The consumerization of IT is forcing IT departments everywhere to rethink their policies, processes, and support procedures. But device diversity isn't all you need to worry about. Consider the applications that users now have free access to--and that allow them to circumvent all those policies and procedures you've so painstakingly put in place.
Take Dropbox, the bane of every BC/DR and content management admin. Sure, you could block Dropbox, but what happens when an end user walks down the street to her favorite mobile device store and picks up a wireless 3G card, which she can then plug into her laptop or desktop and use to gain access to the Internet uncensored? You see where this is going, right? Whac-A-Mole isn’t a long-term strategy.
I think this problem will eventually reach the point where IT will demand that a regulatory effort be launched. The goal would be to enforce criteria around how software-as-a-service (SaaS) applications are developed, ensuring that capabilities that will empower IT to protect the integrity and security of corporate data and access control are built in.
The big question, of course, is what body would have the power to enforce such regulations. The government is too inflexible and slow, not to mention the outcry that would result. A better route would be a standards body that has in its membership both SaaS vendors and enterprise security pros. That's one option; another possibility, likely more effective and faster on the uptake, would be for OS vendors to require certain criteria for applications that are going to run on their operating systems. But for that to happen, customers of those platforms would need to demand this change.
My bigger point is that, as technology companies stop marketing to IT departments and start marketing to your end users, smart shops will think differently and push the ecosystem to invent solutions for today's reality, instead of trying to make yesterday's tools fit a changed world.
One promising technology that we could base such new thinking on is location awareness. If SaaS applications are required (by the standards body we discussed earlier) to have functionality for location awareness, we can then develop tools to allow IT to enforce policies and procedures on the use of consumer services when devices are located within the organization. Think about it this way: If Joe is trying to move some files from the server to his Dropbox account, and location services track that he is in XYZ building, where IT has subscribed to the location service and specified a policy, then Dropbox would enforce your regulations based on location. When Joe goes home, he can do whatever he wants. At work, rules apply. And not to pick on Dropbox--Amazon Cloud Drive and Apple iCloud present similar challenges.
Take this approach and apply it to all applications, and we regain a reasonable level of control.
Right now, location awareness is completely optional, which means some software developers will build it within their applications, others will not. Similarly, some operating systems may have this framework, while others don't. But it's one way we could get a handle on the consumer applications that are threatening to unravel years of data management and security efforts. Would you get behind such an approach, or do you have a better plan? Let me know.
Elias Khnaser is the technology officer for integrator Sigma Solutions. Follow Elias on Twitter: @ekhnaser