My friend Brian Katz has a propensity for stirring the proverbial pot, and I love that about him. As the head of a mobility department for one of the global giants, Brian has a unique viewpoint on what he and his users want ... it's just not the typical 'security viewpoint' but then again, that's alright.
On his blog today, appropriately named "A Screw's Loose", he wrote a very interesting piece on herding kangaroos, which actually discusses the rise and fall of the mobile device management (MDM) market and its many, many, many offshoots. Brian declares (again?) that "MDM as a product is dead". Now, it so happens there are people on Twitter who have opinions on these types of things, and when provoked the conversation gets ... well ... interesting.
I'm going to quote Brian's piece here, because after you've read the entire thing these words will stick with you:
"What one has to remember is that MDM became another symptom of the sickness that IT has fallen into and vendors have capitalized upon which is characterized by legacy thinking. IT has always wanted to own the device. The data and the apps were always less important than protecting the device." -Brian Katz
So here we have MDM as a symptom of the sickness that ails IT, and not a cure as many in enterprise information security see it. Odd, wouldn't you say? I mean to point out here that while IT people seem to be turning to MDM more and more (I know internally we're doing this and it makes me nuts!) to secure their endpoints, this is causing more pain than it could ever solve. Why, you ask? Simple, Watson - because MDM feeds IT's need to own the endpoint, and this approach is just plain wrong, and doesn't translate into the future desired state.
Let me explain, before my security brethren come knocking on my door with pitchforks and torches.
I've said it time and again: security has defaulted to the perimeter since we could never get the 3 main things - identity and access, change management, asset management - quite right. This strange obsession with falling back to the perimeter has led us to the desire to control every endpoint where corporate critical data could possibly live. We used to lock down the servers and corporate desktops, and it was easy. Then, when data went mobile through tablets, laptops and mobile gadgets, we started to panic, and IT Security departments would mandate that every device "on the network" that could house corporate data be under the control of IT. This is strict control, as Brian points out in his post, from the cumbersome full-disk encryption to multiple layers of 'agents' which protect us from the bogeyman, keep viruses at bay, and federate our identities to disparate systems.
How's all this working? Be honest with yourself and the answer is simple - "it's NOT".
Naturally, when we start talking about BYOD (Bring Your Own Device) the conversation goes wonky. I won't debate whether BYOD is a good idea or not, because it's happening. This is sort of like debating whether sunrise is a good idea for the population or not ...meanwhile the sun will rise and you're wasting time when you could be mitigating. Now you're staring down the wrong end of a pointy stick called BYOD, and you're going to push MDM to it? LOL - that stands for "laughing out loud" as in I'm laughing at you if that's your strategy. Think about your strategy from the customer perspective. I, the owner of the device, bring in my device to work on corporate 'stuff' and you think you're going to push some agent to my device that controls and monitors? No thank you sir. Those personal family photos, music, texts, tweets and web browsing (hey, it's my device, right?) are off limits ... so MDM is a non-starter and we're back to disliking IT.
From the other perspective, the security perspective that is, what options do we have?! It's not like you can actually depend on applications to secure the data and developers to secure the application. Look at the statistics from any application security report and you'll understand why that starts to sound Looney Tunes ...at least in the short term. Knowing that you have to protect the organization, and that any option to 'secure the applications and data' is at the very least off in the distance - what else can we do? On Twitter we discussed MAM (Mobile Application Management) and other options, but at best these are in the process of maturing ...at least that's my limited view on things from experience with the mess.
We have some work to do ahead of us, folks in Enterprise Information Security, or IT Security ... there is both a short-term problem and a long-term problem - tactical and strategic. On the tactical side we need to figure out where the bleeding is coming from and do something to stop it. MDM may very well be your short-term salvation ...or MAM may be the way to go. Long-term (strategically) you need to ensure that your focus is on identity & access management, risk-averse (secure) application development, change management and asset management.
This isn't an easy problem to solve, and to be honest it's our own **bleep** fault. IT and enterprise security have spent years misunderstanding (and in some cases ignoring) the big-picture problems and instead slapping band-aids and duct tape on everything - well ... the revolution is here and the chickens are coming home to roost.
I still don't feel comfortable with where this ended up... because I'm not comfortable with it being an either/or situation. Taking over the customer's device is a no-go, and trusting the customer is just as dangerous in equal amounts.
I can't help but point out again, we did this to ourselves.