Enterprise Strategy Group
Published: 07 Jun 2013
Doing a selective mobile device backup that separates work data and personal data can't be done, says analyst Jason Buffington, but perhaps not for the reasons you think.
Before I get started, let me define the two basic types of endpoint devices: consumption devices and creation devices.
Consumption devices are like e-readers that fetch data from a cloud repository. As long as there's a log-in screen that keeps someone who finds a lost device from ordering every book in the store, there isn't much risk in losing a consumption device. If it breaks, you replace it and re-sync the content. Even if the device is used for business, the corporate documents likely come from Dropbox, GoogleDocs, SkyDrive or a similar service that typically doesn't require explicit backups.
Creation devices can be used to create new content that might not exist elsewhere. Like consumption devices, creation devices often leverage online file-sharing services that can ensure data survives even if the device doesn't. In addition to the data files, the configuration of the device itself usually requires protection.
Depending on how you use a tablet, it may be a consumption device, a creation device or both, and you might use it for business and personal work.
It's the blending of personal and business data (from a content-creation perspective) that breaks all current approaches to bring-your-own-device (BYOD) protection. Here's an example: I use one device for work (ESG) and when I volunteer with Boy Scouts. My mobile device backup options include:
- Self-managed backups. I have the option of purchasing external storage (personally or through my company) and configuring built-in or third-party backup tools to regularly protect my data as well as the device's OS/app configuration. But frankly, if typical users did that, endpoint backup problems would have been solved years ago.
- Self-managed cloud backups. I could use a combination of online file sharing and online backup services to ensure my data is synchronized to at least one cloud-based repository. These services usually don't protect the entire machine, so I risk running into problems because of a bad application or OS patch. More importantly, if I pay for the service myself and then leave the company, my employer won't have the original data on my machine or any of the backups. If my employer pays for the service, they'll likely have access to the backups of my work data and my personal data. I don't care if my employer sees pictures of my family or hears my favorite songs, but they shouldn't have access to information about the kids in the Scout units I serve.
- Corporately managed backups. I could have my backups done through my company's data center backup software or its cloud-based services. This option presumes the company offers a capability to back up not only corporate-owned devices, but devices purchased by employees. And while it would be noble of my employer to back up a device it didn't pay for, the same issue of a company having access to personal or non-company data still exists. In addition, many IT-controlled endpoint services include the ability to remotely wipe my device if it's lost or stolen -- and you can't just wipe corporate data directories while leaving the rest intact.
To be clear, a company has the right and responsibility to ensure that its data is backed up; but it equally should not have the right to the personal data on that same device. There are niche scenarios that try to address this, such as remote desktop connectivity, in which a device has no corporate data on it. Instead, the user connects to a virtual machine within the company and works within a confined window. But that method negates why most employees choose to purchase their own device: to increase their productivity. Radically changing one's work style between opening a personal Word document on a device versus laboriously connecting to a remote desktop and launching Word inside of one window is a "non-starter" for most BYOD users.
The bad news is that your backup vendor may never be able to solve this BYOD backup problem for you (not alone, anyway). What's needed is a set of multiple personas or other means of differentiating data during a mobile device backup so business data is protected one way, and personal data is protected in another.
Perhaps backup vendors will develop better ways of selecting data directories within a device. But that will probably require a device-by-device configuration, where users or IT select the data manually -- and that isn't likely to happen. Years ago, laptop backups forced users to change their work styles with a promise of "If you put your data here, IT will back it up." But most users felt that was inconvenient, so the data didn't get protected. Over time, many of those offerings evolved so they can now discover and back up "My Documents" wherever that directory may be. But most tablet OSes don't offer even that granularity, and laptops running today's newer OS versions often have just a single MyDocs directory for data.
The real work needs to be done by Apple (iOS), Google (Android) and Microsoft (WindowsRT/Phone) to enable a file-system or directory structure with top-level directories that can be predictably identified by backup software. These directories would look something like "My Work Docs" or "My Personal Docs" without affecting the rest of the user's experience. Clicking a .doc file should open Word, regardless of which directory the file is in. The backup software client would then have the option of offering to protect work files, personal files, both or the whole machine.
Until then, your company will either have to trust you to back up its data for them or you'll have to trust the company not to read your personal data. Of course, you could just carry two devices. But who wants to Buy Your Own Device twice?
About the author:
Jason Buffington is a senior analyst at Enterprise Strategy Group. He focuses primarily on data protection, as well as Windows Server infrastructure, management and virtualization. He blogs at CentralizedBackup.com and tweets as @Jbuff.