• United States




Pick your strategy for BYOD

May 01, 20124 mins
CareersData and Information SecurityEndpoint Protection

You can't control everything -- nor should you try. To reduce the risk posed by mobile devices, focus on securing data

Two main schools of thought guide the adoption of BYOD in the enterprise. One is to reduce the risk of the devices themselves by managing them closely through policy and software. The other is to reduce the risk to data that may be exposed or lost through mobile devices.

The latter is happening by default in most companies while everyone considers whether the former can be done. All organizations need to decide on which overarching BYOD strategy will guide all their individual BYOD projects — or agree that different pockets will use different strategies (which usually isn’t optimal).

[ Also on InfoWorld: Data security in a BYOD world | Understand how to both manage and benefit from the consumerization of IT trend with InfoWorld’s “Consumerization Digital Spotlight” PDF special report. ]

The latter strategy, focusing on securing the data, separates the device from the data — which can be accomplished in several ways. Many different solutions are being developed, including using Web services, virtual machines, virtual desktop integration, and virtual application integration. Most of the “unmanaged BYOD” vendor offerings focus on one of these types of solutions.

I believe this focus on data security is the best strategy for many reasons, not the least of which is that keeping unmanaged devices off your network would stifle productivity. BYOD is inherently unmanaged, and in trying to control it, you’ll always be putting a square peg in a round hole.

At the same time, you don’t want end-users connecting to highly sensitive data via systems that are at major risk of being compromised, without any offsetting controls. That would be foolish.

This basic idea behind this data security strategy dates back to the 1960s and is known generally as the “red/green paradigm.” As you might expect, the green part is for low-risk systems, while the red system is supposed to be used for all high-risk operations. The two are logically or physically separated — but unfortunately, every previous attempt at this sort of differentiation has failed.

Most failures are due to imperfect separation and the very hard task of ensuring that the green part of the system stays green. For example, I’m often asked to review “browser protection” solutions that promise to keep Internet browsers free of compromise. They usually employ some sort of “sandboxing” that prevents unauthorized processes from permanently modifying the underlying system. Unfortunately, malware invariably slips right through. 

I have the same qualms about sandbox approaches to mobile device security as I do about sandbox approaches to browser security. Because the sandboxed application necessarily interacts with the operating system, the separation of the red and green zones is under constant threat. The problem with sandbox solutions is that if they became superpopular, they would likely be exploited just as much as the mobile devices or browsers they’re trying to protect.

A more promising approach to on-device data security would be to use a bare-metal hypervisor to run separate operating environments for business and personal use (see “Business smartphone, personal smartphone: One device“). So far, though, this possibility exists only for Android, and it appears unlikely that Apple will ever consider it. Meanwhile, short of managing the devices and their use, the best way to protect sensitive data in a BYOD environment is to keep the data on the server and deliver it remotely via a display protocol such as RDP. If this approach doesn’t work for you, be aware of the risks.

This story, “Pick your strategy for BYOD,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author