How to manage “Bring your own device”

A few years back a customer's CSO left the room when I said that this customer should start thinking about a scenario where selected users bring their own devices – he called me "nuts". Well, I think the smartphone era proved me right. As far as I can tell, smartphones were the first Bring Your Own Device (BYOD): the CEO found the latest and coolest phone on Saturday, and on Monday IT had to integrate it – not to mention that the CEO definitely wanted to read mail on his or her new toy.

This discussion has been over for a long time, and most people have probably accepted the fact that the world changed – the cheese moved. BYOD, Consumerization of IT, or whatever you want to call it, is a reality at the end of the day. It can take different forms: in our case at Microsoft it is officially a preliminary stage, as we get the hardware internally but can set it up the way we want as long as we follow the policies. Even that is not the complete truth, as a lot of people buy their own hardware and use it for work. I am currently running not only my notebook with Windows 7 but also the Windows 8 Developer Preview on a slate – and because I want to understand how we can make this work, I did not join the slate to the domain, so that I run the real Consumerization of IT scenario. This immediately raises questions about security.

On a slate we most probably need mail (Outlook in my case), Lync and some documents. So I need Outlook installed and connected to Exchange (including RMS-protected mail), Lync, OneNote and a set of documents I want to have with me while travelling. What does this mean for IT? What about me connecting to the corporate network? Let's look at some of the scenarios and functionalities. I know that there are answers to some of these problems, but let's look at the questions first:

  • Authentication: As it is not a device IT controls, how is the user authenticated? We might want to require a PIN or a password to unlock the device. This makes sense anyway, but there needs to be more than just a paper policy. Those of you who have seen the BUILD presentations on Windows 8 may have seen a new way to authenticate: a user picks a picture and records three gestures on it to unlock the device. A great way to authenticate on a slate – but does the policy allow for it? Even if it is not a domain authentication, it is the authentication that guards the holy grail – the mail.
  • Lost devices: Typically these devices are cool – that's the reason our users buy them, isn't it? So the risk of them getting stolen – or lost, as they are small – is fairly high. How are the data and the credentials on the device protected? This means disk encryption first, remote wipe second.
    • Disk encryption: There are devices like Windows Phone 7 which have a very sound security model and very good device security but unfortunately no encryption yet. There are others with "encryption" built in which is broken in minutes, because the device can be jailbroken easily. What is the policy there? On the slate there will be a need for disk encryption as well. Which user will switch something like this on without being told? Yes, I know: you will, but as security people you are definitely not a representative sample. On Windows we can switch BitLocker on and will at least have the ability to securely protect the disk.
    • Wipe: I would want my device to be wiped after a few unsuccessful authentication attempts, and if I lose it I want to be able, as IT, to remotely wipe the business data.
  • Network access: Now the device comes onto our network. What happens if the device does not have any anti-malware protection? It might spread all its dirt across your network – not something we typically enjoy. There are solutions to that: for a long time we have talked about Server and Domain Isolation Using IPsec and Group Policy, which at least separates trusted from untrusted devices. But we basically want these devices on the network, accessing the data – if they follow certain policies. Therefore we need a way to do policy enforcement and health checks, with the ability to quarantine.
  • VPN access: This might be easier, as the machines come through a well-defined channel where we can check them and enforce the policies mentioned above. But are we allowed to? Think about the privacy implications as well.
  • Mail: Finally, talking of mail: access to e-mail is probably one of the crucial areas to enable and manage, as a lot of confidential information is buried somewhere in mail. Additionally, if the mail is encrypted, the keys will be needed on the device to read it. Thus a lot of critical information ends up on such a device.
  • Data: As a user I want my data (or at least key parts of it) synced between my devices – in my case between the business notebook and my slate. This should be done in a secure and safe way. Do we as IT want to allow the use of technologies like Live Mesh, which can do either a peer-to-peer synchronization or a peer-to-peer-to-SkyDrive sync? In other words, a copy of the data may be hosted in the public cloud, secured by nothing more than a Live ID password.

So, a lot of different problems and questions. However, they are only partly new: I have seen a lot of people taking data home to their own private PC – the one the kids are gaming on – to do their work. "Taking home" means a USB stick or even sending the data to a private mail account.

Protecting such an environment can take different approaches, and I would be interested in what you think and what you need:

  • First and foremost we need policies clarifying what can be done and what cannot. For severe violations, there needs to be disciplinary action.
  • We want some policy enforcement. The key functionality the user is interested in is often e-mail, and therefore Exchange might be one of your key management points. Exchange is able to enforce the following policy options on the device (from Understanding Exchange ActiveSync): remote wipe, device password policies (minimum length, required characters, alphanumeric, inactivity timeout, password history, password recovery, wipe after failed attempts) and device encryption. Therefore the key requirements can be expected to be met. But there is a fair chance as well that not all devices fulfil all the requirements. Or, even worse: the ActiveSync client could simply lie to the server, because the server only learns what the client reports back and has no independent way to verify that a policy was really applied.
  • Would it be an option for an IT organization to require a client installation? Could the policy "if you want to use your own device, you have to let us install a piece of software" actually be implemented? I am not completely sure, as the user will look at the device as his or her own and may refuse any interference. On the other hand, it is the company's data. A fairly interesting conflict. If we are allowed to install a client, technologies like Network Access Protection suddenly become feasible, as we then have a trusted piece of software able to check the health of the computer.
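To make the Exchange side of the "lost devices" and "policy enforcement" items above concrete, here is an added example (not from the original post) for the Exchange 2010 Management Shell: a mailbox policy that enforces a device password, lock timeout, password history, wipe after failed attempts and device encryption, the server-side check of what each device reported back, and the remote wipe of a lost device. The policy name "BYOD-Baseline", the mailbox "alice@contoso.com", the thresholds and the DeviceType filter in the last step are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original post. Exchange 2010 Management Shell.
# Assumptions: policy name "BYOD-Baseline", mailbox "alice@contoso.com",
# and the numeric thresholds below.

# 1. Create the policy. AllowNonProvisionableDevices $false refuses devices
#    that do not implement ActiveSync policy provisioning at all.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox (loop over a group or all mailboxes as needed).
Set-CASMailbox -Identity "alice@contoso.com" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Check what the devices paired with this mailbox reported. The server only
#    knows what the client told it: "AppliedInFull" means the device *claimed*
#    to apply the policy, it is not an independent verification.
Get-ActiveSyncDeviceStatistics -Mailbox "alice@contoso.com" |
    Select-Object DeviceType, DeviceModel, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, IsRemoteWipeSupported, LastSuccessSync

# 4. Organisation-wide: list every device partnership that has not reported
#    full application of its policy, so IT can follow up or block it.
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object {
        Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity -WarningAction SilentlyContinue
    } |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object Identity, DeviceType, DeviceOS, DevicePolicyApplicationStatus

# 5. Lost device: issue the remote wipe. The command is executed by the device on
#    its next sync, so a device that stays offline, or whose client ignores the
#    command, is not wiped. The DeviceType filter is an assumption; take the
#    real value from the output of step 3.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "alice@contoso.com" |
    Where-Object { $_.DeviceType -eq "WP" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "alice@contoso.com" -Confirm:$false

# 6. Confirm the wipe request was recorded (the device acknowledges it later).
Get-ActiveSyncDeviceStatistics -Mailbox "alice@contoso.com" |
    Select-Object DeviceType, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Step 4 is the practical answer to "not all devices fulfil all the requirements": it surfaces the devices that could not (or did not) apply the policy. It does not solve the client-lying problem, which is exactly why the post goes on to ask about a mandatory client.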

But what else is needed? Do you need management? Inventory? What else would you expect from your technology in such a scenario? Let me know – I am interested in this debate.

Roger

2 comments to How to manage “Bring your own device”

  • Freddy_G

    Well, a really interesting topic you picked here.

    Honestly, we have faced these issues more and more often over the last few years in our company. The interesting thing is: the higher in the hierarchy you go, the less important your security concerns seem to become.

    As an example, I was recently at a big IT symposium where the elite CIOs of mainly Germany, Austria and Switzerland were guests. One of their biggest concerns was iPads, iPhones and all these other devices that people bring into the company network. All of them complained; some offer some not very evolved tools to "try" to help in this matter.

    Anyway, all of them seem to be unhappy, but then I realized something interesting: 90% of the people there had an iPhone, iPad, Android or whatever else the things are called today as a business tool.

    So the problem in my case is, that the ones making the decisions are not capable of defining policies as they are the “bad guys” themselves.

    I had some presentations of companies trying to sell their mobile device management solutions to us and all of them I could send home as the technique is simply not evolved enough and fails at basic things.

    All in all a hard topic, and honestly I think that all these cool new toys in the wild are simply not enterprise ready, as they have been developed for the seemingly much bigger consumer market. That makes me feel that only time will bring us a solution here.

    As another example: Microsoft's own Windows Phone 7 (I use one myself and I think it is the best phone there is on the market) lacks enterprise-ready services and doesn't even recognize most of the Exchange ActiveSync policies, for example (only the minimum policies like device password, password length and remote wipe are covered).
    WHY? Well easy to answer. Business devices don’t sell and create no revenue, at least not at the beginning (look at Blackberry now).

    For myself, I will continue to monitor how everything will develop and hope that we get more help from the manufacturer of the devices once they realize that companies are also big customers.

    Looking forward to any comments, as always ;-)

  • Roger Halbheer

    Hi Freddy,
    thanks for your insights and comments. I am not sure whether we need to look at this trend as being negative. I am convinced that it offers a lot of great opportunities for businesses to streamline what they do and get more efficient. So consumerization is something which can help us drive motivation (I love my slate – do I absolutely need it to do my business? Well, I can justify it as I want to show the coolness of our technology…). Having cool products is a must these days (even though I would challenge the coolness of the iProducts, but I am biased there).
    Therefore let’s accept the fact that this is going to happen and start to work on integrating it. Therefore I would like to understand what is really needed from a risk management perspective.
    To me, RMS is one of the key technologies in there as I can persistently protect the information. However, the management will want to access this information from any mobile/private/consumer device as well.
    Thus the second piece (again from my point of view) has to be policy compliance. It would kind of be cool if I could use RMS not only with the user (who has access and can do what with which information) but to extend that to the device (… and only if the device fulfills these policies). That’s where we need to get to.
    If I look at Microsoft IT, we build most of our defenses around the machines being domain joined. As long as you do that you can do more or less everything, as Microsoft IT can enforce the policies, and this works really well. When it comes to phones, we need to enforce some policies, and then technically we allow iPads and iPhones – politically this is a different discussion (I do not have an iPad or iPhone). BTW, Windows Phone 7 supports all Exchange ActiveSync policies except device encryption – obviously.
    Persistent protection of information and policy compliance are the two key ingredients from what I see (including the identity/authentication piece). And interestingly, both would make our trip to the Cloud easier as well as we would finally understand the sensitivity of the data as it is classified (and protected) by RMS.
    Roger
