It was while sitting in a boardroom at the Abingdon headquarters of Sophos that I first heard a word that probably summarises 2011 so far.
If it was data loss and advanced malware in 2010, then consumerisation has been the key theme of 2011. Sian John, security strategist at Symantec, said that there are four key themes dominating end-user conversation at the moment: cloud, virtualisation, social networking and mobile.
It seems that there is no escaping the themes of mobile, ‘BYOD’ (bring your own device) or its overall umbrella term ‘consumerisation’ in 2011, and there are many issues and much confusion surrounding it.
It was Sophos' director of technology strategy James Lyne who said that it was a major problem and would result in IT managers losing control of data and continuing with the ‘deperimeterisation’ of a network.
The issue was also addressed in a panel debate at the press conference for the Infosecurity Europe conference. Nigel Stanley, practice leader at Bloor Research, called the smartphone ‘the only piece of IT that we take to bed with us’, while John Colley, managing director of (ISC)2 EMEA, summed the issue up well.
He said: “As security people we see problems and do not allow them into the corporation and the problem is that the people who want to use them are at board level and as a security professional it is hard to say that they cannot use it. They will say to the IT team to fix the problem and let me use it.”
Six months on, it is fair to say that the issue has been acknowledged and addressed thoroughly, so the next step should be to solve the problem. Naturally there is no silver bullet solution, but what we are seeing is vendors such as MobileIron and Zenprise gaining space in the market with technology that offers some kind of solution.
I caught up with Lyne recently and asked where we stand now. He said that companies now cannot afford to block devices so they are shifting into embracing them and this has led to IT managers and CISOs running a consumerisation programme.
Lyne said: “It is coming from the CFO, not the CISO and there are tax benefits to the BYOD model. There are two aspects to this: users with an IT-approved managed asset who can use it at home; the other is financial breaks, as the company can buy an asset to use at home and rent the device to the user, much like the cycle to work scheme. This will also save tax and help the user have their device that they require for use at work.
“There are different reasons where a handful of technologies help: there is a consumer device that IT does not know about or get to manage at all; or it is blocked for work and play. In it security has to be deployed to block to protect against infection.”
He said that in an instance where a device is owned by the company but rented back to the user, the IT manager can operate programmes that are to the benefit of the user, such as: giving them free anti-virus as a perk; doing patching; blocking infected websites; and not compromising the experience but protecting the data.
“This way it is a compromise but it is not perfect, where we are seeing companies emerge is where there is a divide between work and play,” he said.
Bob Tinker, CEO of MobileIron, said that mobile is now in the middle of IT, as there is a serious pattern shift, and before it was what you could and could not do, but now we are more grown up and embracing ideas.
He said: “This is a big security change and what happens next is the question on how to deal with apps that are out of bounds. You can keep control with a blacklist but Apple and Google will never say no to an app and it is a task for IT to have tools to deal with the consequences.
“You cannot prevent users from downloading specific applications, but mobile is different from PCs, as now IT has to deal with a new platform every six months over many OS, whereas before IT had to deal with one OS (Windows) that changed every three to five years.”
Nigel Seddon, area director of LANDesk Software, agreed with this, saying that now IT managers anticipate supporting about eight different mobile platforms or operating systems by the end of 2011. Companies with successful IT departments will move from focusing on the device to focusing on the platform.
In terms of a solution to consumerisation, he said: “Companies have to provide themselves with the capability to quickly lock down devices assigned to a user. IT departments need to immediately block specific devices from corporate data if they pose a threat.
“They also need remote wiping capabilities for devices that are out-of-policy, non-compliant, active threats, lost or stolen or at a user's employment termination. Automation is the only possible way to manage the explosion of mobile devices.”
Analyst Larry Walsh said that as more enterprises adopt BYOD programs, simple clouds such as that proposed by Apple's iCloud will become a true enabler.
So what are the tactics and solutions that could swing this into a successful position? Lyne said that those who succeed will be those who deploy a policy that is less offensive and does not use draconian controls.
Looking at technology, Lyne said many people are deploying the Citrix Thin Client, while Good Technology's approach is to build a wall to protect the user, and Virtual Computer, a new virtualisation vendor, provides a virtual image on the desktop to keep the session isolated without a base OS.
So if there is the capability to have a wall between work and play, is the solution decent sandboxing? Lyne said yes, though sandboxes are often fallible, and that the BlackBerry PlayBook's option to provide a work and play environment with separate policies was a real step forward.
He said: “There is an enforced line between them so there is a degree of 'physical' protection. Nothing can access the data between them; we need to see how good the walls are between them but it is a good sign of controls being built in from the get-go.
“If OS vendors do not offer it, VMware and Citrix will do and as a device becomes more powerful, the virtualisation vendor will move in. Consumerisation can be fixed, for all of us it is about delivering technology.”
The decision on what to buy and use is completely up to businesses, but after six months of surveys and opinion acknowledging the problem, perhaps we need to take the next step and find the answer.