I spend a lot of time talking to EMM (Enterprise Mobility Management) vendors these days. Some of them have been trumpeting the EMM meme for years, whereas others are just starting to move in that direction. Previously these were all MDM (Mobile Device Management) vendors, but as that acronym has started to lose some buzz they decided a name change was in order. They have started to realize, as I have been saying for a long time, that MDM as a product is dead. The Consumerization of IT (CoIT) has led them to realize that they can’t keep selling businesses licenses to a product that will sit on the shelf unused because of the exorbitant control IT would be exerting over a user’s device.
What one has to remember is that MDM became another symptom of the sickness IT has fallen into, and vendors have capitalized upon: legacy thinking. IT has always wanted to own the device. The data and the apps were always less important than protecting the device. Granted, ten to twenty years ago they had no other choice; they were coming from a mainframe world where people used terminals, and when they moved to a client/server model they used the only paradigm available to them.
Take a look at that corporate laptop you have sitting on your desk. There’s a decent chance it has whole-disk encryption running on it, which prohibits Single Sign-On (SSO) for you. After you unlock the encryption and boot up, you still have to log into Microsoft Windows. No matter which version of the OS you have, you most likely have at least an anti-virus program running on the machine. As Windows likes to remind you, you probably have anti-malware software installed as well, and maybe some ad-blocking software if you’re lucky. Then you have the personal firewall that is centrally managed by IT, and let’s not forget that you are hooked up to a proxy server if you try to access the internet. All these pieces, when put together, point to IT owning your machine. They have built a giant castle of software around your machine meant to protect them and all their data from having anything malicious happen to it.
Anyone notice a problem with this yet? IT has built the impenetrable wall, and yet they’ve made it out of straw. All it takes is one determined individual and the walls start to fall away as they figure out a way over the wall while avoiding all the traps you have laid. Usually it is the person who uses the machine, not an outside intruder, who does this. Why, you may ask? All these things that IT did to the user’s machine have managed to slow it down to the point where it becomes almost impossible to get any work done. When I started out in this business, it was the running joke that you turned your machine on and then went to get a cup of coffee because it took so long to boot. These days the boot sequence is fairly quick, but getting everything turned on and ready to go now takes twice as long.
At no point in protecting this endpoint did IT actually spend time figuring out what was truly important to protect. They didn’t have to. Machines were tied to desks and information was stored on servers that sat in a data center. They didn’t start thinking about the endpoint until they had to start dealing with laptops, and even then they found a way to fit them into the existing model. The only issue is that it’s not about the endpoint (despite the amount of software that has “endpoint protection” in the name or description); it’s about the data and the users accessing and using that data. IT didn’t necessarily spend a lot of time training the end user on what to watch out for and how to stay secure. They also forgot about classifying the data and putting good data protection in place. They could get away with this when they controlled the endpoints and consumers couldn’t afford good technology…
Now we live in the age of CoIT, and at the same time we have the ITization of the consumer. Consumers can not only afford equipment as good as or better than what work provides them, they have faster network connections, and they have become self-sufficient at many of the tasks IT used to perform for them. IT’s approach to this, and to the onslaught of BYOD (Bring Your Own Device), has been to fall back into the old trap of owning the device. They want full control of the device, the ability to control what you do with it, and the ability to wipe it if there is a problem. It is just another case of ostrichitis: do what you always did and hope for the best.
The real problem here is that IT forgot to involve the most important people in the discussion. They left out the users. The users have (to borrow a phrase from Brian Madden) embraced the philosophy of FUIT (you find a way to make an end run around IT) and want to access the data they need with the right app on the right device at the right time. They are looking to enable these right-time experiences that allow them to be more efficient and productive for the business. They are looking to be enabled by IT and the business in ways that allow them to use the right tool for the job. When IT fails at this enablement, they find a way to go around it. Maybe they throw their data in Dropbox, or email a document to their home account. They may find an app that does the job better, or use a cellular network to get the access they need to find the answers they want when they need them.
This is why, when they look at having their device controlled by MDM, they balk at it. They understand the nuances better than IT does: they want their own data to stay their own, while at the same time being able to access the corporate data they need. They’re looking for solutions that enable them, and all they ask of IT is that it take its head out of the sand, partner with the business and with security, and find a way for users to be happy and productive.
This means that IT has to move away from managing the device and using MDM as a checkbox tool for the auditors (this is when IT deploys a tool solely because it meets one of the requirements an auditor checks that you have in place), and has to look at real solutions that minimize the risk of data loss while maximizing the enablement of the user. These solutions, which everyone is starting to put under the umbrella of EMM, involve MDM as a feature set, but rarely as a frontline tool. They are slowly moving towards MAM (Mobile Application Management) solutions that focus on the apps that will be accessing the corporate data and allow IT to wall off just that data while leaving the rest of the device alone. Eventually EMM will encompass both MDM and MAM as it moves towards MIM (Mobile Information Management). MIM involves creating a solution where policy and security, as well as identity, are part of the data flow and follow the data wherever it goes. An app will react to the data based upon the policy attached to it, not based upon the app itself, and that policy will be based partially on the identity of the user. (We will be devoting a post in the near future to explaining MIM in better terms, although there are no full MIM solutions available yet.) The best part is that the user is unaware of all of this and just goes about manipulating the data in whatever app does the best job.
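To make the MIM idea concrete, here is an added illustration (not code from the post or from any vendor) of data that carries its own policy: the policy is bound to the payload with a MAC so an app can detect when it has been stripped or altered, and the app decides what a user may do from that policy plus the user’s identity, denying by default. The key, the policy schema and the sample document are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key shared by the policy authority and the consuming apps (assumption;
# a real deployment would use per-tenant keys or signatures from an identity service).
POLICY_KEY = b"constructed-demo-policy-key"


def _tag(policy_json: bytes, payload: bytes, key: bytes) -> str:
    """MAC over policy + hash of payload, so neither can be swapped independently."""
    msg = policy_json + b"\n" + hashlib.sha256(payload).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def attach_policy(payload: bytes, policy: dict, key: bytes = POLICY_KEY) -> dict:
    """Wrap data with its policy; the container travels with the data wherever it goes."""
    policy_json = json.dumps(policy, sort_keys=True).encode()
    return {"payload": payload, "policy": policy_json, "tag": _tag(policy_json, payload, key)}


def decide(container: dict, identity: dict, action: str, key: bytes = POLICY_KEY) -> bool:
    """Allow `action` only if the attached policy is intact and grants it to this identity."""
    expected = _tag(container["policy"], container["payload"], key)
    if not hmac.compare_digest(expected, container["tag"]):
        return False  # policy detached or tampered with: treat the data as unreadable
    policy = json.loads(container["policy"])
    rule = policy.get("actions", {}).get(action)
    if rule is None:
        return False  # deny by default: unlisted actions are never allowed
    if identity.get("user") in rule.get("users", []):
        return True
    return bool(set(identity.get("groups", [])) & set(rule.get("groups", [])))


# Constructed sample: a confidential document viewable by finance, shareable only by the CFO.
SAMPLE_DOC = attach_policy(
    b"Q3 forecast (constructed sample)",
    {"classification": "confidential",
     "actions": {"view": {"groups": ["finance"]}, "share": {"users": ["cfo"]}}},
)


def tampered_copy(container: dict) -> dict:
    """Simulate an app rewriting the policy to grant itself access; the MAC no longer matches."""
    loose = dict(container)
    loose["policy"] = json.dumps({"actions": {"view": {"groups": ["everyone"]}}}).encode()
    return loose
```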
Remember those features of MDM that were so important, such as being able to wipe the user’s device? Those only get used after a user requests it, because the corporate data is already protected. IT will be partnering with the users and developing enablement solutions instead of worrying about herding a mob of wild kangaroos…