Mobile document and data security: avoiding the Big Work-Around

A week or two back, the Ponemon Institute released some survey data about just how frequently employees in large enterprises are using external, cloud-based services to store and send critical data.

The answer?  Quite a lot.

Penny Crossman of American Banker termed the usage of these services a “huge security hole” in her article on the survey (with the slightly unsettling headline: “Are your bank’s secrets floating in the cloud?”).

After BYOD comes…BYOA

Some folks are calling this the “BYOA” era.  You see, first there was BYOD – Bring Your Own Device.  The logical follow-on is that employees then start using those personal mobile devices to access non-approved -- or at least non-managed -- applications (that’s the “A” in BYOA).  These could be services like Dropbox, Evernote, and Yousendit!, which they’ve downloaded onto their device or can access in the cloud.

In describing this BYOA trend in a Forbes article, Matt McIlwain of Madrona Venture Group saw this as a great way for small start-ups – the ones selling these applications – to get a foothold in the enterprise by finding a balance being “alluring to individual users and small teams” while making themselves “palatable to IT departments.”

While McIlwain thinks these innovative apps that are capturing the attention of users will usher in an era of greater transparency for IT, folks responding to the Ponemon survey I mentioned earlier see it as a big problem.

"These file sharing and file transfer technologies are very convenient," says Larry Ponemon, chairman of the research group. "The take-up rate of these technologies in the workplace is enormous.”

However, Ponemon cautions, “a lot of company confidential information exists in documents — PowerPoints, Word documents, email and such. If you're a cybercriminal, that's where you're going to find the company's crown jewels."

Nobody makes sure employee work-arounds are secure

Some companies are practically forcing their employees to use such services because they don't provide remote access to documents that their staff needs when they're traveling or working from home or a remote office.  Faced with a brick wall, employees who just want to get their work done will find a work-around.  Those work-arounds often become a big part of their day-to-day processes.

With sensitive corporate data involved, what seems like an insignificant compromise becomes the Big Work-Around -- a serious deal.  By definition, nobody’s in charge of making sure those Big Work-Arounds are secure.

There's a war going on around document and data security, says Ponemon. "You are constantly battling the issue of convenience," he says. "The traditional security model is, we'll just turn it off. What we've seen over the last 20 years or more is a move to empowering the end user through things like cloud computing, virtualization, remote devices and the ability to do your work from remote locations. The issue is, can you create solutions that are convenient and allow the users to do the things they need to do? Security has a voice, but there's a bigger voice called productivity and profitability."

Exactly.  So, how do you strike the balance?

To me, it sounds like the description of a strong potential solution is in the problem statement:  give your employees a way to access documents when they’re using their mobile devices that passes the security sniff-test, but doesn’t require unnatural acts by the employee.

OK, but how?  I’ll give you the Framehawk suggestion for doing this as one potential solution:  don’t have employees pull the documents or data onto their devices at all.  Instead, leave everything behind the firewall, but enable very fast, very secure remote access.  It took a bit of product development investment on our part, but it’s working.

How customers are keeping data off the mobile device

In fact, we’re seeing some of the early customers of Framehawk do exactly this.  With Framehawk, they keep their applications and documents behind their firewall, even if their users are accessing them on a mobile device like an iPad or other tablet.  We create a disposable browser stack in our cloud.  Customers get trusted access to those browsers.  Our mobile-optimized protocol delivers only images from these browsers to the tablet, while handling high-speed, secure communications back and forth between the device and the employee’s documents or applications. Nothing is downloaded onto the edge device.

One Framehawk customer sees this as a great way to keep their field team’s mobile usage of salesforce.com in compliance with their security rules.  Their reps can interact with salesforce.com from their iPads, but none of the names, phone numbers, or other sensitive data from the application (or its reports) finds its way onto those devices.

Of course, one of the big potential stumbling blocks that you’d expect in a scenario like this where everything is remote is performance.  That’s a place where our communication protocol shines (thanks to a strong bit of NASA heritage).  The protocol doesn’t rely on TCP/IP (the wait times to make sure information arrived are just too long) and is optimized for mobile networks and the security requirements of enterprises.  Those design points mean this nothing-on-the-device architecture I described actually becomes feasible.

OK, enough of the infomercial.  The point is this: with BYOD comes a very real temptation to use un-secured apps.  Corporate data is at risk, even in corporate-approved applications like salesforce.com, when tablets are involved.  And IT must somehow deal with this.  And like, the Ponemon survey respondents, we think it’s a real issue.

So real, in fact, that we architected an enterprise-focused solution for it.  Ping us if you want to see a demo or start a more detailed discussion.

