Even though it is not specific to security, this idea came to me while attending Dell’s Annual Analyst Conference (DAAC) in Austin, Texas two weeks ago. One of the hot topics discussed at the conference was bring your own device (BYOD). Dell recognizes this is a major trend and is looking for ways to remain true to its business-to-business DNA while still offering a competitive endpoint solution with strong management and security capabilities. This is a problem for companies like Dell because a significant amount of their revenue comes from corporate rather than consumer sales, and BYOD is a consumer sale.
Not all is lost, however. As corporations move away from purchasing blocks of PCs for their employees, they will still be able to influence which equipment their employees purchase. The value for the employer is that it retains some visibility into the types of equipment employees will use. The employee wins because the equipment they purchase has been vetted, with some level of assurance that it complies with company systems.
What this means is that organizations will need to treat their former business customers as channel partners. I can envision scenarios where device makers provide their former customers with marketing funds and special incentive funds (SPIFs) to encourage employees to buy their equipment. They will also be willing to offer the end-user customer/employee a volume discount for purchasing specific equipment. All of the major cell phone providers offer this type of program. PC makers, and other types of device makers as well, need to start looking at their former customers as channel partners.
There are precedents for this. As my son heads off to college, the college bookstore has sent him a number of different promotional pieces highlighting specific Apple and Dell computers available for purchase at attractive discounts. Cell phone carriers also provide volume discounts for company employees.
So, what does this mean for information security? Well, information security, and specifically risk management, is the science (and art) of dealing with the acceptance or transference of risk. At first blush, allowing an employee to bring his or her own device would seem to increase the security risk of the device. However, this is not necessarily true. To understand this further, let us consider what information is resident on a device and what information is transient. The other question is whether this information, at rest or in motion, can be effectively encrypted and decrypted by a web-based/services-based application.
Clearly, the answer is yes. Application encapsulation, and specifically secure application and data encapsulation, will become the norm. Assuming companies adopt this architecture, the endpoint ceases to be the weakest point in the security ecosystem. This does mean the end of the truly fat client with respect to the delivery of the application. It does not mean that OS X or Microsoft Windows will go away, but it does mean that they become less and less important. As such, an organization’s security architecture will need to focus on secure application containers running on a variety of devices and operating systems. The devices that can host these containers most effectively will be the ones the device makers’ new channel partners will want to sell.