Q&A: AppDynamics CIO sees SaaS as the future of mobile management

The key to success? Working closely with the information security team, says Brian Hoyt


Application performance management (APM) software provider AppDynamics knows the value of a good SaaS platform, both for giving workers the tools they need and for keeping control over access to corporate apps and data.

The San Francisco-based company, acquired by Cisco in March, will provide the switch-and-router vendor with insights into how code impacts user experience and application and infrastructure performance, enabling it to improve business apps -- including mobile apps.

Brian Hoyt, CIO of AppDynamics

Brian Hoyt, the CIO of AppDynamics, is responsible for an IT shop that supports about 2,000 employees who use mobile phones, laptops and/or tablets to do their jobs. And while managing corporate data is critical, Hoyt clearly does not want to be in the business of wiping anyone's personal device via a traditional mobile device management tool.

The solution for his team has been to trust SaaS vendors, who can be singularly focused on data security and access, leaving Hoyt to tackle other important tasks. He talked about how mobile security through SaaS works.

What do you consider the best technique for addressing security vulnerabilities, i.e., ensuring OS updates, requiring strong PINs/passcodes, compartmentalizing enterprise apps and data on mobile devices? I would say we’re in a different situation [than older, larger companies]. We’re in the Bay Area and we’re a relatively young company, so I didn’t have to build this considering a ton of legacy that couldn’t keep up with more modern SaaS approaches. What we have may not be applicable to larger enterprises with a lot of legacy [but] ... I think that’s the way of the future. And I think larger companies need to embrace that.

There's a realization now that SaaS companies probably have a little better security than what you're able to provide internally, because it's their core business. I think embracing that is key -- outsourcing some of that risk. Because of that, I don't stay up at night worrying about that, first of all because it's out of my hands and second, because we've worked out contractual agreements with them so that if anything happened, I can trust that they're responding.

How large is AppDynamics’ workforce? I’d say close to 1,900 by now. Probably closer to 2,000 because most contractors by their very nature have some form of mobile access.

How many endpoints do you currently have to manage? Everybody’s got a phone; everyone has a laptop; and everyone probably has a third device. So, I’d say in our universe, probably around 6,000.

What are your biggest challenges with enterprise mobility management? We have an information security team that's a peer to IT here. We developed this in partnership. I own the implementation of any solutions for the most part; they help us with strategy. For me, I'm not in the phone business. I don't own people's phones here. ... I don't control any space on anyone's phone. We have a pretty lightweight set of SaaS tools for our business systems and they come with a lot of [native] security.

If we have an incident -- a sensitive employee termination, for instance -- email will delete off their phone without me doing anything. So, I don't have a lot of deep hooks into people's mobile phones.

What SaaS platforms do you use to secure mobile devices? We use primarily Okta and Duo [Mobile] security for our management of mobile devices. Okta is the one place where everyone can login, whether it be on their phone, tablet or laptop and access corporate resources. Obviously, Cisco has a slightly different approach to this.

I do like some of the features [Okta offers] where I can check policies, like if you don’t have a passcode -- please put a passcode on your phone before you can access some corporate resources. That’s something we haven’t really turned on yet. Duo gives us some insights into what the mobile universe looks like that’s connecting to our corporate apps, but it doesn’t give us the control of the device.

I don’t want my phone messed with as an employee, and I don’t want to mess with my employees’ phones. These things are so much a part of people’s lives that it’s not a business I really want to be in.

So you’re not using MDM to control what data is on an employee’s phone and you don’t wipe data from phones when employees leave or lose a device? I don’t want to be wiping people’s phones. We don’t have AirWatch or any of the traditional mobile device management that’s out there. We’ve shied away from that. I’ve been a little gun shy on that. It has wrecked some CIOs before when they got too heavy duty on that over the past few years.

I understand the risk, but because we use the SaaS world for our business systems and corporate resources, we’re getting a lot of [native] security, as well. I like the model of access control of the corporate resource, but not controlling someone’s phone.

So Okta and Duo are your mobile management SaaS platform. How do they work? Okta is a single sign-on portal. It’s essentially a portal where people log in for access to email, or Office 365 or any business system they may have as part of their job duties. They have something called ‘chiclets’ they click on to open up into a new browser window.

Duo is essentially a two-factor authentication tool, but it does have some mobile device management features, or it gives us some insight into what kind of mobile devices are attempting to access our resources.

Is the rollout of EMM/MDM still somewhat decentralized in your environment, i.e., the sales force is implementing their version while other business units are rolling out their own versions? It is centralized. There are no different versions. Everything is 100% covered by Duo and Okta. If I’m a sales rep and I need to get into Salesforce, I don’t go to Salesforce.com and log in, I go to the AppDynamics Okta portal and log in, and that’s the only way in. Our key applications are mapped through that portal, and that enforces two-factor authentication as well.

We’ve added a lot of applications to that over the past year. And we also have an automated process so when we on-board an employee, it’s profiling the type of employee it is and automatically provisions certain types of accounts. So, it reduces the on-boarding burden for our IT team.
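The portal-first model Hoyt describes above (every app reached only through the SSO portal, two-factor authentication enforced at that portal, an optional device-passcode check before mobile access, and profile-based provisioning and deprovisioning) is modelled below as an added example. This is a constructed toy policy evaluator written for this page, not Okta's, Duo's or AppDynamics' code; the profile names, app names, passcode policy and the HMAC-signed assertion standing in for a real SAML/OIDC assertion are all assumptions.

```python
"""Toy identity-gateway policy evaluator (added example, not the page's or
any vendor's code). Models: apps assigned per employee profile, a portal that
is the only way in, MFA required at the portal, a passcode check for mobile
devices, and termination that revokes assignments and sessions together.
All names, policies and the shared-secret signing are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum, auto


class Decision(Enum):
    ALLOW = auto()
    DENY = auto()
    REQUIRE_MFA = auto()        # second factor not yet satisfied this session
    REQUIRE_PASSCODE = auto()   # device posture fails the passcode policy


@dataclass
class Device:
    kind: str                   # "phone", "laptop" or "tablet"
    has_passcode: bool


@dataclass
class User:
    email: str
    profile: str                # assumed labels: "sales", "engineering", "contractor"
    active: bool = True


# Assumed mapping from employee profile to apps provisioned at onboarding.
PROFILE_APPS = {
    "sales": {"email", "salesforce"},
    "engineering": {"email", "github", "jira"},
    "contractor": {"email"},
}
# Assumed policy: these apps need a passcode-locked device when used from mobile.
PASSCODE_REQUIRED_APPS = {"email", "salesforce"}
MOBILE_KINDS = {"phone", "tablet"}
GATEWAY_KEY = b"assumed-shared-secret"   # stand-in for the IdP's signing key


class IdentityGateway:
    """The portal: tracks app assignments and live sessions per user."""

    def __init__(self):
        self.assignments = {}   # email -> set of app names
        self.sessions = {}      # email -> set of session ids

    def provision(self, user):
        """Onboarding: assign apps from the employee's profile."""
        apps = set(PROFILE_APPS.get(user.profile, set()))
        self.assignments[user.email] = apps
        return apps

    def deprovision(self, user):
        """Termination: revoke every assignment and session in one step."""
        user.active = False
        return {"apps": self.assignments.pop(user.email, set()),
                "sessions": self.sessions.pop(user.email, set())}

    def open_session(self, user, session_id):
        self.sessions.setdefault(user.email, set()).add(session_id)

    def evaluate(self, user, device, app, mfa_verified):
        if not user.active:
            return Decision.DENY
        if app not in self.assignments.get(user.email, set()):
            return Decision.DENY            # unassigned: no chiclet to click
        if not mfa_verified:
            return Decision.REQUIRE_MFA     # every portal login is MFA-gated
        if (device.kind in MOBILE_KINDS and app in PASSCODE_REQUIRED_APPS
                and not device.has_passcode):
            return Decision.REQUIRE_PASSCODE
        return Decision.ALLOW

    def issue_assertion(self, user, device, app, mfa_verified):
        """Only an ALLOW decision yields a signed assertion the app will accept."""
        if self.evaluate(user, device, app, mfa_verified) is not Decision.ALLOW:
            return None
        body = json.dumps({"sub": user.email, "app": app}, sort_keys=True).encode()
        sig = hmac.new(GATEWAY_KEY, body, hashlib.sha256).hexdigest()
        return body, sig


def app_accepts(app, assertion):
    """Service-provider side: no valid gateway assertion, no login ('the only way in')."""
    if assertion is None:
        return False
    body, sig = assertion
    expected = hmac.new(GATEWAY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected) and json.loads(body).get("app") == app
```

The point of `app_accepts` is that the app itself never evaluates policy: it only checks that the gateway vouched for this user for this app, so a direct login path (or a forged assertion) is rejected regardless of what the user knows.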

Does your EMM platform meet all your needs? We’re a fast-growing company. Especially for us, the key is working closely with our information security team, evaluating our stance and tweaking it as we go. We’ve made a lot of progress. In the past 12 to 18 months we [started out] essentially having almost nothing. We just depended on whatever Gmail gave us, and what Salesforce gave us and other SaaS providers gave us, and putting these things in Okta has given us an additional level of comfort around that. But it’s definitely been a process, and that’s ongoing for us and will probably be ongoing forever.

How has having an information security team worked for you? It has probably been close to two years since we hired a chief information security officer. Before that, security was...a little bit of everyone’s job. When we really started to scale and mature as a company, it made sense to have somebody who could give that problem 100% of their mindshare throughout the day.

This was at the time [before we hired a CISO] a really hot topic for our board, and I was spending every board meeting focusing on cybersecurity risk and I’m not a CISO; I’m an IT guy. So I was kind of doing part of it, and our SaaS team was doing part of it and our product team was doing part of it.

What are your greatest concerns regarding mobile security and whether vendors are providing the proper tools to address them? I think there’s always going to be concern. It’s on us to continually evaluate where our vendors are with their security. That’s a big part of what our security team helps us with -- sort of keeping the eyes on the glass as far as what’s going on in the threat environment out there and letting us know if there’s something out there we need to respond to. It takes constant attention both on our vendors and internally.

We’re a target. And, as we get larger, we’re going to be a bigger target. That’s a realization that is shared by our executive team as well.

Have you attempted or considered pilot projects involving unified endpoint management, where desktops and mobile devices are managed under one umbrella? No. Not really. When it comes to laptops, we have [Cisco's] Meraki as a systems manager. That’s something we’ve had for a very long time, probably more than five years. We’ve got a lot of insight into what our AppDynamics-owned and -controlled laptops look like. Additionally, we use Jamf [the Apple device management tool] to manage all of our Macs, so we actually have two routes to control our Macs, both from the Meraki Systems Manager side and Jamf. We use what I’d consider industry standard tools to manage our Mac environment, which is about 95% of all of our laptops.

Copyright © 2017 IDG Communications, Inc.
