This column is available in a weekly newsletter called IT Best Practices.
Ojas Rege, vice president of strategy for MobileIron, believes we are in the midst of radical shifts in architecture, operations and governance as the PC economy fades. These shifts, he says, will force companies to rethink everything we know today about enterprise IT, and he suggests mobility should become the center of your architecture.
I recently had a chat with Rege about where mobility is taking corporate computing and his ideas are enlightening.
Rege argues that there are two dominant factors that will drive these shifts. First, the fundamentals of operating system architecture have changed as we transition from PCs to smart phones and tablets. And second, there have been significant role changes in our end user communities.
Let's look at the case that Rege has built to support his hypothesis.
We have three dominant mobile platforms today: iOS, Android and Windows 8. Compared to the Win32 PC operating system, these mobile platforms have quite a different architecture that, according to Rege, actually makes the devices easier to manage. (He notes that Android is going through some significant changes right now and that Google Work will make the platform much more secure for the future.)
There are three major changes in the OS as you go from Win32 to iOS/Android/Windows 8 and up:
- The move from an open file system to application sandboxing
- The switch from an unprotected to a protected OS kernel
- The move from untrusted to trusted management primitives
In the Win32 world of the PC, the file system is open, making it possible for applications to access each other's information. Data is not tied to a single application, and this introduces the potential for viruses and data corruption or loss. Additionally, applications can access system processes. All of this makes device security a real nightmare. Hence the need for all sorts of endpoint protections, which, all too often, fail us.
The mobile platforms have a sandboxed application architecture. This means that every application on the device is isolated from every other application. What's more, data is tied to a specific application, so it's not going to leak over to some other application that is going to steal it off the device. This eliminates application conflicts and the "DLL hell" of the PC world. With regard to the OS kernel, the mobile platforms have a protected operating system kernel, which drives platform stability. Patches and updates to the OS come from the device manufacturer instead of from an organization's IT department.
The third point above has to do with who is trusted to interact with the device for security and management. For example, say you want to wipe a device clean. On a traditional PC, pretty much anyone – or anything, such as a virus – can do that if they know the proper commands to execute. On a mobile device, the operating system exposes a set of management primitives to trusted platforms like MDM applications, which can interact with the system level to wipe the device or perform other management tasks.
"As much as we think that mobile devices are inherently difficult to manage, the fact that we have consumer operating systems has actually helped us with the underlying security architecture," Rege says.
The way IT secures PCs today is largely through a system image. End users aren't permitted to install anything they want on a corporate-owned PC; they are told to use a standard image that IT determines and enforces. If a serious problem arises, a technician might simply reimage the device to get it back to a clean state. On smart phones, however, an enterprise can't control the device image, even if the company owns the device. End users are going to download the apps they want for personal use in addition to the apps the company requires. Thus the notion of a standard image goes away.
The new security model will be based on an evolving notion of trust that depends on the user, the context and posture of the device, the application, the data repository, and perhaps even the specific file the user wants to access. Access control for enterprise resources will have to take into account far more than simply who the user is. This means that application and service provisioning will become user-centric rather than focused simply on the device.
This brings us to the evolving role of the user in computing. Mobile computing, whether it's for business use or personal use, has given people a sense of empowerment. For the first time, people have choices – in what device to use, in what apps to use, in where and when to do what they need to do. On the consumer side, people have gotten used to having a great user experience. This genie is out of the bottle and it certainly affects how enterprise computing should be approached, Rege says.
Most enterprise applications today were designed to provide features and functions with little concern for how good (or bad) the user experience might be. The business user has to adapt to the application, which is the complete opposite of how the same person interacts with his personal applications. This disparity is something that companies need to address with their business apps. Rege calls this the app modernization imperative, where businesses will need to redesign their applications so that workers will have a great user experience regardless of the device they choose to use.
Privacy is another big issue that comes into play as more workers choose to use their own devices for business use. Individuals want to access company apps and data via their own smart phones and tablets, but they don't want the company to access their personal apps and information on those devices. For IT managers, observing this demarcation between business and personal isn't difficult because of the architectural properties discussed earlier: application sandboxing, isolated data, and trusted primitives. This makes it easier for IT to look at the device and see only the enterprise information without seeing the personal information.
Privacy will drive companies away from device VPNs to enterprise application tunnels. If there is a business application on a person's own smart phone, that application will need secure connectivity at the application level, not the device level. Access control must take into account the user and what he wants to do within the context of the posture and location of the device, the time of day, etc. For example, it's OK if the sales guy for the Midwest territory wants access to a business app, but not if the person identifying himself as this sales guy is using his mobile phone from some foreign country in the middle of the night.
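The contextual access decision described in this paragraph and the earlier one on the new trust model, as an added Python example that is not MobileIron's code and not something Rege spelled out in detail: the policy table, role names, permitted countries and business hours are constructed assumptions, and the device posture flags stand in for whatever an MDM agent would report.

```python
from dataclasses import dataclass
from datetime import time
from typing import Tuple


@dataclass
class AccessRequest:
    """Everything the decision looks at besides the user's identity."""
    user: str
    role: str
    app: str
    device_managed: bool     # enrolled with the enterprise MDM (assumed flag)
    device_compliant: bool   # posture check passed: passcode set, not jailbroken, etc.
    country: str             # derived from device location or network (constructed)
    local_time: time         # time of day at the device


# Constructed policy: who may use the app, from where, and when.
POLICY = {
    "sales-crm": {
        "roles": {"sales-midwest", "sales-east"},
        "countries": {"US", "CA"},
        "hours": (time(6, 0), time(22, 0)),
    },
}


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Identity alone never grants access;
    device posture, location and time of day all have to line up."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "unknown app"
    if req.role not in rule["roles"]:
        return False, "role not entitled to app"
    if not req.device_managed:
        return False, "device not enrolled"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.country not in rule["countries"]:
        return False, f"access from {req.country} not permitted"
    start, end = rule["hours"]
    if not (start <= req.local_time <= end):
        return False, "outside permitted hours"
    return True, "ok"


if __name__ == "__main__":
    # The column's own scenario: same person, different context.
    rep = AccessRequest("pat", "sales-midwest", "sales-crm", True, True, "US", time(10, 30))
    abroad = AccessRequest("pat", "sales-midwest", "sales-crm", True, True, "XX", time(2, 0))
    print(evaluate(rep), evaluate(abroad))
```

Logging the returned reason alongside the decision gives the SOC a ready-made signal: a burst of "not permitted" denials for one user is worth a look even though every request was correctly refused.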
I've only scratched the surface on Rege's conceptualization of how mobility is already radically changing IT as we know it. It's his belief that companies have to shift in this direction because mobility unlocks human potential in the workplace. It lets people do things they couldn't do before, and isn't this the very definition of innovation?