Un-managing all your endpoints: Treat everything as insecure and you don't need to manage devices anymore! - Gabe Knuth - BrianMadden.com
Brian Madden Logo
Your independent source for desktop virtualization, consumerization, and enterprise mobility management.
Gabe Knuth's Blog

Past Articles

Un-managing all your endpoints: Treat everything as insecure and you don't need to manage devices anymore!

Written on Apr 25 2012 22,251 views, 7 comments


by Gabe Knuth

With consumerization or even desktop virtualization, organizations are faced with the new issue of dealing with all these devices coming in on the same network. We have our managed corporate devices on the corporate LAN, and many organization's approach to wireless devices is to stick an access point on the network and let users connect to it. Some people may laugh at that, but the truth is that it happens. Perhaps there's some authentication involved so that users need to be authorized before connecting to the network, but the network that they access remains the same.

Now that mobile devices that gulp data down are in everybody's pockets (perhaps even more than one), these wireless networks that were once almost entirely for managed devices that didn't pose a huge risk are now being used unwittingly by unmanaged devices, too. Sure, companies have ways to secure things, and many organizations have guest wireless networks that are treated as only slightly more secure than the internet itself, but in many companies there are just two networks: the Outside, and the Inside.


Alarmingly simple!

So, what's a company to do when embracing consumerization, specifically BYOC and BYOD? They could create special networks for each device and force the unmanaged devices on to those networks. There could be different tiers of networks, too, with varying levels of security based on who the desired users are, with more or less security between them and the datacenter based on how managed the devices are. 

Or, you could just treat everything like it's the internet. As time goes by and fewer apps, data, and computing happens in cubicle-land, instead moving into the data center or into the cloud, why even bother managing the endpoints at all? Instead, why not make them unmanaged, treat the users like they're coming in from the internet. You could still have them pass some sort of compliance test before granting access to applications and data, but leave it up to the user to maintain the device.


Refreshingly simple?

It's not terribly different than a situation where a user works from home with their home PC today. If a user passes some tests, they can have the app streamed to them, or have access to files so that they can edit them locally. If they fail or can't run the test, a more secure, more centralized approach can be used, say, with cloud apps or desktop virtualization. The end result, though, is that the organization can finally rest easy knowing that the datacenter isn't sharing the same network with the endpoint devices.

Sure, it's not very flexible, and the more ambitious organizations will adopt something more along the lines of this, but with more networks. Still, you get the idea:


The thickness of the inside border represents the
level of security between the network and the data

Nonetheless, this is an option that I've actually heard end users talking about. We've been talking about it internally for a while now, wondering if people would do it. When someone in the field brought it up to me, I figured it was time to bring it up and see what everyone else had to say about. So…what do you think? "Crazy?" "Not in my house (but maybe in others)?" Or, "We're doing this now, thank you very much!" Think about this paired with technology like VMware Horizon, Citrix Cloud Gateway, and then with mobile application management. There might be something to this after all.

 
 




Our Books


Comments

Michael wrote re: Un-managing all your endpoints: Treat everything as insecure and you don't need to manage devices anymore!

Great idea! The only issue that would concern me is the stability of the endpoints and who takes responsibility for fixing it if there's a problem. By not caring what the users do with the endpoint you'll end up with all kinds of crud installed and any performance issues are pointed at the managed backend and not the endpoint.

Mike

DaveAlabaster wrote re: Un-managing all your endpoints: Treat everything as insecure and you don't need to manage devices anymore!
on Fri, Apr 27 2012 8:09 AM Link To This Comment

Good points, but it does assume that Security is the only reason to manage the endpoint. I'd argue that most orgs that enables/encourages end users to BYOD will struggle to have a completely "not our problem" approach to 'managing' them.

Gabe Knuth wrote re: Un-managing all your endpoints: Treat everything as insecure and you don't need to manage devices anymore!
on Fri, Apr 27 2012 9:58 AM Link To This Comment

You're all correct - there are other implications to this, and it assumes you centralize EVERYTHING. It does make sense in some BYO situations, but again, only if all the apps/data are centralized and all the endpoints are treated as insecure/unmanaged.

As far as I know, it's only been talked about. Anyone know of someone that's done this across the board at their organization?

For the record, I don't prefer this option in most use cases. I like the many networks approach for the control and flexibility it offers. I only wrote about it to have this conversation that we're having since more than a few people have brought it up to me.

how to get rid of a mole wrote re: Un-managing all your endpoints: Treat everything as insecure and you don't need to manage devices anymore!

Thanks for sharing Interesting post. Thanks for taking this opportunity to discuss this, I appreciate with this and I like learning about this subject. If possible, as you gain information, please update this blog with more information. I have found it really useful.

(Note: You must be logged in to post a comment.)

If you log in and nothing happens, delete your cookies from BrianMadden.com and try again. Sorry about that, but we had to make a one-time change to the cookie path when we migrated web servers.

Trackbacks

Endpoint unmanaged | Catdate wrote Endpoint unmanaged | Catdate
on Sun, Jan 27 2013 1:16 AM

Pingback from  Endpoint unmanaged | Catdate