
In enterprise mobile security, perhaps it’s best to treat all devices as BYOD


Transcription details:
Input sound file:
10-17 am Session 1_1002.MP3

Transcription results:
Session name: The Future of Mobile and the Enterprise
Cormac Foster
Brad Anderson
Alan Dabbiere
JP Finnell

Announcer 00:00
All that set, we’re going to bring out our first panel. This is The Future of Mobile and the Enterprise; it’s going to be moderated by Cormac Foster, he’s the Research Director, Mobility, GigaOM Research. He’s going to be speaking with Brad Anderson, the Corporate VP of Cloud and Enterprise of Microsoft; Alan Dabbiere, the Chairman of AirWatch; and JP Finnell, the Head of Mobile Strategy and Innovation for SAP Services in North America, SAP. Please welcome our first panel onto the stage.
Cormac Foster 00:29
Hi everybody, and thank you for coming out this early. You might be feeling almost sleepy or hung over, so we’re going to wake you up with fear today. I’m going to talk about BYOD and how that’s terrifying and how you handle it. Like to start out though quickly by introducing the folks who are here, because a lot of you may not know exactly what they do because they work with some pretty big companies. So, Brad, can you give us a quick overview of who you are and what you do?
Brad Anderson 00:53
I oversee the work with Microsoft and Windows Server and System Center, which is inclusive of the management that we do in the datacenter, private cloud, as well as all the things that we do for managing your devices and enabling you which is on devices.
Alan Dabbiere 01:05
Alan Dabbiere, Chairman and one of the founders of AirWatch. We clearly do mobile device management in the whole enterprise mobility platform, and we’ve gone from about 100 to 50 and 100 people in three years, so this is just a really exciting time in the space.
JP Finnell 01:17
JP Finnell, Head of Mobile Strategy and Innovation for SAP leveraging our portfolio of the SAP mobile platform which 3O is coming out next week, big announce next week in Vegas and then our mobile secure, which is our portfolio of more device management, application management and content management.
Cormac Foster 01:41
So this is, anybody feel free to jump in, but I’ll start with JP. I think we’re all pretty much in agreement that the most dangerous part of any mobile enterprise is the user, and users, they can’t be trusted to not be stupid and they can’t be trusted to not be malicious in many cases for folks sake. So, you’re all technology companies; how much can technology actually mitigate bad behavior by users?
JP Finnell 02:11
Well, I’m glad you’re starting off with the user as opposed to the technology because as technologists we’ll get, we’ll be spending majority of time talking about technology and when you think about consumerization of IT, we think about the other way around, the ITization of the consumer. So, you might think that consumers are, you have Moore’s law with basically the processing power doubling every two years and just think about that trajectory and think about the trajectory of users. Are they getting smarter or less smart? And so, we certainly see them getting smarter, but from a security standpoint still 40% of the users out there don’t even use the screen pass code, my sister-in-law drives me crazy because she insists on not having one because it’s truly inconvenient, she runs her business on an iPhone, now that she has the 5S, she’s now got a lot more security, so we have lot of approaches, but fundamentally with freedom comes responsibility and consumerization of IT, ITization of the consumer is about freedom.
Cormac Foster 03:15
You can lock down a device almost completely, to a point where it’s unusable, if you want and you can let them run free, but somewhere in there’s a balance, how do you strike that balance and really how much, can you keep users from accidentally doing dumb things and can you keep users from doing malicious things?
Brad Anderson 03:42
I’ll probably jump in for a minute. The organizations that I meet, I think are kind of thought leading in how they’re embracing these trends, have a couple of these kind of base level assumptions. One, they believe that the users are resourceful. If they told don’t do something that simple and easy to use and complete the usable figure where we go around and would just use the consumer services there is no personal life. Most organizations will take a view that they will trust their users, they want to trust by verifying. You need to have tools, you need to have a strategy that allows you to protect against accidental kind of activities. If you got someone who is malicious, whether it’s taking a picture of a screen with the camera, they’re going to find ways that they have malicious intent to get around you. Let me just give you a personal example of the way that we think about this. One would think, you like to think that you’re a little bit unique in the world, but the name Brad Anderson really is not that unique. Many of you know that the former CEO of Best Buy was named Brad Anderson, the Head of the Dell Server Division was named Brad Anderson, and the number of times that I’d get email that was destined for one of those two was remarkable. Where auto fill automatically put my name and I would get attachments of Best, the VP of Dell and VP of Microsoft. That’s an accidental kind of situation. In that model, if somebody accidentally doesn’t attach an email for example, you want that email, the attachment actually be secure and I’m able to open that unless you’re authenticating as your corporate Active Directory as an example. So, doing things like that where you have rights management, you have the ability to actually have protection embedded natively into the system that the users having to think about it, it’s just automatically there, that’s how you’re protecting into accidental kinds of errors, but again malicious is just the whole different world to think about.
