CoIT: balancing risk and reward

By Elevate posted 12-17-2013 04:22


In Juniper’s Consumerisation Study 2013, three out of four companies consider that when users pull data into consumer apps, it’s a security threat. The same proportion was concerned about data control.


It’s understandable to be concerned, even wise. But there’s a difference between taking the appropriate action and locking security down. My concern when I saw the survey results is that to be competitive, organisations considered that they should be more data risk averse (73 percent skewed to “data control,” rather than “data agile”) and an even bigger proportion (80 percent) skewed to “control” as the way to exploit the benefits of Consumerisation of IT (CoIT).


I can’t tell you that’s wrong for your organisation, as every company needs to think carefully about its appetite for risk. But if CoIT results in data lockdown, it will be a failure: the gains in cost or task productivity will be outweighed by the problems of getting access to the data we need. The empowerment of the workforce evaporates in red tape, the cost savings are wasted on the time and expense of administering policy.


Meanwhile users cast envious glances at other organisations that allow them to use their own hardware and software. Why, they ask, are we “punished” for using our chosen applications and devices?


So, how to balance risk and reward? The key is the granularity of your risk management, which can then be mapped to equivalent granularity of data access.


Not all data is created equal. Some data needs few restrictions, but valuable or confidential data needs appropriate protection. That’s not the same as saying that it can’t be accessed on any consumer device. It might be that your policy states that it can only be accessed on devices with encryption, if it is prevented from being mingled with user data, or accessed only in a VPN during certain times.


Many organisations carry out the process of assigning levels of security to data, but they struggle to translate this to data access rules.


The first problem is that business security rules – for example, access to secure areas out of hours – are often more granular than data access policy, and better understood.


The second is that we struggle to create IT security policy that is consistent between fixed and mobile networks, from desktop to laptop to phone, and from premises to cloud. A typical – and responsible – reaction is to create restrictions that reflect a blanket risk aversion, but reduce productivity by imposing a “lowest common denominator.” This may be what we see in the survey.


A more productive response is for the business and IT to agree on principles: types of device, types of user and types of network. If they can be implemented by using granular and portable network security, then data will be available when it is appropriate. Ideally, the security policy management should allow you to create rules, based on permissions and attributes of devices and apps, for groups of users – which you then “publish” to the devices they use, while at the same time keeping the end user experience ridiculously easy.
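As an added illustration of the granular, attribute-based rules described here and in the earlier paragraph on data sensitivity (example code written for this post, not a Juniper product or its policy language), the following evaluator contrasts a blanket “nothing above internal data on consumer devices” policy with a granular one that releases confidential data only on an encrypted, containerised device over the VPN during business hours. The group names, sensitivity levels and time window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Data sensitivity levels, least to most restricted (constructed labels).
PUBLIC, INTERNAL, CONFIDENTIAL = 0, 1, 2

@dataclass
class Device:
    encrypted: bool          # storage encryption enabled
    managed_container: bool  # corporate data kept apart from the user's personal data
    on_vpn: bool             # request arrives over the corporate VPN

@dataclass
class Request:
    user_group: str
    device: Device
    sensitivity: int
    at: time                 # local time of the access attempt

@dataclass
class Rule:
    """Which groups may reach which sensitivity, and under what device/network conditions."""
    groups: frozenset
    max_sensitivity: int
    require_encryption: bool = False
    require_container: bool = False
    require_vpn: bool = False
    window: tuple = None     # (start, end) local times; None means any time of day

    def allows(self, r: Request) -> bool:
        if r.user_group not in self.groups or r.sensitivity > self.max_sensitivity:
            return False
        if (self.require_encryption and not r.device.encrypted
                or self.require_container and not r.device.managed_container
                or self.require_vpn and not r.device.on_vpn):
            return False
        return not self.window or self.window[0] <= r.at <= self.window[1]

def decide(rules, request: Request) -> bool:
    """Default deny: access is granted only if at least one published rule allows it."""
    return any(rule.allows(request) for rule in rules)

# Blanket policy (the survey's "control" reflex): nothing above INTERNAL on any consumer device.
BLANKET = [Rule(frozenset({"staff", "finance"}), INTERNAL)]
# Granular policy: same baseline, plus CONFIDENTIAL data for finance staff, but only on an
# encrypted, containerised device over the VPN during business hours (constructed window).
GRANULAR = BLANKET + [
    Rule(frozenset({"finance"}), CONFIDENTIAL, require_encryption=True,
         require_container=True, require_vpn=True, window=(time(7, 0), time(19, 0))),
]
```

Because every rule is default-deny, the granular policy never grants more than the blanket one to a non-compliant device; it only opens the specific cases the business has agreed to.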


This must, by definition, be more efficient for the business, yet without compromising security. The result is that consumerisation finds the balance between access and control not by device management, but by building network security based on business rules.


To find out more about Juniper Networks' vision for an Empowered Enterprise and the solutions available to an organisation, please visit this site.