Real data security for all is now getting its start on mobile

Two approaches to data security are being pioneered on mobile, but over time will protect you anywhere


Practically every IT organization is afraid of data leakage, of company data getting into unknown hands. Many have invested in complex, expensive tools like data loss prevention (DLP), but the leaks continue because DLP is simply ineffective. Now there's near-paranoia about cloud storage services and mobile devices as firehoses of information loss, despite the lack of evidence supporting those fears.

The industry continues to try to find ways to let IT manage data better. Two approaches are emerging, which IT organizations will have to evaluate before placing more expensive bets on management tools — and before shaping employee workflows in ways that could damage productivity.

One approach is application management, used by OS X, iOS, a variety of mobile management servers, and to some extent by Android. The other approach is direct content management, used by several managed cloud storage services, Microsoft's Intune and System Center management servers, and several mobile management servers.

Understanding application management

Application management uses APIs to regulate how applications access and share data, making them into containers. For example, file sharing can be disabled on a per-app basis or restricted to other apps managed by the same server (to keep the data within those managed apps).

iOS 7 introduced this approach at a foundational level in Apple devices, so any app maker could use the standard iOS 7 management APIs, and any compatible mobile device management (MDM) server could control those apps' various content permissions. No server lock-in, no separate personal and work app versions — at least for iOS apps that use Apple's APIs.

Before iOS 7 made this an OS-level feature, app management was typically done using proprietary APIs, so individual apps might work with, for example, Good Technology's MDM tools but not MobileIron's, or vice versa. Those proprietary vendor APIs are still in use by various MDM servers — including those from BlackBerry, Citrix, Good, IBM, MobileIron, and VMware — across iOS and Android in what's typically called containerization. The net effect is that, for the purposes of content management, you're locked into a small number of apps tied to your MDM server of choice.

Android has some application management capabilities related to content sharing, but they're expected to get a major boost in the forthcoming Android for Work initiative Google has under way with several MDM vendors. Other than suggesting dual-persona workspaces are part of the mix, thanks to its purchase of Divide, Google has released few details, and it's sworn those MDM providers to secrecy. My sources tell me some of Android for Work's approach mirrors that of Apple's iOS, but other aspects differ significantly, in unspecified ways.

BlackBerry's BES MDM server also has a form of OS-level app management for BlackBerry 10 apps, via the extra-cost Balance workspace manager. The dual-persona approach, also used by Samsung's Knox and Google's acquired Divide, creates a separate workspace for work apps, so they can't share data with the apps in the personal workspace. That differs from iOS's OS-level API approach, where the apps' content permissions themselves can be directly managed, so users aren't switching workspaces — or tied to a specific MDM server. (BES uses containers to manage iOS and Android apps, which must use BlackBerry's proprietary APIs.) 

Microsoft has also deployed a form of application-based content management in its Intune MDM tool, using APIs only available to Microsoft. Intune can manage the content permissions of Microsoft Office 365 apps on iOS 7 or later and (as of last week) Android 4 or later. But it doesn't manage other apps, and Microsoft tells me there are no plans to make these APIs available to other app vendors or to MDM vendors. If you don't use Intune, you can't manage Office 365 apps' document permissions.

Understanding direct content management

Direct content management wraps data files with encryption and access keys that a server or app then unlocks based on policies. For example, a content management server would determine that all files placed outside a trusted environment are encrypted and wrapped, and only authorized applications on authorized devices signed into by authorized users could open them.

Nearly two years ago, after talking to a dozen MDM vendors, I proposed a model for direct content management dubbed InfoTrust. One of the several vendors I talked through the ideas with was MobileIron, which was clearly working up its own model. Last week, it released its first phase of this model, dubbed Content Security Service for iOS and Android.

Its approach is similar to Intune's, except its APIs will eventually be made available to other app makers to use. (MobileIron is not making its APIs available to other MDM vendors.) In addition to supporting MobileIron's own Docs@Work suite, Content Security Service uses Box's and Dropbox's APIs to support their managed cloud storage service offerings.

Through a MobileIron MDM server, a company can designate data to be wrapped and encrypted when delivered to mobile devices, so only authorized devices, apps, and users — all three have to be authorized — can open and work with the documents. Should the documents be moved elsewhere, they are locked. Thus, documents moved among authorized users can be worked on by all those users, but other people are locked out if they receive the documents. A future version will provide a mechanism for providing keys to such outside users, the company says.

The MobileIron approach is similar to using PKI, though more proprietary. In the case of Content Security Service, MobileIron's MDM server manages the proprietary keys.
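The wrap-and-unlock model described above (a file is encrypted and wrapped, and a server releases the key only when the user, the device, and the app are all authorized) is easy to see in miniature. The following is an added illustration written for this article, not MobileIron's or Microsoft's code; the `PolicyServer` class, its policy lists, and the document and device names are assumptions. It uses only the Python standard library, so an HMAC-SHA256 keystream plus HMAC tag stands in for the AES-GCM-style authenticated cipher a real product would use.

```python
# Added illustration of the "wrap and unlock by policy" model: a document is
# encrypted under its own random key, that key is held by a hypothetical policy
# server, and the server releases it only when the requesting user, device and
# app are ALL on the authorized lists. Not MobileIron's or Microsoft's code;
# names and policy layout are assumptions. Standard library only: the
# HMAC-SHA256 keystream plus HMAC tag stands in for an AEAD such as AES-GCM.
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> Dict[str, str]:
    # Encrypt-then-MAC; the nonce is fresh per call so one key can seal many blobs.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _open(key: bytes, blob: Dict[str, str]) -> bytes:
    # Verify the tag before touching the ciphertext; refuse anything modified.
    enc_key, mac_key = _subkeys(key)
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("document has been modified or the key is wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PolicyServer:
    """Hypothetical content-security server: keeps the master key, stores each
    document key wrapped under it, and applies the 'all three authorized' rule."""

    def __init__(self, users, devices, apps):
        self._master = secrets.token_bytes(32)
        self._wrapped_keys: Dict[str, Dict[str, str]] = {}
        self.users, self.devices, self.apps = set(users), set(devices), set(apps)

    def wrap(self, doc_id: str, plaintext: bytes) -> dict:
        # Fresh per-document key; only its wrapped form is retained server-side.
        doc_key = secrets.token_bytes(32)
        self._wrapped_keys[doc_id] = _seal(self._master, doc_key)
        return {"doc_id": doc_id, "payload": _seal(doc_key, plaintext)}

    def authorize(self, user: str, device: str, app: str) -> Optional[str]:
        # None means allowed; otherwise the reason, which is what you would log.
        if user not in self.users:
            return "user not authorized"
        if device not in self.devices:
            return "device not enrolled"
        if app not in self.apps:
            return "app not managed"
        return None

    def release_key(self, doc_id, user, device, app) -> Optional[bytes]:
        if self.authorize(user, device, app) is not None or doc_id not in self._wrapped_keys:
            return None
        return _open(self._master, self._wrapped_keys[doc_id])


def open_document(server: PolicyServer, wrapped: dict, user, device, app) -> Optional[bytes]:
    """Client side: ask for the key; a locked document yields None, not an error."""
    key = server.release_key(wrapped["doc_id"], user, device, app)
    return None if key is None else _open(key, wrapped["payload"])


def demo() -> dict:
    # Constructed scenario: one user, one enrolled phone, one managed app.
    srv = PolicyServer(users={"alice"}, devices={"phone-01"}, apps={"docs-at-work"})
    wrapped = srv.wrap("q3-forecast", b"Q3 forecast: confidential")
    return {
        "authorized": open_document(srv, wrapped, "alice", "phone-01", "docs-at-work"),
        "unenrolled_pc": open_document(srv, wrapped, "alice", "laptop-99", "docs-at-work"),
        "outside_user": open_document(srv, wrapped, "mallory", "phone-01", "docs-at-work"),
        "unmanaged_app": open_document(srv, wrapped, "alice", "phone-01", "mail"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} -> {result!r}")
```

The point the article makes about documents being "locked" when moved elsewhere falls out of the design: the wrapped file is useless on its own, and the unenrolled laptop, the outside user, and the unmanaged mail app each get `None` back rather than a key. It also shows why key management is the hard part the vendor acknowledges: the server's master key and the per-document keys are the real asset, and giving an outside recipient access means issuing them a key, not loosening the policy.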

Another form of direct content management is offered by Microsoft SharePoint and enterprise versions of several cloud storage services: a repository where both folders and files can be given access permissions to specified users, and their usage is tracked.

SharePoint is an ineffective tool for this file-management need because it doesn't really work outside Windows PCs. But Box and Dropbox have built real businesses around such services across all the popular operating systems (mobile and desktop), and Microsoft seems to be trying to rework its OneDrive for Business to do the same in a multiplatform world. 

But unlike MobileIron's approach to direct content management, the approach used by file-management tools doesn't protect the actual data; it only regulates the access to it. Many authorized users find it quite easy to email or otherwise share files from those repositories to unauthorized users. After all, it's common to work with outsiders in today's business world, but security tools often don't accommodate that reality.

A related approach that does understand how business actually works comes from Hitachi Data Systems. It has a tool to monitor files as they move among computers and mobile devices, as well as record when they leave your audited environment, so you can identify copies made outside your purview.

Today, content management is a mobile-only affair

You might have noticed that nearly all the examples I've cited involve only two operating systems: iOS and Android. There is no deployment on desktop operating systems like Windows and OS X (though OS X uses the same management APIs as iOS), nor on the browser-oriented Chrome OS, and very little on minor mobile OSes like Windows Phone and BlackBerry.

In practice, you can manage access of documents on the two most popular types of mobile devices, but not on computers, where the vast majority of document work is still done today.

For example, with MobileIron's Content Security Service, once a document is protected and sent to a mobile device, no computer user can open that document — only authorized iOS and Android users can work on it.

Likewise, Intune's management of Office documents applies only to iOS and Android, so Windows and Mac users can share any document with anyone, even if those same users are locked out of sharing those same docs on their mobile devices.

The mobile-only protection is true of other vendors' tools as well.

Which begs the question: Why bother?

One answer is that the vendors are reacting to IT paranoia, justified or not. But that's not a fair answer, even if it has an element of truth. Most companies rely on DLP tools or some sort of information access management tool to block unauthorized data sharing. It may not work well, but it's in place, so IT has focused on what's new, which is mobile and cloud.

Another answer is that the mobile OSes are pioneering, testing, and proving these notions, so organizations that adopt one or both approaches now will gain the advantage of being earlier in protecting their data and more experienced in doing so — a competitive advantage. Today's computer security isn't that effective, but mobile security is actually quite good, and as more usage moves to mobile, it makes sense to take advantage of that mobile strength as much as possible.

MobileIron's VP of strategy, Ojas Rege, says the Content Security Service will evolve as more of the needed pieces come into the various OSes and as the company works through the issues around key management and authentication. "It's the first step," he says — a refreshing acknowledgement that we're in the early stages of an evolving technology. I hope other MDM vendors try out similar notions.

Rege also says he expects Windows to evolve to be more like iOS, Android, and OS X in having a core set of content management APIs at the OS level, which is essential to app and server vendors being able to deploy this technology broadly.

My own conversations with Microsoft reinforce the view that Microsoft is evolving Windows this way. The big challenge is that Windows users — IT, especially — resist upgrading to new versions, so the critical mass of Windows 10 PCs may not come for several years, leaving mobile OSes to carry the ball. (OS X is able to use these techniques, but outside of Apple, it's hard to see app vendors adopting the technologies for their Mac apps before they deploy them in their Windows apps.)

In the meantime, I believe we'll see Microsoft instead focus on its Office management APIs as a way to sell its Intune service. Although most large enterprises are unlikely to toss their existing MDM investments, a lot of smaller companies use nothing more than Exchange to manage mobile devices, apps, and content. Intune will be an easier sell for these mainly Microsoft shops — though it will not address non-Microsoft apps.

We're in the early days of a new era in content management. If you can handle the fact that today's products are going to evolve a lot, you're in a great position to get ahead of the curve in the critical area of data security.

Copyright © 2015 IDG Communications, Inc.