Herding Kangaroos

by Brian Katz on December 10, 2012 · 17 comments

I spend a lot of time talking to EMM (Enterprise Mobility Management) vendors these days. Some of them have been trumpeting the EMM meme for years, whereas others are just starting to move in that direction. Previously these were all MDM (Mobile Device Management) vendors, but as that acronym started to lose some of its buzz they decided a name change was in order. They have started to realize, as I have been saying for a long time, that MDM as a product is dead. The Consumerization of IT (CoIT) has led them to realize that they can’t keep selling businesses licenses to a product that will sit on the shelf unused because of the exorbitant control that IT would be exerting on a user’s device.

What one has to remember is that MDM became another symptom of the sickness that IT has fallen into, and that vendors have capitalized upon: legacy thinking. IT has always wanted to own the device. The data and the apps were always less important than protecting the device. Granted, ten to twenty years ago they had no other choice; they were coming from a mainframe world where people used terminals, then moved to a client/server model and used the only paradigm available to them.

Take a look at that corporate laptop that you have sitting on your desk. There’s a decent chance that it has whole disk encryption running on it, which prohibits Single Sign-On (SSO) for you. After you unlock the encryption and boot up, you now have to log into Microsoft Windows. No matter which version of the OS you have, you most likely have at least an anti-virus program running on the machine. As Windows likes to remind you, you probably have anti-malware software installed, as well as maybe some ad blocking software if you’re lucky. Then you have the personal firewall that is centrally managed by IT, and let’s not forget that you are hooked up to a proxy server if you try to access the internet. All these pieces, when put together, point to IT owning your machine. They have built a giant castle of software around your machine meant to protect them and all their data from having anything malicious happen to it.

Anyone notice a problem with this yet? IT has built the impenetrable wall, and yet they’ve made it out of straw. All it takes is one determined individual and the walls start to fall away as they figure out a way over the wall while avoiding all the traps you have laid. Usually it is the person who owns the machine, not an outside intruder, who does this. Why, you may ask? All these things that you did to the user’s machine have managed to slow it down to the point where it becomes almost impossible to get any work done. When I started out in this business, it used to be the running joke that you turned your machine on and then went to get a cup of coffee because it took so long to boot. These days the boot sequence is fairly quick, but getting everything turned on and ready to go now takes twice as long.

At no point in protecting this endpoint did IT actually spend time figuring out what was truly important to protect. They didn’t have to. Machines were tied to desks and information was stored on servers that sat in a data center. They didn’t start thinking about the endpoint until they had to start dealing with laptops, but they found a way to fit them into the existing model. The only issue is that it’s not about the endpoint (despite the amount of software that has endpoint protection in the name or description); it is about the data and the users accessing and using the data. IT didn’t necessarily spend a lot of time training the end user on what to watch out for and how to stay secure. They also forgot about classifying the data and putting good data protection in. They could get away with this when they controlled the endpoints and consumers couldn’t afford good technology…

We now live in the age of CoIT and, at the same time, the ITization of the consumer. Users can not only afford equipment as good as or better than what work is providing them, they have faster network connections, and they have become self-sufficient at many of the tasks that IT used to perform for them. IT’s approach to this and to the onslaught of BYOD (Bring Your Own Device) has been to fall back into the old trap of owning the device. They want full control of the device, the ability to control what you do with it, and the ability to wipe it if there is a problem. It is just another case of ostrichitis: do what you always did and hope for the best.

The real problem here is that IT forgot to involve the most important people in the discussion. They left out the users. The users have (to borrow a phrase from Brian Madden) embraced the philosophy of FUIT (you find a way to make an end run around IT) and want to access the data they need with the right app on the right device at the right time. They are looking to enable these right-time experiences that allow them to be more efficient and productive for the business. They are looking to be enabled by IT and the business in ways that allow them to use the right tool for the job. When IT fails at this enablement, they find a way around it. Maybe they throw their data in Dropbox, or send an email with a doc to their home account. They may find an app that does the job better, or use a cellular network to get the access they need to find the answers they want when they need them.

This is why, when they look at having their device controlled by MDM, they balk at it. They understand the nuances better than IT and they want their data to stay their own while at the same time being able to access the corporate data that they need. They’re looking for solutions that enable them, and all they ask from IT is that it take its head out of the sand, partner with the business and security, and find a way for them to be happy and productive.

This means that IT has to move away from managing the device and using MDM as a checkbox tool for the auditors (this is when IT deploys a tool solely because it meets one of the requirements that an auditor makes sure you have in place), and they have to look at real solutions that minimize the risk of data loss while at the same time maximizing the enablement of the user. These solutions, which everyone is starting to put under the umbrella of EMM, involve MDM as a feature set, but rarely as a frontline tool. They are slowly moving towards MAM (Mobile Application Management) solutions that focus on the apps that will be accessing the corporate data and allow IT to wall off just that data while leaving the rest of the device alone. Eventually EMM will encompass both MDM and MAM as it moves towards MIM (Mobile Information Management). MIM involves creating a solution where policy and security, as well as identity, are part of the data flow and follow the data wherever it goes. An app will react to the data based upon the policy that is attached to it, not based upon the app itself, and that policy will be based partially on the identity of the user. (We will be devoting a post in the near future to explaining MIM in better terms, although there are no full MIM solutions available yet.) The best part is that the user is unaware of all of this and just goes about manipulating the data in whatever app does the best job.
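To make the MIM description above concrete, here is an added example (not code from this post or from any EMM product) of data that carries its own policy and of an app that decides what it may do with that data from the attached policy and the user’s identity, and that refuses the data when the policy has been stripped or altered; the seal key, the policy fields and the managed-device flag are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key. In a real deployment the key would be provisioned to
# enrolled apps by the enterprise; its form here is an assumption.
SEAL_KEY = b"constructed-demo-key-not-for-production"


def _tag(content: bytes, policy: dict) -> str:
    """HMAC over policy and content together, so the policy cannot be
    swapped or stripped from the data without detection."""
    policy_json = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, policy_json + b"\x00" + content, hashlib.sha256).hexdigest()


def seal(content: bytes, policy: dict) -> dict:
    """Attach the policy to the content: this bundle is what travels."""
    return {"content": content, "policy": policy, "tag": _tag(content, policy)}


def verify(asset: dict) -> bool:
    """Recompute the tag in constant time; an edited policy fails here."""
    return hmac.compare_digest(_tag(asset["content"], asset["policy"]), asset["tag"])


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    managed_device: bool  # posture the app learned at enrollment (assumed)


def decide(asset: dict, who: Identity, action: str) -> tuple:
    """The app reacts to the data based on the policy attached to it and on
    the user's identity, not on anything device-wide. Returns (allowed, why)."""
    if not verify(asset):
        return False, "policy tag invalid; refusing to open"
    policy = asset["policy"]
    allowed_roles = policy.get("allow", {}).get(action)
    if allowed_roles is None:
        return False, f"{action!r} not permitted by policy"
    if not who.roles.intersection(allowed_roles):
        return False, f"{who.user} has no role permitted to {action}"
    if action == "share" and policy.get("share_requires_managed_device") and not who.managed_device:
        return False, "share requires a managed device"
    return True, f"{who.user} may {action}"


# Constructed sample: a confidential corporate document and its policy.
FORECAST_POLICY = {
    "classification": "confidential",
    "allow": {"view": ["finance", "exec"], "edit": ["finance"], "share": ["exec"]},
    "share_requires_managed_device": True,
}
FORECAST = seal(b"Q3 forecast (constructed sample)", FORECAST_POLICY)


def relaxed_copy(asset: dict) -> dict:
    """Same content and tag but a looser policy: what a stripped copy looks like."""
    return {**asset, "policy": {"allow": {"view": ["sales"]}}}
```

The same app opens a personal note and a sealed corporate document; only the attached policy, not the device, decides what it may do.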

Remember those MDM features that were so important, such as being able to wipe the user’s device? Those only get used when a user requests it, as the corporate data is already protected. IT will be partnering with the users and developing enablement solutions instead of worrying about herding a mob of wild kangaroos…

  • http://twitter.com/landonf Landon Fraley

    Isn’t one of the challenges with MIM similar to the SDK/wrapping challenge for MAM? The app vendors need to support some yet-to-be-determined standard for adhering to the policy, ensuring the data’s integrity.

    Now that Citrix has all (most?) of the pieces, I can envision this starting to take place under the Receiver umbrella, but only time will tell. Being able to control the device (Zenprise), the apps (CloudGateway Enterprise) and providing an integrated alternative to Dropbox (ShareFile) should go a long way to helping customers support their diverse application needs.

    BTW, for those that don’t know, I work for Citrix but the post is my own thoughts.

    • http://twitter.com/bmkatz Brian Katz

      Landon –

      Yes – one of the challenges of MIM will be having an API that can understand the policy and security that follows the data. This is why companies that are at the MAM stage have an advantage moving forward. In order to be competitive though, a company is going to have to open source that API in order to have it in the most business apps possible…

      As far as Citrix goes, I’m not sure whether that would be the Receiver umbrella or the NetScaler (I think the latter but I am not a Citrix expert). Yes – with the acquisition of Zenprise Citrix should have most of the pieces that it needs, but it’s putting the pieces together in a coherent story with some special sauce that is required.

      • http://twitter.com/EMobilityInside EMobilityInsider

        Thinking about MIM having an API… So try this on. Premise: Enterprise digital assets need to tote a common metadata wrapper so that a server can ask a client “do you respect the metadata?” and then the server can proceed based on the answer from the client. I buy into a vision that any client you desire to use on a mobile device or even desktop/laptop should be able to securely use a digital asset under Enterprise governance. This implies that digital assets carry a metadata payload along with their content that any App can read.

        The approach that MS took in Office 2007 and Apple did with the Resource Fork structure in their digital assets are both interesting. They are not wrappers but an integral part of the asset. Wrapper approaches are prone to failure; witness the repeated flameouts of IRM technologies (closed, can’t access it, extreme admin overhead, assets extracted from IRM defeat it). I could envision having an Internet MIM edge server that shows me an Enterprise virtual asset store (indexed and searchable, of course) that handshakes with my local client, and my local client will allow local asset manipulation based on the metadata that the asset carries. A common metadata model could be developed that would carry a common set of attributes and also be extensible for additional control models.

        I know our industry is rife with proprietary approaches, fragmentation, and lots of stubborn entities who don’t see solving some of these problems as in their best interest. But, without a useful common approach, we may continue to be dependent on administratively intense systems delivered as vertical solutions.

        • http://twitter.com/bmkatz Brian Katz

          This is along the lines of what I have been talking about. The issue is having this conversation without actually talking about DRM, which is very hard for most people.

          • http://twitter.com/EMobilityInside EMobilityInsider

            It would be nice if OASIS (SAML folk, amongst other things) was leading the metadata/protocol creation process. We could get industry thought leaders to do something cool and then everyone could request it in their RFPs!

  • benontech

    This is yet another great piece of writing by Brian. I do agree that “legacy”, or as I sometimes call it “incremental”, thinking is a big piece of the problem. IT is often too busy chasing the next problem, playing a game of corporate “Whack-a-mole”, to think strategically. No technology is a better example of that than MDM. It takes traditional PCLM technologies and concepts and attempts to extend them to users and devices that don’t want to be managed that way. A square peg in a round device. My favorite quote from an End-User was “I didn’t pay for my iPhone instead of using the free Blackberry so I can hand it over to you to install software that turns it back into a Blackberry”.

    I think Corporate IT can learn a lot from the choices end-users make when it comes to devices, apps and even accessories. I think they expose the gaps in IT strategy and telegraph where the industry is going. I wrote about it here: http://bgis.me/OAznZT

    That being said, let’s not confuse layered security and defense-in-depth concepts with short-sighted management approaches. IT will always be a balancing act between security and usability, as those two forces seem to be diametrically opposed. I think that to conflate the issues of not understanding consumerization and the need to secure an end-point is dangerous. I do agree that security, like all other IT groups, needs to understand that we live in a rapidly changing world where devices, networks and even servers may no longer be under corporate ownership, let alone control. We just need to make sure that we don’t shrug off security requirements in the name of end-user experience.

    • http://twitter.com/bmkatz Brian Katz

      Ben –

      Great comment, and I love the quote you picked as well…right on the money. I am not saying that we should ignore security concerns at all. The point is to not ignore security, but don’t assume that because you own a device it might be secure. In many cases it is a false sense of security.

      Defense in depth and layered security can’t make it impossible to accomplish the task. This is why, as I have said many times before, security has to be one of the partners at the table from the beginning, as does the user. This is the only way to build secure solutions that everyone will use.

      So I think we do agree…

      • benontech

        We usually do ;)

  • Bob_Egan

    Except that your SSO example is not particularly relevant to mobile device scenarios, as many providers, including SAP and IBM, provide the ability to drop SSO certificates onto a user’s device, thus providing the ability to use enterprise apps with transparent login via an iPad etc.

    • http://twitter.com/bmkatz Brian Katz

      Bob -

      There are certainly solutions to some of these issues out there, but the better question is how widely are they used and do they handle all enterprise apps or just the SAP/IBM/Whomever…It comes down to deploying these solutions in meaningful ways.

      I was actually drawing the parallel between the current desktop and mobile, but I get where you are coming from.

      • Bob_Egan

        It depends on what’s important to the business, the employee role and necessary audit / compliance requirements. The real (and perhaps sad) state of the BYOD / CoIT market is that in most cases it really equates to email enablement. The millisecond a company thinks beyond email, they are woefully under-planned and ill-enabled. And that is precisely when most BYOD initiatives are compelled to think beyond the BYOD MDM boutique point solutions and toward CoIT suites. That will be where the action is in 2013.

  • http://www.facebook.com/talmklein Tal M. Klein

    I mostly agree, but I think even wrapping the app can become a pain if the user has the same app for personal use. I like the shift in the wind towards an enablement-minded IT organization, but we’re still far from it. You show me an IT administrator who doesn’t see the end-user as the enemy and I’ll show you ten who do. This whole FUIT thing is very IT-centric. End-users don’t think “FU IT”, they think, “oh, this website/app/device/etc. lets me get my job done more easily.”

    • http://twitter.com/bmkatz Brian Katz

      Tal –

      Great comment…and you are right, wrapping does lead to 2 versions of the same app which can certainly make things interesting for the user. As we move to proper MIM we should be able to move to a single app that responds to the policy that follows the data.

      From an end-user’s perspective you are completely on target…they aren’t thinking of IT, they are thinking about their job. We, as IT, tend to translate it into FUIT. When we are working with the business and the users and focusing on enabling them, this tends to go away.

    • Bob_Egan

      I really believe that if you show me 1 company that is enabling anything more than email on mobile devices, I will show you a hundred who are not. Thus, the only time the FUIT thing comes up is when IT policy plugs the use of a particular web site or imposes WhiteList/Blacklist policies on what are largely consumer apps – and IT can’t / doesn’t / shouldn’t keep up.

      While I technically know what wrapping does / does not do, I’m like a dry river bed in search of water to understand mass adoption examples that truly make this a problem today (except for email).

      • http://twitter.com/bmkatz Brian Katz

        Bob –

        When you are talking BYOD you are correct; as you have heard me rail on many times, most companies think email itself is BYOD and we would both disagree with that. I purposely didn’t call out BYOD here as this was related to Mobile and shouldn’t matter if it is a corporate or personal device.

        When companies are rolling out apps, and many are, the data is very important. You have to make a choice of owning the device or owning the data by owning the app. App wrapping, which is part of the MAM solution, is important and does solve some of the issues that MDM brings up with respect to BYOD devices…It still leaves the dichotomy of 2 apps for a single user if you use it for corporate and personal.

  • http://twitter.com/Wh1t3Rabbit Rafal Los

    Brian – fantastic post and even better (albeit odd) discussion on Twitter today… so much so that you’ve inspired me to write a position piece from my PoV… here: http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/Up-to-Our-Ears-in-Technical-Debt-Mobile-Data-Devices-and/ba-p/5895475

    I’m 100% confident this discussion isn’t over.

    As Tal points out here in the comments – we’ve got problems covering the easy (black/white) scenarios …what about when the owner of the devices uses the same application for both personal AND corporate use?!

    I think I need to go lie down…

  • http://twitter.com/TamoRules Tamojit

    I believe IT is only trying to make two ends of the world meet, hug and kiss each other, without realizing how different they are in nature and, of course, in behavior. And for what? To keep things simple for them or, as you said, to fit everything into their existing security models. If we go back in time and see the origin of MDMs, we will find ourselves working with corporate-owned BlackBerry devices tightly controlled by BES. The fact that the data security achieved in BlackBerry devices through the BES architecture was the highlight of its widespread adoption as an enterprise device is the root cause of our current issues. BlackBerry, then, was hardly a consumer device and so there was no conflict.

    The problem started when the most popular consumer devices, iPhones and Androids, decided it was time to enter the enterprises, and they tried to apply the BlackBerry success story to these phones as well. The thought process – tight security is the primary aspect of being a successful enterprise device – resulted in this chaos.

    All these new devices, followed by BYOD, led to the paradigm shift in the world of enterprise mobility. Unfortunately, IT could never appreciate the change and imposed the security models of the stone age on these modern consumer devices.

    iPhones and Androids were never meant for MDMs and, to be frank, I guess we all know the hack to get around it was never difficult, as all MDMs relied on OS capabilities which the user owning the device could turn on and off.

    We have already seen MDMs evolving into MAMs, MSMs and MIMs. But all these are still trying to solve the same problem, when the problem has already changed its dimensions. It’s time we think of security as an enabler for the users and not for the corporate houses. Rather than saying, how can companies securely give access to their data, we should be thinking, how can users securely access corporate data. In the time of CoIT, we should be keeping users at the center stage and not the organizations.
