Rethinking the consumer/enterprise operating system

Sunday, October 28, 2012

Rafal Los


I've sat there thinking about operating systems on a perfect Sunday afternoon.  We spend a lot of time in information security worrying about how we're going to secure the endpoint, but whether we're talking about the hipster Mac OS, or Windows, or Android on your mobile handset - the divergence of the security model, in my opinion, is becoming obvious.

When Microsoft converged their kernel and made a single version of Windows most people were relieved, especially Microsoft developers and security types.  It was now going to be easier to maintain the code base - but was that the right call?  I think the jury may still be out...  or maybe it's just not that simple.

Should there be a fundamentally different operating system for the consumer market versus the enterprise market?

Different Strokes

The basis for my question comes from the way that 'security' is thought about and enforced in the two use cases.  On the consumer end you don't want to have your grandmother thinking about whether she needs to update her Windows or flash her Android phone to the latest version fixing the various security bugs and adding new features. You'd rather not have to think about 'security' at all ...and let's face it, most consumers don't.  You don't necessarily need to have all those remote management and "enterprise" hooks into the OS that you want for your enterprise user.  On the consumer end you want simplicity and less opportunity for the user to "make the wrong security decision" (i.e. - do you want to update Windows?).  On the enterprise end you absolutely need deeper capability of remote management, policy capabilities, and account separation... things that are pointless on the consumer end unless you're talking about remote malware.  Enterprises need to inventory their assets, push applications, push certificates or credentials, tokens and the like.  Basically you want the enterprise end to be more highly security-configurable, manageable, and deeply defensible from the central nerve center of your enterprise.

Divergent Models

On the consumer end you want simple.  You want the security-based decisions to be abstracted from the user experience.  You want the vendor to set policy and push updates, and want to have security 'behind the curtain' where the user can't opt out of a Patch Tuesday, or choose to disable UAC for the sake of convenience.  You want the consumer OS to protect the user... often from themselves.

On the enterprise end you want control.  You need the ability to set policy for a mass of users, and control the experience, peripheral attachment, and properties of that endpoint.  You don't want the user to be able to undo the enterprise controls (i.e. - central policy disables USB devices) to circumvent your security posture.

What About BYOD?

Thinking about what this means for BYOD - it could be argued that it would be counter-productive to remove enterprise control from a consumer OS (even if it's features that are removed or disabled) because it makes MDM more difficult - but aren't we saying that the endpoint is essentially  not the place you want to worry about security in today's modern security landscape?  Who really thinks MDM is the salvation of the consumer endpoint ...really?  If your enterprise BYOD security policy relies on pushing MDM to your clients you'll end up with your users doing what I did on my personal iDevice - you'll simply remove access to corporate email rather than have the intrusive, invasive, snooping technology installed on your personal device.  You'll have lots of opt-out, or privacy battles.

The applications (on the endpoint and backend), the network and user management are what make sense in BYOD (as we've said over and over), rather than the endpoint OS or device.

Recipe for Separation

I think when it comes to this discussion it makes logical sense to separate out the security models.  On the use case of the 'consumer' we want simplicity.  You know the vast majority of consumer users don't have their own "IT person" at their beck and call, so they need to be spared from having to make those tough decisions they don't understand.  When that certificate warning pops up, it shouldn't give you the option to "go to the site anyway" ... it should (in plain English) say "This website is not good for you, therefore, you can't go to it" - and end it there.  No confusing jargon, no questions asked.  On the consumer end of things we want simplicity and the ability to "just use it" without all the complex security overhead the enterprise systems have.  Each consumer edition of an OS comes pre-configured with the things that you need to "keep you safe" (to an agreeable degree for the consumer) with simple-to-use interfaces and no-nonsense feedback.

When you're talking enterprise systems, you want central management, and (in the absence of central management) enable the 'power user' to control their own destiny and tweak controls, configurations and security levels by editing configuration files, making their own choices, etc.  You can dump the technical details behind why a certificate error has occurred, and allow the user to continue or quit - knowing they are more likely to have knowledge to make the choice correctly.

