Zero Trust Is Incomplete Without Continuous Authorization

Posted on July 9, 2020 by Brian Duckering

… and continuous authorization is only possible with real-time device trust and a means to instantly revoke access.

Zero Trust Is Incomplete Without Continuous Authorization

Let’s face it, most professionals in enterprise security would agree that when it comes to secure remote access, Zero Trust is the right strategy for our modern workstyles and modern corporate infrastructures. With the vast majority of both our workers and our resources living outside of the now outdated corporate perimeter, it’s no wonder that there is so much consensus that we must find a new way forward if we intend to support the productivity of our vastly remote workforce while effectively protecting the sensitive resources that support that productivity. The experts have all spoken – Zero Trust is the answer.

Great! Sign me up for some Zero Trust.

But I’m like you, and I do my research to learn just what that means so I can implement the best Zero Trust around. What I learned is that Zero Trust is basically the idea that we should not assume or imply trust as part of any access request based only on history or anything we think we already know about the requestor. We used to assume that our corporate networks were trusted, so anyone able to join that network was also assumed to be trustworthy – the same goes for our VPNs. The corporate laptop we issued with the carefully crafted image was secure when we issued it, so any activities on that device should also be trusted. You get the point – for many years we have relied on historical beliefs and insufficient validation to grant broad access to our sensitive stuff.

With Zero Trust, we take each request for an app, system, or resource as a separate transaction that starts with zero implied trust. This solves multiple issues. It addresses the too-broad access by requiring new authorization for each resource requested, each time, effectively shutting off lateral movement within an environment or network. It also ensures that in case anything bad has happened since the last successful access, we have the opportunity to deny that new request. Maybe credentials have been stolen and the requester isn’t really who they say they are. Maybe their device has been compromised by malware and it would no longer be safe to allow that device to be used for sensitive activities. This sounds pretty good, but have we truly addressed the trust problem?

It occurred to me that bad things can (and do) happen at any time. When I’m out and about, I often move from one Wi-Fi to another and not all are safe. I sometimes discover a cool new app to install. I check my email and browse the internet and click on things while I’m working. All of these are activities that anyone in the security business will tell you are potentially risky, and any one or more of them could add risk to me as a consumer of corporate material. Then I asked myself how often I authenticate into the many systems I rely on to do my work. For many of them, it’s only once a day.

That’s when I realized that one-and-done authorization violates the very principle of Zero Trust everyone now believes in. In the same way that one authentication into the castle perimeter exposed far too much to every user, one authentication into an app then leaves that app exposed and potentially vulnerable for the entire duration of the requester’s access. Trust established at a single point in time does not guarantee enduring trustworthiness.

The logical conclusion is that in order for a Zero Trust solution to be effective in its execution, it not only must establish trust at the beginning of each request, it must continuously verify that the request remains trustworthy throughout the entirety of the transaction. Only then will we have truly lived up to the Zero Trust principle.

So, what would such a solution look like and how would it work? In order for continuous authorization to work in practice, two things are required:

  1. Continuous Quantified Trust – Constant, thorough analysis of the trustworthiness of the user and their device.
  2. Instant Access Control – The ability to instantly revoke access if trustworthiness falls, and instantly re-grant access if trustworthiness rises sufficiently.

These are clearly more than mere features of a Zero Trust solution – they rely on an architecture that supports broad integrations and the ability to respond in real time. Let’s take a look at each of these in more detail.

Continuous Quantified Trust 

When I think of trustworthiness, it occurs to me that in no situation is trust truly a binary decision. A person gradually earns trust with their peers over time, earning greater amounts of trust as there are more data points that support trusting that person. In the IT world, users also establish various levels of trust through multiple points of verification. For example, entering the correct credentials may set one on the path toward trustworthiness, but most IT security experts agree that that level of trust is simply too low. So, we add additional factors (MFA anyone?) to attempt to elevate the trustworthiness until we are satisfied that the trust is high enough to grant access.

If we were to add a bit of rigor to this process, we could say that we are calculating a Trust Score. We could even decide that a minimum score is required prior to granting access to certain resources. Let’s say that we agree that a higher trust score would be required to access the company’s financial records than would be required to access the corporate cafeteria menu. Just because we don’t trust someone with our most sensitive records, doesn’t mean we need to starve them. Trust is not binary.

