Up to Our Ears in Technical Debt - Mobile Data, Devices, and Applications in the Enterprise

My friend Brian Katz has a propensity for stirring the proverbial pot, and I love that about him. As the head of a mobility department for one of the global giants, Brian has a unique viewpoint on what he and his users want ... it's just not the typical 'security viewpoint' but then again, that's alright.


On his blog today (appropriately named "A Screw's Loose") he wrote a very interesting piece on herding kangaroos, which actually discusses the rise and fall of the mobile device management (MDM) market and its many, many, many offshoots. Brian declares (again?) that "MDM as a product is dead". Now, it so happens there are people on Twitter who have opinions on these types of things, and when provoked the conversation gets ... well ... interesting.


I'm going to quote Brian's piece here, because after you've read the entire thing these words will stick with you:


"What one has to remember is that MDM became another symptom of the sickness that IT has fallen into and vendors have capitalized upon which is characterized by legacy thinking. IT has always wanted to own the device. The data and the apps were always less important than protecting the device." - Brian Katz


So here we have MDM as a symptom of the sickness that ails IT, and not a cure as many in enterprise information security see it. Odd, wouldn't you say? I mean to point out here that while IT people seem to be turning to MDM more and more to secure their endpoints (I know internally we're doing this and it makes me nuts!), this is causing more pain than it could ever solve. Why, you ask? Simple, Watson: because MDM feeds IT's need to own the endpoint, and this approach is just plain wrong, and doesn't translate into the future desired state.


Let me explain, before my security brethren come knocking on my door with pitchforks and torches.


I've said it time and again: security has defaulted to the perimeter since we could never get the 3 main things - identity and access, change management, asset management - quite right. This strange obsession with falling back to the perimeter has led us to the desire to control every endpoint where corporate critical data could possibly live. We used to lock down the servers and corporate desktops, and it was easy. Then, when data went mobile through tablets, laptops and mobile gadgets, we started to panic, and IT Security departments would mandate that every device "on the network" that could house corporate data was under the control of IT. This is strict control, as Brian points out in his post, from the cumbersome full-disk encryption to multiple layers of 'agents' which protect us from the bogeyman, keep viruses at bay, and federate our identities to disparate systems.


How's all this working? Be honest with yourself and the answer is simple - "it's NOT".


Naturally, when we start talking about BYOD (Bring Your Own Device) the conversation goes wonky. I won't debate whether BYOD is a good idea or not, because it's happening. This is sort of like debating whether sunrise is a good idea for the population or not ... meanwhile the sun will rise and you're wasting time when you could be mitigating. Now you're staring down the wrong end of a pointy stick called BYOD, and you're going to push MDM to it? LOL - that stands for "laughing out loud", as in I'm laughing at you if that's your strategy. Think about your strategy from the customer perspective. I, the owner of the device, bring in my device to work on corporate 'stuff' and you think you're going to push some agent to my device that controls and monitors? No thank you, sir. Those personal family photos, music, texts, tweets and web browsing (hey, it's my device, right?) are off limits ... so MDM is a non-starter and we're back to disliking IT.


From the other perspective, the security perspective that is, what options do we have?! It's not like you can actually depend on applications to secure the data and on developers to secure the application. Look at the statistics from any application security report and you'll understand why that starts to sound Looney Tunes ... at least in the short term. Knowing that you have to protect the organization, and that any option to 'secure the applications and data' is at the very least off in the distance - what else can we do? On Twitter we discussed MAM (Mobile Application Management) and other options, but at best these are in the process of maturing ... at least that's my limited view on things from experience with the mess.


We have some work to do ahead of us, folks in Enterprise Information Security, or IT Security ... there is both a short-term problem and a long-term problem - tactical and strategic. On the tactical side we need to figure out where the bleeding is coming from and do something to stop it. MDM may very well be your short-term salvation ... or MAM may be the way to go. Long-term (strategically) you need to ensure that your focus is on identity & access management, risk-averse (secure) application development, change management and asset management.


This isn't an easy problem to solve, and to be honest it's our own **bleep** fault. IT and enterprise security have spent years misunderstanding (and in some cases ignoring) the big-picture problems and instead slapping band-aids and duct tape on everything - well ... the revolution is here and the chickens are coming home to roost.


I still don't feel comfortable with where this ended up ... because I'm not comfortable with it being an either/or situation. Taking over the customer's device is a no-go, and trusting the customer is just as dangerous.


I can't help but point out again, we did this to ourselves.


Brian Katz (anon) | 12-10-2012 06:00 PM



Nice post, but I think you left out the most important piece in your conclusion. It's the data, stupid ... if we do all those other things but don't also focus on the data, we forget that although we built an awesome brick wall with doors that require identity, and we build apps that are good and secure, we forgot that we had kangaroos behind the wall that just hopped over and spread throughout the world, with no one the wiser.


Data has to be part of the equation, which is why I brought up the future which will hopefully be MIM, where the policy and security follows the data and the endpoint and apps have basic controls and APIs that can understand that policy and security (identity is part of those 2 pieces). There really is hope here, if you can see through the legacy fog.

Bitzer_Walt (anon) | 12-13-2012 09:46 PM

Key take-away is the bottom line on MDM...


"MDM feeds IT's need to own the endpoint, and this approach is just plain wrong"

Bingo. I agree with Brian regularly that MDM features are useful, but it's the beginning, not the end. Mobility has brought the fight to our door, with so many endpoints and devices that it's finally becoming obvious to IT - the data is what must be secured, not the device. The device is quite literally disposable.

Dastake (anon) | 12-19-2012 06:07 PM



I enjoyed reading your write-up. I'm involved in several conversations every week with our customers, trying to get them to see the scenario from the business process point of view. I tell them the key here is to protect the system, i.e. the applications and the data, not the mobile devices. One can lose a device, break a device or change a device; what remains constant is the user identity, the company's access policies and the business process that they are trying to conduct. Read my blog on this: http://goo.gl/XvX5P

The opinions expressed above are the personal opinions of the authors, not of HP.