks, end-points, and content security controls.