Alan Dabbiere 05:23
To take one last approach on it, I don’t like to come to the theory — that you’re going to have either good user experience or security. I think innovation is going to drive much more security, especially in the accidental. I think the malicious is different, but multi-factor authentication, things like what Brad was talking about, innovation is really driving a much more secure user experience at every level and yet letting it be very native and very easy, and actually making it easier will make it more secure, because if you start to block and make it too hard, people then really go back and do things that are not mentally malicious, but they do things that they shouldn’t do because we’re just trying to get our job done. It’s the banker with the secure phone in this pocket and the personal phone in this pocket; everything gets done here.
Cormac Foster 06:08
Okay, so next up let’s shift to technology. So AirWatch, SAP as well, but AirWatch is known for enterprise mobility management and you can get the feel for it actually that we read on this, if we haven’t read it, please do. But enterprise mobility management comprises a number of different things: mobile device management, we think of this mobile application management, app wrapping, that sort of thing. A lot of these functions will eventually work their way into operating systems or maybe applications themselves or hardware, what Samsung is doing with Knox. Does that make you obsolete? How does that change for you? How does — what you do change over time as the tools themselves become more commonplace and integrated elsewhere?
Alan Dabbiere 07:00
It does that, it changes over time, it’s incumbent on us to continue to innovate. So, we embrace the fact that these devices are getting more secure and some of the features and functions are going into the device operating system, and in the meantime, we live in the present, not the future. So, the fact that we’re building email clients for more security or the fact that we wrap email attachments in ways that they can become more secure. If that ends in the operating system, it’s great. What we do is vendor agnostic, so the fact that we can sit on top of Windows, iOS, Android and Knox and the five different versions of Android. The fact that we’re doing all these configuration management that’s incumbent as part of security to configure, manage, track, telecom expense management, App level wrapping, content distribution, so as these devices become more enabled and more secure there is still a big, huge role for us to play, because again we don’t think any one OS or hardware manufacturer will solve the agnostic, command and control problem, and so we think we’re very well situated for the future.
Brad Anderson 07:58
Just building upon what you’re saying, in the operating system, the applications, there are interfaces and capabilities that are being exposed that help us with security and with management, but someone has to orchestrate all of it. Who’s going to sit on top of that, who’s going to give that consistent experience to the IT professionals and to the end users so that as more in the working on a PC than the App, they’ll be able to work it on an iOS device or an Android device, they want it to just work and they want it to be familiar and consistent. Somebody has to orchestrate to make all that happen and that’s working and that’s what we do as software vendors.
Alan Dabbiere 08:27
So, Knox for example, all of that is done through API. Knox does not come with the console, it comes with the APIs, and I use the expression mobility stuff by a thousand cuts. If you got a 1,000, 10,000 and 100,000 devices out there, you want central systems that are monitoring, managing and making it easy for the user to configure those devices, no matter what manufacturer around the world that they came from.
Brad Anderson 08:47
It’s that the end-to-end solution building on the infrastructure that the operating system gets us.
Cormac Foster 08:50
So, three years from now is the MDM System essentially like the [?], the open view that the system will record for your systems management.
JP Finnell 09:00
Yeah, I’d love to talk about that. As I think about MDM, I think a lot of the MDM kind of configuration management capabilities, they’re kind of commoditizing, and a lot of the conversations that are happening in this right now are around application management. As you think about application management, I like to compare to what happened with kind of the desktop or the PC management capabilities going back 15 years ago. There were configuration management, there were OS deployment, there were more controlled capabilities and they were sold separately. They all converged as the market matured and I think that’s what’s going to happen as well as we think about users willing to work on multiple devices and vendors like us needing to enable users on all of their devices that are inclusive of PCs, handheld tablets, phones. So, I think all of that’s in the process of converging right now, and as the conversation moves up to application management, organizations really have got to step back and say what’s my comprehensive and complete solution for managing access to the applications into the data that my users need across all their platform. So, I think we’re going to see convergence.
Cormac Foster 10:00
You guys want to fight a little bit about a figure that probably irritated you a little bit, the commoditization of MDM?
