Who owns the computer? When a new employee starts, they invariably sign an IT usage policy, acknowledging that they are using a company-owned system and that it is for company purposes only.
It's a safe bet few people read the full agreement before signing it, but in a homogeneous, locked-down office environment, for the most part it doesn't matter. Most companies are prepared to give people a bit of room to move to keep everyone happy. "We own the computer, but don't bring in any viruses or spend all day on YouTube, and we'll let you do your internet banking," they say. All perfectly reasonable.
But what happens when the company doesn't own the computer? As a broadening range of workers demand more out-of-office flexibility, it's a growing challenge for many technology managers.
Thanks to a phenomenally successful VMware float and an explosion of green IT issues, 2007 was the year of virtualisation. So far, most of the hype has been directed at the server end. But some say that changes to come at the end point - the user's machine - loom as an even bigger shift, one with the potential to promote major changes in the way people work and how they access their company's data.
Analyst group Gartner predicts that by 2009, notebooks and laptops will outsell desktop computers in Australia. Quarterly notebook sales were up as much as 30 per cent, year-on-year, during 2007, and notebooks now make up close to half the total PC market.
Much of this growth has come from the consumer market, as the laptop has become the choice of most households in Australia.
The upshot is that there are many Australian workers whose home machine easily matches what they have at work. That realisation, together with the advent of affordable broadband and long hours in the office, means employees now want the flexibility to access work systems when they're at home and on the road.
The chief information officer of Queensland nursing and care group Blue Care, Paul Parkyn, says up to 20 per cent of his staff access work systems from home. The company developed remote access two years ago, but didn't begin offering it until 12 months ago.
Since then, demand has increased dramatically, not surprisingly given the amount of time many Blue Care employees spend out on the road seeing clients.
"The vision behind the infrastructure was to provide people with the same experience remotely as they had in the office, not only from a functionality point of view, but also from an access and capability point of view," Parkyn says.
"Initially, there was a little bit of [management] apprehension, but the way that we structured the Blue Care IT environment was very much around the ability to work anywhere."
Demand for remote access was inevitable, he says. "It was really only a matter of time before we had people approaching us and saying they wanted this."
In the past six to eight months, demand from staff has been rising. "It's been more of a grassroots type of thing," he says.
Out of the office, Blue Care staff use email and general Office-like applications, as well as the company's care delivery and financial systems, via Citrix.
With a national shortage of nurses, keeping staff happy is vital for Blue Care, and the main driver for granting remote access, Parkyn says. "For us, it's about people knowing that there is some flexibility for them," he says. "If they need to work longer hours, for whatever reason, they don't need to be stuck at the office."
Staff retention alone makes the business case stack up, he says, and Blue Care plans to help even more workers log in from home with an employee PC purchase plan.
In the United States, user-chooser work PCs are becoming common, Symantec CTO Mark Bregman says. "Companies are saying: 'We don't want to own the laptop, we want you to own it'," he says.
But on user-owned hardware, personal data sits side by side with company information in a way that isn't as clear-cut as with a machine that lives in the office.
"How do we put a fence between what you do with it personally and what we do with it for business? How do we make sure that when you access us, the company, that you're not exposing us to all that other bad stuff that you might have on your machine?" Bregman asks.
Along with other companies, Symantec believes one promising approach is the idea of a "virtual sandbox": a separate environment that the company can configure and control, regardless of what else is on the machine. The sandbox could be "raked over" as soon as the user is finished with it - immediately erasing itself.
Bregman says he doesn't like the sandbox moniker. "A sandbox implies you're going to play around in there," he says. Whatever the name, he says the most commonly understood way of doing this is a VMware-style image of the corporate environment on the local machine.
Other methods include application-level virtualisation, such as the one Symantec uses in its Altiris Software Virtualization Solution (SVS) product, where all relevant applications are contained inside a single file. Registry and dynamic-link library (DLL) entries are done as shortcuts.
Another option is to ensure that for web-based applications, certain URLs are allowed to open only on a protected partition. "That's the direction we're going in," Bregman says. "We don't even have solutions, as products, that solve that problem, but we have a lot of elements of the technology moving in that direction." He says the company is also looking at securing the virtual endpoint inside the PC to prevent internal data leakage.
The goal is to integrate these strategies into a complete, fenced-off area.
