IT's Consumerization Compliance Conundrum

Users are already bringing their own devices onto the network, and IT can no longer control where corporate data resides. What should you do to cope?
By default, endpoints are mobile devices at the fringes of IT's reach, leaving them exposed and difficult to protect, at best. Worse, they contain stuff that competitors and bad guys would love to have.

You can't just talk about backup to protect these devices. You have to talk about security.

You need to deal with encryption. You need to be able to remotely wipe out a device that falls into the wrong hands. You need to ensure that you have Apple-like "find my device" functions for all your devices.

You can't have a billion files on a million devices out there and think that you can only spend your time and money on a search function within the enterprise. There is no more enterprise. The enterprise is everywhere--and it moves. Stop thinking that you can contain any of these problems within four walls. You need to know everyplace a file or object exists--right now. If you don't believe me, go ask your lawyer.

It will get worse long before it gets better. You will need to know who has it, who had it, what they did with it, and when. Can you identify that today? No. But you are going to have to--it's only a matter of time.

You will be responsible for knowing everything about a data object, throughout its lifetime. You will not have the excuse of complexity or difficulty. Consumerization is just a fancy term for the acceleration of bad IT habits, but it is a problem that will rain down upon you.

So forgive my rant of terror. There are solutions beginning to emerge--but they are not your granddad's way of doing things. You should prepare yourself to deal with new ways of thinking. Stop looking to your traditional vendors to solve non-traditional problems. Find integrated solutions that solve real issues--like some of the ones I just raised.

Build a checklist of must-have functions--simple ideas, such as: "I must have the ability to control access to the data." Therefore, it seems logical that IT needs to be the one who sets up a Dropbox account and assigns users their locations. Thus, when the user quits, we shut down their access. Seems entirely logical, yet I don't think I've met anyone in corporate IT who does it yet. More complex ideas are things such as: tag the data and apply policy at the data object, such that I can at least know where it goes, and when. Ideally, I'd be able to kill access to or wipe out a piece of content on a specific device.

The list can get complex quickly, but if you focus on core issues, you will find you can start to get a handle on them. Don't bother trying to mandate (let HR do that), as it doesn't work. Instead, be that happy service bureau your users love--"We're happy to announce that we support Dropbox for those users and groups who want to use it!--Click here to automatically create a workgroup account." But the account is yours, and you control it. User goes, account stays. Permission denied. Conundrum avoided.
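To make the checklist concrete, here is an added illustration (not the column's own code, and not a real Dropbox or MDM API): a toy model in which the workgroup account belongs to IT, users are only members, each data object carries policy tags, every access decision is recorded so "who has it, who had it, what they did with it, and when" can be answered, and offboarding a user or wiping a device revokes access without erasing the history. All user, device and file names are constructed sample data.

```python
"""Toy model of the column's checklist: IT-owned workgroup account, policy at the
data object, a full access trail, and revocation on offboarding or device wipe.
Added example with constructed data; it models no real cloud-storage API."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class DataObject:
    name: str
    tags: frozenset           # policy tags travel with the object (e.g. "confidential")
    allowed_groups: frozenset  # groups whose members may touch it


@dataclass
class AccessEvent:
    when: datetime
    user: str
    obj: str
    action: str
    device: str
    allowed: bool
    reason: str


class WorkgroupAccount:
    """The account is IT's; users are members and can be removed at any time."""

    def __init__(self, owner="it-admin"):
        self.owner = owner
        self.members = {}           # user -> set of group names
        self.objects = {}           # object name -> DataObject
        self.wiped_devices = set()  # devices IT has remotely wiped
        self.trail = []             # every access decision, allowed or denied

    def add_member(self, user, groups):
        self.members[user] = set(groups)

    def offboard(self, user):
        """User goes, account stays: membership is dropped, the trail is kept."""
        self.members.pop(user, None)

    def wipe_device(self, device):
        self.wiped_devices.add(device)

    def register(self, obj):
        self.objects[obj.name] = obj

    def request(self, user, obj_name, action, device, when=None):
        """Evaluate the object's policy for this user/device and log the outcome."""
        when = when or datetime.now(timezone.utc)
        obj = self.objects[obj_name]
        groups = self.members.get(user)
        if groups is None:
            allowed, reason = False, "not a member"
        elif device in self.wiped_devices:
            allowed, reason = False, "device wiped"
        elif not (groups & obj.allowed_groups):
            allowed, reason = False, "no group matches object policy"
        else:
            allowed, reason = True, "policy match"
        self.trail.append(AccessEvent(when, user, obj_name, action, device, allowed, reason))
        return allowed

    def where_is(self, obj_name):
        """Every (user, device, time) at which a copy of the object went somewhere."""
        return [(e.user, e.device, e.when) for e in self.trail
                if e.obj == obj_name and e.allowed and e.action in ("open", "copy")]

    def who_had(self, obj_name):
        return {e.user for e in self.trail if e.obj == obj_name and e.allowed}

    def denied(self, obj_name):
        return [(e.user, e.reason) for e in self.trail if e.obj == obj_name and not e.allowed]


def demo():
    """Constructed scenario: one confidential file, one finance user, one outsider."""
    acct = WorkgroupAccount()
    acct.register(DataObject("q3-forecast.xlsx", frozenset({"confidential"}), frozenset({"finance"})))
    acct.add_member("alice", ["finance"])
    acct.add_member("bob", ["marketing"])
    t0 = datetime(2012, 1, 9, 9, 0, tzinfo=timezone.utc)
    acct.request("alice", "q3-forecast.xlsx", "copy", "alice-ipad", t0)   # allowed
    acct.request("bob", "q3-forecast.xlsx", "open", "bob-laptop", t0)     # wrong group
    acct.wipe_device("alice-ipad")
    acct.request("alice", "q3-forecast.xlsx", "open", "alice-ipad", t0)   # wiped device
    acct.offboard("alice")
    acct.request("alice", "q3-forecast.xlsx", "open", "alice-phone", t0)  # no longer a member
    return acct


if __name__ == "__main__":
    a = demo()
    print("had it:", a.who_had("q3-forecast.xlsx"))
    print("copies on:", [d for _, d, _ in a.where_is("q3-forecast.xlsx")])
    print("denied:", a.denied("q3-forecast.xlsx"))
```

The point of the model is the ordering of checks and the trail: the policy lives on the object rather than in a folder, the trail records denials as well as successes, and removing a member or wiping a device changes future decisions without rewriting history, which is what the "who had it, and when" question requires.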

Steve Duplessie is the founder and senior analyst at the Enterprise Strategy Group, a leading independent authority on enterprise storage, analytics, and a range of other business technology interests.

