For BYOD best practices, secure data, not devices

One of the more popular strategies is MAM

When it comes to things that keep CIOs up at night, mobility, particularly bring your own device (BYOD), is at the top of the list or near it.

Mobile device management (MDM) products and services are often the reflexive response to the need for more secure mobile computing, but in many ways that's like using a chainsaw rather than a scalpel to perform surgery.

A growing number of secure mobile solution providers say the answer to BYOD is not to control the device, but to control the data.

"It's appropriate to manage the device if you own that device," says Alan Murray, senior vice president of products at Apperian, a provider of a cloud-based mobile application management (MAM) solution. "If the corporation owns the device, it should manage that device. When is it valid to manage the application? Always."

BYOD Sparks Data Loss Fears

Smartphones are now in the hands of hundreds of millions of employees around the world, and other mobile devices like tablets are a growing phenomenon as well. This influx of consumer-owned devices into the enterprise environment has sparked data loss fears within many IT organizations. And if you think it's not happening in your company, think again.

"Even if you don't think you're doing BYOD, you're doing BYOD," Murray says. "It's a matter of whether you're doing it formally or like an ostrich."

For the most part, organizations are adjusting to the new reality. According to the State of Mobility Survey 2012 by Symantec, 59 per cent of the 6275 respondents reported that their organizations are making line-of-business applications accessible from mobile devices, and 71 per cent said their organization is looking at implementing a corporate "store" for mobile applications.

It's not hard to see why. Organisations believe embracing mobile computing increases the efficiency and effectiveness of their workforces. Symantec's survey found that 73 per cent of respondents expected to increase efficiency through mobile computing, and all of them did realise that increased efficiency.

"Four or five years ago, it was all about the mobile elite," says John Herrema, senior vice-president of corporate strategy for Good Technology, provider of secure mobile solutions.

"They had company-owned devices to do some pretty basic things around email, browsers and PIM. Apps never really took off on that platform for a variety of reasons. But what we're seeing now is these BYOD devices have a ton of corporate use.

"Users are self-reporting that they're doing the equivalent of an extra week of work a month on their mobile devices by doing things like checking their email before they go to bed. The devices are out there. The users want this access. The more you give them access, the harder and longer they work. If you can't find a way to overcome [the security concerns], you are leaving massive amounts of productivity on the table."

Secure the Data With Mobile Application Management

Several different strategies are emerging to help organizations control their data in a mobile environment. One of the more popular strategies is MAM, often associated with the creation of curated enterprise app stores. The idea behind MAM is to focus enterprise resources on managing what's really important to the business, its data, by taking charge of the apps that can access that data while leaving employees in control of the devices they own. MAM allows organizations to mandate encryption, set and enforce role-based policies for applications (including how they store and share documents) and even remove data and deprovision apps when an employee leaves the company (or loses a device). In other words, you can ensure that sensitive data never leaves your customer relationship management app without preventing salespeople from playing Angry Birds on their own devices during their own time.

"I'm not going to access proprietary data by opening Angry Birds," says Brian Duckering, senior manager of Enterprise Mobility at Symantec, which has also adopted the MAM approach. "So do I need to manage Angry Birds? Probably not."

"We've always believed that ultimately security and compliance boils down to being able to control the data," adds Herrema. "Trying to control the device, in a lot of cases, is neither necessary nor sufficient. A lot of the typical device management methods don't work anymore in a BYOD world. You can't tell a BYOD user who owns an iPhone 4S that they can't use Siri or iCloud or that they can't use the App Store. At the end of the day, if you have control of your own data and make sure that your data isn't leaking off into personal applications and services, you don't have to touch the rest of the device. I don't have to tell the user that you can't use Dropbox. I just have to make sure that none of my sensitive corporate documents wind up in Dropbox."

"In many cases, you actually have greater control over protecting that data than you would with a general MDM solution," Symantec's Duckering notes.

It should be noted that even when you manage applications rather than devices, special care is necessary for certain high-risk application types. For instance, in addition to providing the ability to manage internally developed apps and third party apps, Good also provides its own secure email app and secure browser app.

"The reason we have a secure email app and a secure browser app is that the native apps on these devices are inherently leaky," says Good's Herrema. "If you can't actually secure and manage the core browser and the core address book and core email app, you're still going to have data loss."

Run a Second Virtual Phone with Hypervisors

Instead of MAM, Red Bend Software takes an alternative approach that is more reminiscent of MDM. It uses type 1 hypervisors on particular Android handsets to create what is essentially two virtual phones running simultaneously on the same physical hardware. One phone is the standard consumer device for use with Facebook and Twitter and other consumer-facing applications. The other is a phone running a dedicated Android operating system geared for the enterprise.

"We allow the enterprise to completely manage that part of the phone," says Morten Grauballe, executive vice president of Corporate Development and Strategy at Red Bend.

Grauballe explains that by leveraging a type 1 hypervisor, Red Bend is able to achieve excellent performance because it runs directly on the phone's hardware (as opposed to a type 2 hypervisor, which runs as a software layer above a device's operating system). And, he adds, Red Bend achieves significantly better security because it doesn't run inside the same OS as the other consumer-facing applications.

"The usability goes both ways," he says. "It gives the IT organization better control, but gives the user the privacy and freedom they would like."

One drawback of Red Bend's type 1 hypervisor approach is that it can't be implemented on just any smartphone. It requires the handset manufacturer or chipset manufacturer to architect the device to support bare metal virtualization. Red Bend is attacking that problem aggressively.

"We're working with our customers, who are all the mobile device manufacturers (chipset manufacturers to ODMs and OEMs), to actually change the architecture and how the next generation of mass-market devices are designed and built so they are enterprise ready from the beginning," explains Lori Sylvia, executive vice president of Marketing at Red Bend.

Red Bend is not alone. Virtualization juggernaut VMware has launched a similar project, called Horizon Mobile Virtualization, to allow the enterprise to deploy its own secure virtual phone images to employee-owned smartphones.

Put a Virtual Desktop on Your Phone

Desktop as a Service (DaaS) specialist Desktone is also using virtualization to solve the BYOD puzzle, but with an approach that differs from Red Bend's. Rather than virtualizing the phone, Desktone is virtualizing users' desktop computers and delivering them as a service, giving users the ability to access that virtual desktop via different devices, from a physical desktop or laptop to a tablet or smartphone.

"Rather than managing devices, it's more about managing users," says Danny Allan, CTO of Desktone and former director of security research for IBM.

Desktone's solution allows organizations to set policies for how services can be accessed and with which devices. For instance, it could allow a user to access a certain service from an iPad while on the road but not while in the office, or vice versa.

In the end, whichever strategy you adopt for dealing with BYOD, the vendors all agree that the key is to secure your sensitive data while still providing the end user the freedom and flexibility to use devices to enhance their productivity. If your solution is too onerous to use, end users won't use your apps and you'll fail to realise the productivity gains mobile computing offers.

"If the solution that you apply is too restrictive, then as much as everyone wants BYOD, it's simply not going to be a practical solution because no one will use it," Duckering says.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers. Follow Thor on Twitter @ThorOlavsrud.
