The salespeople at financial services firm Vanguard Group need on-the-go access to presentations, client data and meeting details from wherever they are without a lot of hurdles. That doesn’t mean, however, they need to access the complete suite of Vanguard applications and all of its data. So access is built around determining what users need in order to be productive without jeopardizing security by giving them too much access, says John Marcante, managing director and CIO at Valley Forge, Pa.-based Vanguard.

“That’s the challenge. You have to figure out how to make things usable and at the same time secure. That’s the world we’re in today,” he says.

The mobile workforce is here. A perfect security system isn’t. That leaves enterprise technology departments scrambling to keep up with employees’ demands for access that’s as seamless as what they get with their personal apps yet secure enough to meet organizational and regulatory requirements.

“A focus by IT teams on tools and solutions that provide a good user experience while meeting their enterprise security requirements is really vital — if [a tool is] too painful or annoying for users to adopt, they’ll be less productive, more unhappy and more likely to break the rules — bringing potentially more risk into the enterprise,” says Nisha Sharma, managing director at Accenture Mobility, part of Accenture Digital.

Sharma says IT leaders need a combination of tools to strike the right balance between access and security.

“Security solutions need to be unobtrusive and offer the excellent user experience that people are so used to from their mobile devices — they don’t need to know how complex all the integration is at the back end, just so long as they can access what they need in as few taps as possible,” she says.

Here’s a look at how several CIOs are working toward that.

Decide what specific users need

At Vanguard, Marcante says salespeople now can use apps to access marketing presentations and business documents or work on meeting prep and wrap-up. Because the systems used for these activities are housed in a password-protected, encrypted container, workers can access them either online or offline. The setup supports immediate access even if there’s no Wi-Fi, and access is easier and quicker than it would be if users had to connect to applications through a secured network.

Vanguard’s approach to meeting its salespeople’s needs highlights a key principle of its mobile security policy: Enable and secure what each team needs rather than giving everything to everyone — or blocking everyone from all but basic functions, Marcante says.

“Different business needs are going to be equipped with different solutions, and our approach is less about giving them access to corporate information and more about designing solutions specific to them,” he says.

That approach doesn’t just ensure that the sales folks get what they need, Marcante says; it helps IT better balance ease of access and security requirements. Some people need to view material but don’t need to download it to their devices; others might need access even when offline. That means two access requirements with different security needs.

“There’s a dozen different personas throughout the company, so we’re trying to look at those individual personas to see how we can meet their specific needs,” explains Mimi Heise, a senior manager in Vanguard’s IT division.

She says Vanguard relies on mobile device management (MDM) and containerization software, which allow the company to encrypt information, create separate areas on a device for work and personal data, and remotely wipe data off the device if it’s lost or stolen.

More important, Heise says, such software also allows IT to implement security layers at the device level and at the application level. “It means we don’t have to have a one-size-fits-all policy,” she says. That allows easier access for those whose workloads don’t demand the heaviest layers of security — which can create a cumbersome experience.

Still, it’s not perfect, she says.

“The latest is better than we had four years ago. And a few years from now, it will be even better. But there are still areas of opportunity” for giving users a smoother, yet more secure, experience, she says.

“Areas of opportunity” that Vanguard is exploring include the possibility of using digital rights management (DRM) technologies, deploying software that supports single sign-on and using tools that would make it possible to adopt a “bring your own identity” (BYOID) approach to digital authentication.

A multipronged approach

Wes Wright, CIO at Seattle Children’s Hospital, is also balancing ease of access and security. His IT operation serves about 6,500 employees, 4,000 of whom want to use mobile devices for at least some of their work. Those employees can use either company-issued devices or their own laptops, smartphones and tablets.

Wright says his approach to mobile security is based on the same five objectives that drive the rest of his IT operations: stability, security, simplicity, speed and safety.

“That’s how we approach everything in the IT implementations we do,” he says. “If you miss any of those, your chances of failure go up. But if you can get a little piece of each of those, your chances of success are pretty high.”

As Sharma would advise, Wright doesn’t rely on a single security solution.

Seattle Children’s uses Microsoft enterprise tools to enforce the requirement that every device must be password-protected and to remotely wipe lost or stolen devices.

Wright’s team also uses software from vendors Accellion and Proofpoint, which offer tools that allow users to click to encrypt confidential information being sent via email.

Best Practices

Here are some best practices for creating a secure and seamless mobile experience for end users:

• Implement multiple levels of security that meet the needs of specific groups of users rather than adopting a one-size-fits-all approach. “Most organizations try to address all users with a single solution and that creates a very bad user experience for certain populations of users,” says Gartner analyst Dionisio Zumerle.

• Store as little data as possible on the devices themselves — and no sensitive data whatsoever.

• Bake security into applications and devices rather than adding it as an afterthought.

• Go beyond MDM. Use technologies that offer more sophisticated capabilities than mobile device management systems. Possibilities include wrapping applications and secure network gateways. “Apply security as close to the data as possible so hurdles are pushed away from the user,” says Forrester analyst Tyler Shields.

• Use risk-based mobile management systems. Shields says these tools take users’ risk profiles into account to determine what people can and can’t access. They’d make it possible to, for example, ban a user from the network if he downloaded a questionable app.

• Deploy enterprise mobility management control at the application layer.
This allows an enterprise to control its data without locking down smartphones and tablets, Zumerle says.

• Consider fingerprint-based authentication at the device level rather than passwords.

• Never rest. It’s difficult to take a long-term approach to mobile security because devices, operating systems and security tools themselves are evolving so quickly. “It is therefore fundamental to choose solutions that do not keep you locked in,” Zumerle says.

— Mary K. Pratt

Wright’s team also implemented virtual desktops so workers can securely access enterprise applications and data by firing up a browser and going through a two-factor authentication process from whatever device they’re on — be it a tablet, a smartphone or a home desktop. The virtual desktop keeps everything in the hospital’s data center — not on the user’s device. “It presents the end user with the exact same look and feel as they have at work, regardless of the device they’re on,” Wright says. “They do appreciate that. It’s pretty responsive, and it’s pretty quick.”

Wright admits that while these technologies are straightforward, the system isn’t flawless. For example, the hospital’s approach to encryption relies on users recognizing that information is confidential and remembering to encrypt it, and recipients outside Seattle Children’s must be registered in order to get the protected information. Meanwhile, the virtual desktop doesn’t allow users to toggle from applications housed on the virtual desktop to those outside it. Moreover, setting up a virtual desktop is complicated and costly, he notes.

“It’s not as seamless as I’d like it to be, but it’s the best we have out there now. And with the virtual desktop, I think we’re really, really close,” Wright says.

Many layers of security

Roger L. Neal, vice president and CIO at Duncan Regional Hospital, is in a similar situation.

“Everybody wants it to be seamless. I want this, too. I want to be on my phone and easily jump over and work on my spreadsheet or check my email. And I’d like to have all those sync up and have one password,” Neal says. “The problem is, unfortunately, I don’t know if there’s a perfect solution to make that happen. It’s a combination of things.”

Neal and his staff at the Duncan, Okla.-based healthcare provider face several challenges. For example, certain groups of users need access to applications and data that must be protected with varying degrees of security. Some 3,000 people in the organization have to use enterprise applications, and 80% to 90% have some mobile needs. Workers must use hospital-issued devices to access clinical information, but they can use their own devices to access nonclinical applications.

Neal says he starts with a solid foundation, with policies stipulating who gets access to what and rules that require employees to use complex passwords and take security training. Then the IT group deploys technologies to enforce those requirements without overly burdening users.

It starts with credentialing within Active Directory, so a user’s level of access is determined by his or her job. There’s also a single sign-on system, with devices that read workers’ RFID-equipped badges any time they’re within 2 feet of a device for more than two seconds. (Workers also can manually enter their usernames and passwords if they don’t have their badges.) The system automatically signs out workers after a set amount of time or when it detects that a badge has moved out of range.
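The badge-driven sign-on Neal describes reduces to a small state machine: a badge has to stay in range for the dwell time before a session opens, and the session closes on idle timeout or when that badge leaves range. The following is an added example, not the hospital’s software or any vendor’s product, that implements that logic over a constructed stream of badge-reader samples. The badge directory, the 300-second idle timeout, the sample format and the user names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DWELL_SECONDS = 2.0            # badge must stay in range this long before sign-in (from the article)
RANGE_FEET = 2.0               # reader range described in the article
IDLE_TIMEOUT_SECONDS = 300.0   # assumed value; the article only says "a set amount of time"

# Constructed badge-to-user directory; an assumption, not the hospital's data.
BADGE_DIRECTORY = {"BADGE-1001": "rnurse", "BADGE-2002": "jdoctor"}


@dataclass
class Reading:
    """One sample from a workstation's badge reader (constructed format)."""
    t: float                      # seconds since the stream started
    badge: Optional[str]          # strongest badge seen, or None if nothing is in range
    distance_ft: float            # estimated distance to that badge
    activity: bool = False        # keyboard/mouse activity at the workstation


@dataclass
class Workstation:
    user: Optional[str] = None
    session_badge: Optional[str] = None      # None for a password session
    last_activity: float = 0.0
    candidate: Optional[str] = None          # badge currently accumulating dwell time
    candidate_since: Optional[float] = None  # None once the candidate has been rejected
    log: List[Tuple[float, str, str, str]] = field(default_factory=list)


def _sign_out(ws, t, reason):
    ws.log.append((t, "sign_out", ws.user, reason))
    ws.user = ws.session_badge = None
    ws.candidate = ws.candidate_since = None


def manual_sign_in(ws, t, user):
    """Fallback for a worker without a badge; assumes the password was already
    verified against the directory. Such a session expires only on idle timeout."""
    if ws.user is not None:
        _sign_out(ws, t, "replaced by manual sign-in")
    ws.user, ws.session_badge, ws.last_activity = user, None, t
    ws.log.append((t, "sign_in", user, "password"))


def process(ws, r):
    in_range = r.badge is not None and r.distance_ft <= RANGE_FEET
    if ws.user is not None:
        if r.activity:
            ws.last_activity = r.t
        if r.t - ws.last_activity > IDLE_TIMEOUT_SECONDS:
            _sign_out(ws, r.t, "idle timeout")
        elif ws.session_badge is not None and not (in_range and r.badge == ws.session_badge):
            # The session owner's badge is gone. Another badge in range does not keep
            # the session alive and does not silently become the new user.
            _sign_out(ws, r.t, "badge out of range")
        return
    if not in_range:
        ws.candidate = ws.candidate_since = None   # any gap resets the dwell clock
        return
    if r.badge != ws.candidate:
        ws.candidate = r.badge
        if r.badge in BADGE_DIRECTORY:
            ws.candidate_since = r.t
        else:
            ws.candidate_since = None              # unknown badge never opens a session
            ws.log.append((r.t, "reject", r.badge, "unknown badge"))
        return
    if ws.candidate_since is not None and r.t - ws.candidate_since >= DWELL_SECONDS:
        user = BADGE_DIRECTORY[r.badge]
        ws.user, ws.session_badge, ws.last_activity = user, r.badge, r.t
        ws.log.append((r.t, "sign_in", user, "badge dwell"))


def simulate(readings):
    """Run a reading stream through a fresh workstation and return its event log."""
    ws = Workstation()
    for r in readings:
        process(ws, r)
    return ws.log


# Constructed stream: a nurse approaches and works, a doctor's badge displaces the
# nurse's, the doctor walks off without signing out, then an unknown badge shows up.
SAMPLE = [
    Reading(0.0, "BADGE-1001", 1.5),
    Reading(0.5, "BADGE-1001", 1.2),
    Reading(1.0, "BADGE-1001", 1.0),
    Reading(1.5, "BADGE-1001", 1.1),
    Reading(2.0, "BADGE-1001", 1.0),                  # two seconds of dwell: sign in
    Reading(10.0, "BADGE-1001", 1.0, activity=True),
    Reading(20.0, "BADGE-2002", 0.8),                 # nurse's badge no longer seen: sign out
    Reading(20.5, "BADGE-2002", 0.8),
    Reading(21.0, "BADGE-2002", 0.8),
    Reading(22.5, "BADGE-2002", 0.8),                 # doctor signs in after dwell
    Reading(400.0, "BADGE-2002", 0.8),                # still in range but idle: sign out
    Reading(401.0, "BADGE-9999", 0.5),                # not in the directory: rejected
]

if __name__ == "__main__":
    for event in simulate(SAMPLE):
        print(event)
```

Two details carry the security weight: a second badge coming into range while a session is open ends that session rather than quietly switching users, and a badge the directory does not know never opens a session no matter how long it dwells. A password session has no badge to track, so it ends only on the idle timeout, which is why that timeout should not be generous.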
Duncan Regional Hospital also uses virtual desktops, giving mobile users access while keeping data secure within the data center.

Neal says implementing these technologies has increased both the degree and ease of mobile access in the past few years, but he acknowledges that there are still challenges, such as occasional disconnects or systems that don’t work exactly as they should on the virtual desktop.

“From a mobility standpoint, over the past several years, we’ve committed a lot of dollars and resources to make it work because we know it’s the best model for what we do. We want the information at the bedside or at the patient,” Neal says. “And I think we do a really good job. Is it perfect? No. Will it be in another five years? No. But we’re always trying to figure out the best way to do it.”

Improving access

Getting better is what drives IT at the Idaho National Laboratory.

The federal research organization is deploying technologies that leaders believe will make mobile access much easier for employees, says Hortense K. Nelson, director of program integration in the Idaho National Laboratory’s information management section.

The lab employs about 4,000 people, and its IT department supports 1,300 mobile devices — a combination of smartphones and tablets that are both government-issued and employee-owned — and about 8,000 government-owned laptops. For years, the INL has used LANDesk software to secure its laptops, and it uses MDM software to secure tablets and smartphones.

INL employees can currently access only emails, contacts and calendars on their mobile devices, Nelson says. That will change this year.

The lab deployed Google Apps over the past two years, and the cloud-based suite of tools allows workers to work from any location at any time, though Nelson says security concerns have kept the lab from opening up its entire environment to mobile access.

To address those concerns, the INL is deploying AirWatch’s enterprise mobility management platform, which, according to Nelson, meets Federal Information Processing Standard (FIPS) Publication 140-2, the U.S. government standard for cryptographic modules. The AirWatch system allows for easy provisioning, and it will have two-factor authentication, remote-wipe capabilities, containers to keep work and personal data separate, and application-level controls.

And because Google Apps resides in the cloud, neither the applications nor the data they use stays on the device.

Nelson emphasizes that not all systems and data will be open to mobile access: “We have some data sets that will always be off-limits to anything other than highly secure networks,” she says, but the tools being deployed this year will allow workers to access about 90% of INL work processes.

Nelson says INL workers will have wider and easier access via their mobile devices by the end of the year. But that’s hardly the end of the story. She says her team will continue to evaluate technologies because she, like IT leaders everywhere, knows that mobile demands will continue to grow — as will the risks and the types of security measures needed to mitigate them.
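Vanguard’s per-persona access, the risk-based and application-layer controls in the Best Practices sidebar, Wright’s browser-plus-two-factor virtual desktop and INL’s rule that some data sets never leave highly secure networks are all instances of one policy decision: given who is asking, what they want to do with data of which sensitivity, and the posture of the device, decide whether to allow and how the data may be delivered. The following is an added example of such a policy evaluator, not code from any organization or vendor named in the article; the persona table, classification levels, device attributes and control names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Data classifications in increasing sensitivity (assumed labels).
LEVELS = ["public", "internal", "confidential", "restricted"]
SENSITIVE_FROM = "confidential"   # at or above this level a request needs step-up authentication

# Constructed persona entitlements: the highest classification each persona may reach
# and the actions it may perform. Assumed, not any named organization's real policy.
PERSONAS = {
    "sales":      {"max": "confidential", "actions": {"view", "download", "offline"}},
    "reviewer":   {"max": "confidential", "actions": {"view"}},
    "clinician":  {"max": "restricted",   "actions": {"view"}},
    "contractor": {"max": "internal",     "actions": {"view"}},
}


@dataclass
class Device:
    managed: bool                 # enrolled in MDM/EMM
    container: bool               # encrypted work container present
    passcode: bool                # device-level passcode or biometric lock enforced
    compromised: bool = False     # jailbroken/rooted or failed an integrity check
    flagged_apps: List[str] = field(default_factory=list)   # apps an app-reputation feed flagged
    network: str = "internet"     # "internet", "corp" or "secure"


@dataclass
class Request:
    persona: str
    action: str                   # "view", "download" or "offline"
    classification: str
    device: Device
    mfa_done: bool = False        # second factor already completed for this session


@dataclass
class Decision:
    allow: bool
    reason: str
    controls: List[str] = field(default_factory=list)   # how the data must be delivered/protected
    quarantine: bool = False      # take the device off the network, not just deny this request


def _rank(level):
    return LEVELS.index(level)


def evaluate(req):
    d = req.device
    # 1. Risk-based gate first: a compromised device or a questionable app takes the
    #    device off the network regardless of who is asking for what.
    if d.compromised:
        return Decision(False, "compromised device", quarantine=True)
    if d.flagged_apps:
        return Decision(False, "flagged app: " + ", ".join(d.flagged_apps), quarantine=True)
    # 2. Some data sets never leave highly secure networks, whatever the persona.
    if req.classification == "restricted" and d.network != "secure":
        return Decision(False, "restricted data is off-limits outside secure networks")
    # 3. Persona entitlement: what this role may reach and what it may do with it.
    p = PERSONAS.get(req.persona)
    if p is None:
        return Decision(False, "unknown persona")
    if _rank(req.classification) > _rank(p["max"]):
        return Decision(False, f"{req.persona} is not entitled to {req.classification} data")
    if req.action not in p["actions"]:
        return Decision(False, f"{req.persona} may not {req.action}")
    # 4. Device posture decides how the data is delivered, not only whether.
    controls = []
    if req.action in ("download", "offline"):
        if not (d.managed and d.container and d.passcode):
            return Decision(False, f"{req.action} needs a managed, passcode-protected device "
                                   "with an encrypted container")
        controls += ["encrypted-container", "remote-wipe"]
    elif d.managed and d.container:
        controls.append("encrypted-container")
    else:
        controls.append("virtual-desktop")    # unmanaged device: data stays in the data center
    # 5. Step-up authentication only where the sensitivity warrants the extra hurdle.
    if _rank(req.classification) >= _rank(SENSITIVE_FROM) and not req.mfa_done:
        return Decision(False, "step-up authentication required", controls=controls + ["mfa"])
    return Decision(True, "allowed", controls=controls)


if __name__ == "__main__":
    managed = Device(managed=True, container=True, passcode=True)
    personal = Device(managed=False, container=False, passcode=True)
    for r in (Request("sales", "offline", "confidential", managed, mfa_done=True),
              Request("sales", "offline", "confidential", personal, mfa_done=True),
              Request("contractor", "view", "internal", personal),
              Request("reviewer", "view", "confidential", personal)):
        print(r.persona, r.action, r.classification, "->", evaluate(r))
```

The order of the checks is the point. The risk gate and the off-limits classification run before entitlement, so a quarantined device is refused even for public data and a restricted data set is refused even to a persona entitled to it. The step-up check runs last and only for sensitive data, so a contractor reading an internal memo on a personal phone is served through the virtual desktop with no second-factor prompt, while the same phone opening a confidential document is asked for the second factor and still never holds the file locally.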