IT security has long operated on a simple principle: Because the firm owns all user endpoint devices that access company information, securing the devices means that data on them is secure. But what if that foundational principle no longer applies? The increasingly insistent and inconvenient spread of sensitive data to non-company-owned devices suggests that it doesn't.