CIO Review >> Magazine >> October - 2013 issue

Devices are Tools, not Infrastructure


Monday, September 30, 2013

Seth Hallem Founded in 2011 and headquartered in New York City, Mobile Helix is an enterprise application and data security platform provider focused on enabling unrestricted enterprise productivity.

Over the last 10 years, corporate IT has witnessed an astounding transition in its role and the expectations of its customers. This transition is often called "consumerization," but it is better termed "empowerment" as individual employees have assumed the right to seek and adopt the tools they need to best execute their jobs. This transition has steadily broadened IT's traditional role as keeper of corporate infrastructure into a more innovative, open and consultative role: identifying consumer trends that make sense in the enterprise, listening to employees to understand what they need and adopting them at scale. The next frontier for this transition is in endpoint computing and it is time that IT stops viewing endpoints as infrastructure, and starts viewing them as tools.

Infrastructure implies centralized control and ownership. While BYOD is a small nod to the fact that centralized control of smartphones and tablets may not be a viable or cost-effective strategy, it is by no means an embrace of the true destination. The world of laptops, tablets, desktops and smartphones is increasingly blurred as the raw computing power in these devices converges and the form factors mutate. The hybrid devices on the market today are the industry's first attempt at innovation, and whether or not they are successful marks the start of an inevitable trend. Device manufacturers are betting on diversity, but diversity, by its very nature, drives personalization as individuals will want to select the devices that they feel are best for their needs.

If the BYOD trend tells us anything, it is that IT's preferences become increasingly irrelevant with regard to whether or not employees bring their personal device of choice to work. In this age of consumerization, employees will find a way to bring the tools they feel they need to work. And, hence, the point of this article: devices, as they become more diverse, are tools, not infrastructure, and IT can recognize and embrace this transition.

Rethinking endpoint devices as tools requires two fundamental changes in thinking for corporate IT:
(1) applications' infrastructure must migrate to a ubiquitous platform, not a vendor or device-specific platform, and
(2) endpoint security must focus on data, not devices.

Corporate applications, whether they are built in-house or built by a 3rd party, must operate on any device to enable employees to choose the best and most convenient device tools for their jobs. While that statement may seem unrealistic for IT to adopt, the good news is that IT is already most of the way there. Applications' infrastructure has increasingly moved to the corporate intranet or, more recently, the cloud. The web is a ubiquitous delivery vehicle and application stack that is supported across all devices and will continue to be for years to come. What has been missing is the full feature set required to power IT's complete application stack, including: sufficient performance, offline access, flexible and powerful graphics, and a complete client-side programming language.

HTML5, while still evolving, has already addressed these concerns. In addition, with Internet Explorer 10 now available all of the major browser platforms implement a significant proportion of the HTML5 extensions that have been defined. Where gaps in the standard remain, PhoneGap is a viable, cross-platform, and open source option for closing those gaps. Part and parcel to HTML5 and CSS3 is the ability to seamlessly adjust an application's user interface and features to the form factor and capabilities of the device on which it is running. Hence, with the browser as the target application platform, IT can build a unified applications suite targeting devices as varied as smartphones and desktops.

While HTML5 addresses the development and delivery of applications to any device, it may seem like a step in the wrong direction with respect to securing those devices: as browsers in themselves are not inherently secure. However, browsers do solve one of the most important aspects of endpoint security via the https protocol as they can ensure end-to-end trusted communication to the corporate network. Hence, a security solution for browsers is simply a matter of securing data at the endpoint and leveraging the features already available in the https protocol to ensure trusted communications.

Notice that device security played no role in the outline of a solution for securing corporate data delivered through a browser. This choice signals an end to the complex endpoint software stack of anti-virus, personal firewalls, full-disk encryption, network access control, application whitelisting, mobile device management, and all of the other tools that IT has used to try to protect the corporate network from compromised devices. Ultimately, IT cannot keep up with the diversity of devices employees will demand while dragging along this expensive and complex software stack as a requirement. The reality is that all of this investment in device security has yet to yield a truly secure device. With the explosion in device diversity, endpoint security cost and complexity is rapidly growing. It is time to rethink the approach to endpoint security.

A more reasonable and effective goal than securing all devices touching corporate data is to secure all apps touching corporate data, regardless of device. The more those apps converge on the browser as the delivery platform, the more this challenge reduces to building a secure, cross-platform corporate browser. In brief, building a secure corporate browser is tractable with the right technology choices. These include:
• Full encryption of all client-side data, including the browser cache, cookies and any application data stored via HTML5's offline features
• Client and server validation using https' certificate validation features
• Protecting access to corporate apps with a unified sign-in process that accounts for varying security risks across devices, locations and roles by implementing additional authentication factors when required
• A comprehensive data policy engine built into the browser that allows policies for data sharing and offline access to travel with the data itself
• App-level implementation of all critical security functionality to ensure that security is not compromised by a compromised device or device operating system

Every device platform on the market today has a high performance, HTLM5-compliant engine for rendering HTML5/CSS3 and executing JavaScript built-in as a reusable control for developers to integrate into third-party apps. A secure browser that enhances these controls with the security features outlined above enables corporate IT to build a unified applications platform that extends across devices of all shapes and sizes; without compromise in functionality, performance, or security. The endpoint device then transitions to a tool for employees to select as it suits their needs, rather than another piece of infrastructure that must support the sanctioned IT software stack to ensure its acceptability in the corporate environment.

It has taken some time for the promise of real cross platform development using HTML5 to become a reality. In truth, there have been some false starts along the way, which have inevitably created skeptics worried that this promise will never be achieved. Fortunately, the reality has caught up with the vision, and the most elegant and practical solution for secure, cross-platform application development, delivery and support is here for those who are willing to listen.