This week, I participated in a great debate with our own Ryan Naraine about whether the network or the device was the best defense for mobile security. As both Ryan and I agreed, it wasn't really an either/or proposition: both devices and the network need security facilities.
My concern is that neither can really go it alone, and we certainly can't rely on device users to police themselves. Some users, when well trained, will go along with our guidelines. But when our users range from teenagers (with their level of immaturity) to our senior VPs (with their almost identical level of unwillingness to take direction), we need to protect our users from themselves.
For consumers, this protection falls squarely on the device makers, who can create some level of protective cushion for users. But even Apple, with all its app approval processes and restrictions, doesn't fully police its environment and has millions of users with jailbroken phones.
The carriers who host users are always fighting something of a losing battle, but they must protect the integrity of the network. It used to be that they'd only allow certain phones, with certain applications that they'd vetted thoroughly, onto their networks. Now, with millions of apps out there, carriers do their best to guard their pipes, but the challenge is huge.
For businesses and enterprises, the network vs. device debate is moot. They must protect both. The best approach is good policy and training, combined with specifically allowing only certain devices onto their networks. But even those approaches can run into snags, like when an employee with a BYOD device is terminated with cause, and some procedure must be followed to remove corporate data from a personal device.
In the long run, we're going to need to see protections on both sides. Networks will need to get more secure, and intrusion protection systems will be necessary as BYOD devices waltz past the firewall. Devices, either with bare-metal hypervisors or features like BlackBerry Balance and Samsung Knox, may be able to help keep their users just a little bit safer.
The bottom line, though, is this: device or network, we're still going to be under constant attack, constant threat of incursion, and we're still going to need to be almost preternaturally diligent to keep our enterprises and users safe.