You can't control everything -- nor should you try. To reduce the risk posed by mobile devices, focus on securing data.

Two main schools of thought guide the adoption of BYOD in the enterprise. One is to reduce the risk of the devices themselves by managing them closely through policy and software. The other is to reduce the risk to data that may be exposed or lost through mobile devices. The latter is happening by default in most companies while everyone considers whether the former can be done. All organizations need to decide which overarching BYOD strategy will guide all their individual BYOD projects — or agree that different pockets will use different strategies (which usually isn’t optimal).

The latter strategy, focusing on securing the data, separates the device from the data — which can be accomplished in several ways. Many different solutions are being developed, including using Web services, virtual machines, virtual desktop integration, and virtual application integration. Most of the “unmanaged BYOD” vendor offerings focus on one of these types of solutions. I believe this focus on data security is the best strategy for many reasons, not the least of which is that keeping unmanaged devices off your network would stifle productivity. BYOD is inherently unmanaged, and in trying to control it, you’ll always be putting a square peg in a round hole.

At the same time, you don’t want end users connecting to highly sensitive data via systems that are at major risk of being compromised, without any offsetting controls. That would be foolish.
The basic idea behind this data security strategy dates back to the 1960s and is known generally as the “red/green paradigm.” As you might expect, the green part is for low-risk systems, while the red system is supposed to be used for all high-risk operations. The two are logically or physically separated — but unfortunately, every previous attempt at this sort of differentiation has failed.

Most failures are due to imperfect separation and the very hard task of ensuring that the green part of the system stays green. For example, I’m often asked to review “browser protection” solutions that promise to keep Internet browsers free of compromise. They usually employ some sort of “sandboxing” that prevents unauthorized processes from permanently modifying the underlying system. Unfortunately, malware invariably slips right through.

I have the same qualms about sandbox approaches to mobile device security as I do about sandbox approaches to browser security. Because the sandboxed application necessarily interacts with the operating system, the separation of the red and green zones is under constant threat. The problem with sandbox solutions is that if they became superpopular, they would likely be exploited just as much as the mobile devices or browsers they’re trying to protect.

A more promising approach to on-device data security would be to use a bare-metal hypervisor to run separate operating environments for business and personal use (see “Business smartphone, personal smartphone: One device”). So far, though, this possibility exists only for Android, and it appears unlikely that Apple will ever consider it.

Meanwhile, short of managing the devices and their use, the best way to protect sensitive data in a BYOD environment is to keep the data on the server and deliver it remotely via a display protocol such as RDP. If this approach doesn’t work for you, be aware of the risks.

This story, “Pick your strategy for BYOD,” was originally published at InfoWorld.com.
Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.