Buckle up — here comes the hard part of mobile

At most businesses, it’s now an accepted fact that at least some employees use personal smartphones and tablets for at least some work purposes or use work-provisioned mobile devices for at least some personal purposes. Just as the separation between work hours and personal hours has disappeared for whole swaths of worker roles, so too is the line between work and personal devices and — more important — work and personal information for many information workers.

This intermingling raises questions in areas for which there are no easy answers. The methods for the first line of security and information management were easy: a mobile device management strategy coupled with a role-based policy on who pays for and owns what. Although the next set of issues have no set answers, it is time for IT, business managers, and employes to start thinking about them.

[ Read Galen Gruman’s framework for a mobile information management strategy. | See how iOS 6, Android 4, Samsung SAFE, BlackBerry 10, and Windows Phone 8 compare for key mobile security features. ]

I was reminded of these tricky issues in preparing a panel on device heterogeneity for last week’s CIO Global Forum and in subsequent discussions with CIOs in multiple industries at this invitation-only event where I’ve been a regular part of the moderator team. These smart CIOs are way beyond the “should we?” phase and are now dealing with these messier questions.

Managing information access When people first started bringing iPhones to work, many IT organizations freaked out over allowing a new conduit to corporate data, with fears of lost smartphones compromising corporate secrets. If you check the national database of reported privacy breaches (a decent benchmark for breaches of all sorts), you’ll see this fear has not been proven. But the fact that mobile devices have not led to a mass loss of corporate information does not mean businesses shouldn’t be concerned about information leakage. They should — no matter what device employees use.

In mobile management circles, you’ll hear lots of talk about mobile information management, but there really is no good way to walk that talk. The reason: Information privileges are not embedded with the information itself. Plus, applications have no way of knowing — much less honoring — what those permissions are even if the data carried those rights details.

Yes, there are products that let you embed rights management into a custom app, as well as some information access apps that provide an IT-managed container. But they don’t allow users to work on the information; most are read-only and/or require a live Internet connection for what is essentially remote access to the data. Even those that allow users to do real work can work only on a small subset of files on a subset of devices. It’s not a scalable approach.

Operating systems vendors, app vendors, development tool vendors, and management tools vendors need to get together to figure out a common protocol to enable true information management, as Microsoft Exchange ActiveSync protocol and the API extensions from Apple and other vendors have largely done for device management.

In the meantime, all you have to work with is the notion of determining who you trust and when, along with managing initial information access accordingly. Intel has a good model for approaching the information management question, one based on access privileges to keep information away from unsecured environments in the first place.

Wiping devices When BlackBerrys ruled enterprise mobile, one key capability that set businesses at ease was the ability to remotely wipe a lost or stolen device, if it was managed by BlackBerry Enterprise Server (BES). iOS added support for remote wipe in 2010, using Microsoft Exchange native EAS protocol, with both Android and Windows Phone following in 2011. BlackBerry 10 also supports remote wipe via EAS, so you don’t need to have BES deployed to get this basic protection.

The universal support for remote wipe from the major mobile platforms removed a lot of IT angst. But remote wipe may not do what you expect. It erases the device’s flash memory, but that erasure is similar to erasing a hard drive — with the right tools, a determined thief could recover some or all of that wiped data. That might matter if your users are storing supersecret data on their mobile devices.

On a hard drive, there are tools that write nonsense data over the entire medium multiple times to inhibit such recovery, but I’m not aware of such tools for mobile devices today. Plus, flash memory doesn’t tolerate such repeat writes as well as magnetic disks, so a truly obscured mobile device may not be stable enough to be reused. It probably makes sense to destroy the device to wipe its data where you need assured access prevention.

Encryption is the usual solution to this issue, but when you wipe a mobile device, you also clear its encryption so that the device can be set up as a new device or restored from a backup, such as from iCloud, Google Play, Windows Store, or iTunes. That’s why several vendors offer encrypted application containers for managing apps developed with their APIs: They can more securely wipe their containers without affecting the rest of the device, leaving its encryption enabled.

For most people, the standard remote wipe is sufficiently secure — there aren’t cyber thieves shadowing them to steal their unattended device and recover its data.

But wiping a device does delete all its data. Given that a tool like Quickoffice or Box can be used for both personal and work data, it’s reasonable to expect IT to wipe the whole device, just to be safe, if there’s a loss or theft or when a person leaves the company. If you have an iPhone or iPad, your personal iTunes or iCloud backup means you can restore your personal data after such a wipe — it’s a simple task. Other devices don’t have such a simple backup capability.

But some companies block use of iCloud, which means your personal data — photos and any data in iCloud-compatible apps like GoodReader and iWork — is not backed up for you. That can be problematic for workers on the road, as one CIO discovered when his draconian remote-wipe policy caused him to lose his vacation photos.

If an employee backs up via iTunes at home (a process Apple has largely automated), the employee is OK. But of course work data is backed up to that computer running iTunes — including any work data stored with apps on the device. Yes, iTunes has an encryption option for those backups, but if a company wants to wipe all company data that an employee may have, such as when an employee leaves the company, there’s no surefire way to do so.

The lack of backup on other mobile devices in a way reduces the risk, but you can expect users on those devices, as well as on iOS, to use cloud storage — Windows Phone and Windows 8 even come with SkyDrive storage by default — so you still have the possibility of corporate data in the the wild. Without true information management, you’re left to best-efforts methods and a need to trust — or provide no access at all.

Managing e-discovery If you’re dealing with a lawsuit’s discovery motion, the use of mobile devices complicates the already complex e-discovery process. If you use server-based email such as Exchange or Google Apps, you have the emails received and sent from the user without needing to access the employee’s mobile device. But if an employee used a personal email address to communicate something being sought through discovery, you may need to get that device and review its contents. This raises all sorts of messy issues related to user privacy.

The law around such access is murky, though courts have more often than not decided that work information on personal devices is subject to e-discovery. Realistically, that means users’ devices could be taken for legal discovery and all the contents rifled through. Making that clear in employee policies is probably a good idea. For employees who don’t want their personal devices accessed by their company or opposing lawyers, the one true option is to use a work-only device for work and not mix personal and work to begin with.

These mobile questions extend beyond mobile By now, I bet most readers have realized that all these issues could apply just as well to personal computers, such as home PCs. In fact, they can.

Whether you use home email on a home computer, a personal smartphone, a work computer, or a work smartphone, the e-discovery issues and privacy-invasion possibilities are the same. Whether you work with information on a home computer, a personal smartphone, a work computer, or a work smartphone, the deletion and backup are the same.

When it comes to information access, most companies give their own devices a pass, assuming they are safe and trusted. I think that’s naive in the day of work and personal blending of hours, location, and tasks, especially for workers who travel frequently. It may be best to apply whatever segregation and access policies you can regardless of whose device is in use — because the notions of “mine,” “yours,” and “ours” are further blurring.

This article, “Buckle up — here comes the hard part of mobile,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen’s mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.