"If you can make this work the way we think you can, in principle, you could walk up to a virus-infested, spyware-infected machine in a cyber kiosk in Istanbul, pay for access and log onto the Symantec corporate server," Bregman says. "We would download a little thing that could substantiate a safe zone and you could do all your work. Then when you leave, it goes away."
It will be, he says, "like you're wearing a bio-containment suit. That's the vision, but we're not there yet."
So how far away is such technology? "I think it's pretty close," he says. "There are a number of small companies with elements of it. We have elements of the technology.
"I think we'll start seeing it being prototyped and piloted within the next year. When will it become ubiquitous? That's a few years away."
CIOs like the idea because it removes some of the human risk element, he says.
"The computing power has reached the point where we can afford to pay the overhead cost of all of these layers of interaction," he says. "The benefit is better manageability and better security. The third dimension of that is better compliance, which the enterprise cares about."
By using a sandbox environment, companies will be better able to show that they are complying with rules forcing them to document the protection of information.
Sydney-based Citrix advanced products vice-president and CTO office chairman Martin Duursma says his company introduced a sandbox-like system for application streaming earlier last year.
At present, however, the sandbox application doesn't erase itself, and the product is designed to contain conflict rather than be used as a security system. Still, the potential protection of a self-erasing sandbox hasn't gone unnoticed. "It's something that we're looking at, but it's not something that's in the current product as it stands," Duursma says.
As ever, the big enterprise software makers certainly don't have the mortgage on a good idea, and others are already pushing sandbox-based systems. Open-source group Sandboxie's self-titled product is designed as a way to provide safer web surfing by taking browsing and downloads inside a virtualised zone. Internet security group ZoneAlarm offers similar functionality in ForceField, which is in public trials.
But even as vendor interest in sandboxes increases, CIOs such as law firm Gilbert + Tobin's Andrew Mitchell say they are generally happy with the remote access they have, even if the sandbox does have merit.
G+T's partners now have the option to buy their own PC or Mac, Mitchell says. "We have a variety of mechanisms via which people can log in," he says. The options include Citrix and a virtual private network.
To streamline VPN access, the company plans to switch from individual RSA security tokens to similar functionality built into partner BlackBerrys.
Most G+T staff who use remote access - about 20 per cent of them - tap into it for email, documents and the firm's practice management system, Mitchell says.
Asked whether he'd consider a sandbox, he says in some ways the technology goes back to the old mainframe days.
"We'd probably have a look at it," he says, but adds that its application would need to be considered. "You have to weigh it up in terms of what you're doing and how your people work and operate."
Mitchell says such technology would be more beneficial for an organisation that had employees travelling between multiple offices or countries.
And he cautions that virtualising desktops has consequences at the server end.
"When you go to full desktop virtualisation," he says, "you have to make sure you have very grunty servers in the back end, with high disk space."
The Australian CIO for consulting and accountancy firm KPMG, Ian McBride, says he's also happy with the way employees get remote access. Of the company's 5000 staff in Australia, about 2200 spend a lot of time working outside the office, connecting via laptops and Windows Mobile handhelds, he says.
"They're all controlled through a VPN," McBride says. "My rule of thumb is that I make it as easy as possible for people to connect, and then we go from there."
Employees are supplied with hardware, but many can also connect from home using Microsoft's terminal services, he says.
"What I'm not hearing from my people is 'I can't get in touch with what I need'," he says. "That said, I don't think we have enough wireless [mobile broadband] cards out there yet."
McBride says a new document management system and audit tools are driving the need for increased connectivity. But he wonders if a sandbox system would provide much more functionality than he has now.
"We've been really happy with the way that our people have been able to get to their applications," he says.
For more security, the company has SafeBoot hard drive encryption.
"Our policy says we let our people 'responsibly use' their laptop for personal use. That means don't fill the thing up with all your MP3s and videos, and we monitor it when they connect to the network."
Like McBride and Mitchell, Blue Care's Parkyn says the sandbox is a good idea, but not one for which he has an immediate need.
"Certainly, it's something that we may consider for the future, but for now, running a terminal session arrangement works exceptionally well," he says.
Blue Care plans to increase the capacity of its remote access, he says. The company underestimated how many people would be using it.
Parkyn says he can see a future in which the majority of Blue Care's work will be done remotely.
© Fairfax Business Media