Assuming that unmanaged devices are going to access your data anyway, what's the best way to protect that data? The simple answer is to prevent the data from being collected or stored, transiently or permanently, on the unmanaged device. Attackers have a significantly harder time compromising data that never resides on the device.
One way to do this is to use the traditional client-server solution. All the data remains on the server side and only the results are sent to the user -- typically, these days, in a browser. It's a good solution. The only problem is that it still gives a compromised computer direct access to the front-end rendering system, which usually has code that links it to the middleware and back-end servers. If the unmanaged device is compromised, the attacker can use that foothold to access and compromise every computer in the chain from front to back.
The better solution for unmanaged devices is to render only screenshots of the returned data, giving the endpoint almost no access to any of the computers in the delivery chain. We already have plenty of these solutions available in the form of remote desktop presentation software, such as Citrix, Terminal Services, VNC, and so on. Each of them simply presents a remote screen and transmits screen-draw updates in response to the inputs it receives.
If data can be accessed through an unmanaged device as a simple screen draw, there is little an attacker can compromise. Bad guys may be able to capture screenshots and all updates, but they can't obtain direct access to connection strings, HTML code, or other juicy bits of information that would allow them unfettered access to the back-end data.
Truth be told, I don't like remote desktop solutions as they are coded today. Most of them also give the endpoint access to remote resources, such as storage devices, printers, shared folders, and so on. A better solution would allow only remote screen draws and inputs to be transmitted between the source and destination. Very little funny business could occur in that scenario.
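As an added illustration (not code from this column or from any of the products it names), here is how that "screen draws and inputs only" posture can be approximated on a Windows Terminal Services/RDP host: a PowerShell script that reports which client-resource redirections the host still allows and then sets the standard Terminal Services Group Policy registry values that turn them off. It assumes an RDS host and an elevated PowerShell session; Citrix and VNC have their own equivalent settings, which are not shown.

```powershell
# Added example (not from the original column): audit and harden the
# RDP/Terminal Services device-redirection policies so a session carries
# only screen draws and input, as the text above recommends.
# Assumes a Windows RDS host and an elevated PowerShell session; the
# registry path and value names are the standard Terminal Services
# Group Policy keys (a value of 1 disables that redirection).

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each policy value and the client resource it would otherwise expose.
$Redirections = [ordered]@{
    fDisableCdm      = 'client drives (shared folders / storage devices)'
    fDisableClip     = 'clipboard'
    fDisableCpm      = 'client printers'
    fDisableLPT      = 'LPT ports'
    fDisableCcm      = 'COM ports'
    fDisablePNPRedir = 'plug-and-play devices'
}

function Get-RdpRedirectionState {
    # Returns one object per redirection: Allowed = $true when the policy
    # is unset or 0, i.e. the host still hands that resource to the endpoint.
    foreach ($name in $Redirections.Keys) {
        $current = (Get-ItemProperty -Path $PolicyPath -Name $name `
                    -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy   = $name
            Resource = $Redirections[$name]
            Allowed  = ($null -eq $current -or $current -ne 1)
        }
    }
}

function Disable-RdpRedirection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Creates the policy key if absent, then sets every value to 1 (disabled).
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $Redirections.Keys) {
        if ($PSCmdlet.ShouldProcess("$PolicyPath\$name", 'Set to 1 (disable)')) {
            Set-ItemProperty -Path $PolicyPath -Name $name -Value 1 -Type DWord
        }
    }
}

# Weak (default) state first, then the hardened state.
Get-RdpRedirectionState | Format-Table -AutoSize
Disable-RdpRedirection -WhatIf   # drop -WhatIf to apply the change
Get-RdpRedirectionState | Format-Table -AutoSize
```

A host with no policy set typically reports every row as Allowed = True, which is exactly the resource exposure objected to above; once the values are applied, new sessions no longer carry those redirections.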
Even if a bad actor (as in a hacker, not a celebrity) were to steal an unmanaged device, capture the remote connection log-on information, and begin accessing data like a legitimate user, they would get that data only one screen at a time. That's very laborious -- and represents a much less significant breach than a hacker gaining the sort of access that would allow the whole database to be copied with one command.
Currently I'm exploring VDI and other virtual app-rendering methods. They too show promise. I suspect that many readers have already come up with the same solutions, because we're all facing the same problems, and I don't consider myself to be brilliant.
What solutions have you come up with for solving the security problem of unmanaged devices? Share them in the comments below.
This story, "Data security in a BYOD world," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.