Galen Gruman
Executive Editor for Global Content

The mobile management fever is about to break

analysis
Dec 14, 2012 · 7 mins

Vendors have gone silly finding security 'needs' to sell, while IT has discovered life with BYOD isn't so bad after all

I don’t know about you, but I am so sick of getting product pitches for yet another new way to deny users the ability to get their work done in the name of security.

Here’s a sample of these dubious claims:

  • Dozens of vendors offer private app storefronts, though they’re usually little more than a combination of an index to the Apple App Store and Google Play store mixed with a delivery and auditing mechanism of homegrown mobile apps. Apple’s Business App Store already provides this, and Google does the same for Google Apps customers.
  • At least a dozen offer all sorts of ways to wrap or isolate apps — usually via proprietary technologies that commit you forever to their product — to keep the apps’ contents safe. Another half-dozen want you to separate your users’ smartphones into virtualized personas, in a sort of user virtualization.
  • At least a dozen are selling VDI and other Windows terminal emulation approaches as a way to bypass iPads and Android tablets completely, even though no one buys an iPad to run Windows — in fact, they buy it to not run Windows.
  • There’s a wave of encryption providers seeking to encrypt the data on your mobile devices and cloud storage, even if those platforms are already encrypted.
  • Never mind the telecom expense management vendors that keep flogging products that cost more money than they will save you.

It’s endless!

The good news is that IT doesn’t seem to be buying, and much of the enterprise community is starting to find its BYOD fever break, the cold sweats subsiding.

Two years into the BYOD scare story, fewer than 15 percent of enterprises have deployed an MDM tool beyond Microsoft Exchange’s native capabilities, according to the 451 Group research firm. Better yet, they’re buying even less of the remaining malarkey. Why? They’ve realized that the encryption and password requirements, coupled with the remote lock and wipe capabilities, provided by Exchange are all the MDM that most companies need, notes 451 analyst Chris Hazelton. Those who have stricter rules have bought the higher-capability MDM tools to satisfy their guidelines.

Then there’s that pesky detail that all the dire warnings about BYOD bringing down the enterprise simply haven’t come to pass. I remember CIOs and CSOs saying, “When a CEO goes to jail because of the iPhone, then maybe people will get the message,” to justify their paranoia. But the breaches we’ve seen have been the old-fashioned kind that IT allegedly has under control: lost (unencrypted) laptops, lost thumb drives (because cloud storage is blocked), and old-fashioned inside jobs, plus the phishing phenomenon for which there is no tech cure.

Clearly, business should practice basic security hygiene — passwords, encryption, backup, remote lock and wipe — on any endpoints, as should users. It’d be even better if companies did this with their PCs, before freaking out over mobile and cloud. Some industries may also have valid reasons to control specific aspects of a mobile device or regulate and audit the flow of some data as it moves through a business process or workflow. There are solid tools from capable vendors to do that.

But much of that information management can and should happen at the back end, limiting access to sensitive data in the first place, rather than let it out and worry about it once it’s left the data center. Electronic medical records systems point the way: They use browsers on PCs and tablets to interact with patient data and medical systems’ information, so the data is never retained on the device to be lost, stolen, or compromised. We’ve had such Web apps for a good decade, but seem to have forgotten that approach.

Instead, we’ve had a period of “buy, protect, buy some more” decisions by an IT community surprised and shaken up by the consumerization of IT. It started with Salesforce.com’s “no software” campaign a decade ago but didn’t really shake the foundations of the data center until the iPhone kicked the BlackBerry out of the enterprise. It’s time for “assess, buy, protect” instead.

Throwing products at the problem — assuming there is a problem — won’t solve it. Rather, it creates a new problem: a cacophony of tools that overlap and don’t integrate, creating huge management costs and new risks due to the gaps.

We can see the effects of this security overload in the market. As far back as May 2010 — just before Apple’s iOS 4.2 made MDM possible on iPhones — SAP bought Sybase, partly to create a fuller mobile strategy using Sybase’s Afaria MDM platform. In late 2011, thin client maker Wyse Technology bought MDM vendor Trellia, then Dell bought Wyse (and Trellia) a few months later, adding it to Dell’s (so far) unintegrated stable of management technologies. In early 2012, Symantec bought up a variety of mobile content managers, such as Nukona and Odyssey Software. In October, Good Technology bought mobile app security firm AppCentral. Last week, Citrix Systems bought old-line MDM vendor Zenprise, hoping it could find a relevant toehold in the new consumerized mobile market that passed them both by.

Although dozens of MDM vendors are still jockeying for position, three — Good, MobileIron, and AirWatch — have emerged as the clear leaders in terms of market adoption (per 451’s research) and thought leadership. All three are pushing hard to get out of device-oriented security and into broader information security.

Plus, there’s a movement toward erasing the artificial division between mobile and desktop management. MobileIron’s MDM tools can now manage Macs, as can AirWatch’s MDM. Symantec and Centrify have extended their Windows management tools to Macs and iOS devices.

The consolidation hasn’t stopped the flow of new companies targeting IT with security solutions they didn’t know they needed.

Of course, some of that new blood is healthy, providing new ideas and perhaps more effective approaches to a security industry whose perimeter mentality has utterly failed in the connected Internet age. Bromium’s concept of microvirtualization at the task level is intriguing, for example. And there are specialty needs in some industry segments that can’t be fully satisfied by the mainstream products; specialty vendors can fill those needs.

There are real issues to resolve, namely around establishing information management policies that work across apps and platforms, so we don’t get a never-ending set of silos, each with a different mix of apps, policies, and platforms. That will require something akin to Microsoft’s Exchange ActiveSync, which brought to device management a core standard that Apple adopted and set as the baseline for all — then extended to meet deeper security needs. Google, Samsung, Motorola Mobility, and Microsoft followed to a lesser extent. That made the notion of MDM both viable and useful.

For information management, all we have today are proprietary, ad hoc tool sets. An information management API created or adopted by Apple would instantly change the game in a good way. Hazelton believes this will ultimately happen: Apple will come up with such APIs so that its platform can remain entrenched.

What we need more than anything is a rationalized approach to digital management, one that doesn’t treat mobile devices in a vacuum. Or cloud services. Or PCs. One that doesn’t confuse the endpoint with the information being used or acted on. One that understands personal and work boundaries are largely gone, so context matters greatly — and is variable.

As IT’s BYOD security fever breaks and the knee-jerk response to block or bind anything gives way to a thoughtful, holistic assessment, we’ll all be better for it. We can then move to more value-creating enablement under a reasonable security framework — and get healthy again.

This article, “The mobile management fever is about to break,” was originally published at InfoWorld.com.