Corporate Security and the 2-in-1 Device


Microsoft seems to have fallen into a pattern where one release of Windows struggles in the market but then the next one succeeds, and back and forth. Windows 8 was one that struggled. Windows 8 came with a new class of Apps, and a new UI called Metro. Unfortunately, people didn’t like it much and they switched to desktop mode fast. True to form, Windows 10 seems to be much more successful. But before we completely dismiss Windows 8, it’s worth thinking about what Microsoft was trying to do with that release and why.

Like a lot of office workers I had a Windows laptop when Windows 8 came out, and I also had an iPad. I was experimenting with leaving the laptop at my desk and only taking the iPad with me when going to meetings or was otherwise away from my desk. After all, it seemed silly to carry two devices when I could present from the iPad, takes note on the iPad, and answer email on the iPad, right?


Well in practice, not so much. There always seems to be a last minute change that needs to be made to the slides and, while I can present from the iPad, I can’t easily edit the presentation. I can reply to an email from the iPad but I don’t have access to the network folders and SharePoint sites that contain all the background information I need to formulate the right answer. Plus, the files I have on my iPad aren’t the same ones I have on my laptop; they are copies. Are these copies up to date? Are they in the same format? Can I sync one or both ways easily?

I ended up taking both devices with me to conferences, using the laptop for work, and the tablet for movies, personal email & web surfing.

Windows 8 was an attempt to solve that problem. Microsoft built a device (Microsoft Surface) that could be used as a tablet (with a touch screen and an on-screen keyboard), but really it was running Windows and it could be plugged into a monitor, keyboard and mouse to do real work. The Metro UI was intended to fix touch screen issues in Windows 7 with simpler screen management, big square buttons, and simplified dialogs with bigger controls. Yet, it wasn’t a good UI once you did attach a mouse, and made the whole thing very bimodal.

Now Windows 10 is out with a smoother combination of touch and mouse interactions. A number of hardware vendors are already touting their 2-in-1 machines (it’s now a whole product category). So maybe my days of lugging two devices to a conference are behind me.

But what does all of this mean for corporate security?

Laptops, for office workers like me, were primarily a work machine. Tablets were primarily a personal machine. Combining the two doesn’t just mean combining touch and mouse UI’s. It also means combining business and personal use onto a single device. When I go to a conference with one device, I’m going to use it to access my personal Gmail as well as my corporate email, and it’s going to have the Excel spreadsheet of my son’s soccer schedule as well as the spreadsheet of the project plan. Corporate IT might not like it and may try to insist that there is no personal use or personal data on the company device. But the evidence to date is that there will be push back from employees, and a great deal of circumventing the rules for the sake of convenience.

If we accept a future where one device is being used for both personal and business use, how do we avoid the wrong spreadsheet being attached to a personal message, or an email being sent to my buddy John Smith rather than my colleague John Smith?

DLP and CASB software can block dangerous events, like uploading files to the cloud. But without classification they tend to be somewhat draconian in their policy enforcement and block more than necessary. Data classification enables clear identification and delineation of personal data from corporate data, and run-of-the-mill corporate documents from highly classified ones. DLP and CASB systems can then make smart decisions, allowing my son’s soccer schedule to flow freely between my 2-in-1 device and OneDrive, but blocking any attempt to send a project plan outside the organization.

The tablet-laptop combination seems like a good idea whose time will inevitably come. Moore’s law dictates that anything you can do on a laptop you will be able to do on a smaller device sooner or later. Knowledge workers are being encouraged to be mobile and integrate work into life’s fluidity. Combining personal and corporate information one a single device appears inevitable. And if we’re honest, most of us are already doing it. Our approaches to data security need to fit with this reality and support it rather than attempting block it. And data identity and classification have an important role to play.

Leave a Reply