"MDM can ensure that content, or full-device encryption, is enabled on platforms that support it, such as iOS and BlackBerry," he added. "However, Android devices offer no guarantees about whether encryption will be present or not, so we generally recommend retrofitting Android devices with a lightweight encrypted container app."
But Jaquith is not so enthused about NAC, which he calls "a fussy technology that doesn't work well in dynamic environments."
"The idea is noble: block any devices not known to IT from accessing the network," he said. "But in practice, NAC is very brittle because it presupposes that IT can somehow know all of the devices that should be allowed to be on the network. With BYOD, they can't -- indeed, that is the point of BYOD."
Jeff Wilson, principal analyst of security at Infonetics Research, said another problem with NAC is cost. "It's not a reasonable investment for all sizes of company -- it's mainly aimed at larger companies," he said. But he added: "Companies of all sizes do need to establish what devices are connecting to their network, and what they're doing when they're connecting."
John Prisco, CEO of Triumfant, calls all three Gartner recommendations "superficial security checks."
"We should be approaching BYOD security on a deeper level. What we really need is something that looks at the integrity of the endpoint," he said. "NAC alone, for example, just gives the device access to the network -- what good does this do on its own, especially when it has been easily spoofed by hackers in the past for entry?"
Wilson agrees with the notion that employee devices need to be assumed to be unsafe. He said many companies can add an SSL VPN client to employee mobile devices to allow for corporate connectivity. "I think that for smaller customers, or customers looking for some lighter-weight MDM and MDP solutions, the SSL VPN client will be the way," he said.
Prisco called for anomaly-based detection on mobile endpoints, like those on computer endpoints. "To do this, security professionals need to put an agent on the endpoint that will be able to collect all of the data entering the network no matter what kind of mobile device, tablet or laptop the employee brings to the enterprise," he said.
Jaquith said explicit BYOD "Acceptable Use Policies" should accompany the technological fixes. Among the security policies he suggests: require encryption for sensitive company information.
"Protect each device with a five- or six-digit numeric passcode," Jaquith said. "When combined with a 10-wrong-tries auto-destruct policy, this is stronger than a typical desktop password policy, and easier to use as well."
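The comparison in that quote can be made concrete with a small online-guessing model. The following is an added example, not code from the article or from any of the people quoted, and its policy parameters (a two-second guess rate, an 8-character lowercase-plus-digit desktop password, a 30-minute lockout after five failures, a 30-day attack window) are illustrative assumptions of my own; it treats the secret as drawn uniformly from its keyspace and the attacker as limited to the normal unlock or login prompt.

```python
"""Added example (not from the article): an online-guessing model that makes a
passcode-policy comparison concrete.

Assumptions (illustrative, mine): the attacker can only guess through the
normal unlock/login prompt at a fixed rate, the secret is drawn uniformly from
its keyspace, and guesses are distinct. The policy parameters below are
constructed examples, not the article's.
"""
from dataclasses import dataclass
from typing import Optional

INF = float("inf")


@dataclass(frozen=True)
class GuessPolicy:
    name: str
    keyspace: int                      # number of equally likely secrets
    tries_before_lock: Optional[int]   # None: no lockout at all
    lock_seconds: float                # lockout after the failures; INF models a wipe
    seconds_per_guess: float = 2.0     # time to type/submit one guess (assumption)

    def guesses_available(self, seconds: float) -> int:
        """Distinct online guesses an attacker can make within `seconds`."""
        rate_limited = int(seconds // self.seconds_per_guess)
        if self.tries_before_lock is None:
            return rate_limited
        if self.lock_seconds == INF:
            # After the allowed failures the device wipes: no further guesses, ever.
            return min(self.tries_before_lock, rate_limited)
        # Repeating cycle: N guesses, then a lockout of lock_seconds.
        cycle = self.tries_before_lock * self.seconds_per_guess + self.lock_seconds
        full_cycles = int(seconds // cycle)
        remainder = seconds - full_cycles * cycle
        partial = min(self.tries_before_lock, int(remainder // self.seconds_per_guess))
        return full_cycles * self.tries_before_lock + partial

    def success_probability(self, seconds: float) -> float:
        """P(secret found) for distinct random guesses against a uniform secret."""
        return min(1.0, self.guesses_available(seconds) / self.keyspace)


def numeric_pin_keyspace(digits: int) -> int:
    """Number of possible all-numeric passcodes of the given length."""
    return 10 ** digits


def compare(policies, seconds):
    """Map policy name -> (guesses available, success probability) over `seconds`."""
    return {p.name: (p.guesses_available(seconds), p.success_probability(seconds))
            for p in policies}


# Constructed policies for illustration.
PIN6_WIPE = GuessPolicy("6-digit PIN, wipe after 10 failures", numeric_pin_keyspace(6), 10, INF)
PIN5_WIPE = GuessPolicy("5-digit PIN, wipe after 10 failures", numeric_pin_keyspace(5), 10, INF)
# A desktop policy: 8-char lowercase+digit password, 5 failures then a 30-minute lockout.
DESKTOP_LOCKOUT = GuessPolicy("8-char [a-z0-9], lock 30 min after 5 failures", 36 ** 8, 5, 30 * 60)
# The same password with no lockout: only typing speed limits the attacker.
DESKTOP_NO_LOCKOUT = GuessPolicy("8-char [a-z0-9], no lockout", 36 ** 8, None, 0.0)

THIRTY_DAYS = 30 * 24 * 3600

if __name__ == "__main__":
    results = compare([PIN6_WIPE, PIN5_WIPE, DESKTOP_LOCKOUT, DESKTOP_NO_LOCKOUT], THIRTY_DAYS)
    for name, (guesses, prob) in results.items():
        print(f"{name}: {guesses} guesses in 30 days, P(success) = {prob:.2e}")
```

The wipe is what makes the PIN's exposure independent of time: the attacker gets ten guesses no matter how long the device is in their hands, so a six-digit PIN yields a one-in-100,000 chance. What decides the comparison against a desktop policy is the effective keyspace you assign the password (user-chosen passwords are far from uniform) and whether the desktop has a lockout at all, so plug in your own numbers. Neither figure says anything about offline attacks on a stolen device's storage; that is what the encryption requirement in the same policy list is for.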