Posted on May 01, 2013 | Executive Insights | 9 comments

I have had the idea for this post for a while, but this article from finally kicked me into writing it.

With Gartner’s research showing that 38% of CIOs expect to stop providing devices to users by 2016, it is clear that the trend of consumerization (and BYOD in particular) has taken hold. Decentralized management of devices is only part of the picture – the shift from on-premise applications to SaaS, and the ease of direct internet access from any device, are also rendering the traditional security perimeter redundant.

It used to look like this:

[Figure: security with all devices on a closed network]

… and then lots of devices appeared inside the organization that had their own high-speed internet connections, and the servers that delivered applications on-premise were gradually replaced by cloud services, outside the firewall.

Even the concept of the user directory is under threat. The idea that every user and computer needs to be registered in an explicit on-premise directory is also weakening, since the identities used to access cloud services are only sometimes integrated with it, and the likely future of identity is claims-based authentication, where users are authenticated based on criteria certified by a trusted third party. For example, I might want to allow access to parts of my sales database to selected partners. At one time I would have had to create user accounts for each of them in a directory. If I was more advanced I might have federated my directory to theirs so that they could be authenticated with their usual network logons. However, it would be a whole lot simpler if I could simply provide access to anyone who comes from those partner orgs, as long as they have been certified by a secure third party. It’s like going to a party with a friend – the host might not know you, but he trusts your friend not to bring troublemakers or losers to his party, so you’re invited in!
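To make the claims-based model concrete, here is an added example (not AppSense code, and not any particular product’s protocol) of the relying party’s side of the exchange: the sales database never holds a user account for the partner’s staff; it only checks that a claim set was signed by an issuer it trusts, is addressed to it, is unexpired, and certifies membership of an approved partner organisation. The token format (JSON claims plus an HMAC-SHA256 tag, both base64url-encoded), the issuer names and the shared keys are constructed assumptions; a real deployment would use an asymmetric signature such as SAML or a signed JWT, but the order of checks is the same.

```python
"""Claims-based access check for the 'partner view' of a sales database.
Added illustration; the token format, issuer names and keys are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed: each trusted identity provider shares an HMAC key with us.
# Trust is placed in the issuer, not in a per-user directory entry.
TRUSTED_ISSUERS = {
    "idp.partner-a.example": b"partner-a-shared-secret",
    "idp.partner-b.example": b"partner-b-shared-secret",
}
# Organisations whose certified members may see the partner view.
PARTNER_ORGS = {"Partner A Ltd", "Partner B GmbH"}
# The audience this service accepts; tokens minted for other services are rejected.
AUDIENCE = "sales-db.example"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, subject: str, org: str,
                ttl: int = 3600, now: Optional[int] = None) -> str:
    """What the third party does: sign a claim set about one of its users."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"iss": issuer, "aud": AUDIENCE, "sub": subject,
                          "org": org, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(tag)


def verify_claims(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claim set only if it is authentic, addressed to us and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64u(payload_b64)
        claims = json.loads(payload)
    except (ValueError, json.JSONDecodeError):
        return None  # malformed token
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None  # unknown issuer: reject before trusting any claim
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(tag_b64)):
        return None  # tampered payload or wrong key
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None  # meant for another service, or stale
    return claims


def may_view_partner_sales(token: str, now: Optional[int] = None) -> bool:
    """Authorize on the certified 'org' claim; no local account is needed."""
    claims = verify_claims(token, now)
    return claims is not None and claims.get("org") in PARTNER_ORGS


if __name__ == "__main__":
    t = issue_token("idp.partner-a.example", TRUSTED_ISSUERS["idp.partner-a.example"],
                    "alice", "Partner A Ltd")
    print("partner user allowed:", may_view_partner_sales(t))
```

The point to notice is that the host (the sales database) decides whom to trust by issuer, and the issuer decides who its members are; revoking a partner means removing one issuer key, not hunting for every account that was ever created for its staff. The expiry and audience checks are what stop a token captured from one service, or kept long after a partnership ended, from being replayed.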

By the way, when talking about the increasing redundancy of the firewall I am of course not referring to the firewalls that run directly on almost every desktop, laptop and server, and protect the individual network connections from attacks targeted at OS weaknesses. In fact, those are increasingly important as more and more devices are directly exposed to the Internet.

So putting this together what does security look like in our consumerized world? I’m a fan of placing protection directly around the apps and data that belong to a corporation, and doing it in such a way that leaves the user experience on the rest of the device unaltered.

[Figure: resource-level security around corporate apps and data]

It feels like a move to this model is inevitable – it’s just too easy to get direct internet access, and users will do it without even realizing they are breaching security rules. Trying to lock down every device, and secure all network access is impossible today.

So how would this work in practice? Essentially it’s an “opt-in” model of security. That might sound insane, but consider how comfortable with “opt in” this generation of workers is already:

  • Facebook (and other social media types) are essentially “opt-in privacy”. If you want to share your photos and network with your friends then you need to accept their rules and trust them with your privacy, and 1 billion people do!
  • Location Services – every phone offers you all kinds of clever apps if you will let the vendor use your location data. “Oh, and while we’re doing that do you mind if we gather info about the WiFi networks near you so we can build a map?” The majority clicks “yes”, if they are even given the option.
  • Gmail, Google Docs – millions voluntarily choose to benefit from free applications and email, knowing that their data is being mined for ways to advertise products to them.
  • Instagram – everyone got upset when Instagram threatened to actually use the photos everyone voluntarily stored on their site. I can’t say it better than xkcd.

So, if you want to use that device for work you have to “opt in” to the employer’s security policies. If that could be done in a way which doesn’t affect your regular user experience or compromise your privacy then, following the examples above, resistance should be minimal. So, you’re asking, “what products provide this amazing capability?” The answer is that this is still an emerging market, and I’ll write more about the options and competing technologies another day, but today I’ll leave you with a shameless plug for MobileNow, which achieves this on iOS already, with Android and other devices coming soon.

About Jon Rolls

As the Vice President of Product Management Jon Rolls drives the strategy for AppSense solutions. Leveraging over 15 years of software industry and Windows management experience, Jon has worked with several industry pioneers including Citrix, Quest Software and Dell. Jon often blogs about key industry observations, desktop management, and IT consumerization.


  • Simon Rust May 3rd, 2013

    Thought provoking post Jon, totally agree with you around the use case for on premise directories weakening – what are your thoughts around using something like PayPal as a secure auth provider? Authentication as a service :-) Minimising number of “logins” required and keeping things simple at the UX end – enterprises to hook into the auth system and provide access to enterprise resources via that mechanism. Obv there are the usual trust challenges / issues but are we really so far away from something like this…?

    • Jon Rolls May 3rd, 2013

      Thanks for the comments Simon. Part 2 of this post is nearly done and will be out next week.

      Auth as a service from the likes of PayPal or Google or Microsoft, or even Facebook is quite doable. The protocols exist but it’s a question of who you choose to trust. Just because Facebook says you are Simon Rust and you work for XYZ Inc., am I going to provide you with access for people from XYZ Inc. or do I want more proof? I’m more likely to trust PayPal, but they don’t gather enough identity info for claims-based security yet.

      For now, companies like Ping, Okta, Symplified et al will do well, joining up today’s silos of identity.

  • Rufus Tuesday May 3rd, 2013

    Logical conclusion of the argument isn’t ‘no firewall’, it’s ‘no infrastructure’ where the clients are. Effectively everyone’s a stand-alone ‘remote’ worker with a 4G connection, even when they’re in the office.

    The firewall’s generally there to protect not just client devices, but also the infrastructure that has to be put in place to enable a shared client network (Network Address Translation, DHCP, AAA services, wired and WIFI switches etc).

    Of course, the firewall’s moved on a bit these days too, many are looking for infected client behaviours, and data leakage, which might still make it valid to have a concentrated point of egress for client connections.

    • Jon Rolls May 3rd, 2013

      Great points Rufus. Clearly the corporate firewall still has a big role to play in protecting on-prem infrastructure, but as more and more of that infrastructure moves to the cloud there is less and less to protect.

      I like your point that firewall is likely to be replaced by a data gateway, which is the vision behind DataNow and products like it.