Brad Anderson 10:04
Well no, it’s the word that people use, but I don’t think Microsoft, the operating system Windows, got commoditized. I think it sort of a one and it came out at huge scale, but wasn’t a commodity, there was only one. I never went into Dell and said, I want to look at that other operating system. And so what we do is really hard. We didn’t grow from 100 to 50 and 100 people over a three years because this was a solution that needed 25 developers; there’s a new mobile operating system every 15 days. So, while the price is coming down, I think the number of providers that can actually solve the problem across every one of these new OSs, going back to your 6.5 and your CE and Tizen and everything that Knox and Samsung and folks like that are doing. There may not be a perceived value in the way we’d like that there needs to be, but I don’t think it’s a commoditization. I think the players are getting fewer, they can do it, I think it takes massive scale to provide it because it’s got so inexpensive, but security breaches, when there’s one big security breach, and I think that someday it’ll happen, people are going to go wow, maybe all jailbreak detection isn’t created equally, or maybe being six weeks late on being able to manage CE or being able to secure Apps or a new operating system, see that’s the problem. We really want someone who’s out the day before the operating system comes out, not six weeks after the operating system comes out.
Alan Dabbiere 11:22
We’re not saying things that are different.
JP Finnell 11:23
No, just the commodity, the word commodity I think you’re spot on.
Alan Dabbiere 11:27
Prices dropping, it’s kind of that’s like a bar to entry. If you can’t do the configuration management and tie on with the profile capabilities in iOS or with Android or Windows; you can be able to play in the market.
Cormac Foster 11:37
Alan Dabbiere 11:37
So, the conversation is now rising, I think up a level thinking about what we’re doing in terms of protecting the applications and the data and that’s where the focus of the conversation, I think and the industry needs to be headed.
JP Finnell 11:46
So, you have this commoditization trend which really brings on the cost, but then you also have, you know, the fragmentation that’s going to keep it from being commoditized, but then also have the complexity of mobile as opposed to a desktop, right? So we have telecom expense management, wireless expense management, so we have more responsibility as individual users for the device and for the control of it.
Alan Dabbiere 12:05
And that is no longer about the point solution, we think it’s about the platform, that there’s so much integration that has to happen between MDM, App management, content management because all does need to be wrapped up with telecom expense management, because you put out 10,000 or 100,000 devices and let them synchronize, you’re going to have some employees travelling to France for the week and you can get a mighty big phone bill with a couple of app updates or a big content update, and if you’re not doing this in a very comprehensive and coordinated way, it’ll be a problem.
Cormac Foster 12:33
So, talking about platform, there’s a lot going on, and there is a lot more going on now from just two or three years ago, and if I’m an IT guy and I need to first secure these phones and tablets and phones in the enterprise, first order of business is not losing data and not getting sued for being out of compliance. How do I go about doing that? Like if, what advice would you give to an IT guy or girl who’s responsible for managing a couple of hundred and a couple of thousand devices and they don’t know where to start? You can wrap your apps if you’re not developing them, you can develop your apps, if you’re looking at developing an app, you can use an SDK and build some sort of App management into that, you can lock down the device, and some tools are right for some jobs and some aren’t, so where do you start?
Brad Anderson 13:27
So, it’s about flexibility, but you need layers of security. It’s not just about the App, it’s not just about the data. You can virtualize the data, but on a jailbroken or compromised device you can have screen print wrappers and keystroke trackers. So, you want to get it at the chip-set level, at the database level, at the operating system level, at the application level, at the hardware disk level, and so multiple layers are going to be really, really important.
Cormac Foster 13:52
But, what you do first?
Brad Anderson 13:55
When I think about protecting the data in the application, I like to kind of step back and say what’s the overall strategy that we’re trying to accomplish in enabling our users. And so rather than kind of looking specific into the security, let’s step back and say what’s the overall strategy, and I think what I hear from IT, what I hear from CIO is what sounds like permissible request which is very complex, which is enable me to enable our users on all the devices they want to work on, which is inclusive of PCs. Enable me to give them a consistent experiences, consistent and familiar, they give some access to the corporate applications and the data they want to use in way that I know it’s secure and protected so that I can fulfill my responsibilities to the company. Do you think about that holistically, then anyone will be able to express policy, you might be able to express access policy and its implemented, real time as the users move across applications, they move across devices. So as an example, you don’t want to be able set as access policy that says for example, if I’m working corporate device, there is no domain joined, I trust that device and I’m going to enable users to be able to access applications and data and bring that down locally and run that all in a distributed model. But then, as a user, and I’ll just use as an Android as an example, you can even say Windows RT, maybe not domain joined, maybe they don’t have the same level of trust for the device, and ultimately we’re about enabling users to get access to their Apps and their data, but you wanted to have that policy expressed and then as the users authenticate and identify themselves, whatever your identity management solution is, it automatically makes the decision of how they can get access to data, how they can get access to applications, and does that based on security and on the policy that you expressed. That’s the top level.
