Brian Contos explains why it is imperative for financial institutions to embrace IT consumerization into their overall strategic objectives.
What is the consumerization of IT?
Brian Contos. The division between end-user devices supplied by corporate IT and consumer electronics that employees feel they need to conduct business has blurred. Users are finding that the laptops, tablets, and smartphones they purchase for personal use are generally more powerful, capable, and all around "sexier" than what is supplied by their employers. From techies to business executives, this has resulted in explosive growth in the use of personal technology for business.
The needs of today's users have evolved past traditional computers and PDAs. Users require more versatile devices such as application-ready tablets and smartphones, as well as the cloud-based services that those devices are designed around. These devices and the services they use overlap personal and business use. The solutions are viral; once a few people find that a certain device and/or application makes their life better, or improves business productivity, adoption explodes.
What are the business benefits?
BC. There are several business advantages to the consumerization of IT, such as enhanced productivity, lower organizational procurement costs brought about by BYOC, or bring your own computer, and less demand on IT for endpoint support. These advantages can be realized across three areas commonly associated with the consumerization of IT: mobile devices, laptops and desktops, and virtual desktops.
Many financial services organizations have developed custom applications that are optimized for mobile devices, giving employees a competitive edge: first to get back to a client with an answer, first to update the database, first to solve the problem. From collaboration tools like email and calendaring to line of business applications such as CRM and enterprise databases, designing solutions that give employees access regardless of their device or location makes business sense.
In addition to custom applications for employees, many public applications also yield value. The sales force may live and die by contacts in the cloud such as those offered by LinkedIn. Human resources likely uses Facebook as part of the recruiting process, and marketing no doubt leverages services such as YouTube and SlideShare.
With the next generation of customers viewing traditional web sites and email like cave paintings and handwritten letters, mobile applications are also becoming customer-facing. It was once big news to have customer self-service portals; those are now evolving into sites optimized for mobile devices to check account statuses, receive updates, transfer funds, trade stocks, and more.
While this mobilization of applications and corporate data has a positive impact on productivity and IT resource utilization, it's not without its challenges. A very common, important question is: "How can we protect our assets and sensitive data when personal devices are connecting?"
What are the security risks intrinsic to the financial services industry?
BC. The financial services industry encompasses a wide range of businesses from commercial and private banking to stock brokerages and hedge fund management. Because the nature of the business is complex, highly sensitive, and personal, financial institutions are heavily regulated with national and international mandates, industry regulations, state disclosure requirements, and internal governance. In support of new business initiatives, financial services organizations have been leveraging security controls to protect sensitive information and achieve compliance for years.
The last few years, however, have introduced new challenges. From the mortgage collapse to diminishing customer loyalty, financial services organizations are searching for ways to address these issues by achieving greater profitability and better serving their customers. The consumerization of IT is one logical solution, but this embrace is not without risks.
The consumerization of IT challenge isn't enabling email delivery to mobile phones. The challenges are rooted in two key areas: protecting how data is being manipulated and controlling network access across mobile devices, laptops and desktops, and virtual desktops.
Tasks that have been rudimentary for traditional corporate-owned end-user devices, such as provisioning and revocation, are now opaque because it's not always clear who owns the device and, further, who owns the data on that device.
How can risk be mitigated?
BC. There are three areas across the consumerization of IT that need to be looked at in order to address the primary issues: mobile devices, laptops and desktops, and virtual desktops.
Mobile devices require scalable solutions that help IT secure and manage the entire device and the data. IT needs a centralized way to enable easy, self-service provisioning to include access mechanisms like VPN and Wi-Fi, set and enforce policies independent of the ever-growing end-point types, and do so in a way that is persistent and can't be undone by users through careless or intentional acts. There also has to be accountability for the employee device. During the initial authentication process when accessing the corporate network, each device needs a unique ID that is associated with a particular user and, as such, that user's groups, roles, and permissions. With these dots connected, determining network access, and access to enterprise and line of business applications, risk can be mitigated. From a compliance perspective, consider the Sarbanes-Oxley requirements around tracking changes to financials. Regardless of whether an employee accesses financials and makes changes from a traditional desktop or a smartphone, the actions are associated with an individual per the mandate.
Other capabilities should allow IT to perform full or partial data wipes. Partial wipes are critical for employee-owned devices where only corporate data should be removed and thus preserve photos, music, applications, and other non-corporate resources. Remotely tracking the phone's location, locking it, and performing backups and restoration are also important mobile device security capabilities.
Laptops and desktops can be controlled by leveraging network access control, or NAC, with multiple zones based on access criteria. For example, a visitor with an un-managed device may get Internet access via an un-trusted guest network but no internal access. Old anti-virus .DATs or an un-patched OS may get a device on the trusted network, but deny access to sensitive business assets. Only when a full system interrogation evaluated against policies is performed is full, trusted access provided, and even then, only within the limits of the user's identity and role. Thus, regardless of managed or un-managed laptops or desktops, or end-point types, access can be controlled.
Virtual desktops are a common mechanism for mitigating risks surrounding the consumerization of IT. A virtual image can be installed atop a smartphone, tablet, laptop, etc. A user leveraging a virtual image can interact with the corporate network and sensitive data based on policies and permissions that might limit the ability to download data, take screen captures, access certain applications, etc. While a powerful control, the virtualization promise of any device anywhere has historically been limited by traditional security controls. For example, installing anti-virus on every virtual image is a network, system, and virtual image density drain. Virtual images should be used in conjunction with specialized security solutions designed to optimize virtual environments. Some examples of this optimization are offloading anti-virus from individual virtual images to a dedicated image; intelligently caching so that, for example, when HR sends a PDF to 1,000 employees, it is scanned only once for malware and the result is distributed to the other images; and standardizing end-point security by moving anti-virus solutions off the end-point and into the data center.
The consumerization of IT should be embraced. Saying "no" won't scale, and could lead to missed business opportunities. By focusing on mobile devices, laptops and desktops, and virtual desktops it is possible to mount an effective risk mitigation strategy built atop mobile device management, NAC and security for virtual images that also yields operational efficiencies. Users need easy and secure solutions. IT needs centralized, scalable, and integrated solutions that address security and compliance across networks, end-points, and content security controls.
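The tiered NAC zoning and device-to-user accountability described in the answer above, written out as a small policy engine. This is an added illustration, not code from the interview or from McAfee; the zone names, role-to-application mapping, sample endpoints and the seven-day signature-age threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Optional, Set

# Access zones, least to most trusted (constructed names).
GUEST = "guest-internet-only"     # un-managed device: Internet only, no internal access
TRUSTED = "trusted-no-sensitive"  # managed but stale .DATs or un-patched: no sensitive assets
FULL = "full"                     # passed full interrogation: bounded by identity and role

@dataclass(frozen=True)
class Endpoint:
    device_id: str                     # unique ID bound to the device at first authentication
    managed: bool                      # enrolled in corporate device management
    user: Optional[str]                # identity the device ID is associated with
    roles: FrozenSet[str]              # that user's roles / groups
    av_signature_date: Optional[date]  # date of the anti-virus .DAT on the device
    os_patched: bool                   # OS at the required patch level

# Sensitive line-of-business applications and the roles allowed to reach them (constructed).
SENSITIVE_APPS: Dict[str, Set[str]] = {
    "financials": {"finance", "audit"},
    "crm": {"sales", "finance"},
}

def classify_zone(ep: Endpoint, today: date, max_dat_age_days: int = 7) -> str:
    """Place an endpoint in a zone using the tiered interrogation criteria."""
    if not ep.managed or ep.user is None:
        return GUEST  # no device-to-user binding: no internal access at all
    dat_stale = (ep.av_signature_date is None
                 or (today - ep.av_signature_date).days > max_dat_age_days)
    if dat_stale or not ep.os_patched:
        return TRUSTED  # on the trusted network, but sensitive assets denied
    return FULL

def can_access(ep: Endpoint, app: str, today: date) -> bool:
    """Sensitive apps require the FULL zone and a role the app permits."""
    if classify_zone(ep, today) != FULL:
        return False
    return bool(ep.roles & SENSITIVE_APPS.get(app, set()))

def audit_record(ep: Endpoint, app: str, action: str, today: date) -> dict:
    """Accountability: tie every action to device ID and user, whatever the endpoint type."""
    return {"date": today.isoformat(), "device_id": ep.device_id, "user": ep.user,
            "app": app, "action": action, "zone": classify_zone(ep, today),
            "allowed": can_access(ep, app, today)}

# Constructed sample endpoints and reference date.
TODAY = date(2011, 9, 15)
VISITOR = Endpoint("dev-visitor-01", False, None, frozenset(), None, False)
STALE = Endpoint("dev-lap-07", True, "alice", frozenset({"finance"}), date(2011, 8, 1), True)
CLEAN = Endpoint("dev-phone-12", True, "alice", frozenset({"finance"}), date(2011, 9, 14), True)
HR = Endpoint("dev-lap-22", True, "bob", frozenset({"hr"}), date(2011, 9, 14), True)
```

Note that the same user (alice) lands in different zones depending on device posture, while the audit record still names her on every attempt.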
Brian Contos, CISSP, is director of global security strategy at McAfee. He is a recognized security expert with more than 15 years of security engineering and management expertise. He is a published author, Ponemon Institute Fellow, and graduate of the University of Arizona.