When it all comes down to it, I'm starting to believe having a unified consumer and commercial OS just doesn't make sense.  We fundamentally have (at least) two tiers of users, and we can't continue to do a "one size fits all" solution for them.  The big question is what?

Note: Brian Katz wrote what is no doubt a great counter-point to this piece, so check out his piece "2nd Floor Admin".

Cross-posted from Following the White Rabbit

Mikko Jakonen

Article I can easily agree.

I feel that the divergence is not necessarily a "required" state, but will happen on a level that it supports private vs. corporate computing needs. The problem with the operating systems within mobile or with desktop environment is not the "operating system itself", it is the structure and use cases how it is going to be utilized.

It is an absurd idea that an operating system under constant change and patching (not naming a single vendor here) due to the security needs would serve compartmentalization as needed by the community.

However, the issue is unfortunately wider than that. In many ways. Just to introduce a few. I do have to bring 'clouds' to the discussion. For the obvious reason again. It is not just a matter of consumer / enterprise, but an enterprise / private issue as well.
Many of the organizations are utilizing more and more cloud-based services and exactly the same is happening with consumer/private users.

Just an example how tight the relation is: Hardly anyone is using iPhone without iCloud? The whole 'gadget' is integrated with the cloud.

Similarly, no BYOD can be constructed on top of such a set of functionalities and on which private ("consumer") and corporate interests are potentially conflicting or rely on such different models of utilizing services or maintaining the data.

SO - the question whether or not there should be a DIFFERENT operating system for the consumer market vs. enterprise market is itself a bit tricky. YES, the corporate AND private interests should be met and YES, parallel capability to support both worlds through clouds with different needs is desired - no, it is required. Does this require a separate operating system for each? Maybe not.

The different management needs and capabilities do not necessarily require a separate operating system, though it is not possible to run them on the same environment - correct?

I do not believe that offering simplified, yet effective management capability ("grandma model") requires separate operating system development but services to cover it, like our friendly example iCloud here.

However, I do believe that corporates need to control their information flows and information assets. This could be achieved through a 'cloudified' approach as well.

We already know that all operating environments (& systems) require constant "keep it up-to-date" activities. I believe cloud will save us here in the long run. So the models are highly divergent, but similar by the use cases.

So how do these two co-op together? Well, as CPU speed, capabilities in memory management and network speed increase I believe we will witness (no - I demand it!) a form of virtualization taking place here. Whether or not it's a 'baremetal' approach, I can't tell.

Possibilities exist. This is exactly what mobility requires, to be able to separate YOU from you.corporate or you.private.

The issues that exist currently with desktop environments are moving towards mobility and the game is not getting any easier.

Same vulnerabilities exist and no operating system divergence helps here.
Only the compartmentalization of operating system and information assets might help, with secure enough services provided for the user entity. No BYOD 'technology' on top of a vulnerable operating system stack relieves the pain.

So the conclusion: We need 'operating system' or virtualization capability which is capable to run multiple, needs based environments - operating systems and while not required to store data and closed, it will abandon the environment and start from the fresh.

Yes, something alike exists already but not mature enough and definitely mobility aware. What we need is widespread industry adoption for the understanding how this SHOULD be, not just stacking the issues on top of each other. In parallel, virtual 'SIM cards' shall see wider adoption while me.private and me.corporate may be running simultaneously.

Interesting thoughts?
Kathleen Jungck

Amen. With the complexity of the operating system increasing, many non-technical end users would benefit from lower end options, even thin clients. I've lost count of the number of times I've assisted my relatives and neighbors and witnessed their frustration. Most espouse the feeling that less is more -- less hassle, less maintenance, "just make it work."

Rafal Los

Thanks for the feedback, and the well-thought-out replies!

It will be interesting to see where this goes in the real world, part my brain :)