This post also appears on the Framehawk blog.

On the Surface, Microsoft has good news enterprise

There are plenty of reasons to question Microsoft’s move this week to launch a tablet – and to launch their Microsoft Surface tablet the way they did.  But likely enterprise interest is not one of them.

You could definitely question why they would decide to go against their normal ecosystem of partners – those who provide hardware while Microsoft provides the software.  You could also question whether they have the design point right (landscape, eh?).  And you certainly could nitpick about launching without a delivery date.  Or pricing.

However, as a device, the Surface looks intriguing.  And, a lot of the “typically Microsoft” approaches to lock customers in…er, keep customers coming back aren’t going to work this time around, given their lack of control in the cloud.

Analyst Dana Gardner has a good post on ZDNet about how he thinks some of this will play out. “Microsoft will try to keep this a Windows Everywhere world, but that won’t hold up,” said Gardner. “What makes mobility powerful is the escape from the platform, device, app shackle. Once information and process flow and agility are the paramount goals, those shackles can no longer bind.”

Another big deal with the delivery of the Microsoft Surface, that Dana also noted, is probably the most significant one:  enterprises are deeply wedded to Microsoft, its operating system, and its productivity tools.  We here at Framehawk see this every time we ask customers and potential customers what they want to use from their iPads.  Some very likely initial answers?  Outlook, PowerPoint, Word, and Excel.  SharePoint, too.  A tablet that helps you make the most of those previous investments is a big positive for the enterprise.

Gardner actually thinks the larger implications are pretty profound.  As he said in his post, “with Surface and the Windows PC-tablet hybrid it defines, Microsoft is showing a way to enterprise mobility.”

But will the Microsoft Surface be a winner? Pundits, as always, are mixed (there’s a good SF Chronicle summary here).  I saw comments about the Surface ranging from “rather fantastic” to “not a threat to Apple.” Farhad Manjoo from Slate.com was already “deeply smitten.”  And as Apple fan boys griped a bit about how Microsoft ripped off Apple, I was amused by the alternative view from Lucas Mearian in Computerworld: in fact, Microsoft came up with the tablet PC first (in 2002).  It’s just that nobody cared.

I’m not necessarily convinced that Surface will be a winner, but its appearance (whenever it actually happens) and any adoption it does get in the enterprise, adds to the diversity of devices that IT needs to think about.

A successful Microsoft Surface will increase the need to consider BYOD policies and strategies that are effective, regardless of which device an employee ends up bringing and using for work purposes.  iPads are dominant today.  Android is a player, though still small in the business world.  And, this new entrant from Microsoft will surface an increased need to be device agnostic.  For IT, that means it’s time to really focus on those BYOD issues – and to do so now to get ahead of the curve.

In the meantime, Stephen Vilke, our CTO at Framehawk, tweeted that he “can’t wait” to get his hands on Microsoft’s new tablet.  He expects it, plus Framehawk-delivered applications to be, in his words, “wow.”

And I agree with Jason Hiner of TechRepublic & CNET: “I'll say this about Microsoft Surface... the more I read, write, and think about it, the more genuinely curious I am to get my hands on it.”

I think that’s as good of a start as Microsoft could have asked for at this point.

This article is also posted on the Framehawk blog.

With tablets, do you 'pave the cow path' or rethink IT?

I just saw a nice think piece by Dion Hinchcliffe posted at ZDNet talking about the profound impact of tablets on IT. His premise is that these devices are so revolutionary that IT shouldn’t keep doing things the same way.

In fact, he believes that the rise of the tablet means that we actually can’t, even if we tried.

It’s an interesting thought, for sure. I think the real question that Hinchcliffe’s commentary brings up, though, is whether or not there’s room for doing something fundamentally different while also solving some immediate issues. For example? Like finding a way to make tablets immediately useful in an enterprise.

For starters: making enterprise IT “tablet-ready”

Hinchcliffe talks through the many ways that IT must think about making their capabilities “tablet ready,” especially since “employees are using their tablets for work now.” On the list: requiring a way to handle different OSes and devices, how to service-enable existing IT for tablets, demanding certain enterprise-class features like policy control over apps, cloud-resident data, and location-based services. Not to mention plans for which things to deliver using your inside IT staff v. outsourcing – and how you should take a very close look at security.

The list is definitely complicated and painful to implement. And the suggestions are similar to some we’ve mentioned in discussing BYOD issues we’ve discussed here previously.

Are incremental IT changes enough?