Clearly, we want to be thorough in our measurement of trust for sensitive material, and that means verifying that the user is truly who they say they are and the device they are using is authorized and proven to be low risk. Fortunately, most organizations have already implemented a variety of solutions to help with this, and we simply need to tap into those sources so they can all contribute to this calculation of a Trust Score. For most organizations, these tools generally operate in silos, at the most sharing information with a SIEM system. Wouldn’t it be great if we could leverage all of these user and device security tools as data points in a trustworthiness calculation? If we were really clever, we would also figure out additional indicators, like evaluating for recognized patterns of behavior and other circumstantial evidence of trustworthiness.

Zero Trust solutions typically leverage an identity solution as the starting point, but often don’t go any farther. I think it is important to not only identify the person, but also verify that their behavior, location, time and frequency of access, and many other factors are taken into account as well. Next, just like identity, even the Zero Trust solutions that mention Device Trust simply don’t take it far enough with real-time integrations with solutions that are already functioning in most organizations. To establish the best measure of trust, we have the opportunity, and even the obligation, to evaluate not simply the measurable attributes of identity and device, but also the activity, behaviors and transitory characteristics of both. The graphic below shows sample solution categories that may contribute to the Trust Score. Additional logic, including artificial intelligence could further enhance the accuracy of the Trust Score.

TrustScore

So, the first of the two requirements is this ability to collect and continuously evaluate all of the best telemetry from the available solutions in the organization, in real time. That way, we will know the instant something bad happens by observing a reduction in the trust score. Now, if we could only take appropriate action based on that score.  That is where the Instant Access Control piece comes into play.  

Instant Access Control

Zero Trust solutions already have the ability to mask corporate resources and only grant access once trust has been established, whatever ‘trust’ may mean for each solution. Having the ability to revoke that access at a moment’s notice is another thing entirely. There must be a continuous connection with the Trust Score engine and the policy engine, and this access control tier has to be able to reestablish that cloaked state the instant the trust score falls below the threshold for that resource.

This is clearly the simpler element in the equation relative to the Trust Score. However, there can be some intelligence built in that takes into account the score required for the particular resource being masked. If a reverse proxy is used for this purpose, it can also serve to add additional functions like load balancing and DoS protection. If cryptography is used in the form of a ‘trust token’, then additional characteristics and variables may be embedded to add more intelligence to the decision making, and may even be able to store state in the case of a partial system failure.

Visibility and Self Remediation

One of the biggest complaints I often hear about secure remote access is how much IT resource can be consumed just in support tickets, whether it be users unable to gain access, or they’ve lost access and want it back, or they need access to something they didn’t previously have access to. It occurs to me that this Trust Score could be incredibly useful in reducing that IT burden, if we simply make the score visible to the end user.

Let’s say that we make the score visible on the end-user’s device and include a list of the primary factors that are considered in calculating that score, for example whether the device is running a recent version of the operating system, is using disk encryption, has the required anti-virus programs running, etc., etc. If that user should lose access to a resource they had been using, they would be able to easily see that their score went down and identify which factor or factors are contributing to that decline. In many cases, since it is likely due to something the user just did, like joining an insecure Wi-Fi, or installing malware, they would be able to take corrective action, like disconnecting from the bad Wi-Fi or removing the app.

The same system that detected the reduced Trust Score and revoked access would just as quickly detect that the Trust Score went back up and could reinstate access without any demand from an already overburdened IT department. Users can be in charge of their own security at that point and are now able to remain productive more often, all on their own. In fact, the users may end up better educated on risky behaviors and act in a more secure manner in the future. That’s a win for everybody.

In Conclusion…

Zero Trust is just a concept, not a product. But it is the right way to think about security in the modern world of flexible workstyles and crumbling perimeters. Based on my studies, if we are to truly benefit from what Zero Trust has to teach us, the principles must be applied thoroughly and continuously. Otherwise, we may be fooling ourselves that our sensitive corporate resources are well protected, when in fact we’ve only secured them for a single moment in time.

As you evaluate Zero Trust solutions to provide secure access for all of your remote workers, be sure the architecture supports broad integrations with all of your identity and endpoint security products. Be sure as many attributes and activities as possible are measured to establish a sufficiently high degree of trustworthiness. And, finally, be sure that the solution has Continuous Authorization, because bad things can happen at any time.

Learn more about Banyan Secure Remote Access or request a free trial.

This blog originally posted here – https://banyansecurity.io/blog/zero-trust-is-incomplete-without-continuous-authorization

Posted in All | Leave a comment

The COVID-19 Quarantine Is Exposing The Challenges Of VPN-dependent Remote Access

Posted on May 7, 2020 by Brian Duckering

User frustration and productivity loss should be a wake-up call as we accelerate the long-evolving trend toward the borderless enterprise.

