Over the last 10 years, corporate IT has witnessed an astounding transition in its role and the expectations of its customers. This transition is often called "consumerization," but it is better termed "empowerment" as individual employees have assumed the right to seek and adopt the tools they need to best execute their jobs. This transition has steadily broadened IT's traditional role as keeper of corporate infrastructure into a more innovative, open and consultative role: identifying consumer trends that make sense in the enterprise, listening to employees to understand what they need and adopting them at scale. The next frontier for this transition is in endpoint computing and it is time that IT stops viewing endpoints as infrastructure, and starts viewing them as tools.
Infrastructure implies centralized control and ownership. While BYOD is a small nod to the fact that centralized control of smartphones and tablets may not be a viable or cost-effective strategy, it is by no means an embrace of the true destination. The world of laptops, tablets, desktops and smartphones is increasingly blurred as the raw computing power in these devices converges and the form factors mutate. The hybrid devices on the market today are the industry's first attempt at innovation and, whether or not they are successful, they mark the start of an inevitable trend. Device manufacturers are betting on diversity, but diversity, by its very nature, drives personalization, as individuals will want to select the devices that they feel are best for their needs.
If the BYOD trend tells us anything, it is that IT's preferences become increasingly irrelevant with regard to whether or not employees bring their personal device of choice to work. In this age of consumerization, employees will find a way to bring the tools they feel they need to work. And, hence, the point of this article: devices, as they become more diverse, are tools, not infrastructure, and IT can recognize and embrace this transition.
Rethinking endpoint devices as tools requires two fundamental changes in thinking for corporate IT:
(1) applications' infrastructure must migrate to a ubiquitous platform, not a vendor or device-specific platform, and
(2) endpoint security must focus on data, not devices.
Corporate applications, whether they are built in-house or built by a third party, must operate on any device to enable employees to choose the best and most convenient device tools for their jobs. While that statement may seem unrealistic for IT to adopt, the good news is that IT is already most of the way there. Applications' infrastructure has increasingly moved to the corporate intranet or, more recently, the cloud. The web is a ubiquitous delivery vehicle and application stack that is supported across all devices and will continue to be for years to come. What has been missing is the full feature set required to power IT's complete application stack, including sufficient performance, offline access, flexible and powerful graphics, and a complete client-side programming language.
HTML5, while still evolving, has already addressed these concerns. In addition, with Internet Explorer 10 now available, all of the major browser platforms implement a significant proportion of the HTML5 extensions that have been defined. Where gaps in the standard remain, PhoneGap is a viable, cross-platform, and open source option for closing those gaps. Part and parcel of HTML5 and CSS3 is the ability to seamlessly adjust an application's user interface and features to the form factor and capabilities of the device on which it is running. Hence, with the browser as the target application platform, IT can build a unified applications suite targeting devices as varied as smartphones and desktops.
While HTML5 addresses the development and delivery of applications to any device, it may seem like a step in the wrong direction with respect to securing those devices, as browsers in themselves are not inherently secure. However, browsers do solve one of the most important aspects of endpoint security via the HTTPS protocol, as they can ensure end-to-end trusted communication to the corporate network. Hence, a security solution for browsers is simply a matter of securing data at the endpoint and leveraging the features already available in the HTTPS protocol to ensure trusted communications.
Notice that device security played no role in the outline of a solution for securing corporate data delivered through a browser. This choice signals an end to the complex endpoint software stack of anti-virus, personal firewalls, full-disk encryption, network access control, application whitelisting, mobile device management, and all of the other tools that IT has used to try to protect the corporate network from compromised devices. Ultimately, IT cannot keep up with the diversity of devices employees will demand while dragging along this expensive and complex software stack as a requirement. The reality is that all of this investment in device security has yet to yield a truly secure device. With the explosion in device diversity, endpoint security cost and complexity are rapidly growing. It is time to rethink the approach to endpoint security.
A more reasonable and effective goal than securing all devices touching corporate data is to secure all apps touching corporate data, regardless of device. The more those apps converge on the browser as the delivery platform, the more this challenge reduces to building a secure, cross-platform corporate browser. In brief, building a secure corporate browser is tractable with the right technology choices. These include:
• Full encryption of all client-side data, including the browser cache, cookies and any application data stored via HTML5's offline features
• Client and server validation using HTTPS certificate validation features
• Protecting access to corporate apps with a unified sign-in process that accounts for varying security risks across devices, locations and roles by implementing additional authentication factors when required
• A comprehensive data policy engine built into the browser that allows policies for data sharing and offline access to travel with the data itself
• App-level implementation of all critical security functionality to ensure that security is not compromised by a compromised device or device operating system
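One way the unified sign-in and data-policy items above could fit together, as an added example that is not from the article or from any product: each record carries its own policy, and a small engine in the browser returns allow, deny or step-up based on role, device and location. All field names, policy keys and the sample record are hypothetical and constructed for illustration, and the two-level risk model is an assumption that goes beyond the text.

```javascript
// Added illustration: every field name and policy key here is hypothetical.
const ACTIONS = ["view", "share", "offline"];

// Constructed sample: a record delivered together with its own policy.
const sampleEnvelope = {
  data: { id: "doc-17", title: "Q3 forecast" },
  policy: {
    allowedRoles: ["finance", "executive"],
    offline: { allowed: true, maxAgeHours: 24 },
    share: { allowed: false },
    // Authentication factors required at each risk level.
    factors: { low: ["password"], high: ["password", "otp"] },
  },
};

// Risk is "low" only for a known device at a trusted location.
function riskLevel(ctx) {
  const trusted = ctx.trustedLocations.includes(ctx.location);
  return ctx.knownDevice && trusted ? "low" : "high";
}

// Decide one action for one envelope; unknown actions fail closed.
// Returns { decision: "allow" | "deny" | "step-up", reason, missing? }.
function evaluate(envelope, action, ctx) {
  const p = envelope.policy;
  if (!ACTIONS.includes(action)) {
    return { decision: "deny", reason: "unknown-action" };
  }
  if (!p.allowedRoles.includes(ctx.role)) {
    return { decision: "deny", reason: "role" };
  }
  if (action === "share" && !p.share.allowed) {
    return { decision: "deny", reason: "share-disabled" };
  }
  if (action === "offline") {
    if (!p.offline.allowed) {
      return { decision: "deny", reason: "offline-disabled" };
    }
    if (ctx.cachedHours > p.offline.maxAgeHours) {
      return { decision: "deny", reason: "offline-expired" };
    }
  }
  // Ask for additional factors only when the current risk level requires them.
  const required = p.factors[riskLevel(ctx)];
  const missing = required.filter((f) => !ctx.presentedFactors.includes(f));
  if (missing.length > 0) {
    return { decision: "step-up", reason: "risk", missing };
  }
  return { decision: "allow", reason: "ok" };
}
```

Because the decision is computed from the policy inside the envelope, the same record yields the same answer on any device that runs the engine.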
It has taken some time for the promise of real cross platform development using HTML5 to become a reality. In truth, there have been some false starts along the way, which have inevitably created skeptics worried that this promise will never be achieved. Fortunately, the reality has caught up with the vision, and the most elegant and practical solution for secure, cross-platform application development, delivery and support is here for those who are willing to listen.