However, in thinking through all this, Hinchliffe comes to the conclusion that simply enabling tablets isn’t going to be enough. Instead of “paving the old cow path” that IT has already been following (I love his bucolic visual), tablets require us to rethink IT.

“Tablets are fundamentally different computing devices with entirely new capabilities,” says Hinhcliffe in his post. “To get the real competitive advantage of the next-generation of end-user computing will require rethinking how tablets and their innate capabilities and strengths can be used to transform business processes. Location-awareness, always-connectedness, augmented reality, pervasive video/audio, and more can create highly situational and context-aware apps that hold the potential to provide hard business benefits.”

All true statements. However, their truth doesn’t negate an immediate-term need that we here at Framehawk are seeing right now. That immediate need is all about enabling those employees that are indeed “using their tablets for work now.”

We have very forward-thinking customers like UBS that are building applications and an IT world that is all about mobility and tablets. But we also have talked to many, many others who need something much simpler. Something like: “I want my employees to be able to use our current apps from their iPad.”

It’s not as revolutionary, but hey, it’s useful.

A bit of a continuum

So it seems like there’s a continuum of mobile needs when it comes to enterprise applications. We’ve started to describe it as a bit of a mobile maturity curve (sounds like a great blog topic to come back to, in fact).

Step one is to get your folks the access they need to do their jobs, with the security and performance required, making use of their mobile devices. The next couple steps after that would include more native-influenced look, feel, and gestures for particular applications. And beyond that: more complex mash-ups as experience warrants – and business demands.

I’m betting that no matter how forward-thinking and revolutionary tablets should enable us to be, there’s a smart way to navigate through the normal incrementalism that comes with enterprise IT, while also preparing yourself for the brave new world where iPads and Android tablets are part of the every-day picture inside a major corporation.

The trick, then, is to find a “step one” approach that lets you also take a “step two” and a “step three” toward the world that Hinchcliffe is a proposing – one where tablets are the inspiration and driver for a new way of doing IT.

And to switch metaphors from cows to hawks for a moment, we think we’re a pretty good example of this. Our customers are beginning to use us as a way to take those incremental steps. We’ll share examples as more customers are able to talk publicly.

In the meantime, pay attention to where those IT cow paths lead: they’re the telltale signs of what’s useful today inside the enterprise. And they’re a great place to start.

This blog is also posted on the Framehawk blog.

BYOD risk management: a new extreme sport?

We’ve all been hearing dire warnings about the problems with a “bring your own device” policy in and around the halls of IT. You might get the impression that BYOD is a new extreme sport.  Or as scary as being handed the CEO job of the world’s #3 Internet search firm. In other words, you had better have a net and all sorts of safety gear. Or your resume up-to-date. (Ahem.)

In my view, the scariest part, however, is not the BYOD policy itself, but the extreme lengths that companies are going to make them possible. A couple examples:

I saw a recent Network World article that talked about how the CEO of Mimecast had his mobile phone “remote wiped” as a result of a BYOD policy he helped put in place. The story goes like this: while on a family vacation to South Africa, the CEO’s 5-year-old daughter tried entering the incorrect PIN code 5 times into his phone, and poof – the corporate-installed MDM software erased the content of his phone, including his vacation pics.

And if you think that was scary, this next one involves…lawyers. And risk management evaluations.

Ben Tomhave wrote up a piece for VentureBeat that said, essentially, “look before you leap” when implementing BYOD, and then gave some advice for how to do that. He listed 3 steps: conduct a comprehensive risk analysis, identify and communicate a legal strategy, and deploy mobile device management.

All of that adds up to quite a buzz kill.

Now, the good news is that people are so interested in bringing their favorite mobile devices to the workplace (or at least doing work on those devices), that enterprises feel they must go to some pretty impressive lengths to try to deal with it. But the question is: are such extreme measures really needed?

A look at the cold, hard facts might initially lead you to think so. I found this infographic from ESET, which rattles off some of the stats. There’s definitely a quantifiable problem, especially if, as they say, 81% of people use a personal electronic device for work-related functions. And nearly half of those let someone else use that same device.

Galen Gruman argued in InfoWorld that in The Case of the Remote-Wiped Vacation Photos and situations like it, companies have many other, less extreme options they could (and should) try first. I’m sure the same can be said of bringing in the lawyers and compliance teams.

You can deduce from my tone that I, too, believe these kinds of extreme measures are over the top. If you’re not careful with your approach, you’ll threaten to squeeze any financial benefit (and probably productivity) out of BYOD.

I think the risk must be solved for, just not in the traditional ways you might think – since those approaches are going to lead you to some of the aforementioned extreme solutions. As one of our field guys told me, “the knee-jerk reaction is to implement something really draconian, when the solution is far simpler.”