Is the current COVID-19 pandemic, and the resulting shelter-in-place response, really changing the way you think about securing your organization and its sensitive digital assets?  If it is, you really haven’t been paying attention. Zero Trust was rapidly becoming the hot topic of enterprise security even prior to the pandemic, yet the concept was evolving as far back as the early 2000s and the term was coined in 2010. The idea that our enterprises are losing their borders became a major topic in security circles no later than 2012 when Eric Lundquist of InformationWeek started a dialog on that subject leading into RSAC that year. And somewhere in the middle of all that, Google doubled down on the concept in response to a 2009 breach by developing and implementing an elegant implementation of the zero trust concept they called BeyondCorp. Now that we have moved from about 40% of corporate workers operating remotely at least once a week to 90% or more working remotely every day, many organizations are seeing their VPN infrastructures increasingly overwhelmed, hacked and maligned. It’s clearly time to move past the academic discussions and take action – but not everyone agrees on what that action should be.

Let’s review the basic objective of every IT organization in every business in the world – a worker needs access to a resource to do their job. In the modern world, this is an employee, contractor or partner using a computing device to traverse an unpredictable network path to access the required app, system or service. The principle of zero trust says that we cannot take for granted anything about that transaction and shouldn’t grant access unless we can verify the user is who they say they are, they are using a low-risk device, and the communication is encrypted. Since we cannot assume where the user is and there is no such thing as a trusted network, the controls must be as close to the resource as possible, ideally owned and managed by the organization themselves. Now we just need a platform that can establish the security and validity of each request prior to granting access to that resource. It really should be that simple! A good platform will have the ability to collect a broad range of security telemetry from a variety of pre-existing security products (yes, you should keep and leverage your current investments) in order to develop a contextual model for every access and measure that against a set of well-crafted policies – specifically Principle of Least Privilege policies.

The Principle of Least Privilege (PoLP) has been around far longer than the other concepts we’ve discussed, dating back to at least 1970, when the Information Security Office of Fairfax County in Virginia described “providing only the access necessary to perform assigned duties … to ensure the confidentiality, integrity, and availability of … information systems and data.” Note that although the referenced document has been updated many times since, it retains that exact wording today. Unfortunately, role-based access controls (RBAC) have been adopted broadly by organizations as a way to simplify the assigning of privileges. With the dynamic nature of users and environments, the exponential growth of privileges assigned to users, and the high likelihood that one of those credentials has already compromised, it would be prudent to limit access to only what is needed in the full context of the request.

Amazingly, many organizations today still grant these incredibly broad access privileges to workers based on only a single factor. A worker sitting in a corporate office behind the corporate firewall (albeit a rarity today) is trusted, while the worker outside that perimeter is not. Are you using a corporate-issued device? That alone may grant you many privileges that a BYO device would not. How about corporate credentials? Simply appearing to be the person who owns those credentials will allow you to access anything that person would, even if the login comes from an unexpected location or demonstrates an unusual pattern of behavior. Perhaps the worst offender of all is the dreaded VPN. Obtaining access through a VPN is like winning an all-access pass to your favorite theme park. It doesn’t matter who you really are, and you can stay as long as you like, wreaking as much havoc on the poor victim organization as you like. Enjoy! Unfortunately, this VPN problem has gotten even worse since the pandemic stay-at-home order, and not just for the usual scalability and usability reasons. Hackers are taking advantage of the increased dependence on VPNs by finding many new vulnerabilities in these systems. Microsoft is warning hospitals of this increased threat, InfoSecurity Magazine identified a list of new VPN concerns, and the Chinese government is now being attacked through their VPNs. These are just a few indications of a collapsing remote access strategy.

Fortunately, many are coming around to the common sense of a simpler and more robust approach to security that can deliver during pandemics and beyond. But there is much confusion about what it all means and how to go about it. Part of the problem is that zero trust is a concept, not a product, and many, many security vendors have added it to their marketing material. Surprisingly some of the loudest voices are network vendors, which is peculiar since Google’s elegant BeyondCorp approach to the zero trust strategy specifically identifies the network as irrelevant.  Mostly, this means that their solution adheres to or supports the concept, which is great because this means that security admins have great options to solve their various security problems going forward. But the essence of a true zero trust solution is a platform that delivers three specific capabilities:

  1. Establishes access control points to individual resources as close as possible to each resource, ideally without interfering with the most direct and efficient path from worker to resource
  2. Gathers security telemetry from a broad set of third-party security solutions to develop a trust profile for each access request, based on multiple risk factors and behavioral context
  3. Uses granular policy control to dynamically grant or deny access to each resource in real time, based on continuous contextual analysis and PoLP.

