Last week I met Michael Grey, Supply Chain Evangelist for Dell. We were chatting about future technologies given the incredible leaps that have occurred in computing over the last 30 years, with significant waves of change including:
- widespread use of mainframe computing
- proliferation of desktop computers
- ubiquitous internet
- Web 2.0 / mashups versus SOA – to allow the connection of web based software to share data in a secure manner
With all this change I was interested in what was next.
One of the points he raised was the issue of people becoming far more attached to their own computer than wanting to use a company one (which typically would be inferior to their own personal machine).
It raises a whole heap of issues:
- Ability to provide support for multiple machine types (various manufacturers and editions of software)
- How to maintain a Standard Operating Environment – an SOE reduces risk and cost in support
- How to limit the company from risk should someone’s computer have pirate software or songs, or illicit material
- Does setting up VMWare cut it? (VMWare is virtual machine software – basically like running a clean install of all software and documents. You then have two versions of an operating system on one machine. Also really great if you want to run two operating environments eg Mac OSX and Vista).
If a company turns a blind eye to other information on a computer, is the company at risk? - Is the individual at greater risk as a result of connecting to a company environment?
In some respects, putting an appropriate policy in place can work provided it is audited regularly for compliance. And automated tools can validate the legitimacy of information held on a laptop, and most likely companies will stipulate that the individual warrants that everything they hold is legal.
Without automated tools to validate the legitimacy of information held on a laptop, it is unlikely that a policy will be enough. Most likely companies will stipulate that the individual warrants that everything they hold is legal – but active checking on the compliance with policy, and records that indicate as such, are likely to be mandatory. The only other alternative is a blanket no – not something that today’s breed of knowledge workers from all generations like to hear.
Either way it is new ground.
So, what should you do?
1. Define where the highest levels of demand for connecting personal machines are
2. Identify and develop a policy and get explicit signoff
3. Put in place auditing measures
4. Trial and monitor
If you have been through something like this or are about to, please post a comment and let me know your views.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
October 2nd, 2007 at 8:32 pm
The big issue in my experience is not with technical solutions, but with employee expectations and clear definition of responsibilities between the employer and the employee.
Let’s take the assumption that an enterprise security environment is only as strong as it’s weakest link, then you end up with wanting to install a minimum security baseline. This then leads you down the path of SOE, standard security settings, virus software, O/S, security and software updates etc.
This is where the greyness starts – if the employer insists on a MSB, then who pays for the licenses? who monitors compliance with license terms? Who monitors that the MSB is actually in place? What if their machine is out of date and can’t handle the SOE? Who maintains and pays for the internet connection? If it’s the company’s connection does this mean that the user’s kids can’t play on the machine for fear of breaching the company’s acceptable use policy? What happens with P2P if it’s on a work connection?
These issues are all very real and in practice, the simplest solution seems to be not to go there, which is possibly okay in the short term, but in an interconnected world this is not going to be a practical or cost-effective solution in the medium term and hence things will need to move forward.
My guess is that starting with an appropriate agreement which combines employment law and SLA-speak would be the starting point, combined with some thorough risk and technical analysis of what’s possible, and what downside needs to be managed.
October 4th, 2007 at 12:17 am
Thanks Todd, great response.
One of the things that we find often in our consulting projects is that supplier provides – or that the personal machine just doesn’t connect to the network physically – ie there is internet access only.
With so many devices able to hold a lot of data, USB and other data take off devices are another whole area of challenge to be reconciled….
More fun to come!
Justin