It’s the data stupid!

by Brian Katz on June 6, 2012 · 7 comments

My good friend Ben Goodman echoed something in his post from Monday that I have seen in a bunch of other posts recently. It aims to tackle the fact that in BYOD (Bring your own device) you will have corporate and personal data on your individual device. “However, the more important trend, at least when it comes to security and regulatory compliance – is happening under the surface of the device. It’s how employees are choosing the cloud-based applications they want to use. These impulse application selections means, too often, that proprietary data or data that should be protected actually ends up scattered through many online services and accessed on devices the enterprise doesn’t manage.” There a couple of things wrong with this statement and then the thesis that stands behind it. None of this reflects on the rest of Ben’s very good post, I’m just picking on this idea.

The first fallacy that must be tackled here is that most employees don’t choose their cloud and in many cases don’t even know what a cloud means in this context. They choose apps that are aligned with clouds but not necessarily the cloud behind it. People choose to use Evernote because it allows notes that they take on one device to automagically appear on another one of their devices. People pick Notesy or SimpleNote because it allows them to type notes and get them somewhere else. They don’t usually understand the Dropbox and Box are clouds. They may understand that iCloud is a cloud but only because someone put it in the name. I actually had a conversation today where we said we shutting down access to a specific cloud and the person had no idea what it meant to them or their users.

The second fallacy of this statement is that these selections are impulse buys. People choose apps because it allows them to get something done easily. They prefer free apps but if the app is simple enough and saves them from some arduous task they will consider paying for it. When it comes to work and employees, they choose their apps one of two ways, they were provided an app to do the job that has a great UI and UX, or they were provided a crapplication that causes them to want to tear their hair out. When that happens they start to look in their device’s marketplace for an app that provides an easier way to do the same tasks that won’t involve doing bodily harm to themselves.

The last issue is that people are putting corporate data at risk and it wasn’t until mobile devices came around that the data was ever at risk.  Most of the applications that people are choosing to use are for creating their own data. While it might involve some corporate data, they took notes in Evernote during a meeting; in most cases it’s not these app choices that are putting corporate data into arbitrary clouds. That’s not to say that employees won’t use Box, SugarSync, or Dropbox to move a work file home so they can use it on their own time. Employees have been doing that for a few years, long before they could even use their mobile devices for editing. They would email their word doc home or put it on a thumb drive. As soon as Dropbox appeared it became the preferred method for moving data around because it was easy. To think that it is an impulse app selection that causes enterprise data to be spread around just doesn’t pass the smell test. Years ago people use to bring paper documents home in their briefcase; it isn’t something that just started happening out of the blue.

This doesn’t mean that the enterprise should throw their hands up and give in. On the contrary, they should see this as an opportunity to engage their employees and discover with the employees, how to make them the most productive possible. They should work with the employees to make those solutions that avoid the crapplication classification and let people be more efficient and productive. When they discover what those apps are, they should like at some sort of MAM (Mobile Application Management) system that will allow them to wrap or containerize the app so they can protect enterprise data. The issue with these systems is that they will only help those whom are using mobile devices and won’t affect those that are using laptops and desktops.

Enterprises have to start looking at what’s important here and it’s the data that is their asset. They need to look for way to protect the data, which will eventually lead them to look into a MIM (Mobile Information Management) System. If they look at ways to protect the data no matter where it lies, they begin to understand that the endpoints become abstracted. They no longer have to worry about their employees emailing the data home or putting it on a USB stick, they have built their protection scheme around the information that is valuable to them.

The thesis behind all of these protectionist statements revolves around the fear, uncertainty, and doubt (FUD) surrounding CoIT, that users always want to go around IT and CoIT encourages them to do that. Enterprises feel they must control this consumerization and their users or they will make bad choices if they haven’t already. While this can and does happen sometimes, it is most often due to the inability of IT to embrace a strategy that incorporates and enables mobile computing so people can work from anywhere at anytime with the data that they need. It is a matter of moving away from the legacy strategy that says you must control the endpoints to be safe, people be damned, to a strategy of protecting your most strategic asset, your data, and yet allowing your employees to be able to use it in an easy and productive manner.