As you continue to explore this topic, keep watching this space for additional insights.  Additionally, I recommend this piece by Garrett Bekker of 451 Research and anything by Chase Cunningham. Gartner has also written extensively on this movement, including many reports that discuss ZTNA (zero trust network access) such as How to Make Cloud More Secure Than Your Own Data Center and The Future of Network Security Is in the Cloud (which also has a timely Chinese Summary Translation).

Once we get past the current limitations of COVID-19, do I think things will return to the way they were before?  I highly doubt it. Work-from-home rates have already doubled over the last decade, and this experience has surely pushed that curve even steeper.  While this experience undoubtedly hurt productivity for some, many companies and individuals have discovered the benefits of more flexible work hours and completely eliminating their commute. For many, this could become the new normal. All the more reason for IT organizations to get secure remote access right as soon as possible.

 

This blog was originally posted here – https://blog.banyansecurity.io/blog/the-covid-19-quarantine-is-exposing-the-challenges-of-vpn-dependent-remote-access

Posted in All | Leave a comment

3 Simple Steps To Be A Great Manager

Posted on September 30, 2015 by Brian Duckering

Most managers did not become managers because they completed a course in management or passed some test certifying them capable of managing others. There are courses, and even degrees, in management, but most managers first find themselves managing others without much instruction or guidance. So it should not be surprising that complaints of bad managers are so prevalent.

Left to themselves, most managers focus on what they think are the basics – how to set priorities, hold meetings, keep people accountable and dozens of other things that seem directly related to accomplishing tasks. As managers of people, it seems far too easy and common to focus on process over people, or worse, to put more effort into getting your team to do stuff for you and less effort understanding what motivates them to do their best work.

I believe that many managers simply have their own job description completely backward. They think, “There is a lot for me to do, so I have a team to help me get it done.” I think of my job as a manager in a completely different way, and each time I start in a new job, I inform my team of this philosophy.

I tell my team that they are not here to help me – I am here to help them. I tell them that they each have jobs that are important to achieving the vision of this company, and that I am here to help them to do their jobs better and more efficiently. To that end, these are the three things I have found that consistently create the happiest and most productive teams, with the best employee retention.

  1. Help them to be better – Everyone comes into a job with skills; they wouldn’t have been hired if they didn’t. But learning doesn’t stop just because you are no longer in school. Everyone wants to continue to get better at what they do, either for the pure satisfaction of accomplishment, or so they will eventually be considered for a higher level job and earn more money. Usually it’s both. I always make sure that there are opportunities to learn how to do their job better, either by teaching them myself, or by making classes and other educational opportunities available to them. For many, there are different facets of the job, and I find it valuable to learn about their interests and where they want to go in their career, so that I can help them to grow in the right areas, for their goals as well as mine.
  2. Remove obstacles – It doesn’t matter what size company you work in, there is always some level of bureaucracy, some cross-department communication challenge, or some other roadblock to getting things done. The more time your team can spend getting real work done and the less time they have to fight the system or wait for information, the happier and more productive they will be. As their manager, you are in an excellent position to make that happen. You can talk to your counterpart in another department to facilitate a conversation, reset priorities, and extract the information or resources required for your team to move on with their work more easily than they can. They will thank you for this.
  3. Praise them publicly – Everyone seeks approval or validation in one form or another. They want to know that somebody noticed what they did, and that their effort made a difference. It is too easy to just check an item off a list and move on to the next thing without a peep. You may already be praising individuals in your team meetings, but public praising goes beyond that. Tell the whole company if you can. There are two great benefits to public praise. First, the individual gets broader recognition, which reliably makes them feel better about their job and encourages them to continue to work hard (or even harder). Second, the rest of the company sees that your team is a high functioning team that gets things done. Without this, other departments may not even know what your team does. And by getting recognition for your team, there is a halo effect that makes you look good too, even if none of the praise is attributed directly to you.

When a manager works for their team and helps them shine, there are plenty of rewards to go around. The team is happier, they get better at their jobs, they are more productive, and they know that work is a place where they are appreciated. As a manager putting these tips into practice, you will also start to see greater recognition and appreciation of your own work, even if your own boss hasn’t yet learned these three steps.

