I recently gave a presentation at the Consumerization of IT in the Enterprise conference in San Francisco. It was a lot fun and generated a ton of comments and questions at the end – which was part of the point. The last slide of my deck I issued a challenge to the audience. I wanted them to change their way of thinking. I spent the whole presentation on Securing the Mobile Enterprise building up to the the fact that most businesses were approaching mobile strategy using legacy thinking and now was the time to get out of the habit.
We have spent the last 20 years in the enterprise doing one thing. We track assets. We label every machine that goes out with some sort of asset tag, we stick in it our CMDB (Change Management Data Base) and only worry about it once a year when it is time to do the annual audit. We manage devices. We look to secure every device and every endpoint. We have two goals in mind. To keep the nasties out while keeping our data in. What has that brought us to? Security makes sure we encrypt our laptops. We run anti-virus and anti-malware suites. We surf the Internet through locked down proxy servers. We essentially use everything in our arsenal to lock down corporate devices. What is the net effect of this? Your machine slows down and you have such a bad user experience that you spend every second of your time figuring out how to get around these standard protections. You ask around IT to see if there’s a way around the proxy servers, you bring in a MiFi to get around the proxy server. You figure out if there is a way to turn everything off and, in the end, all you end up doing is an end run around security and exposing everything under the skirt.
These are those little dirty secrets that every enterprise has. We know that we have already lost data outside our perimeters, not because someone stole it, but because people are trying to get their work done. You have the executive who emails a document to his home email address so they can work on it at night. You have some who have found a way to put their data in Dropbox, Box, or Sugar Sync. Let’s not forget the USB drives that everyone has and, of course, some phones act just like a USB stick these days, allowing you to put it in disk mode and move data to it. The issue is that security just takes this as a sign to find new ways to lock devices down and control the endpoints.
The challenge is to use the Consumerization of IT to go with a whole new approach. It’s time to let the data flow free and give it the opportunity to live everywhere. Build APIs that allow people to access the data that they need on whatever device they want to use. Work on moving away from managing the devices by completely locking them down and move towards securing the data. Work on ways to encrypt the data while it lies on site. When it moves out of its repository and through the intertubes that we call the web it flows through secure tunnels (notice I didn’t say VPN) and when it arrives at its final destination, whether it be desktop, laptop, smartphone or tablet, the data is encrypted while at rest. Build the keys into the apps that you design to use that data. Use 2-factor authentication by using certificates to enable access to the data. What happens if one loses the device? Revoke the keys. Render the data unusable. Instead of using everything in your arsenal to essentially make many peoples’ jobs harder, help them to embrace the Consumerization of IT by changing the way you think about your assets. You have two important assets, your data and your people. Stop focusing on devices, endpoints and ways that data can be stolen, instead, look to enable your people to use use your data to affect the progress of moving your organization forward.