I have had the idea for this post for a while, but this article from brianmadden.com finally kicked me into writing it.
With Gartner’s research showing that 38% of CIOs expect to stop providing devices to users by 2016, it is clear that the trend of consumerization (and BYOD in particular) has taken hold. Decentralized management of devices is only part of the picture – the shift from on-premises applications to SaaS, and the ease of internet access, are also rendering the traditional security perimeter redundant.
It used to look like this:
… and then lots of devices appeared inside the organization that had their own high-speed internet connections, and the servers that delivered applications on-premises were gradually replaced by cloud services, outside the firewall.
Even the concept of the user directory is under threat. The idea that every user and computer needs to be registered in an explicit on-premises directory is also weakening, since the identities for accessing cloud services are only sometimes integrated, and the likely future of identity is for authentication to be claims-based, where users are authenticated based on criteria certified by a trusted third party. For example, I might want to allow access to parts of my sales database to selected partners. At one time I would have had to create user accounts for each of them in a directory. If I were more advanced I might have federated my directory to theirs so that they could be authenticated with their usual network logons. However, it would be a whole lot simpler if I could simply provide access to anyone that comes from those partner orgs, as long as they have been certified by a secure third party. It’s like going to a party with a friend – the host might not know you, but he trusts your friend not to bring troublemakers or losers to his party, so you’re invited in!
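To make the “trusted friend” model concrete, here is a small added example (not code from this post or from any product it mentions) of what the relying party does in a claims-based setup: it never looks the user up in its own directory, it only checks that the claims were certified by an issuer it trusts, that they were not tampered with or expired, and that the issuer’s organization is allowed to see the requested part of the sales database. The token format, issuer names, policy table and HMAC shared keys are all constructed for illustration; real federation uses standard formats such as SAML assertions or JWTs signed with the issuer’s public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: issuer identifier -> verification key.
# (Assumption for the example: a shared HMAC key per issuer. Real deployments
# use the issuer's public key, typically obtained from federation metadata.)
TRUSTED_ISSUERS = {
    "idp.partner-a.example": b"partner-a-verification-key",
    "idp.partner-b.example": b"partner-b-verification-key",
}

# Constructed policy: which partner organizations may see which resource.
# Authorization is by issuing organization, not by individual user account.
RESOURCE_POLICY = {
    "sales/emea": {"idp.partner-a.example"},
    "sales/apac": {"idp.partner-a.example", "idp.partner-b.example"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, subject: str, ttl: int = 300, now=None) -> str:
    """Issuer (the partner's identity provider) certifies who the user is.
    Toy format: base64url(json claims) + "." + base64url(HMAC-SHA256 over the body)."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "iat": int(now), "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None):
    """Relying party: return the claims if the token comes from a trusted issuer,
    is untampered and is unexpired; otherwise return None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        sig_bytes = _unb64(sig)
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    issuer = claims.get("iss")
    if not isinstance(issuer, str) or issuer not in TRUSTED_ISSUERS:
        return None  # the "friend" vouching for this guest is not one the host trusts
    expected = hmac.new(TRUSTED_ISSUERS[issuer], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None  # claims were altered after the issuer signed them
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # stale certification is not accepted
    return claims


def authorize(token: str, resource: str, now=None) -> bool:
    """Grant access if the token verifies and the issuing org is allowed on the resource."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return claims["iss"] in RESOURCE_POLICY.get(resource, set())


if __name__ == "__main__":
    tok = issue_token("idp.partner-a.example", TRUSTED_ISSUERS["idp.partner-a.example"], "alice")
    print("partner A user on sales/emea:", authorize(tok, "sales/emea"))
    forged = issue_token("idp.unknown.example", b"attacker-key", "mallory")
    print("unknown issuer on sales/emea:", authorize(forged, "sales/emea"))
```

Note that `TRUSTED_ISSUERS` and `RESOURCE_POLICY` are the only things the relying party maintains; adding or removing a partner is a change to the trust list, not to a user directory, which is exactly the simplification the paragraph above describes.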
By the way, when talking about the increasing redundancy of the firewall I am of course not referring to the firewalls that run directly on almost every desktop, laptop and server, and protect the individual network connections from attacks targeted at OS weaknesses. In fact, those are increasingly important as more and more devices are directly exposed to the Internet.
So, putting this together, what does security look like in our consumerized world? I’m a fan of placing protection directly around the apps and data that belong to a corporation, and doing it in such a way that leaves the user experience on the rest of the device unaltered.
It feels like a move to this model is inevitable – it’s just too easy to get direct internet access, and users will do it without even realizing they are breaching security rules. Trying to lock down every device, and secure all network access is impossible today.
So how would this work in practice? Essentially it’s an “opt-in” model of security. That might sound insane, but consider how comfortable with “opt in” this generation of workers is already:
- Facebook (and other social media of its kind) is essentially “opt-in privacy”. If you want to share your photos and network with your friends then you need to accept their rules and trust them with your privacy, and 1 billion people do!
- Location Services – every phone offers you all kinds of clever apps if you will let the vendor use your location data. “Oh, and while we’re doing that do you mind if we gather info about the WiFi networks near you so we can build a map?” The majority clicks “yes”, if they are even given the option.
- Gmail, Google Docs – millions voluntarily choose to benefit from free applications and email, knowing that their data is being mined for ways to advertise products to them.
- Instagram – everyone got upset when Instagram threatened to actually use the photos everyone voluntarily stored on their site. I can’t say it better than xkcd.
So, if you want to use that device to work you have to “opt in” to the employer’s security policies, but if it could be done in a way which doesn’t affect your regular user experience or compromise privacy then, following the examples above, resistance should be minimal. So, you’re asking, “what products provide this amazing capability?”, and the answer is that this is still an emerging market and I’ll write more about the options and competing technologies another day, but today I’ll leave you with a shameless plug for MobileNow, which achieves this on iOS already, with Android and other devices coming soon.