Originally posted on LinkedIn Pulse: https://www.linkedin.com/pulse/3-easy-steps-great-manager-brian-duckering

Posted in Leadership | Tagged , | Leave a comment

EMM and EFSS Should Work Together

Posted on July 22, 2015 by Brian Duckering

Enterprises interested in supporting a mobile workforce figured out a while ago that they needed Enterprise Mobility Management (EMM), even if it wasn’t always called that, and they didn’t really know precisely what they needed at the time. But they needed something. As the evolution and adoption of EMM has increased, so has the realization that it is not enough. The first goal of EMM was security, the second productivity. This is why stand-alone MDM failed – all security, no productivity.

Where are the files?

Aside from reading and responding to corporate email, most productivity requires access to documents – reading, editing, sharing, etc. And enterprises are still figuring out where is the right place for those documents. For security sake, many businesses, especially those in regulated industries, are inclined to leave them right where they are, inside the firewall in traditional and dependable file shares, like SharePoint and a multitude of Windows File Shares. Others, often with some trepidation, are moving into the cloud or to some alternate on-premises solution. No sane IT administrator looks forward to a data migration project; they are long, expensive, complicated, and nobody looks forward to re-training users. So why do they do it.

What is the role of EFSS?

Enterprise File Sync and Share (EFSS) offers improved access to files from any device, including mobile devices, with different solutions offering different pros and cons. But it is essential for users to have universal access to ALL documents, regardless of where they are, and it is essential to IT that this access be controlled by an EMM solution and not by randomly by the individual. EMM solutions rely on a managed ecosystem in order to have the proper visibility and control over user activities. But participation is still inconsistent, and certainly not universal. For example, XenMobile users can work with Box in the Worx environment, but will have to go outside of XenMobile if they use Office 365 because Office 365 is not part of the Worx Verified program. This diversity of solutions and lack of universal adoption across all EFSS and ALL EMM introduces unnecessary complications for both users and IT.

Integrate, Unify, Simplify

A better approach, especially for those with files in multiple locations, is to work with a virtual file manager that aggregates access to all EFSS solutions AND works with all major EMM solutions. Then users will have simple and secure access to any file in any system, and all transactions remain within the control and visibility of the company’s EMM.

Unifyle is the only such solution that I am aware of today. Unifyle is partnered with Citrix (XenMobile), VMware (AirWatch), Symantec (Sealed), CA EMM and MobileIron. Add to that a multitude of connectors for both enterprise file shares and cloud-based file storage solutions, and there is no reason for any user to access any file that isn’t accessed within the safe confines of their EMM solution.

And perhaps the best part for all involved is that everyone’s files can remain right where they are today. There may be other reasons to move files around. But secure mobile file access should not require a file migration project.

This blog is also posted here:  primadesk.wordpress.com

Posted in Uncategorized | Tagged , , | Leave a comment

EFSS Should Be Secure, Not Just Convenient

Posted on July 13, 2015 by Brian Duckering

Unifyle has already proven its mettle for convenience, being the only Enterprise File Sync and Share solution that gives you all of the benefits without migrating any files, and unifies access to everything in a single dashboard, on your mobile device or in your browser.

Data security is also of paramount importance, regardless of where your files are. No one questions that encryption is the way to secure files at rest, and we are starting to hear of some of the cloud providers offering encryption. Box, for example, is now offering companies the ability to encrypt files using their own keys. This is smart for security, but kills some of the functionality normally provided by Box, like SEARCH, because Box can no longer read and work with the files. Plus, each provider will eventually have their own strategy for encryption, leading to a potential nightmare of key management and logistics.

Consolidating security offers similar benefits for security as consolidating access offers for productivity. If all of the functionality, like search, share, edit, etc. are all consolidated in the same location as encryption, your files can be secure without losing any convenience or productivity. One dashboard will hold the key (on-premises) and also provide unified search, secure sharing (even shared files can remain encrypted), and access to local editing.

Unifyle offers customers the ability to add encryption to ANY connected file source, and still give full functionality. Admins can use the same approach to encrypt any or all file sources with just a switch, completely independent of the storage location. Direct access to the cloud service will show only unreadable files. Using existing encryption solutions from Symantec and others, or Unifyle’s built-in encryption, customers have both flexibility and ease of management.

And if IT managers really want to get crazy with security, Unifyle makes adding anti-virus just as easy.

