For BYOD Best Practices, Secure Data, Not Devices

When it comes to things that keep CIOs up at night, mobility, particularly bring your own device (BYOD), is at the top of the list or near it. Mobile device management (MDM) products and services are often the reflexive response to the need for more secure mobile computing, but in many ways that’s like using a chainsaw rather than a scalpel to perform surgery. A growing number of secure mobile solution providers say the answer to BYOD is not to control the device, but to control the data.

“It’s appropriate to manage the device if you own that device,” says Alan Murray, senior vice president of products at Apperian, a provider of a cloud-based mobile application management (MAM) solution. “If the corporation owns the device, it should manage that device. When is it valid to manage the application? Always.”

BYOD Sparks Data Loss Fears

Smartphones are now in the hands of hundreds of millions of employees around the world, and other mobile devices like tablets are a growing phenomenon as well. This influx of consumer-owned devices into the enterprise environment has sparked data loss fears within many IT organizations. And if you think it’s not happening in your company, think again.

“Even if you don’t think you’re doing BYOD, you’re doing BYOD,” Murray says. “It’s a matter of whether you’re doing it formally or like an ostrich.”

For the most part, organizations are adjusting to the new reality. According to the State of Mobility Survey 2012 by Symantec, 59 percent of the 6,275 respondents reported that their organizations are making line-of-business applications accessible from mobile devices, and 71 percent said their organization is looking at implementing a corporate “store” for mobile applications.

It’s not hard to see why. Organizations believe embracing mobile computing increases the efficiency and effectiveness of their workforces. Symantec’s survey found that 73 percent of respondents expected to increase efficiency through mobile computing, and all of them did realize that increased efficiency.

“Four or five years ago, it was all about the mobile elite,” says John Herrema, senior vice president of corporate strategy for Good Technology, provider of secure mobile solutions.

“They had company-owned devices to do some pretty basic things around email, browsers and PIM,” says Herrema. “Apps never really took off on that platform for a variety of reasons. But what we’re seeing now is these BYOD devices have a ton of corporate use. Users are self-reporting that they’re doing the equivalent of an extra week of work a month on their mobile devices by doing things like checking their email before they go to bed. The devices are out there. The users want this access. The more you give them access, the harder and longer they work. If you can’t find a way to overcome [the security concerns], you are leaving massive amounts of productivity on the table.”

Secure the Data With Mobile Application Management

Several different strategies are emerging to help organizations control their data in a mobile environment. One of the more popular strategies is MAM, often associated with the creation of curated enterprise app stores. The idea behind MAM is to focus enterprise resources on managing what’s really important to the business-its data-by taking charge of the apps that can access that data while leaving employees in control of the devices they own.

MAM allows organizations to mandate encryption, set and enforce role-based policies for applications including how they store and share documents and even remove data and deprovision apps when an employee leaves the company (or loses a device). In other words, you can ensure that sensitive data never leaves your customer relationship management app without preventing salespeople from playing Angry Birds on their own devices during their own time.

“I’m not going to access proprietary data by opening Angry Birds,” says Brian Duckering, senior manager of Enterprise Mobility at Symantec, which has also adopted the MAM approach. “So do I need to manage Angry Birds? Probably not.”

“We’ve always believed that ultimately security and compliance boils down to being able to control the data,” adds Herrema. “Trying to control the device, in a lot of cases, is neither necessary nor sufficient. A lot of the typical device management methods don’t work anymore in a BYOD world. You can’t tell a BYOD user who owns an iPhone 4S that they can’t use Siri or iCloud or that they can’t use the App Store. At the end of the day, if you have control of your own data and make sure that your data isn’t leaking off into personal applications and services, you don’t have to touch the rest of the device. I don’t have to tell the user that you can’t use Dropbox. I just have to make sure that none of my sensitive corporate documents wind up in Dropbox.”

“In many cases, you actually have great control over protecting that data than you would with a general MDM solution,” Symantec’s Duckering notes.

It should be noted that even when you manage applications rather than devices, special care is necessary for certain high-risk application types. For instance, in addition to providing the ability to manage internally developed apps and third party apps, Good also provides its own secure email app and secure browser app.

“The reason we have a secure email app and a secure browser app is that the native apps on these devices are inherently leaky,” says Good’s Herrema. “If you can’t actually secure and manage the core browser and the core address book and core email app, you’re still going to have data loss.”

Run a Second Virtual Phone with Hypervisors

Instead of MAM, Red Bend Software takes an alternative approach that is more reminiscent of MDM. It uses type 1 hypervisors on particular Android handsets to create what is essentially two virtual phones running simultaneously on the same physical hardware. One phone is the standard consumer device for use with Facebook and Twitter and other consumer-facing applications. The other is a phone running a dedicated Android operating system geared for the enterprise.

“We allow the enterprise to completely manage that part of the phone,” says Morten Grauballe, executive vice president of Corporate Development and Strategy at Red Bend.

Grauballe explains that by leveraging a type 1 hypervisor, Red Bend is able to achieve excellent performance because it runs directly on the phone’s hardware (as opposed to a type 2 hypervisor, which runs as a software layer above a device’s operating system). And, he adds, Red Bend achieves significantly better security because it doesn’t run inside the same OS as the other consumer-facing applications.

“The usability goes both ways,” he says. “It gives the IT organization better control, but gives the user the privacy and freedom they would like.”

One drawback of Red Bend’s type 1 hypervisor approach is that it can’t be implemented on just any smartphone. It requires the handset manufacturer or chipset manufacturer to architect the device to support bare metal virtualization. Red Bend is attacking that problem aggressively.

“We’re working with our customers, who are all the mobile device manufacturers-chipset manufacturers to ODMs and OEMs-to actually change the architecture and how the next generation of mass-market devices are designed and built so they are enterprise ready from the beginning,” explains Lori Sylvia, executive vice president of Marketing at Red Bend.

Red Bend is not alone. Virtualization juggernaut VMware has launched a similar project, called Horizon Mobile Virtualization, to allow the enterprise to deploy its own secure virtual phone images to employee-owned smartphones.

Put a Virtual Desktop on Your Phone

Desktop as a Service (DaaS) specialist Desktone is also using virtualization to solve the BYOD puzzle, but with an approach that differs from Red Bend’s. Rather than virtualizing the phone, Desktone is virtualizing users’ desktop computers and deliver them as a service, giving them the ability to access that virtual desktop via different devices, from a physical desktop or laptop to a tablet or smartphone.

“Rather than managing devices, it’s more about managing users,” says Danny Allan, CTO of Desktone and former directory of security research for IBM.

Desktone’s solution allows organizations to set policies for how services can be accessed and with which devices. For instance, it could allow a user to access a certain service from an iPad while on the road but not while in the office, or vice versa.

In the end, whichever strategy you adopt for dealing with BYOD, the vendors all agree that the key is to secure your sensitive data while still providing the end user the freedom and flexibility to use devices to enhance their productivity. If your solution is too onerous to use, end users won’t use your apps and you’ll fail to recognize the productivity gains mobile computing offers.

“If the solution that you apply is too restrictive, then as much as everyone wants BYOD, it’s simply not going to be a practical solution because no one will use it,” Duckering says.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at tolavsrud@cio.com