The mobile phone has, for many, become no longer a “nice to have,” but a “must have” capability. Not only do we make and receive calls most anywhere, but we can access our calendars, check email, surf the web, update social media status, take pictures, play music, store contacts, play games, check scores, get directions, find restaurants … you get the idea. In a word it’s “indispensable.”
It is precisely because these mobile devices are easily portable, always connected and do about everything, but make toast for you in the morning, that they have also find themselves squarely in the middle of both our personal and professional lives. Most people are unwilling to carry separate phones for each persona because:
- it’s cumbersome
- it’s expensive (multiple wireless contracts, hardware acquisition costs)
- it’s not necessary — since we know a single device can handle the chores of the workplace as well as the household seamlessly.
The problem from a security standpoint is that these handy devices, which most people already own and want to connect to the corporate network, represent a significant loss of control over traditional computing platforms.
So how do you keep “bring your own device” from becoming “bring your own disaster” from an IT security standpoint?
There are basically three different approaches to reign in what would have seemed to us 30 years ago as a data center in your pocket:
- Mobile Device Management: install a client on the device which enforces security policies for things like password strength, encryption, remote device wiping, blacklisting and whitelisting of apps, etc.
- Containerization: Install a client which includes APIs that app vendors can leverage to create isolated versions of email, calendar, contacts, etc. so that threats to the personal side (e.g. Facebook, SMS, etc.) won’t impact the business side (e.g. corporate email).
- Virtualization: Install a client which essentially divides the device into multiple, virtual devices — meaning you basically have a personal phone with its apps and a business phone with its apps and never the twain shall meet.
Mobile device management provides the most seamless experience with virtualization providing the most isolation, which helps from both a security as well as privacy standpoint.
For the most part the vendors in this space fit into one of these three categories. But what about a hybrid/best of both worlds approach?
I’ve been espousing this tactic for a while so I was especially pleased to see an example of just such a union. In this case it’s between IBM’s Endpoint Manager (mobile device management) and Enterproid’s Divide (virtualization).
Now you don’t have to choose either/or but can do both/and. This way you get the isolation that guards against personal apps stealing business data while keeping the big brothers at corporate HQ from keeping tabs on your Angry Birds addiction. The mobile device controls can be added to the business container/virtual device for finer-grained policy enforcement so that the company gets to insist on your use of that irritatingly long and complicated password to secure their data while you can choose the security policy of your choice for your own personal data, which may or may not be more valuable to you.
For more info on this hybrid approach, take a look at:
http://www-01.ibm.com/software/tivoli/beat/07162013.html
You can download trial versions of the tools and try it out for yourself. I suspect we will see more of this sort of integration moving forward in order to gain back some of the control that corporate IT is losing when BYOD enters the picture.
There’s a spy in your pocket (or pocketbook or backpack). It’s so well camouflaged that you could stare directly at it and still not realize it’s there. Hiding in plain sight, as it were. In fact, if you are like most people according to a 
Inside Internet Security 