This blog is also posted here:  primadesk.wordpress.com

Posted in Uncategorized | Tagged , , , | Leave a comment

Working with files should be easy – even when mobile

Posted on June 18, 2015 by Brian Duckering

Like everyone else in business, I just want things to work, including when I’m on my tablet or phone. Recent evolutions have helped by bringing us mobile business apps for just about anything you may want to do. And when there aren’t mobile apps, we can easily tap into some VDI or XenApp environment to get the functionality we need. But here’s the problem…

I can’t get my files in and out of the apps!

I still have to jump through way too many hoops to get my files into those apps, work with them, and then get them back where they belong. At work, my files are in SharePoint and various Windows file shares – completely out of reach when I’m mobile. So I do what most of us do, copy the files I need into my personal Dropbox account so I can get the files where I need them to be productive. Of course I then have to reverse the process to put them back, having already violated all of the data safety policies of my company. Files seem to be the final frontier for business mobility.

Many businesses are looking to migrate their data to the cloud (those that can even seriously consider the option), in hopes of solving these access and productivity issues. But nobody I know is excited about the process, the cost, the time, or the lost productivity of such major migrations.

Fortunately, there is now a way for these companies to skip the migration and headache, and it works for companies that can’t even consider the cloud as well.

Unifyle is a relatively new product that finally takes this challenge head on. Here is the basic idea:

  1. Leave all of your files where they are.
  2. Install some software in your datacenter (100% on-premises).
  3. Tell users about the new secure, mobile-friendly portal for all files.

It takes less than an hour to install and configure, giving users mobile and PC access to all enterprise and authorized cloud file sources. Now who wouldn’t want to invest an hour to solve the last biggest challenge to enterprise mobility if they knew about it? I can’t think of anybody either.

This blog is also posted here:  primadesk.wordpress.com

Posted in Uncategorized | Tagged | Leave a comment

Is Consumerization of IT Believable?

Posted on February 4, 2015 by Brian Duckering

Enterprise IT projects are easy to spot. They are the ones that take weeks and months to complete.  And yet they may never truly be complete – because enterprise IT is necessarily complex. As an IT admin, I know it’s always been that way and always will be.  Right?

Consumer projects, on the other hand, have to be simple enough and fast enough that almost anyone can get it done without getting frustrated and giving up after an hour of struggle.  Even the consumer “experts” have had to get their times down. An Xfinity system installation or upgrade used to waste 2 to 3 hours, but surprisingly is now generally done in half an hour.  As a consumer, I just won’t stand for it and consumer providers have adapted.

So why doesn’t enterprise IT have the same expectations? Technology continues to enable simpler products and services that don’t compromise on functionality. But IT admins are skeptical and slow to expect things in the enterprise to work as they do in our personal lives. Will they keep accepting the status quo, and thus slow the adoption of simpler products?  Or will they believe, and by believing speed the evolution of IT consumerization.

Unifyle is one of the companies committed to bringing the consumer experience to the enterprise with their simple, secure and easy-to-install software.  They are determined to change the perception of what enterprise IT can and should expect from their providers, and are even offering a challenge to IT admins to prove it.

Unifyle brings consumerization to enterprise file shares and other storage services by converting them to a consumer model, like Dropbox or Box.  People can share files directly from file shares without spreading uncontrolled copies everywhere, they can access and edit files using mobile devices, and they can find files almost anywhere with a single search.  Basically, the enterprise can have the flexibility and convenience that consumers already enjoy, but with enterprise controls and security.

This blog entry is also posted here:  primadesk.wordpress.com

Posted in Uncategorized | Leave a comment

Tablets Will Cross the Tipping Point to become Serious Business Tools in 2014

Posted on January 22, 2014 by Brian Duckering

Compared to PCs, tablets have faced severe limitations as a primary productivity tool for business. In fact, tablets have historically provided only a small fraction of the functionality businesses count on from desktop PCs and laptops.

That will change in 2014 as tablets further infiltrate the business workforce. This change won’t stem from an influx of new and exciting capabilities from the tablets themselves however. Outside of slimming down, and improved touch-screen capabilities, tablet functionality growth has been minor. They are still easy-to-use, super portable and provide quick access to a variety of apps.  But we need to look elsewhere for an increase in business aptitude.

Tablets will become serious business tools when they more closely replicate the functionality of a Windows laptop, with a good experience. This means being able to run the many Windows applications that businesses rely on every day.  The problem with tablets is that they have been limited to running tablet apps, and slimmed down versions of “office” apps created for tablets have not yet measured up to the full, rich experience of PCs users rely on for core productivity.  And forget about all those 3rd party and custom apps unless you are willing and able to invest in significant mobile app development. Desktop virtualization solutions that present a remote Windows desktop on the tablet can be miserable to use because Windows was designed for a mouse, keyboard and a large display, not a 10-inch touch device.