{ 7 comments… read them below or add one }

Swarna June 6, 2012 at 6:15 pm

Copying my comments from Twitter—
The need for “mobility” of data and apps has existed for almost forever – just think about floppy disks, thumb drives, r/w CDs. The difference now is that “it” is now our smartphone. Securing mobile devices, therefore, has become very important (highly understated) because data loss/leakage can happen in many unforeseen ways by many “innocent” users (who have to be educated first!). And you, with this post, have hit the spot – MIM – protect what matters (as we SymPeople say :) )

Reply

Ben Goodman June 7, 2012 at 8:03 am

Brian

Reply

Ben Goodman June 7, 2012 at 8:36 am

Brian,

You basically spend three paragraphs disputing things I didn’t say…

You say “The first fallacy that must be tackled here is that most employees don’t choose their cloud and in many cases don’t even know what a cloud means in this context.” I never said that employees chooses their cloud, in fact I said “employees are choosing the cloud-based applications” which is consistent with what you say in the rest of your paragraph. So you seem to be implying that I said something which I didn’t say and don’t believe.

The second fallacy of mine you point to is that I said these selections are “impulse buys.” I actually did say that one, but I stand by it. Compared to the way an enterprise chooses vendors and buys applications and services, most end-user app purchases are impulses. How many users will try 3 or 4 different apps that do the same thing before they finally settle on the one they like? The fact that the background is blue, or that the buttons have a cool drop shadow may be something that contributes to picking one app over another for an end-user. That is an impulse compared to the enterprise who instead will want to ensure that data is encrypted and the viability of a vendor and many more such things. So in the context of the enterprise, end-user app purchases may not be uninformed or thoughtless, but compared to the due diligence applied to enterprise software purchases they are impulse buys.

Your third point is that I said “It wasn’t until mobile devices came around that the data was ever at risk” I NEVER SAID THAT! As you point out (and I agree with you) there have been plenty of other way data could walk out the door in the past, but these problems are magnified by the explosion of mobile devices and of cloud services that make it too easy for data to exfiltrate the enterprise. In fact, I would argue that the cloud services are the bigger issue than mobile devices. The consumerization of the back-end via cloud services and the consumerization of the front end via “smart” devices has made this problem exponentially more pervasive and equally as hard to tackle.

I appreciate you referencing and even complementing my post, but the reality is we agree on most of these issues and there is no reason to create psuedo-conflict where little to none exists. I think the only thing which we really disagree on is my comment about impulse buys, but I think that is a matter of semantics as opposed to a real differing of opinions.

So to paraphrase what someone else said. None of this reflects on the rest of your very good post, I’m just picking on this idea that there are really three things that we disagree on here.

Reply

Brian Katz June 7, 2012 at 9:00 am

Ben –

I’ll grant you that you are right and I apologize, when I wrote this post originally at 2am I missed the word application in the quote (I originally only used half of the quote) so my bad. So you are right about calling a fallacy on the quote and I will need to make a change in here due to that.
We can agree to disagree about impulse buys. When people are looking to be productive, unless its free they spend more time looking at apps then you or I give them credit for.
It could be me reading into the quote but there is way too much time spent on personal mobile devices and data at risk when the same risk has been there before people were using mobile devices this way. Anytime we start talking about CoIT and people moving data around it is seen as a new thing, not as a vector that has existed for 50 years…

Thanks for the comment Ben and I will look to fix that one piece later today.

Reply

Ben Goodman June 7, 2012 at 12:09 pm

Thanks Brian and keep up the great work. This content is great for the whole industry.

Reply

Jeff Enderwick June 7, 2012 at 8:53 am

dead on the money.

Reply

Dan Garcia June 12, 2012 at 9:41 pm

Excellent post again. Data management will be the end game for BYOD, but really the success of the cloud as a whole. Currently there is no way of marking or identifying what is personal data and corporate data if an end user has the control they ultimately desire. Enterprises can’t adequately manage data, information you post on social networks like Facebook, or even things you say to Siri (see IBM).

I see solutions starting to emerge for MIM (cloud data storage).. but social networks or other cloud services are another beast yet to be tamed. It will take a platform change for many of these providers with open standards, I just don’t see it happening.

Reply

Leave a Comment

Previous post:

Next post: