RSA 2008: Enterprise users are actively evading IT security controls

At the RSA Conference today, Palo Alto Networks announced the inaugural report that will track trends and risks in today’s enterprise applications landscape. The Application Usage and Risk Report examines the major shifts required in enterprise risk management as end user empowerment and next-generation application technology drastically reduce corporate visibility and control of employee computing activities.

Based on actual traffic from 350,000 users in 20 organizations including financial services, manufacturing, retail, healthcare, and state/local government, some major findings of the report include:

• The Big – Peer-to-peer applications (e.g., BitTorrent, eMule), a poster child for data loss, were found in 90% of accounts. And only a year after launch of the business edition, Google Applications, (Google Docs, Google Desktop and Calendar) exist in 60% of the sample, including some organizations that thought they had removed it from their desktops until it was business proven
• The Bad – In most organizations, (80%) end users are actively skirting IT security controls – with anonymous, external proxies and tunneling applications (e.g., CGIPoxy, TOR), enabling risky and unauthorized activities. Recently, web-based file uploaders (e.g., Megaupload, Yousendit) grew rapidly in 30% of the sample – representing a huge channel for wholesale data loss
• The Ugly – Web video and streaming audio are ubiquitous on networks at levels of 100% and 95% of the sample respectively, resulting in huge bandwidth drain even before considering security and productivity risks.

CIO/CSOs face a changed application landscape. Social networking, software-as-a-service (SaaS), personal messaging, and streaming media are merely a handful of the applications that can be found en masse on today’s enterprise networks. On one hand, corporate IT is asked to enable business expansion and help maintain a competitive edge by embracing these new applications and technologies. On the other hand, doing so in a controlled and secure manner is a challenge. Users are more savvy than ever at getting around IT.

Additionally, many new applications have evasive traits like port hopping, encryption, or tunneling built-into the product. In fact, some application providers encourage users to circumvent IT. These factors make it extremely difficult to manage risk coherently on enterprise networks with existing port-centric security tools.