I've sat there thinking about operating systems on a perfect Sunday afternoon. We spend a lot of time in information security worrying about how we're going to secure the endpoint, but whether we're talking about the hipster Mac OS, or Windows, or Android on your mobile handset - the divergence of the security model, in my opinion, is becoming obvious.
When Microsoft converged their kernel and made a single version of Windows most people were relieved, especially Microsoft developers and security types. It was now going to be easier to maintain the code base - but was that the right call? I think the jury may still be out... or maybe it's just not that simple.
Should there be a fundamentally different operating system for the consumer market versus the enterprise market?
The basis for my question comes from the way that 'security' is thought about and enforced in the two use cases. On the consumer end you don't want to have your grandmother thinking about whether she needs to update her Windows or flash her Android phone to the latest version fixing the various security bugs and adding new features. You'd rather not have to think about 'security' at all ...and let's face it, most consumers don't. You don't necessarily need to have all those remote management and "enterprise" hooks into the OS that you want for your enterprise user. On the consumer end you want simplicity and less opportunity for the user to "make the wrong security decision" (i.e., do you want to update Windows?). On the enterprise end you absolutely need deeper capability of remote management, policy capabilities, and account separation... things that are pointless on the consumer end unless you're talking about remote malware. Enterprises need to inventory their assets, push applications, push certificates or credentials, tokens and the like. Basically you want the enterprise end to be more highly security-configurable, manageable, and deeply defensible from the central nerve center of your enterprise.
On the consumer end you want simple. You want the security-based decisions to be abstracted from the user experience. You want the vendor to set policy and push updates, and want to have security 'behind the curtain' where the user can't opt out of a Patch Tuesday, or choose to disable UAC for the sake of convenience. You want the consumer OS to protect the user... often from themselves.
On the enterprise end you want control. You need the ability to set policy for a mass of users, and control the experience, peripheral attachment, and properties of that endpoint. You don't want the user to be able to undo the enterprise controls (i.e., central policy disables USB devices) to circumvent your security posture.
What About BYOD?
Thinking about what this means for BYOD - it could be argued that it would be counter-productive to remove enterprise control from a consumer OS (even if it's features that are removed or disabled) because it makes MDM more difficult - but aren't we saying that the endpoint is essentially not the place you want to worry about security in today's modern security landscape? Who really thinks MDM is the salvation of the consumer endpoint ...really? If your enterprise BYOD security policy relies on pushing MDM to your clients you'll end up with your users doing what I did on my personal iDevice - you'll simply remove access to corporate email rather than have the intrusive, invasive, snooping technology installed on your personal device. You'll have lots of opt-out, or privacy battles.
The applications, on the endpoint and backend, the network and user management are what make sense in BYOD (as we've said over and over) rather than the endpoint OS or device.
Recipe for Separation
I think when it comes to this discussion it makes logical sense to separate out the security models. On the use case of the 'consumer' we want simplicity. You know the vast majority of consumer users don't have their own "IT person" at their beck and call so they need to be spared from having to make those tough decisions they don't understand. When that certificate warning pops up, it shouldn't give you the option to "go to the site anyway" ... it should (in plain English) say "This website is not good for you, therefore, you can't go to it" - and end it there. No confusing jargon, no questions asked. On the consumer end of things we want simplicity and the ability to "just use it" without all the complex security overhead the enterprise systems have. Each consumer edition of an OS comes pre-configured with the things that you need to "keep you safe" (to an agreeable degree for the consumer) with simple-to-use interfaces and no-nonsense feedback.
When you're talking enterprise systems, you want central management, and (in the absence of central management) enable the 'power user' to control their own destiny and tweak controls, configurations and security levels by editing configuration files, making their own choices, etc. You can dump the technical details behind why a certificate error has occurred, and allow the user to continue or quit - knowing they are more likely to have knowledge to make the choice correctly.
When it all comes down to it, I'm starting to believe having a unified consumer and commercial OS just doesn't make sense. We fundamentally have (at least) two tiers of users, and we can't continue to do a "one size fits all" solution for them. The big question is ...now what?