18.12.2012 by Martin Kuppinger
Some weeks ago I stumbled upon an article, which said that the MDM (Mobile Device Management) market will grow massively within the next five years. I don’t doubt that the market will grow. However I’d raise the question whether it should grow that much – or, in other words, whether MDM is really the solution of choice. I don’t doubt that there is some need for MDM technologies. However, this might be more about understanding MDM as an element of other technologies or a tactical piece of a bigger puzzle.
Let me explain why.
The problem organizations are facing today is that there are more users, more types of devices, and more deployment models they have to deal with. They need to give their users access to the information they need (and thus the information systems they need), regardless of the device and the deployment models – while enforcing information security and regulatory compliance. It is about the impact Cloud Computing, Mobile Computing, and Social Computing have and how to deal with it in a secure and compliant manner.
This “Computing Troika” means that we have to strategically change the way we are dealing with identities and access. We have more identities and we have to support more ways of gaining access – to resources which are sprawled across multiple deployment models.
Notably, this is not only about users with smartphones or tablets, the devices primarily in scope of MDM technologies (even while some grow beyond that to Microsoft Windows 8 or Apple OS X support). It is about a multitude of devices, from the classical desktop PC in the company, in the home office, or in an Internet Café; it is about notebooks of employees and all the different types of externals; it is about all the smartphones, tablets, and potentially devices we cannot even imagine today. And I’m not even speaking about the Internet of Things and M2M (machine-to-machine) here, which also is about some identities requiring access.
Can we solve this by managing mobile devices? Obviously, that can help. But it is far away from solving the strategic challenge. Furthermore, any approach which focuses on disparate management of a group of devices is questionable. Why not focus on the solutions which help manage all types of devices, including the “traditional” ones?
Obviously, a device-centric strategy and differentiating between some different types of devices is not sufficient to solve the challenges of today. The same is true for network-centric approaches – if there is not *the* perimeter anymore, protection focusing on that perimeter is insufficient.
The future is about understanding the risk of information access and comparing it with the risk of the access request. The risk of the access request is based on the context, a topic my colleague Dave Kearns focused on at his EIC keynote some four years ago. Context is about the device, the location, the type and strength of authentication, the role of the user and thus also its relationship to the organization, the health status of the device, and many other aspects. If there is sort of a positive balance of information risk and access risk – fine. If not, the access risk either can be mitigated, for example by step-up authentication, or the access might be refused or at least limited.
That requires technologies like versatile authentication, risk-/context-based authentication and authorization, and Dynamic Authorization Management. The latter is required to enable applications to do dynamic authorizations based on policies and on the context, instead of hard-coding authorization rules or at best relying on coarse-grain decisions. It is about putting a risk- and context-aware approach to information security at the centre, instead of artificially protecting devices (instead of information) or perimeters.
MDM might help in mitigating risks for some devices. So it is a concept within that bigger picture. However, without understanding the bigger picture and addressing this, MDM is more sort of an alibi than a real solution. Furthermore, looking at MDM in that bigger picture, and with all the devices in mind which can be used to access corporate information (systems), there is good reason to look for solutions which integrate MDM into a bigger scope – like Client Lifecycle Management solutions which manage all types of devices.
Nevertheless, the MDM market will grow for some time. However, it also will change, maybe quicker than many expect today. And, most important, there are other technical building blocks you should look at first, to address the cause and not the symptom.
Posted in BYOD
17.10.2012 by Martin Kuppinger
BYOD (Bring Your Own Device) is one of the hot topics of today’s IT. Many vendors promise to solve the BYOD challenges, with MDM (Mobile Device Management), MAM (Mobile Application Management), or other technologies. Most of these technologies fix some of the problems. But all of them fail in the great promise of solving all of your BYOD challenges.
Even worse, solving BYOD challenges is not what you should really care about. BYOD is just a symptom of a far bigger evolution. This evolution is about what my colleague Craig Burton just recently called “The Computing Troika” – the three major changes we are facing: Cloud Computing, Mobile Computing, Social Computing. This is about new delivery models for IT. It is about users using new types of devices (and more of them) inside and outside the corporate network. It is about opening up our communication for more external users, including our customers, leads, prospects, and so on. And it’s about communicating with them in a different way.
The situation we are facing today is that we are observing exponential growth in all these areas. We thus need to find other ways to deal with these evolutions.
BYOD in that context is just about supporting new devices for some specific groups of users. In the narrow context of BYOD most vendors have, it is about smartphones and tablets used by employees and maybe some groups of external users such as contract workers.
In a broader context, BYOD is about all types of devices which are not owned by the organization but are used to access corporate systems and corporate information. That might be the PC in the home office, the laptop of the auditor, the PC in the Internet Café, or whatever.
However, BYOD is just one part of that story. There is COPE and COD as well. COPE stands for Corporate Owned, Personally Enabled; COD is the acronym for Corporate Owned Device. In both areas, it is about supporting new types of devices like new smartphones, tablets and all the devices which will appear at the market within the next few years that we can’t even imagine today.
So from whatever perspective you look at BYOD, it is just a small subset of a bigger problem. The challenge is what the Computing Troika means for IT in general and Information Security specifically. This is about allowing all types of users using all types of devices access to corporate information and corporate systems, regardless of their deployment model.
If you solve that issue (which you have to do anyway) you have solved the BYOD issue. If you simply solve the BYOD challenge, you haven’t solved much. You probably have invested in some point solutions and some technology that fails in solving the challenges imposed by the Computing Troika. True, some of the approaches might provide value even in the bigger context. But that is something you don’t know for sure when just looking at the isolated BYOD issue, which most likely is not only or not even about BYOD – it might be COPE/COD and not BYOD at all, for instance.
So the simple message is: Don’t start investing in BYOD until you’ve understood the bigger context. Define your strategy for that. Understand what it means for Information Security and aspects like social logins, context-based authentication and authorization, your governance approaches, and so on. If you have got that big picture, you can start picking the technical pieces that help you. And furthermore, you can start solving all the legal, organizational, and governance issues around that.
There has been a KuppingerCole webinar on that topic – have a look at the podcast.
03.08.2012 by Martin Kuppinger
A recent article in Network World online had the title “For BYOD Best Practices, Secure Data, Not Devices”. I fully agree with that title. However when reading it I struggled somewhat with the solutions proposed therein, which were mainly about “mobile device virtualization” and MAM (Mobile Application Management) instead of classical MDM (Mobile Device Management). However, neither mobile device virtualization (we might call this MDV) nor MAM really are about securing data. OK, MAM as proposed by companies like Apperian at least also can protect the communication channel and the storage used by apps. However, the main focus of MAM is in controlling the apps which can be used to access corporate data.
That is neither fundamentally new nor does it solve all the problems in that area. What about access to corporate data like eMail using the standard apps? How do you deal with web access? You still might need to create new apps which are more secure than standard apps. And when not supporting standard apps, you might struggle with acceptance issues.
No doubt, MAM brings value. MDM as well brings value. And other approaches like the one of Enterasys which even has trademarked the claim “BYOD done right” for their Mobile IAM solution also bring some value. Enterasys focuses on a network security solution which controls access of devices and what they are allowed to do, including the access to some applications. But also here there are several aspects which aren’t solved – starting with the access of users to cloud services which do not even touch the network and thus never are seen by the Enterasys solution.
Several shortcomings might be addressed by configuring apps, cloud services, and so on. However, the more you limit the higher the risk that users won’t accept the solution, besides all the legal issues of doing things at the devices. I particularly like the idea of MDV with providing an image of a mobile device on another mobile device. So your corporate apps are running in a separate environment, which is under better control. However: Will these environments be more secure or will they just duplicate shortcomings like the ones of iOS and iOS apps? Nevertheless, running corporate apps in virtualized, controlled environments is an interesting approach. But if the user still wants to use the familiar Mail app on iOS, you are again reaching the limits.
Unfortunately the (close to) ideal solution, Information/Enterprise Rights Management for mobile devices, is not there yet. But even there you end up with the risk of malicious apps leaking data – IRM assumes that applications are handling information correctly.
What is the conclusion? There is virtually no way not to accept BYOD as a reality. There is no perfect solution for secure BYOD. You need to understand the risks for corporate information when it is accessed by different classes of devices. And you then need to find adequate ways for protection – from open access to prohibiting mobile access at all. In between, there is a place for the different types of solutions mentioned as well as some others. You most likely will need a mix of security approaches for your BYOD world because there isn’t a perfect solution out there – even when several vendors promise that they have found the holy grail of BYOD security. Be assured: No one has until now. So: Understand your risks. Identify an appropriate set of technologies which help you to mitigate risks. Define and enforce policies. And do it in a way which allows users to do a lot, so that they can understand that some things are forbidden or only allowed when specific security measures are in place – like MDM, like using a specialized app, like virtualization.
08.05.2012 by Martin Kuppinger
Recently I read a blog post by Nick Crown, Director of Product Marketing at UnboundID. He talked about “Bring Your Own Identity” which he thinks is more groundbreaking and disruptive than BYOD (Bring Your Own Device). I would say yes, there is a value in BYOI, but:
- this is definitely not as groundbreaking and disruptive as BYOD
- this is only a small piece in a much larger puzzle and it definitely will not end with a two-tiered identity infrastructure as proposed in Nick Crown’s blog post
- there’s definitely no need to introduce yet another marketing buzzword and acronym like BYOI
Certainly, just like every other vendor’s blog, posts like the one by Nick Crown are driven by the wish to position the company as “the primary vendor” in the specific area. But the question from a customer perspective (and from an analyst perspective) is: Does it really make sense?
So I want to focus on the three points above:
BYOD is one of the trends which are fundamentally changing the way we need to do IT, as well from the system management as from the information security perspective. It is about moving away from device-centric security to information-centric security approaches. That is a massive change, much bigger than any around identities. BYOD is directly related to the big changes we commonly call Mobile Computing and Consumerization of IT. And it relates also to the “Deperimeterization of IT”. BYOI (when defined as the user bringing its own identity) is, of course, related to big trends such as Social Computing. But it isn’t as new as some people claim. Federation as one approach to deal with this has been out for quite a while and is still evolving – look at OpenID Connect, recently awarded a European Identity Award by KuppingerCole for being the best new standard.
BYOI is much smaller than BYOD in its impact because of the second point mentioned above, something we at KuppingerCole have been talking and writing about for a pretty long time now. The reality is that there will be multiple identity providers. This is about things like trust frameworks, about concepts like claims, and about the need to become flexible enough in the days of Identity Explosion. It is about gaining the ability to deal with multiple pieces of information provided by different providers, instead of one provider or two tiers of providers. There will be many different types of Identity Providers – and they are already here, in fact. What changes is the ability to deal with these providers. That is about federation, about claims, about concepts like IDMAAS (Identity Management as a Service) the way Kim Cameron has presented it in his keynote at EIC 2012. However, it is not that much about directory services or technical synchronization. The fact that someone brings his own identity is just a little piece. And more important than accepting a BYOI ID is the ability to accept many different providers and to convert them into other IDs once the type of transaction and interaction with the individual requires such a conversion.
I’d also recommend you have a look at our report “Life Management Platforms”, which is available for free. This report explains a concept which will fundamentally influence the way we deal with “own identities”, which then really could be something you’d like to call BYOI, even while it is not only about bringing but also about controlling.
So even with Life Management Platforms, there is no need for the BYOI buzzword. It is not mainly about bringing your own identity (and, by the way, a Facebook ID is anything but an “own identity” when looking at the Facebook terms and conditions), but about enabling the flexible use of different identities. So BYOI is far too narrow to describe the changes we see these days. And thus we really should avoid using that buzzword and focus on what really is changing around identities.
19.03.2012 by Martin Kuppinger
I read news this morning quoting a survey by Coleman Parkes, a UK-based research company, saying that 15% of CIOs ban private devices to mitigate the BYOD risks. I personally don’t believe in that approach because it is just too likely to fail. It is like Don Quixote tilting at windmills, I’d say.
On first glance, banning private devices might seem the best choice. Using only devices you’ve provided yourself, evaluated and tested, well configured, seems to be the best approach when it comes to mitigating information security risks. But does this approach really work? Let’s focus on five questions:
- Will the managers accept this?
- How do you deal with remote workers?
- How do you deal with external collaboration?
- Are the devices really secure?
- Do you provide what your business requires?
Managers are one of the user groups driving BYOD – we all know about that. Many of them like to have the newest gadgets. Many doors to BYOD have been opened wide by them. Certainly there are some organizations where the managers weigh information security higher than their own interest in the newest gadget (which they describe as an urgent business need). But there aren’t that many.
When looking at remote workers, who are common in many organizations, it is also hard to enforce the pure play approach of allowing only devices provided by the employer. That means that the employer has to provide the entire work environment. That’s difficult, however it might work.
External collaboration is another issue, because that is about giving externals access to some sort of shared workspace, if you don’t want to rely on eMail communication only. That is also feasible, especially in the days of Cloud Computing – but then there are other issues to solve for information security.
A really interesting question in these days of “Data Leakage by Design” and inherent security risks (for example in Android), not to speak of questionable concepts on privacy that for sure also affect corporate users, is whether the corporate devices are really secure. For sure it is much easier to mitigate information security risks in an environment with a limited number of device types, operating systems, and applications. But many types of devices including virtually all of today’s smartphones won’t support the required level of control. How to really ensure that no “malicious” (in the broadest sense) app is used? How to avoid users accessing the “wrong” web sites? Many organizations have invested a lot of money to achieve that goal in the days before BYOD became popular and seldom reached their targets.
Finally, business is requesting specific types of devices. You might argue that no one really needs a tablet or some types of smartphone. You even might be right. But that puts you in the classical position of IT being an inhibitor for doing business better. And overall, there is some value in new types of devices, even while many things are overhyped. But a restrictive policy never will be able to keep pace with the changing requirements of business users and the way these are communicating.
Fighting BYOD is, from my perspective, the loser’s way. It is the Don Quixote approach not only to BYOD but to information security in general. The fundamental problem with the approach is that it focuses on device security instead of information security. That is very (!) “old school”. Information Security – like the name implies – is about securing information and what is done with that information – at rest, in transit, in use.
You will learn a lot more about BYOD at European Identity and Cloud Conference 2012. There is also a KuppingerCole report on BYOD available.
06.06.2011 by Martin Kuppinger
BYOD: Again one of these acronyms. It stands for “Bring Your Own Device”. You could also say that it stands for IT departments accepting that they’ve lost against their users. They have lost the discussion about which devices shall be allowed in corporate environments. When I travel by train, I observe an impressive number of different devices being used. There are Windows notebooks, netbooks, iPads, iBooks, other types of “pads”, smartphones,…
For a long time corporate IT departments have tried to limit the number of devices to a small list, thus being able to manage and secure them. However, the reality especially in the world of mobile devices proves that most IT departments have failed. For sure many have restricted the access to corporate eMail to Blackberry devices. But many haven’t managed to achieve that target. And the popularity of Apple devices increases the heterogeneity of devices being used by employees.
It increasingly looks like the only solution can be acceptance. Accept that users want to use different types of devices. Accept that the innovation especially around smartphones and pads is far quicker than corporate IT departments can adapt their management tools.
At first glance that sounds like a nightmare for corporate IT departments. How to manage these devices? How to secure the devices? However, it is not about managing or securing the devices. That would be “technology security”. It is about managing and securing information, i.e. “information security”. It’s about the I in IT, not the T. Thus, we have to look at when to allow access to which information using which tool.
To do this, a simple matrix might be the starting point. The first column contains the classes of devices – notably not every single device. The first row contains the applications and information being used. In the cells you can define the requirements, based on the risk score of both the devices and the information. In some cases you might allow access based on secure browser connections, in others you might require to use virtual desktop connections. In others you might end up with having to build a specialized app. However, if banks are able to secure online banking on smartphones, why shouldn’t you be able to secure your corporate information on these devices?
You might argue that building apps or deploying desktop virtualization is quite expensive. However, trying to manage all these different devices or trying to restrict the devices allowed is expensive as well – and much more likely to fail. I don’t say that it is easy to protect your corporate information in a heterogeneous environment, supporting BYOD. But it is much more likely to be feasible than to manage and secure any single device – given the increasing number of these devices, the speed of innovation, and the simple fact that corporations don’t own all these devices.
Thus it is about preparing for BYOD by providing a set of secure paths to access corporate information and to protect that information – and by understanding how to protect which information where. When you start with BYOD, do it risk-based.
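The device-class-by-information matrix described in this post, combined with the balance of information risk against access-request risk (with step-up authentication as the mitigation) from the 18.12.2012 post, sketched in Python. This is an added example, not the author's; every class name, score and threshold in it is a constructed assumption.

```python
from dataclasses import dataclass, replace

# All classes, scores and thresholds below are constructed for illustration.
INFO_CLASSES = ["public", "internal", "confidential", "restricted"]
# Highest access-request risk tolerated per information class (same order).
TOLERANCE = [9, 4, 2, 1]

# The matrix: one row per device class, one column per information class.
# Each cell names the required access path; None means no path is offered.
MATRIX = {
    "corporate":     ["browser", "browser", "browser", "virtual_desktop"],
    "byod_enrolled": ["browser", "browser", "secure_app", "virtual_desktop"],
    "byod_unknown":  ["browser", "browser", "virtual_desktop", None],
    "kiosk":         ["browser", None, None, None],
}

# Risk contributed by each context attribute of the access request.
# Unknown attribute values raise KeyError, so unrecognised context never passes.
DEVICE_RISK = {"corporate": 0, "byod_enrolled": 1, "byod_unknown": 2, "kiosk": 3}
LOCATION_RISK = {"office": 0, "home": 1, "public_network": 2}
AUTH_RISK = {"mfa": 0, "password": 2}
ROLE_RISK = {"employee": 0, "contractor": 1, "guest": 2}
UNHEALTHY_DEVICE_RISK = 3


@dataclass(frozen=True)
class Request:
    device: str
    location: str
    auth: str
    role: str
    healthy: bool  # health status reported for the device


def access_risk(req: Request) -> int:
    """Sum the context-based risk of one access request."""
    risk = (DEVICE_RISK[req.device] + LOCATION_RISK[req.location]
            + AUTH_RISK[req.auth] + ROLE_RISK[req.role])
    return risk if req.healthy else risk + UNHEALTHY_DEVICE_RISK


def decide(req: Request, info: str):
    """Return (decision, information class granted, access path)."""
    col = INFO_CLASSES.index(info)
    path = MATRIX[req.device][col]
    if path is None:
        return ("deny", None, None)
    if access_risk(req) <= TOLERANCE[col]:
        return ("allow", info, path)
    # Mitigation: would stronger authentication restore the balance?
    stepped = replace(req, auth="mfa")
    if req.auth != "mfa" and access_risk(stepped) <= TOLERANCE[col]:
        return ("step_up", info, path)
    # Otherwise limit access to the most sensitive class still within tolerance.
    for lower in range(col - 1, -1, -1):
        lower_path = MATRIX[req.device][lower]
        if lower_path and access_risk(req) <= TOLERANCE[lower]:
            return ("limit", INFO_CLASSES[lower], lower_path)
    return ("deny", None, None)
```

The four outcomes map to the options named in the posts: access granted, access risk mitigated by step-up authentication, access limited, or access refused.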