Keep your eye on data : While VDI can be a good alternative in some cases, it is not an efficient or even practical solution for others; especially disconnected users who require corporate data access. In those cases, VPNs protect data in transit but must be paired with endpoint measures (e.g., device PINs, remote wipe, disk encryption) to protect data at rest. This is why IT departments have long devoted so much effort to securing the laptops used for remote access and why the specter of devoting similar effort to lock down smartphones and tablets looms so large.

Before heading down this all too familiar path, evaluate secure access alternatives that compartmentalize business applications and data from the rest of the endpoint. Products like Good for Enterprise, NitroDesk Touchdown and Enterproid Divide create encrypted sandboxes on mobile devices, giving IT a cleanly segregated work environment to configure, monitor, and delete when the device is retired or lost.

For personal or public laptops PCs, a conceptually similar approach is a bootable secure environment such as MXI Stealth Zone. These alternatives still employ conventional over-the-air protection (i.e., VPN tunnels, SSL-encrypted ActiveSync) but terminated at more manageable and trustworthy "virtual endpoints."

Build for mobility : Forrester recommends adopting a "mobile-first" mindset when planning new content and collaboration tools. Extending this sage advice to security, perhaps it is time to stop thinking of secure access as "remote." Today's endpoints are mobile, roaming from home to office to hotel throughout the business day. Expecting all "remote" access traffic to enter the corporate network through a perimeter device (VPN or messaging gateway) is no longer a given. Moreover, risks vary as devices roam between public and private networks so consistent, gap-free protection must be ensured.

When evaluating any secure access expansion or alternative, consider how well an approach will work both on- and off-premise. For example, VPN clients like Cisco AnyConnect and JunOS Pulse are location-aware; transparently switching between security policies appropriate for each network (e.g., maintaining an always-on VPN tunnel unless connected to the corporate WLAN).

When roaming occurs, minimize security impacts on usability, using mobility aids to keep users logged in through coverage gaps. Finally, fragmented and duplicated policies not only frustrate users they're costly to maintain and lead to mistakes. Look for unified policy management that can help IT enforce consistent access rights as users roam throughout the enterprise.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28 year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.