Being in a start-up is about delivering a new take on existing problems – going for the simple solution arrived at by looking at the problem from a different perspective. As you can probably guess, the Framehawk answer to BYOD is to take a look at long-held IT assumptions and rethink them. The goal: solve the enterprise’s risk problems while also supporting the user -- never forgetting why they wanted to bring their own device in the first place.

Hopefully we’re piquing your interest. There's more information here and yet to come on this blog.

Of course, if you really want to do things the hard way, you can always rent a helicopter, a parachute, and a snowboard.  Or, that Yahoo! CEO job might still be open…

This blog is also posted at the Framehawk blog.

Taking some steps out of stealth

I’ve been doing a lot of behind-the-scenes work over the past few months as my new company Framehawk has been preparing to come out of stealth.  That has meant the volume of posts here at Data Center Dialog has dropped off a bit, but that’s all about to change if things go as planned.

Last week’s Under the Radar conference was our first official Framehawk public event.  Our CEO, Peter Badger, was onstage for 6 minutes (14 minutes, if you include the Q&A) to explain who we are and what we do.  And the outcome was pretty encouraging:  we won the Audience Choice Award for the Mobile Access category.  (You can see video of his award-winning presentation -- and live demo -- here.)

That event also served as a bit of a milestone for us, marking our emergence from stealth.  We’ll still be very focused on the success of our early customers (like UBS), but we won’t be quite so secretive going forward. 

As a result, we’ve spiffed up our website a bit and even started our official company blog. Surprise, surprise: I’ll be one of the consistent contributors there.  I’ll be cross-posting appropriate content both there and here.

The first couple posts are already up over there:  one saying “hello world,” one talking about the Under the Radar conference itself, and another two (one by me, one by our CTO Stephen Vilke) starting to scratch the surface on the BYOD topic.  I’ll also continue to blog here on other cloud, IT ops, and data center topics not necessarily connected to Framehawk as appropriate (but isn’t all about mobility and cloud computing these days?).

Check us out over there, keep reading here, and let me know if you want to know more about what we’re doing at Framehawk.

The new iPad unboxed -- and already making an impact

For those of us working in the mobile space, Friday was one of those fun days. It’s the day that the new iPad, formerly informally known as the iPad 3, started arriving. That sent some people to their local Apple shrine, er, Store to get their hands on the newest tablet.

The true “in” crowd, however, had their orders placed the day of Apple’s announcement, and just needed to sit back and wait for the delivery guy.

Our CEO here at Framehawk, Peter Badger, of course was one of the early birds. His two new iPads arrived at his house early Friday morning. As I tweeted then, he interrupted our Friday morning staff meeting to live broadcast opening up his new gadget. We all oohed and aahed over the phone line.

So what is it like? Is it bigger and better than the iPad 2…or just better? Peter recorded The Great Unboxing, so see for yourself:

Questions about the new iPad

There are certainly a bunch of questions consumers have about the new device, like what’s that new HD screen like? But more to the point with our customers and prospects, how will this new tablet impact the enterprise?

MarketWatch writer Ben Pimentel asked Peter for his take on the new iPad and its implications for large IT organizations for an article that ran Friday. “Holy moly,” said Peter, “this is better than going from basic to HD cable.

“Adding that to 4G network availability is going to put a lot more pressure on enterprise to really get their act together and figure out a way to support iPads and other tablets in the workplace,” he continued. “They can’t afford to sit on their hands anymore. Their customers and employees are going to beat their door down with this latest device.” Ben also quoted my blog from earlier in the week about the enterprise impact and serious CIO interest.

But back to the device itself. As he was trying the new iPad out, Peter commented that “everything looks cleaner, sharper, more luscious. This latest device is just unbelievable. I didn’t think I needed the 3 upgrade until I started to use it.”

Anything negative? “I have to say,” said Peter, “the new iPad looks similar to my iPad 2.”

I guess by that he means that getting device-geek street cred will be more difficult. You see, given that it looks so physically similar, you’ll actually have to tell people that you have the new iPad.

But you’ll probably be doing that anyway.

The new iPad -- with an enterprise twist

Last week’s “new iPad” announcement elicited the breathless attention of the industry, as expected.

One angle that didn’t get too much play by Apple itself, however, was the impact of this new device on the IT departments in large enterprises. But fear not. Others noticed the oversight. For example, salesforce.com CEO Marc Benioff complained over Twitter that Apple missed a trick in not recounting the iPad’s in-roads in the enterprise. Last year’s iPad 2 launch, he tweeted “was enterprise friendly,” implying this one was, well, not.

