A recent article in Network World online had the title “For BYOD Best Practices, Secure Data, Not Devices”. I fully agree with that title. However, when reading it I struggled somewhat with the solutions proposed therein, which were mainly “mobile device virtualization” and MAM (Mobile Application Management) instead of classical MDM (Mobile Device Management). Neither mobile device virtualization (we might call this MDV) nor MAM is really about securing data. OK, MAM as proposed by companies like Apperian can at least also protect the communication channel and the storage used by apps. However, the main focus of MAM is on controlling which apps can be used to access corporate data.
That is neither fundamentally new, nor does it solve all the problems in that area. What about access to corporate data such as email using the standard apps? How do you deal with web access? You might still need to create new apps which are more secure than the standard ones. And when you don’t support the standard apps, you may struggle with acceptance issues.
No doubt, MAM brings value. MDM brings value as well. And other approaches, like that of Enterasys, which has even trademarked the claim “BYOD done right” for its Mobile IAM solution, also bring some value. Enterasys focuses on a network security solution which controls the access of devices and what they are allowed to do, including access to some applications. But here too, several aspects aren’t solved – starting with users accessing cloud services which never touch the corporate network and thus are never seen by the Enterasys solution.
Several shortcomings might be addressed by configuring apps, cloud services, and so on. However, the more you limit, the higher the risk that users won’t accept the solution, besides all the legal issues of doing things on the devices. I particularly like the idea of MDV, which provides an image of a mobile device on another mobile device. Your corporate apps then run in a separate environment, which is under better control. However: Will these environments be more secure, or will they just duplicate shortcomings like those of iOS and iOS apps? Nevertheless, running corporate apps in virtualized, controlled environments is an interesting approach. But if the user still wants to use the familiar Mail app on iOS, you again reach the limits.
Unfortunately, the (close to) ideal solution, Information/Enterprise Rights Management for mobile devices, is not there yet. And even there you end up with the risk of malicious apps leaking data – IRM assumes that applications handle information correctly.
What is the conclusion? There is virtually no way not to accept BYOD as a reality. There is no perfect solution for secure BYOD. You need to understand the risks to corporate information when it is accessed by different classes of devices. And you then need to find adequate ways of protection – ranging from open access to prohibiting mobile access altogether. In between, there is room for the different types of solutions mentioned, as well as some others. You will most likely need a mix of security approaches for your BYOD world, because there isn’t a perfect solution out there – even when several vendors promise that they have found the holy grail of BYOD security. Be assured: no one has so far. So: Understand your risks. Identify an appropriate set of technologies which help you mitigate those risks. Define and enforce policies. And do it in a way which allows users to do a lot, so that they can accept that some things are forbidden or only allowed when specific security measures are in place – like MDM, like using a specialized app, like virtualization.