Topics of Interest Archives: Risk Management

GRC as an Alternative to Spreadsheets in Enterprise Compliance and Risk Management

This report draws on research interviews with thirteen organizations to provide a guide for others working through their own GRC business case development. It begins by profiling the costs that study participants attributed to spreadsheets and manual processes, together with the corresponding benefits they expected from a GRC platform. In addition to describing the business case development process the participants used, the report profiles six organizations that selected Modulo Risk Manager as their enterprise GRC platform.


Posted in Enterprise Risk Management, General Function, General Industry, Policy and Compliance Management, Research

Mobile Content Management, BYOx and the Game of Thrones

Though many companies still struggle with the notion of “Bring Your Own Device” (BYOD), the great majority of businesses have now adopted BYOD as standard operating procedure. The grassroots workforce won this round of mobile technology handily, if not resoundingly. Fortunately, BYOD is easy enough to support from an IT perspective: a fairly large collection of vendors offers enough mobile management tools to keep the devices used in the workplace relatively free of harm.

The real problem with BYOD for the enterprise is that grassroots movements never stop pushing ahead once they take root. BYOD has since spawned BYOS (storage), BYOC (cloud), BYOCC (content cloud) and BYOBI (business intelligence). There is also BYOP (platform), which is associated with various forms of SaaS and PaaS, and today we can add both MaaS (mobility as a service) and MBaaS (mobile backend as a service). I’m not particularly thrilled with all these BYOs, but that is the reality.

Let’s agree to refer to all of them as “BYOx”, and let’s immediately note that the BYOx movement is not as simple a challenge to tackle as BYOD has been. In fact, I know from both my own and Blue Hill’s ongoing research that many organizations are struggling to come to grips with BYOx. It is a daunting challenge, but one that enterprises, or at least those enterprises that understand mobility is key to strategic success going forward, cannot avoid, ignore or decline to address.

Why? There are two key issues with BYOx – the first is operational and the second is simply strategic.

The first, and the most troubling for any business, is that the common denominator BYOx operates on is corporate data and content. That content takes every form found inside a company: the harmless spreadsheet listing the yearly holiday schedule, the most confidential CxO memorandum, and everything in between, such as a set of documents and spreadsheets being collaborated on in real time from internal desktops and from mobile laptops, tablets and smartphones.

Perhaps that collaboration involves highly sensitive and proprietary business intelligence and customer data covering your company’s sales and marketing strategies for the next fiscal year. Content collaboration in corporate settings also implies detailed content management workflows: who has the latest version of a document checked out, who has read-only versus read-edit-save rights, and so on. Such workflows are well understood by most businesses, but once mobility and BYOx are added to the mix the complexities can multiply quickly for the unprepared, because the device in the user’s hand, and whether it is corporate-managed, enrolled in a container or entirely unmanaged, now has to be part of every access decision.
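As an added illustration of the check-out and rights workflow just described, and of what changes once the device itself becomes part of the decision, here is a small policy evaluator in Python. It is not code from the original post or from any MCM vendor; the sensitivity classes, device postures, users and document names are constructed for the example, and the cap that ties each device posture to a maximum sensitivity is a hypothetical policy, not an industry rule.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Sensitivity(Enum):
    """Constructed content classes, ordered from least to most sensitive."""
    PUBLIC = 1        # e.g. the yearly holiday schedule
    INTERNAL = 2      # working documents under collaboration
    CONFIDENTIAL = 3  # pricing charts, CxO memoranda, customer data


class Posture(Enum):
    """Constructed device postures an MCM policy engine would receive from EMM."""
    MANAGED = "managed"           # corporate-owned, fully MDM-enrolled
    BYOD_CONTAINER = "container"  # personal device, work data inside an EMM container
    UNMANAGED = "unmanaged"       # personal device with no container at all


@dataclass
class Document:
    name: str
    sensitivity: Sensitivity
    acl: Dict[str, str] = field(default_factory=dict)  # user -> "read" | "edit"
    checked_out_by: Optional[str] = None               # holder of the edit lock


# Hypothetical policy: the most sensitive class each posture may receive at all.
MAX_SENSITIVITY = {
    Posture.MANAGED: Sensitivity.CONFIDENTIAL,
    Posture.BYOD_CONTAINER: Sensitivity.INTERNAL,
    Posture.UNMANAGED: Sensitivity.PUBLIC,
}


def effective_right(doc: Document, user: str, posture: Posture) -> Optional[str]:
    """Return "read", "edit" or None for this user on a device with this posture.

    The posture cap is applied before the ACL is consulted, so a confidential
    document is invisible from a BYOD container even to a user who could edit
    it from a managed laptop.  An "edit" grant is degraded to "read" while
    another user holds the check-out lock.
    """
    if doc.sensitivity.value > MAX_SENSITIVITY[posture].value:
        return None
    right = doc.acl.get(user)
    if right is None:
        return None
    if right == "edit" and doc.checked_out_by not in (None, user):
        return "read"
    return right


def check_out(doc: Document, user: str, posture: Posture) -> bool:
    """Take the edit lock.  Fails unless the caller may edit from this device."""
    if effective_right(doc, user, posture) != "edit":
        return False
    doc.checked_out_by = user
    return True


def save(doc: Document, user: str, posture: Posture) -> bool:
    """Persist an edit.  Requires the edit right *and* the lock, so a user who
    checked out from a managed laptop cannot finish the save from an unmanaged phone."""
    return doc.checked_out_by == user and effective_right(doc, user, posture) == "edit"


def check_in(doc: Document, user: str) -> bool:
    """Release the lock; only the holder may do so."""
    if doc.checked_out_by != user:
        return False
    doc.checked_out_by = None
    return True


def sample_documents() -> Dict[str, Document]:
    """Constructed sample corpus for the walk-through below."""
    return {
        "pricing": Document("fy-pricing.xlsx", Sensitivity.CONFIDENTIAL,
                            acl={"alice": "edit", "carol": "edit", "bob": "read"}),
        "holidays": Document("holidays.pdf", Sensitivity.PUBLIC,
                             acl={"alice": "read", "bob": "read"}),
    }


if __name__ == "__main__":
    docs = sample_documents()
    pricing = docs["pricing"]
    print(effective_right(pricing, "alice", Posture.MANAGED))         # edit
    print(effective_right(pricing, "alice", Posture.BYOD_CONTAINER))  # None (posture cap)
    print(check_out(pricing, "alice", Posture.MANAGED))              # True
    print(check_out(pricing, "carol", Posture.MANAGED))              # False (alice holds the lock)
    print(save(pricing, "alice", Posture.UNMANAGED))                 # False (posture cap)
    print(save(pricing, "alice", Posture.MANAGED))                   # True
    print(check_in(pricing, "alice"), check_out(pricing, "carol", Posture.MANAGED))  # True True
```

The design point is the ordering: the device check runs before the per-user ACL, and the save re-evaluates the device at the moment of writing rather than trusting the posture recorded at check-out. Those are the two places where a desktop-era content workflow quietly breaks once the same identity can arrive from a managed laptop, a container on a personal tablet and an unmanaged phone within the same hour.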

The second key issue with BYOx – and for most enterprises that want to lead rather than follow this is crucial – is that it truly creates enormous potential business advantages. An IT department cannot simply say “No” to allowing its employees mobile access to content. BYOx provides any number of content-related advantages, including, but by no means limited to such things as:

- Mobile content security
- Anytime, anywhere access, when needed, as needed
- Distribution of timely content out to the field
- Increased partner and customer satisfaction
- Increased workforce effectiveness
- Greatly enhanced collaboration across all levels of an organization

BYOD originally created the mobile device management (MDM) market, and vendors ably stepped in to address a range of mobile security issues specifically targeting device security, user provisioning and basic device protection. MDM, however, did not take securing most business content into consideration, and the larger MDM vendors subsequently created a secondary market, dubbed mobile application management (MAM), to specifically protect corporate content accessed through mobile apps.

These same vendors have, over the last 18 months or so, further folded MAM and MDM into the collective term Enterprise Mobility Management (EMM), which now also encompasses various forms of MCM, Mobile Content Management. MCM is assuredly not about mobile devices. It is about your data, all of it, whether structured or unstructured, whether text-, graphics- or video-based.

I am not speaking here only about raw, unfiltered data. I mean data that has been extensively deconstructed, re-atomized, analyzed and developed into both tactical and strategic business intelligence. I am also talking about data that may have no serious consequences if it escapes the corporate walls; a company’s vacation schedule is not likely to harm anyone.

But more specifically I am talking about such things as sensitive sales pricing charts, credit card data and credential stores (even when encrypted), whose escape from the corporate walls can and will significantly weaken or kill off a company, if not literally then as a going concern. Content is still ultimately king. We say that not because it sounds good but because it continues to be true centuries down the road.

A Game of Thrones and MCM Strategy
This may sound odd, I’m sure, but I have a tendency to think of corporate content within the context of Game of Thrones. I do, what can I say? The next-to-last episode this season, in which “The Wall” was defended by 100 men against an army of a hundred thousand, is in fact not much different from the odds businesses face every day in guarding content from those looking to breach their walls of defense. As much as this sounds over the top, it isn’t.

The Wall was thought impregnable by those who controlled it, but in reality it had weaknesses. In particular it was vulnerable to very large numbers of would-be attackers. The same is true for most enterprises: surely Target thought the wall around its data was every bit as mighty as the one in the show. It certainly wasn’t the case.

That said, The Wall was also vulnerable to very specific attacks using very specialized tools. Yes, in this case I mean a giant and a mammoth tackling a gate, but it’s Game of Thrones, what did you expect? Simply substitute attacker and malware to bring things back to the 21st century.

As BYOD proliferates and extends itself into its numerous BYOx offshoots, greater and greater numbers of mobile users will need access to the corporate crown jewels: strategic content. There is great benefit in being able to grant that access, but the benefit can be significantly undermined by poor BYOx and MCM planning and deployment.

My research points to many companies heading towards being overwhelmed by BYOx and MCM. In particular, the biggest issue is widespread confusion about how to safely unlock content for the numerous mobile users who will demand access. As I noted above, saying “No” to access is not acceptable. Access needs to be granted.

Further, my research also shows that the real confusion for enterprises is primarily driven by the proliferating and constantly shifting face of MCM solutions. There are at least four main categories of MCM vendor solutions, ranging from the EMM players, to the traditional ECM vendors, to the emerging collection of secure file transfer vendors, and on to numerous cloud-based solutions. A new one pops up every day, and it isn’t only nimble startups that are popping up. In June 2014 alone both Google and Amazon staked out new ground in seeking to become your purveyor of safe, cloud-based content management.

Mass enterprise confusion? That may be slightly overstating the case, but only slightly. It’s close to reality.

What to Do About it?
The first step is to build an MCM Decision Framework that allows your company to home in on the right type of solution for its needs. The second is to evaluate the MCM vendors against that framework and find the right ones to deliver on those specific needs. Towards this end the Blue Hill team has been working on research to ensure your company is able to take full advantage of BYOx and to fully protect its “deployed content” by making the right technology investments.

Over the next several weeks Blue Hill will publish two new MCM reports. The first to be published will provide enterprises with the means to develop a highly effective MCM Decision Framework. The second will provide one of Blue Hill’s unique Anatomy of Decision reports that will allow IT teams to take the Decision Framework and uncover the right vendors to meet specific needs and drive implementation.

Stay tuned! In the meantime let me offer you a little bit of homework by pointing you to fellow Blue Hill mobile compatriot and Chief Research Officer Ralph Rodriguez’s insightful overview of the MCM vendors, The Battle for Mobile Content is Just Starting.

Let’s expand the dialog! Follow me here at Blue Hill, on Twitter @fastjazz, and on LinkedIn. Follow Blue Hill Research on Twitter at @BlueHillBoston.

Posted in Blog, High-Tech, Mobility, Research, Security & Risk

Samsung's KNOX 2.0 to be Embedded in Android L - Should Your Enterprise Care?

Back near the end of January 2014 Google and Samsung signed an important mobile cross-licensing agreement. Yes, they had of course been long-time partners as far as Android is concerned, but there have also always been underlying intellectual property tensions between the two, driven primarily by differing business strategies and perspectives that had begun to threaten the overall relationship.

Samsung makes its money selling hardware and has a CEO who is damned sure that it is only through software that Samsung will differentiate and “innovate” and become the dominant player across all mobile and wearable industry segments – whether from a consumer or enterprise perspective. Google sells software but has huge aspirations to sell various pieces of computing, mobile and wearable tech hardware. One can certainly see where the tensions all reside…and why.

Both Samsung and Google have helped each other over the last seven years in establishing Android and Android-based hardware as the predominant foundation for all things mobile (at least in so far as raw overall global numbers are concerned). But Samsung’s interest in software and Google’s in hardware (as well as Google’s need to not only work with Samsung but also with all of Samsung’s hardware competitors) inevitably creates non-trivial concerns about motives and motivations.

Google’s key concern: Might it be possible that Samsung could do enough unique things with Android from its end that it eventually hijacks Android from Google? Worse, might Samsung be able to drive overt fragmentation that Google cannot control? Given Samsung’s dominant scale and overall Android hardware position, the answer is absolutely yes.

Samsung’s key concern: Might Google look to spread the Android wealth in such ways and among different hardware vendors that Samsung finds itself without any differentiators whatsoever? Again the answer is yes.

From Google’s fragmentation and hijacking perspective, Samsung’s KNOX 2.0 mobile device security platform is exactly such a beast, and a perfect and important example of where the underlying tensions between the two have long lurked. Samsung deserves a good deal of credit for diligently working to deliver KNOX, although there are issues with it, as pointed out by Blue Hill Chief Research Officer Ralph Rodriguez (@ralphopinons on Twitter) in an earlier post dubbed Why Samsung KNOX has Flopped.

I don’t necessarily agree it has flopped, but what is important to note is that Samsung understands that KNOX is critical to securing a future Samsung legacy in the enterprise. Without KNOX there is absolutely no enterprise play for Samsung. Further, KNOX enables Samsung to claim partnerships with most of the mobile application management vendors – as Ralph subsequently pointed out in another blog post titled Samsung KNOX Finally Gets a Good Boost at MWC14.

From Samsung’s point of view, Google might well opt to finally release its own enterprise-focused security capabilities. Since Google owns Android (regardless of the Samsung hijacking threat), doing so would likely render a substantial Samsung software investment useless and leave KNOX as a far less differentiated platform, while every other Android device vendor ends up with an enterprise security platform of its own. To a very large degree Samsung’s deep investment in Tizen stems from these issues as well. I won’t delve into Tizen in this post other than to note that I do not believe there is much of a future for Tizen (I include here wearable tech derivatives), which leaves Samsung’s future inescapably rooted in Android.


This is the back story to why Google and Samsung decided to seriously reinvigorate their relationship in January by signing a substantial, joint 10-year patent and cross-licensing deal across both the existing mobile patent portfolios of each company and the next ten years’ worth of them. At Google I/O 2014 the announcement that KNOX 2.0 would formally find its way into Google’s Android platform as part of Google’s new Android for Work initiative was the first practical result of the joint agreement. Though hardly the centerpiece of Google I/O, from an enterprise mobile perspective this was the biggest news to be had as far as I am concerned.

Google and Samsung – Two Companies, One Enterprise Voice

Sundar Pichai, Google’s Senior Vice President for Android, Chrome and Apps, is adamant that Google will utilize a variety of Android for Work mobile enterprise features new to the upcoming version of Android – Android L – to align the interests and focus of Google’s entire collection of Android mobile device vendors, and KNOX is a key piece of this. To paraphrase Pichai slightly, he wants to “ensure that there is really one story to tell.” Lenovo, Huawei, Dell, Hewlett-Packard, Sony and HTC are on board to date, and more will be announced.

As Google’s largest mobile partner Samsung benefits a good deal – Google’s endorsement of KNOX adds much needed credibility to the platform, brings additional engineering resources to the game and keeps Samsung rooted as Google’s most important – and not merely its largest – partner as well.

To be sure, aside from the Google I/O announcement there isn’t as yet a great deal of information available as to how KNOX will be integrated, and one might also speculate as to how far Google will go in doing so. The official press release from Google and Samsung stated only the following:

“…The next version of Android, which was previewed today at Google I/O, will include a number of new features for enterprise users and IT administrators, such as a separate container to manage and secure business data.”

But in my humble opinion Samsung has taken KNOX a great deal further than most enterprises are likely to know. It isn’t my goal in this post to dig into the KNOX architecture (a more formal Blue Hill Anatomy of Decision report is forthcoming), but I will say that KNOX 2.0 has been granted Common Criteria certification. This is non-trivial and no small feat, with the usual caveat that a Common Criteria award applies only to the evaluated configuration and the security target it was assessed against, so an enterprise should read the certification report rather than treat the badge as blanket assurance. Even so, and though Samsung still has a way to go to even begin to touch BlackBerry certification territory (or even Good Technology territory), the KNOX certification speaks volumes to Samsung’s general commitment to the enterprise.


Given this, as far as I am concerned there is no way that Google won’t implement the entirety of KNOX as the core enterprise security base of Android L. This is already beyond merely “good enough” security for many enterprise mobile strategies and for any business that wants to use those advanced Samsung devices that support KNOX 2.0. Google’s own implementation will open up many more advanced Android hardware choices, such as HTC’s One M8.

Multiple vendors speaking with one true mobile enterprise device management and security voice changes the landscape – or rather, Google hopes it will change the landscape for Android in the enterprise. That common voice is necessary to take on the challenge of Apple’s still untouched dominance in the enterprise.

Without the cross-licensing deal from January in hand, I can tell you we would not have seen KNOX gaining so much favor from Google. At its core it is quite interesting that, though the cross-licensing deal is only between Samsung and Google, it nevertheless provides the bridge to many Android vendors speaking with that one common enterprise voice.

So, as to the question posed in the headline, I will say that at the very least enterprises do need to care, and a great deal. They need to begin investing resources towards gaining an in-depth understanding of KNOX: its capabilities, how it compares to what enterprises now have available from Microsoft, Apple and BlackBerry, and how it fits into the larger overall enterprise mobility management (EMM) landscape and the vendors that play there, such as Good Technology, AirWatch, BlackBerry and MobileIron, to name but a few.

The issue of enterprise security has come full circle – the “merely good enough security” of just 18 short months ago that most enterprise IT shops found so convenient to adopt has hit a real wall. “Far beyond good enough security” is once again the law of the enterprise land. I’m not yet even remotely ready to breathe a sigh of relief on this front but hey, it is all a small though significant step in the right direction.

KNOX fits this scenario perfectly.


Posted in Blog, Mobility