BYOD and the Cloud: The Dilemma Facing IT
The bring-your-own-device movement is a warning to businesses that their core is about to get more complicated. What must IT consider right now?
By Nathaniel Borenstein, Chief Scientist, Mimecast
The late Einar "Stef" Stefferud was fond of explaining one of the most fundamental principles of Internet architecture this way: "Push complexity to the edges, keep the core simple." As a general principle, you would be hard pressed to find a successful network architect who would disagree today.
However, in recent years there have been exceptions -- or at least complications -- largely centered on the development of complex network services. The internal complexity of a Cisco router definitively shows that one man's edge is another man's core. Complexity at the core of your operation only makes sense if it's part of your core value proposition as well.
The era of cloud computing brings the potential to outsource almost every non-mission-critical complexity in an IT infrastructure, one by one. The outsourcing simplifies a company's operations but doesn't further complicate the cloud provider, which already handles that complexity as its core business.
Lately, IT departments are being asked to allow employees to use all manner of new devices to interact with the supposedly secure IT infrastructure. A "Bring Your Own Device" (BYOD) movement can look like open revolution when viewed from the CIO's chair. The number and types of devices seem to be exploding, yet Mimecast's research indicates that less than a third of companies support as many as three such devices. How many people will an IT department have to hire to arrange secure access for iPhones, iPads, Android phones, Android tablets, Windows Mobile devices, the evolving product lines from Palm and BlackBerry, and the many other amazing devices likely to be just around the corner?
The answer should be "none." Depending on your current strategy, you might be able to redirect a few employees to more productive tasks. For many, it requires a major change of mindset and a certain amount of trust in the face of shifting business risks.
A recurring theme in the history of IT has been the shifting boundaries between in-house and outsourced IT expertise and services. It's a safe bet that when Remington Rand (now Unisys) sold the first UNIVAC to the Census Bureau in 1951, the Census Bureau became a major employer of programmers. Sixty years later, I'd venture that the vast majority of companies that use computers don't employ a single programmer. Along the way we've seen all manner of technical and support services migrate into service bureaus and software companies of every shade and hue.
However, until the Internet and cloud computing came along, there were a few firm boundaries. Data -- at least a primary copy -- generally stayed on premises, on machines under the control of a company's own employees, whether professionally backed up on tape or written to a floppy disk that's now propping up a wobbly table. Most important, for companies of nearly any size, has been the presence of a sophisticated firewall separating "inside" from "outside."
That distinction is increasingly irrelevant.
In the era of cloud computing, more of a business' most critical data is being stored on remote servers under someone else's control. If an organization is keeping the most critical data on the outside -- and yes, it's still a good idea with the right vendor -- what exactly makes the inside so special?
The BYOD movement closes the circle. Now there are mobile devices that are "outside" (in many cases inevitably, by virtue of commercial network architecture) communicating with key data and applications, which are also "outside." For now, perhaps, "inside" is the guarantor of identity, but that can (and probably should) be outsourced as well. Eventually, the "inside" of any IT infrastructure may be nothing more than an Internet access point and a few wireless routers within the building.
How should a thousand different kinds of devices communicate with a cloud service? Who cares? That shouldn't be your problem -- unless you work for the device or cloud vendor, of course. It's their job to make sure that employees can use almost any device with almost any cloud service. If a few combinations don't work, a few device types can be crossed off the acceptable device list or the business can swap one service provider for another. No big deal, as long as the organization has enough of an IT staff to stay on top of what's happening and make alterations to the lists of devices and contractors as needed.
In Waltham, Massachusetts, on the shore of the Charles River, is an enormous building that used to be a watch factory, and is now the Watch Factory, an industrial-themed office complex where Mimecast has its American headquarters. Today, it's unlikely that a watch factory would be designed to occupy a long stretch of riverside real estate, but it made sense in the nineteenth century. Water power drove many industries, and even powered early electrical generators. There was surely a time when the factory could not have operated without in-house expertise in electric generation. Yet, once there was an efficient electricity distribution network, it quickly ceased to make sense to generate electricity in house at all. As Stef advised, complexity was pushed to the periphery -- from the watch manufacturer's perspective, if not the electric utility's.
The BYOD movement is a big red flag, telling businesses that their core is about to get much more complicated unless it's made much more simple. If you want your company to be in the business of supporting hundreds of device types, start hiring. If you don't, start outsourcing your IT services to the cloud, and let the vendors deal with the challenge. That's what you pay them for, right?
Nathaniel Borenstein is chief scientist of Mimecast where he is responsible for driving the company's product evolution and technological innovation. He is the co-creator of the Multipurpose Internet Mail Extensions (MIME) standard and many other e-mail technologies; he has worked as an IBM Distinguished Engineer and as a faculty member at the University of Michigan and Carnegie-Mellon University. He was the founder of two Internet companies, the author of two books, three patents, and numerous technical articles, and a past president of Computer Professionals for Social Responsibility. You can contact him at [email protected].