Then if you dive down in, as analyst say, and there’s different places you can do protection, you can protect at the datacenter, you can protect at the device, you can protect at the application, the operating system, and you want to have that kind of a tiered model. Ultimately, I think where the market needs to get you is we want the security and the protection to travel with the data, meaning that in that case I gave of a user sending an attachment accidentally, you want the protection and the security to be embedded into that data, and I think ultimately we want to protect at the data level so that in case of an accidental kind of a mishap like that, even that the gets outside your firewalls or you lose a device, it’s protected because it requires something like an authentication to your identity solution before it can be accessed, and that’s what the market needs to get to.
Alan Dabbiere 16:11
And I think there are two other points. One is flexibility: there are instances where email only is fine or where App security and app management only is fine. There’s instances where content management for a board packet, there are use cases of doctors in five hospitals and they can’t five MDMs. So, flexibility is absolutely paramount. The second is a recommendation to treat all devices like BYOD. We think the future use cases, idea that is a corporate device, I don’t need to think about the BYOD use case. When these devices are becoming your car key and your house key and a great consumer kind of efficiencies and things that are coming out on mobile and machine to machine to make your lives easier, it’s almost irresponsible to think that people are not going to use these devices for their personal lives. It’s irresponsible to think that a screaming child in an airport and the parents are not going to hand to that child to watch a movie or entertain them for a minute, so the idea that, I don’t have to worry about any personal functionality because I’m going to lock that device down so much is again going to drive people to do irresponsible things.
Brad Anderson 17:08
And that BYOD in the premise of your question really assumes that there are choices, right? That you have as starting point, you didn’t have a choice, you’d start with the device. Now, we have it’s BYOX, BYO A thru Z, bring your application, bring your own content, bring your own data plan, I mean it’s all those entry points that you can start you have the choice now, they’re not just starting at the device level.
JP Finnell 17:36
Well, BYOD has a kind of exposed a lot of lousy security that was, I think lousy security was in place or an absence of security that was in place before all this happened. It wasn’t like this, many of these organizations were particularly secure and were treating their securely before, they just didn’t worry about it because they thought everything was there.
Brad Anderson 17:56
It’s really a false sense of security if I protected at the datacenter level, at the device level and it’s just the false level of security.
Alan Dabbiere 18:02
We also see that there’s a lot of like our security theater, people go and protect one part of the phone so much and they leave another part exposed. I secure my email, but I don’t put a pass code at the device level, so all of my call logs and all of my voice mails are exposed. I don’t want to use MDM because of privacy, but then I put myself in a position where I can either wipe the entire phone or let someone go home after they leave the organization even disgruntled and fired with all of their email. I put myself in these really bad positions even though I spend millions over here on one layer of security, I completely leave this layer over here, completely exposed and unaddressed.
Brad Anderson 18:40
This is one of those places where some of the convergences in the industry are happening, and we talk about things like consumerization of IT, we talk about big data. One of the requirements of the software that we all build is we’ve to do an incredible amount of tracking and logging, so that when do you have to go do some investigations, you do want to go look at who has accessed what, when and where, you know that is all available. A good example is the number of PC or the number of phones, the numbers of tablets are left on planes or in cabs is just unbelievable, it’s just, everyone is aware of the data. The first thing an organization needs to be able to do is go take a look to see hey when I last checked in with that device whether it was an hour ago or a day ago, wasn’t encrypted, didn’t have a power on password, here’s the data secured on that device and you need to look at that immediately because you know you could be in a situation where you got to go out to public disclosure about loss of customer data.
Alan Dabbiere 19:29
But you better do it in a way that you can separate personal and corporate data, and I’m going to argue that there are so many people out there, they aren’t doing that well, and there’s going to be a situation where somebody wipes something important personally even with the waiver we don’t know that would be–
Cormac Foster 19:43
And with that last piece of fear to wake everybody up, we’re at our 20 minutes, so thank you very much everyone.
Brad Anderson 19:49
Thank you.