latoga labs


Employee Owned IT – Security Holds it Back

March 11, 2010

Yesterday was the VMware Community Roundtable discussion on View which featured VMware’s own John Dodge.  If you haven’t participated or listened in to one of the roundtables, this is a great one for those who are doing or thinking about virtual desktops.

At one point the discussion turned to Employee Owned IT (EOIT) and offline desktops within View.  It was great to hear all the different individuals whose companies are thinking about or implementing EOIT in some form or fashion.  One aspect of EOIT which I have touched on in the past is security.  Security has come up with multiple of my clients when discussing desktop virtualization and EOIT; I was a bit shocked that the topic didn’t come up yesterday during the roundtable.

When you start letting employees bring in their own computers, connect to the corporate network, and then run a corporate supplied desktop VM locally (or connect to a corporate supplied virtual desktop remotely) to do their work, there are still some security risks to keep in mind.  Namely, the uncontrolled operating system attached to your corporate network.

Corporate IT may have locked down the VM the employee is using, but more times than not there are not adequate security mechanisms in place to protect the network from the EOIT OS that is running on that EOIT laptop.  What sites were the employee’s children looking at last night?  What malware might be lurking on the EOIT laptop?  And that employee just plugged their laptop into your corporate network.

Walk into most large enterprises (and many smaller ones too), plug your computer into the physical network and you are probably now behind the firewall.  Many companies don’t have any security in place to prevent outside computers from getting an IP address and instant network access–I know this because I’ve had this discussion with my clients when discussing EOIT and I’ve done it myself in the past.  Most companies set up their wireless network to require authentication, and if it doesn’t require authentication it gives you guest access to the Internet only.  But this is not the case for the physical networks because the assumption is that those inside the building should have full access.

For EOIT to really take off in enterprises, this existing security mindset needs to be addressed, either at the physical network level or at the local computer level.  Since the entire idea of EOIT is to not need to manage the computer, it puts us in a tough spot.  Most large enterprises would take years of time and lots of money to update the security on their network to a level that would enable EOIT for widespread use.  Many smaller companies would do it much faster and cheaper where the cost savings of EOIT far outweigh the security measures that need to be installed.

But how do you solve this problem for the large enterprise?

Filed Under: Technology Ramblings, Virtualization Tagged With: EOIT, Virtual Desktops, VMWare View

Can Employee Owned IT Overcome the Hurdles?

October 11, 2009

For the better part of the past two weeks I have been living the life of Employee Owned IT and dealing with the worst case scenarios.  For those who are unfamiliar with the concept, this is essentially where the employee owns their laptop and uses it for work.  The ultimate version of this concept is the employer providing a yearly stipend for purchasing any laptop or computer that the employee wants (usually meeting a minimum performance requirement) and then providing the employee a virtual desktop for all their corporate work.  The theory is that the employee is happy because they get the laptop they want, can (officially) use it for personal work, and they keep the laptop when they leave the company.  The employer is happy because they have shifted money on their books away from owning depreciating assets, saved money overall on the management of their physical client computers, and have a more secure and controlled corporate client computing environment that is compartmentalized using virtualization and primarily contained within their data center.

I have been living this life as a self-driven experiment.  Working on my personal MacBook Pro–which has all my personal software and utilities I use daily for both work and extracurricular activities (photography)–and running a corporate VM with all my official corporate software installed and VPN connectivity.  Everything has been working wonderfully…until the SuperDrive in my MacBook Pro suddenly decided it didn’t want to burn CDs/DVDs anymore. I had purchased the Apple Care protection plan with my laptop, so all I needed to do was take the MBP into the nearest Apple store, have them run a test to verify that the SuperDrive was kaput, and have them replace it.

All went according to plan up till the replace it part.  I needed to leave my computer there for 1-3 days.

1 to 3 days?  This is my production machine!  The Genius helping me at the Genius bar didn’t seem to understand what that meant.  I needed this computer to do my daily work.  Not just that, but could I trust them to have my personal computer, personal information, web browser passwords, and all for 1 to 3 days?

Welcome to the reality of EOIT.  A few of the hurdles that it faces:

  • Hardware Failure & Repair:  The risks and abuses of some private IT repair shops are well documented by news investigations. So how does an employer embarking on EOIT protect themselves and their employees in these hardware failure situations?  Do they require that computers be purchased from only national distribution channels?  Are these the hardware manufacturers with retail stores so the employee can always physically take their computer to some expert for help or repairs?  How does the employer know the quality of the help or repairs?  Do they even care once they have pushed the expense of this off on the employee?
    • There is a bigger change in the dynamics of the computer sales model here as well.  If the retail store outlet is a requirement, now any retailer without store fronts is at a disadvantage.  The companies that have technology centric store fronts now become lucrative partners (e.g., RadioShack, cell phone companies).  Then the battle moves into the classic consumer product sales challenges of shelf placement, kiosks, and the like.  If this type of change were to occur, say goodbye to the enterprise client hardware sales person…I already know that the most forward looking of these sales people think they are seeing the end of their career runway because of the previously described scenario.
  • Information Security: In the EOIT scenario, the employer’s data should be secure because it is living in a protected VM.  A VM that is most likely living only in the data center and accessed remotely by the employee.  Or, for select power or mobile employees, living on their laptop but encrypted and password protected, so that it could easily be moved to an external hard drive before taking the computer in for repairs.  But what about the employee’s personal information?  Should the employer even care?  Ideally, wouldn’t it be great if the employee could have the same protections and ease of migration for their personal computing environment as they have for their corporate computing environment?  This is the goal of bare metal client hypervisors, like the announced VMware CVP.  One could copy their personal VM off to the same USB hard drive and copy a VM containing a fresh install of an OS to their laptop hard drive.  Now if the IT repair technician starts snooping around the computer, there is nothing there for them to find.

These are the two hurdles that I faced personally with my EOIT experience.  There are a few more that employers face, like:

  • calculating the actual cost savings that a company could achieve through EOIT
  • determining all the possible risk scenarios that a company needs to account for with EOIT and deciding which ones they need to take on and which they are willing to push on to the employee.

My solution to the two hurdles mentioned above was rather unique to my situation.  First, I have a second MBP that I could use while my production system was in the shop.  Second, I was already planning to upgrade the internal hard drive in my laptop and had the new hard drive in hand.  So I was able to clone my personal laptop’s hard drive to the new, larger, hard drive; reformat the internal hard drive; and install a new installation of the OS.  So when I handed my personal laptop over to the Apple Store, there was no personal data on it at all and I could keep working by booting my second MBP off of the cloned hard drive.

Unfortunately for the EOIT vision, this was a very unique situation and I had the technical knowledge to achieve the workaround.  For the EOIT vision to become a widespread reality, these worst case scenarios need to be easily handled by the common employee, with general computer knowledge, through a simple process that includes only a few clicks of the mouse.  I think that technically we are much closer to this reality than most people realize.

However, the biggest hurdle still exists…does Employee Owned IT drive substantial cost savings and will enterprises embrace it?

Filed Under: Tech Industry, Technology Ramblings, Virtualization Tagged With: Employee Owned IT, EOIT

About latoga labs

With over 25 years of partnering leadership and direct GTM experience, Greg A. Lato provides consulting services to companies in all stages of their partnering journey to Ecosystem Led Growth.