The consumerization of IT means that unmanaged devices are being brought into your environment and accessing your data. It's a new paradigm, and like most new paradigms, it's taking hold whether we like it or not.
The first question to ask: Does it matter whether devices are managed or unmanaged? That answer is a big fat yes. The whole reason we security pros dedicate our careers -- and our company's resources -- to securing organizations is to protect sensitive data. Managing a computer allows the data owners and stewards to lower risk of malicious access to protected data.
[ InfoWorld's Galen Gruman assures IT there's nothing to fear in endpoint diversity. | Understand how to both manage and benefit from the consumerization of IT trend with InfoWorld's "Consumerization Digital Spotlight" PDF special report. | Learn how to secure your systems with InfoWorld's Malware Deep Dive PDF special report and Security Central newsletter. ]
Managed computers can be assured to have:
- Hardened security settings
- Secure log-on methods
- Strong authentication protocols
- Appropriate access controls
- Enabled host-based firewalls
- Up-to-date antimalware software
- Securely configured software
- Up-to-date, patched software
- Appropriate local and network security boundaries
- Configured and enabled auditing policies
This is all on top of whatever other security measures your particular environment dictates.
We manage computers because we want to decrease the chance of malicious events. The consumerization of IT thwarts those good intentions. Some people argue that unmanaged computers aren't that much riskier than managed computers because, after all, managed computers haven't done a particularly good job of stopping computer crime. True, giving up on endpoint security is hardly the answer. Unmanaged computers, bereft of the controls listed above, are going to increase security risk -- full stop.
So how do you keep data secure in an unmanaged scenario?
The easiest solution is to deny unmanaged computers to access protected data. This was the most common response over the last few years. But in nearly every business environment I've visited, with that rule in place, unmanaged devices were still accessing company data, regardless of company policies. Like I said, new paradigms have a life of their own.