Everybody’s talking about the post-perimeter era – an era in which there is no longer a distinction between being inside the perimeter of the organization or outside of it. In this new era, our personal devices mix access to sensitive, corporate and personal data. The conventional thinking is that because services and apps have moved to the cloud there is no longer a need for strict domain boundaries.
However, this thinking ignores an important part of human nature. We all have and need boundaries between our corporate persona and our other personas. We expect these boundaries to be respected, we expect our privacy to be respected. In this post, we’ll discuss this human need and its collision with the post-perimeter trend in information technology.
Most people have multiple personas – their persona at work is different than their persona at home with their family and friends. They typically have a room at home dedicated to work that is completely separate from living rooms / family rooms. People tend to like to keep their lives mostly separate. In the past, we used to also have a clear distinction between our work computing and our personal computing. We used to have a device we’d use for personal purposes and a device we’d use at work. This makes a lot of sense as we don’t want to mix our personal life with our corporate life. We want our employer to respect our privacy. We want to be able to keep our personal data even if we move from company to company since we might be using different apps/websites/data at home vs. at work.
This line seems to be getting blurry. Our employers suggest that we bring our own devices to work with BYOD programs. They might allow us to use our home devices to access corporate resources, but request in return that we install a bunch of monitoring apps on our personal devices. Organizations expect employees to work at home and abroad. Helpdesk support agents ask to take over our devices to troubleshoot issues. IT asks to be able to remotely wipe or lock our personal devices. When we give a presentation we typically share our entire screen, including all of our apps and notifications – both work-related and personal.
On the other hand, emerging privacy regulations like GDPR are asking employers to provide users with an easy way to keep personal data apart from their work data. Employers must not monitor and process the employee’s personal data. This applies to the user’s device as well. Some organizations are trying to provide employees with a dedicated personal folder on their devices, but this does not really provide a strong boundary for personal information.
Some employees try to avoid mixing personal and corporate use on a single device, but this is extremely hard without significantly degrading the user’s productivity. Using two separate devices for personal and corporate use is common, but is a huge time and productivity killer due to the constant context switching. Also, in many cases, users use their smartphone as their personal device and their laptop as a work device. This, however, means that you have to consume your personal apps on an inconvenient smartphone form factor and limit your personal use to very simple tasks. What if you’re at work and want to print/edit a personal document, or do some other work that requires a full laptop form factor? You’ll probably send that document to your work laptop, mixing the two domains.
Provisioning a VDI work desktop for each user can keep some boundary between the two worlds, but VDI desktops are expensive, lead to an inferior user experience and limit where you can get actual work done. They also potentially compromise the security of corporate resources, as malware on the user’s personal device can see, interact with and leak data out of the remote corporate desktop. Device health checks of all kinds aren’t really reliable when they face malware that completely owns the user’s physical personal device.
Things get worse in the cloud era in which all services – both personal services and corporate services – are hosted in the same public cloud. With this revolution, it theoretically makes less sense for corporations to keep any kind of OS/device boundary between personal and corporate access. Why would an enterprise want to have to manage a physical work device when they can delegate that work to the user and let him access corporate apps on his personal device? However, what enterprises are missing is that while this can reduce cost, it will either lead to worse endpoint-based security breaches and corporate data loss or to a violation of user privacy because of the need for endpoint monitoring.