Most failures are due to imperfect separation and the very hard task of ensuring that the green part of the system stays green. For example, I'm often asked to review "browser protection" solutions that promise to keep Internet browsers free of compromise. They usually employ some sort of "sandboxing" that prevents unauthorized processes from permanently modifying the underlying system. Unfortunately, malware invariably slips right through.
I have the same qualms about sandbox approaches to mobile device security as I do about sandbox approaches to browser security. Because the sandboxed application necessarily interacts with the operating system, the separation of the red and green zones is under constant threat. The problem with sandbox solutions is that if they became superpopular, they would likely be exploited just as much as the mobile devices or browsers they're trying to protect.
A more promising approach to on-device data security would be to use a bare-metal hypervisor to run separate operating environments for business and personal use (see "Business smartphone, personal smartphone: One device"). So far, though, this possibility exists only for Android, and it appears unlikely that Apple will ever consider it. Meanwhile, short of managing the devices and their use, the best way to protect sensitive data in a BYOD environment is to keep the data on the server and deliver it remotely via a display protocol such as RDP. If this approach doesn't work for you, be aware of the risks.
This story, "Pick your strategy for BYOD," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.