So what will change in 2014 to push tablets over the tipping point into substantial and relevant business tools? The concept of a workspace, the sum of individual apps and files needed for a user to be productive, independent of a Windows desktop, is gaining traction and getting a lot more attention.  It’s not a new concept, but in 2014 workspace technologies should evolve sufficiently to bring the apps that businesses need to the tablets that users want to use, without sacrificing the rich capabilities essential to core productivity. Virtualizing the workspace is becoming a key tool in the IT arsenal for reducing the cost of managing and maintaining desktops. But perhaps more importantly, these technologies are providing IT with the tools necessary to allow users to be productive in all of the new ways they are insisting on working, including on tablets.

And speaking of IT, it often won’t be IT driving tablet use, but the business leaders themselves. Using tablets as a primary business function can allow greater flexibility for workers to be more productive in more places, but may also create a better experience for customers and provide competitive advantages through new business models. For example, why collect customer information on site and return days later with a proposal when options and configurations can be explored with direct customer input and real time feedback on a tablet?

But don’t take my word for it. Forrester believes enterprise use of tablets will rise significantly in the coming years, predicting 18 percent of tablet sales to come from businesses. Another forecast from Forrester puts total tablet sales in 2017 at 381 million units, up from 186 sold in 2013.

Also posted on NComputing blog here:  http://www.ncomputing.com/node/6703

Posted in All, Mobility, Technology | Tagged , , | Leave a comment

BYOD is a red herring!

Posted on August 2, 2013 by Brian Duckering

Vendors plaster it all over their websites, touting how they solve the BYOD problem better than the next vendor.  If you put BYOD in the title of your webcast, show session, white paper, or anything else, you are sure to get lots of interest and more hits than one without the BYOD distinction.  But what is it about user-owned devices that is causing such angst that it gets this much attention and so much discussion?

Do companies need to have a BYOD program, or just a mobile program?  Does BYOD make management and security much more difficult, or is it the devices themselves and how they are used that makes these tasks challenging.  All of this talk of BYOD makes it sound like users purchasing their own devices and bringing them into work is a completely different challenge from corporate provided devices.  IT’S NOT!

I will concede that there are some important legal and potentially financial considerations around who owns the device that is used for business, especially in regulated industries.  But the vast majority of BYOD conversations are about management of the device, security of the data, and most importantly the user experience.  And there, it makes no difference.  It makes no difference because we no longer have business mobile devices and consumer mobile devices – they are all consumer devices now.

Blackberry once introduced legitimate business devices that were designed to specifically serve the needs of businesses and NOT the needs of consumers.  A consumer-purchased Blackberry, once connected to a corporate BES server, was not a new and baffling challenge to IT.  It wasn’t until users started bringing iOS and Android devices into the work environment that the BYOD horrors began.  But BYOD is a distinction of who purchased the device, as if it really matters who the owner is.  That is not where the problem exists.  Any company that provides iOS and Android devices has exactly the same challenges, even though they made the purchase.  So let’s get over BYOD and just solve the MOBILE challenges.

It is the impact on user experience that has caused companies such a hard time with the so-called BYOD problem.  In a sincere attempt to protect mobile data, IT applies policies, and those policies have a negative impact on the user experience.  Different technologies and approaches have different levels of impact and should be considered carefully before implementation.  But, so far there is not a zero impact way to protect mobile data.  We’re still waiting for the killer technology that completely negates the need to care what devices and apps are used, and only controls the data that needs protecting, with a transparent user identity check.

What about all of the personal stuff on BYOD devices?  Some claim that the BYOD challenge is largely about all of the personal stuff on the device that the company doesn’t want to touch, doesn’t want on their networks, and doesn’t want liability for.  Guess what.  Company provided devices often wind up with just as much personal stuff as their personally owned counterparts.  The user’s expectations of privacy and retention of their personal mobile assets may certainly be higher on their own devices than those corporate devices where personal use is a luxury and convenience.  But, again, the issues are the same for corporate IT, as many recent lawsuits over lost personal pictures and private data will attest.

The problem commonly referred to as BYOD, is really a problem of user expectations and consumer-type devices (and consumer apps) being used in a business setting.  That is the challenge before us.  There are some valiant efforts by all of the vendors moving us closer to solving these issues in better ways.  But let’s not kid ourselves about what the real problem is.  Either buy devices for your users, or let them buy the devices themselves, according to the regulatory, legal or financial requirements of your business.  Then forget who owns them as you go about solving the real problems of mobile productivity.