In fact, many industry commentators took a shot at what Apple’s new announcement will mean for the enterprise. The sheer quantity of commentary tells me that the enterprise impact of this device, uncertain even 18 months ago, is pretty much guaranteed. The consumerization of IT is alive and well. Or at least it’s what people want to talk about.

Different ways that enterprises and iPads mix

The enterprise-related comments about the new iPad announcement fell into a few categories. First, they recounted where they thought enterprises were on the adoption curve of iPads -- and tablets in general. Second, they reviewed what the popularity of the iPad means to IT and the systems those folks must tirelessly maintain every day. Third, there were a few comments on how the enterprise might respond to all this. Here are some highlights I thought were worth repeating:

CIOs want to move to the tablet…now

Ted Schadler of Forrester believes things are moving aggressively, based on the 100 or so inquiries from CIOs he has taken in the past 6 months. So what has been the most common question they’ve asked? “How do I get business applications onto the tablet?” Our field folks here at Framehawk are hearing the same kinds of questions.

Ted also recounted all the business software that’s making a move to the iPad, though most of his examples are productivity-style apps that you’d find on a PC. The customers we are talking to are certainly interested in those, but they are also looking for ways to use the more business-critical applications with tablets as well.

“Post-PC”

Schadler also imagined a new question that the newest iPad will bring to the forefront: which employees get laptops instead of PCs? Eric Lai of SAP/Sybase called out the “post-PC-ness” of the new device in his CNET write-up. In fact, Wired called the “post-PC revolution” that Tim Cook talked about as “fighting words.” What does “post-PC” mean, specifically? Tim Carmody of Wired said it this way: it means that “computing time and attention [by consumers and the IT department, frankly] shifts to phones and tablets and television screens, among others. And the traditional PC becomes a more specialized device for particular tasks.”

The new iPad’s improvements will impact existing IT systems

But even before that shift happens, there's a chance that everyone in the enterprise is going to feel the impact of the new iPad -- and not in a good way. A Computerworld story by Matt Hamblen noted that people bringing the new iPad to the office (sanctioned or otherwise) might actually end up causing a huge network crunch.

Hamblen reported the possibility of employees trying to avoid high personal mobile network charges for downloading HD movies and the like just might do it at the office, impacting corporate Wi-Fi networks. He also pointed to what might happen if many people are trying to get iOS or app updates at the same time. “The Wi-Fi download burden on corporate networks could be severe,” said the experts that Matt interviewed.

Will the enhanced processing power change what’s ported to an iPad?

One interesting commentary that the specs of the new iPad brought up: the enhanced processing power could be a boon to running big applications on the iPad. One of the users interviewed by John Cox in a separate Network World article mentioned "4G, the new processor speed, and improved screen resolutions will allow IT to port more backend applications like Oracle, and Siebel to iPad."

In reality, it’s not only the processor that’s holding this back. It’s the development effort it takes to rewrite things. So while the new iPad’s souped up specs are beneficial improvements, don’t think it will mean suddenly SAP will be ported to your iPad. At least, not with this traditional approach. (Now, if you’re interested in some alternative approaches, I know some people to talk to.)

Cheap and cheerful for enterprises: iPad 2 ROI

Finally, Cox of Network World, Geoff Simon of Technorati, and several other folks commented that the lowering of the price for the iPad 2 might just be the ticket for the enterprise IT departments. “Starting at just $399, the iPad2 with 16GB is perfect as an enterprise-level business tool," says Simon. "For enterprise, the promise of skyrocketing ROI is what makes the iPad so irresistible.” Simon believes enterprises will start with productivity and process management tools, eventually moving more toward business intelligence capabilities.

Leaving competitors in the dust?

Is this demand the same for all tablets? Schadler of Forrester and a number of data points say no: the other devices aren’t getting the same uptake or interest. Carmody of Wired reported that in his interview Schadler wasn’t “quite so bullish on other tablets” (including forthcoming Windows 8-related efforts), given Apple’s head start and the consumer-driven preferences of people selecting their own devices (read: Apple).

The projects that we’re working on at Framehawk seem to match this thinking: iPad projects are under consideration first, everything else after that. (I posted some relative adoption stats in a previous blog if you’re interested.) A round-up of analyst reports from Apple’s announcement continues the lovefest – with general agreement that Apple has lapped its competitors.

Either way, the era of tablets (which Apple ushered in in the first place) is certainly being accelerated by the newly announced iPad. And despite little commentary from Apple, that impact is definitely stretching far into the enterprise.