Is dissociative identity disorder the prescription for bridging the gap between IT protection and user empowerment? Imagine that I gave myself the task of separating my work and personal identities in this post, according to the currently advocated principles of desktop virtualization espoused by vendors. Just as they would advocate that users separate their activities for work into their corporate desktop VM, and their personal activities into some other context (iPad/personal device) then I would need to separate the components of my blog that are personal from those that are work related. The personal parts would go on my personal blog, and the work related could go on blogs.bromium.com. Would that make it easier to write or to read? No, quite the opposite. It would be indecipherable (trust me, I tried to post this blog exactly in such a fashion and got lost). Would it achieve a sufficient degree of separation between my different thoughts to satisfy IT? Maybe, but why bother if the separation is so artificial that the flow is meaningless? What’s the point of forcing a user to divide their brain into two halves, to attempt to separate personal and work, if the result is a subpar user experience that still ultimately fails to implement a practical boundary between the “me at work” and the “me in my own opinion”?
Further, if IT does successfully define and implement an artificial boundary between my work and personal metaspace, do you think an attacker will be inclined to abide by it? Will the malware masquerading as an email from my wife, my boss, my bank, HR, etc. arrive in my personal email account, or my corporate one? Right.
In the past I have been accused of taking a harder stance on VDI than is appropriate given its increasing attention in the market. When I was at Citrix I evangelized TS-based desktops over VDI (“heretic!”), and now at Bromium I’m focused on securing physical endpoints rather than delivering virtual desktops (“flip-flopper!”). Therein lies the same quintessential problem we at Bromium are trying to solve, manifesting itself through my position vs. the position of my company. As difficult as it may be for some readers to separate my opinion from the Bromium stance, the same notion of persona plays out on corporate desktops: How can IT tell the difference between what I do for work and what I do for me?
In lieu of a good solution to this quandary, IT predominantly turns to restricting or disabling functionality (e.g. DLP), erecting barriers around the desktop (e.g. VDI), and putting resource devouring protection tools on the desktop to catch bad things when they do get in (e.g. AV).
Two weeks ago Simon Crosby and I presented at the BriForum event in Chicago. We spent much of our time there butting heads with the giants of the app/desktops virtualization scene, asserting that neither application nor desktop virtualization should be sold or bought under the guise of providing security benefits. I’ll attempt to condense what I believe much of the debate boils down to, and spell out both my own and Bromium’s perspectives (they are slightly different). Allow me to begin with my own conclusion:
Any security solution that doesn’t put productivity ahead of protection will have failed prior to implementation.
I believe the biggest security threat to enterprise IT is Shadow IT. Shadow IT (or BYOD, CoIT, FUIT... or, as I’ve come to call it, BYOIT) exponentially increases the enterprise attack surface beyond anything that we can measure, because we can’t know what we don’t know.
Implementing solutions that force end-users, us humans who for the most part don’t have multiple personalities, to develop dissociative identity disorder in order to remain in compliance is neither pragmatic nor holistic, and forces us to work and play in different contexts because IT said so, with no added productivity benefit. It’s contrary to how we interact with our world, ourselves, and our computing devices, and thus destined to fail.
Users will find ways around barriers to productivity. This applies to desktop virtualization, mobile hypervisors, client hypervisors, anti-virus software, proxies, and locked down work PCs. Thus, a “security” challenge to IT leaders out there is: proactively deploy what’s in the best interest of users rather than what best serves IT. Else, what is the user’s incentive for adopting enterprise tools in lieu of working around barriers using existing apps available for free/cheap on the web/AppStore without jumping through hoops?
The above image is a slide I see in a lot of IT strategy decks. Two spheres that define IT’s responsibilities, essentially boiling down to Security and Enablement, with some magic solution that brings these two together in a Venn diagram. The last point I’ll make before transitioning to my Bromium voice (an octave lower with a British accent, say) is that these two circles need to be one sphere, not a Venn diagram – because everything that falls outside the intersection of Security and Enablement represents lost productivity on one side, and security gaps on the other.
Bromium’s position is more succinct:
Users have to enter domains of unfathomable trust in order to do their job. Attackers target trusted applications with advanced, undetectable malware. Humans click on bad links and open infected attachments. Humans write imperfect code, other humans exploit these imperfections. Dividing the workspace between the datacenter and the end-point does not mitigate these threats nor reduce the attack surface of the operating system and applications.
We see our micro-virtualization technology as complementary to both VDI and application virtualization. By protecting the end-points that access hosted desktops and applications, we extend IT’s ability to protect sensitive data and infrastructure while empowering the end-user to remain productive at all times in all places.
Back to me.
Brian Madden, the founder of BriForum, refers to the Consumerization of IT as a sort of IT Arab Spring. Perhaps that’s an overly dramatic metaphor, but it does cut to the heart of the matter: although likely not a conscious struggle of me “the user” vs. you “the authority” – there’s just this stuff out there that I need in order to get my job done. Maybe it’s some web site with data I need, or an app on my phone or tablet, or a file created at home on my personal laptop – so I browse, I download, I e-mail, I produce and get my job done. IT can try to slow or stop me by “restricting” or “disabling”, but I’ll circumvent policy in search of productivity. It’s not a protest; it’s just the way things are.