Just don’t be distracted by who owns the device.

Posted in Mobility, Technology | Tagged , , | 2 Comments

Users have made their move – now it’s your turn IT

Posted on July 17, 2013 by Brian Duckering

For users of mobile technology, the decision has been made, and they are happy.  Users are eagerly buying up the gadgets of their choice to use for personal productivity and entertainment.  Now they can keep in contact with their family and friends, manage their personal finances, have a fitness coach in their pocket, etc. at all times and anywhere they go.  There is no need to be chained to a particular device or a particular location ever again.  There is tremendous flexibility, productivity and connectedness available through these ingenious devices.

The choices users make for their own personal lives rarely have anything to do with expectations or abilities in their professional lives.  But 0h, they would certainly like the enormous personal benefits they have found to extend into the work environment.  And why not?  It’s email, and file sharing, and collaboration, and content creation, and data manipulation – all the same stuff that goes on at work.  This is not the first time in history that consumers have found themselves ahead of their employers on the technology curve.  Oh, right – it’s almost always been that way.  But in the past, there were two worlds.  We would leave our personal lives behind when we went into the office.  We would give up all of the technology advantages we had at home to come into an office that was often 5 to 10 years behind.  That’s just the way it was.  But we got our jobs done on the equipment that was provided, and then went home to our families, leaving that world behind.

The difference this time around is that the two worlds are colliding. Almost as soon as we got these smartphones and tablets, we started also using them for work, connecting to office networks, collecting and sending work emails, and sharing our work with colleagues in the cloud.  And we don’t even have to go into the office to get things done.  Productivity is soaring.  Life just couldn’t get any better than this.

Users have made their move – now it’s your turn IT.

The first action that many IT organizations took was to attempt to lock out these menacing and dangerous rogue devices, as best they could.  After all, they have a duty to provide for the security of their business data and networks.  These methods didn’t always work that well because, after all, these are new devices and the tools and methods to deal with unmanaged mobile devices still haven’t evolved very far.  In fact, many businesses have found that attempting to block users from their new-found productivity ends up backfiring.  Remember this, IT:  if you interfere with the user experience, they will go around you.  This often results in even more risky behavior, as users have to go farther around IT to get their jobs done.  This includes using consumer apps and consumer-oriented cloud services that were never intended to have enterprise-level access controls and protections.  Keep in mind that the users are not the enemy – they are just trying to get their jobs done.

Happily there is progress.  There is a growing acknowledgement in the IT community that their role in this new world is different that in the old.  IT must be ENABLERS of productivity in addition to their traditional role as protectors of intellectual property.  Moreover, IT doesn’t get to make all of the decisions any longer.  The users have chosen, and they aren’t going to go back.

So what is IT to do?  There are regulations to comply with; there are existing policies and procedures that must be adapted; there are CEOs with iPads that must be dealt with.  Fortunately, most in IT want to do the right thing – to be enablers.  But they are challenged with immature technologies for mobile management and security, and no clear mandate on mobile strategies.  The progression of mobile technology has been fast in a historical context, but feels like molasses relative to the insane rate of mobile adoption.  MDM was initially exciting, until we discovered that it didn’t actually do much to protect company data, and tended to upset the users when any policies were applied.  MAM (including app wrapping and API methods) definitely does more to address the data leakage issues on mobile devices, without upsetting users, but the technologies are still fairly immature and most of the third party apps we rely on are not available in this form yet.  MCM (content) has promise too, but we’re even less sure of what that may look like, as each vendor has completely different ideas of what this even means.  Ultimately, IT really just wants to be able to protect their data and not worry about devices and apps and such.  Strong authentication access control to data, plus encryption when stored or transmitted, independent of device, app or location is really all we need.  But nobody can offer that today.

So I believe that many in the IT community now want to be enablers and know what they want their next move to be around mobility.  But their options are limited and the vendors offer few options today.  Some are just waiting.  But doing something may be far better than doing nothing, even if it is not ideal.  Giving users an approved path to use their mobile devices is a good first step to avoid anarchy, which is far more dangerous.  Also, multiple surveys show that businesses that have adopted mobility are seeing greater productivity, competitiveness, and even profit compared to those that do not.  So time is of the essence.  Taking a pass right now is not a good strategy.  So do something, even if it doesn’t address all concerns.

The users have made their move – now it’s your turn IT.

Posted in Mobility, Technology | Tagged , , , | Leave a comment