In fact, virtualization vendors VMware and Citrix are working on hypervisors for mobile phones that create separate user profiles for business and personal applications and e-mail. But Nunez says this approach, while solving a security problem, may end up being cumbersome because it requires users to switch from one interface to another when they move from work to personal applications and vice versa.
In the future, perhaps an encrypted sandbox approach, or a cloud computing service that stores data remotely and makes it viewable on a smartphone on an as-needed basis, could address the security and usability problems, Nunez speculates.
"Personally owned devices are quite challenging because the individual owns the asset and they want to do whatever it is they want to do with it," Nunez says. "But when you're interfacing with corporate environments, the corporation has certain rules of engagement they need to follow from a security and compliance perspective."
Just saying "no" to rank-and-file workers who want to use personal devices to access corporate systems doesn't address the problem, because users will find a way to get what they want. If you own an Android phone and want to avoid Exchange ActiveSync requirements such as PIN entry and remote wipe capabilities, you can download programs that remember your Outlook Web Access username and password and store e-mail in the phone's memory, which may not be encrypted.
You can use management tools to try to block such workarounds, but engaging employees in conversation may be even more effective in preventing unauthorized access. "If people know you're going to take a hard line right from the start, they're going to take a hard line," says Neil Clover, CTO of Arup Americas in New York, a design and engineering firm.
Instead, Clover and his IT team work with employees to educate them on which personal devices meet the corporation's security requirements and which do not. Intel takes a similar approach in a program it began in January 2010. Previously, nearly all smartphones connected to Intel's e-mail system were issued by IT. Now most e-mail-connected devices are owned by employees.
"We're approaching 15,000 devices in our environment and almost two-thirds of them are personally owned," says Intel principal engineer Dave Buchholz.
Intel tells employees which devices are eligible for corporate e-mail access. Some users even bring a printout of that list to the store when they buy a new phone.