In the IT community, there's a lot of consternation about the "bring your own device" (BYOD) phenomenon. The arguments start simply enough: IT doesn't like the loss of control, but the business units see it as a way to save money and/or enable their workers. It quickly becomes an argument about security, which is IT's way of exerting control and winning any argument. "Who knows what will happen to the data on a device someone brings in from home? And what if they lose it?" The same issues arise when companies issue employees mobile devices or computers on which they're allowed to install personal apps or use for personal purposes.
The real way to handle BYOD is to move to managed BYOD (MBYOD). That doesn't mean mobile device management (MDM), which is a basic, first-line defense, akin to locking your front door at home. In MBYOD, you start with securing your data at its source, then move on to securing it at rest and in transit between the device and your internal systems. Your goal is to manage the enterprise data without interfering with the personal data.
[ Intel's CIO explains how she implemented a managed BYOD program. | Subscribe to InfoWorld's Consumerization of IT newsletter today. ]
In other words, MBYOD means building a tiered system for access to your corporate ecosystem. You create your tiered system of access, then associate different devices with each level of access. The final piece is to publicize this system to everyone in the company.
The Holy Grail for mobile users is complete access to the corporate ecosystem. This means they can use their device to function as if they were working at a computer while sitting at their office desk. They have complete access to where their files are stored, they can move about the internal network, they can get their email, and they can access the intranet. This level of access is what you give to devices that have the best built-in information controls, managed by your information-savvy mobile management tool of choice. You know that if the device is lost or stolen that you can wipe all the corporate data from the device. Let's call this Tier 0.
You then have another tier where you might allow users to access on-premises resources but without any (or very little) data actually residing on the device. Users might be granted access to server-based computing, virtual desktop infrastructure (VDI), or one of the many server-based application-provisioning tools like Framehawk. You have some controls built into these devices, but it is very difficult to fully protect your data on them. Let's call this Tier 1.
The next layer is where you give only minimal access to users who have devices with few if any security controls. The only way to give users access to data at this level is to rely on a trusted app that can protect your data. This is where you see product like Good Technology's Dynamics or NitroDesk's Touchdown where the client app has its own encrypted container for email and other corporate resources. The app controls the connection to the email service and encrypts the data on route to the device as well as on the device itself. Let's call this Tier 2.
The final tier is where you don't give any access at all to your users. Their devices lack all conceivable controls, and there are no apps that work reliably to help you secure your data on the device. This is Tier 3.