Steve Kovsky:
Thanks for joining us for this discussion of mobility in the workplace, some of the security and usability challenges that businesses are facing. Joining us today is Alex Willis, vice president, global sales engineering, and Baldeep Dogra is senior director, solutions marketing. I'm Steve Kovsky, editorial director.
Let's get into some of the questions. Baldeep, could you talk a little bit about how the roles responsible for mobility seems to be shifting in the organization?
Baldeep Dogra:
Yes, great question. What we're seeing is the IT teams wanting to get a better idea of their estate, so having a fundamental view of assets, for example, is key.
But the security teams are still concerned about what the threats are. They would look at mobile devices, for example, as not being part of their realm of influence. So, it is important to get IT Ops and Sec Ops in the same room. You know that fourth pillar, cooperation, that's where I see this being a driving force to get that done.
So, I think what’s important is to make sure that security teams understand that the mobile device is an endpoint, just like laptops or desktops. There's the same amount of business that can be conducted on a mobile device as can be on other devices.
Steve Kovsky:
Alex, how do you see that?
Alex Willis:
There have been challenges in bringing those two teams together. It depends on the size of the organization; you know very large organizations have really defined security processes.
I went through one this morning at our own company, as I needed to get something done and I had to complete a request form for a security assessment before an integration could be built.
I will say on a positive note, I have started to see recently, within mobility teams, they'll have a cyber person, or a security person assigned. I think that's a positive sign because I think what's been happening traditionally is — large organizations, especially — they have a security team that defines policies.
And we know from working with these companies for 20 years and having been in the mobile space in the early BlackBerry days, these policies were typically defined by the capability of what an old BlackBerry server could do.
It's like, well, what are the policies you offer? Let's make it extremely restrictive, limit what people can do, and then that's the policy. And then they just hand it to the other business units, including the IT team, to implement. So, there wasn't really a discussion around finding balance between productivity and security. It was just, “here's the policy,” and then as we started to get into more different types of phones and accessing more data that didn't have the capabilities of what a BlackBerry server could do, those policies were rewritten, or exceptions were made.
That whole thing has changed. But the thing that I think remains for organizations that don't have a cyber person dedicated to the mobility team, is they're still setting a strict policy and then giving it to the mobility team to implement. Usually, that results in someone in the mobility team being able to “check a box.”
“Security team requires encryption of data at rest on mobile devices. Does this system I’m evaluating support encryption of data at rest?” Yes: Check box, done. There's no real evaluation into how that encryption is done. What cryptography is used? Is it consistent across iOS®, Android™, Windows®, Mac®, and so on? Or is it just checking a box and that’s good enough?
That's the discussion we find ourselves having most when we're helping customers or companies assess their strategy against the risk that they want to avoid, and those risks are getting bigger because the attack surface is growing. We've got devices everywhere. We're accessing unprecedented amounts of data in the cloud, that's protected differently, I'd say, then what you would traditionally do behind the firewall.
So, a lot of stuff is happening here, but that's the one challenge I think that we still have is that security teams set policy, and then a different team just needs to follow it. And if they can check a box, they're cleared by the security team — (even) when there's an ability to go a little bit deeper and assess what's happening here.
Baldeep Dogra:
That's a great point, Alex. Policies would define how a device would be used and governed, and the security behind that – it was almost implied. There would be no second thought about security. However, that's changed over the years, and the persona within companies has changed over time as well.
We used to go to the IT person, who would then get somebody from network security. “They've got a port that you need to open.” But when they understood that the port that we opened was outbound initiated and it was very safe, we no longer needed that conversation because that security was implied. Our reputation started to grow based on how we did security, but it's a little bit different now because of the operating systems (OS) out there that are being used, and the fact that you've got other solutions that rely on the host OS.
Steve Kovsky:
The threat landscape has changed tremendously, with so many types of threats morphing so quickly. The advent of ransomware is a huge motivator for the criminal element. If mobile devices provide them with a weak link in the protection chain, they're going to exploit it, and we've seen that happening.
One of the things we've been talking about is process, another of the (people, process, technology and collaboration) pillars. And something that's occurred during your careers here at BlackBerry is there have been other vendors entering the market. It seems like in a lot of businesses now, mobility management and control has drifted over to the operating system and now that starts to define policy and capabilities — and it may not be the best way to approach it. Have you seen that coming from an operating system company that also makes lots of other products that are now de facto standards? Have you seen people relying on sources other than BlackBerry? Has the operating system become more prevalent as kind of an arbiter of how mobility is handled and secured?
Alex Willis:
Yes, and I think the vendors of those operating systems have done a pretty good job. I mean they've certainly assigned or aligned focus to it and budget to it, and you know, each talk about iOS and Android. They both have container capability to separate work from personal, and then you need an MDM or UEM server to be able to manage those policies effectively. So, there's plenty of choices in choosing a deployment type.
What I've noticed in the market is that most organizations don't use bring-your-own-device (BYOD) programs. They'll just provide connectivity directly to the cloud on those devices. Part of the challenge, I think, is because of user adoption. On both iOS and Android, if you want to activate the security policy, the user must activate it in some way. However, there's always been a degree of mistrust between users and their organizations, that if they enroll in something, there's the perception that the company then would have access to their personal data. They'd be able to “fat-finger” a keystroke and wipe all their data on their phone, and all those types of things.
So, while they have pretty good containerization, most companies don't use it and so their BYOD program users aren't protected by that level of security, if separation of work and personal is in place. So, you can go (with) native integration, just use the native e-mail apps or office apps directly on those operating systems. We can support both of those as well. We can manage local policies on those devices. There's also the challenge of what device it is, and what policies are available to you because of that device.
So, iPhone® has their policies on Android, it's a much wider spectrum. Well, if it happens to be a Samsung® device, then you have these additional Knox policies, and those policies are good. It's just in order to get them, you must activate them in a certain way that isn't being adopted like it should be. So, the cleanest (scenario) is complete separation and containerization, and then management of only that container without having to require any activation.
So, depending on the operating system, from a usability standpoint it’s difficult. In order to take advantage of the security posture that you can achieve with them, it's inconsistent across devices first, so if you have an organization that sets standards, it's going to be different for your iOS users versus your Android users, and so on. So, that creates a difficulty. It results in organizations not using it unless they're corporate-owned devices, where they can fully lock them down.
Steve Kovsky:
Baldeep, what about in a Windows environment? You're talking about the operating system that the company runs on as opposed to the operating system that the phones run on. What are some of the challenges that people face in a Windows environment?
Baldeep Dogra:
I meant both. So, when you think about operating systems and security, you know you are generally reliant on the security that they provide, when you look at a secure platform like our old BlackBerry® platform, right? That was all about the device emotion, but now you're thinking about trust. And you're going to move from an emotion to trust and BYOD for example is emotion. You don't get people saying, “I want to use a Windows device,” right? They'll say, “I want to use an iPhone.”
What we're going to do is think about how we establish that trust between the company and the user for any device — not just the fixed device — whether it's Windows, Mac, or Chrome™. That means that the security system from a process perspective, and a people perspective as well, you know, security setups or SOC (security operating center) teams would be responsible for the visibility, and then taking action for that device and its usage. That would mean IT would then focus purely on productivity and activation of those devices, in addition to managing those policies that Alex just mentioned.
Alex Willis:
Well, Windows Mobile isn't really a thing anymore. It's really iOS and then a bunch of different flavors. I mean, yeah, they're still around for like old OT devices and things like that maybe, but it gets you into the desktop platforms. I think there was kind of a stutter step on modern management of Windows machines and Mac. So, it's different than traditional domain-joined, SCCM-managed, fully controlled laptops. The concept is moving a laptop into the category of a mobile phone, because essentially that's what it is these days.
Especially when you think about an iPad®. I travel now with my iPad as my work computer; I don't bring a laptop anywhere anymore. My travels, these days I'm going to speak at an event, or meet with a customer, I’m doing presentations, going through design discussions, things like that. So, I don't need a big bulky laptop anymore on the road. I just bring my iPad. So, the term for laptop changes.
There are capabilities to manage these laptops, like Windows and Mac, and as a modern management. So, we can affect policies, we can create app stores, we can do a lot of those things, and we have the capability to put the dynamics container on a Windows machine, or a Mac. So, we don't have to manage the machine at all.
We can just put the fully protected desktop onto a computer that can also extend and allow BYOD policies, just like we do on a phone. So, if we're a Windows shop, and you want to bring your own MacBook®, you would just put this app on your device, and then you get your e-mail, your web apps, our protection against data leakage, you get encryption of data at rest, you get all the things that you need to check those boxes — and really deliver on the spirit of what those checkboxes mean.
That hasn't happened as fast as I thought it might. People are still looking at traditional ways to manage laptops. So, I don't think the leap has happened yet to treat a laptop like any other mobile device. However, I think that's coming, and there's a lot of benefit to being able to do that. In terms of productivity, especially in the pandemic, it really came in handy. Even if you have a sales force that's mobile all the time, you know, laptops get broken or stolen or something like that. You just need to get back up and running. In the modern world, you can just go into a local store and buy a new device, and then be up and running in a few minutes.
We have several customers that are set up that way and the pandemic, again, was a good proof of concept (POC) for that: You know, moving many office workers who aren't normally mobile to a remote setup. They might not even have a laptop from work, only a desktop in the office. So, either being able to quickly “remote in” and work on that desktop at the office, or just to have remote work capabilities on a BYOD or personal PC — and having it meet all the security requirements that the organization has — is important.
Steve Kovsky:
Those are great points. I think I will pause right there, and we will pick this conversation up again in our next podcast, for Part 3 of this discussion. Thank you very much for your time today.
