New trend in BYOD security: contain the data, not the device


Over the past eighteen months, the conversation about mobile management has changed dramatically.

Where the primary goal used to be to secure and manage individual devices, the BYOD trend has made organizations of all sizes and types reconsider what mobile security means. The goal for many IT departments today isn't to lock down devices, but to securely deploy business apps so that users can safely work with business data anywhere at any time.

This new focus has led to a major new mobile security concept known as containerization. Containerization refers to a solution that creates an encrypted data store, or container, on a device. Access to data in the container requires secure authentication independent of any other device settings or restrictions. The result is that even on a device with no unlock passcode, no whole-device encryption, and no security policies of any type, the contents of the container remain inaccessible unless an authorized user enters valid credentials. Securing data in a container also allows IT to wipe all business data from a personal device without wiping any personal data or apps.

That's a pretty attractive feature set for enterprises in itself and one that works well for organizations with BYOD programs, but containerization shouldn't stop at just encrypting business data.

To prevent data leaks, enterprises need to be able to manage the interaction between data in the secure container and the rest of a mobile device. That includes the ability to prevent unauthorized apps from opening business files stored in the container and the ability to disable copying and pasting between approved and unapproved apps. It can also mean disabling the ability of a device to print files that are stored in the container.

Early container tools were focused on securing specific data through a single enterprise app. Good Technology, one of the containerization pioneers, initially focused on providing a secure container for email, contacts, and calendar data. Good's approach in this area has been to offer an alternate enterprise app for access to corporate services like an Exchange server instead of using the stock apps included with iOS or Android. That approach works well in some respects, but it prevents users from interacting with enterprise data using the hundreds of thousands of apps available to them.

There are two solutions to that challenge.

The first is to develop a security framework that business and enterprise developers can integrate into their apps using a published SDK.

That allows developers to write apps that can securely access and store data in an encrypted container offered by a mobile management vendor. Good launched a program earlier this year known as Good Dynamics that takes this approach and other companies have followed suit, including Centrify, which recently launched its own enterprise authentication system for mobile devices, and MobileIron, which announced a pair of new solutions called AppConnect and AppTunnel earlier this week.

Although this approach is effective, it requires developers to build apps in partnership with one or more vendors. That can present challenges. The most obvious is that an organization will need to integrate mobile management tools from a specific vendor into their mobile strategy in order to take full advantage of container-based security.

Another key challenge is that existing apps may have already been built and deployed throughout an organization. To build in container security, these would need to be updated or rewritten to take advantage of a vendor's container SDK. That can be challenging if enterprise apps were created by a contractor or employee who is no longer working with or for the company. For publicly available apps, there's also the challenge of getting a secure version of an app through the review process of Apple's App Store in addition to an existing version that doesn't use any third-party functionality like that offered by an enterprise vendor's SDK.

The second approach, which addresses some of these issues, is app wrapping.

App wrapping does exactly what its name implies: it adds an enterprise wrapper to an app that creates a secure container for it. Ideally, that wrapper can be centrally managed to secure the data, require authentication for access, and offer protection against data leaks by disabling copy/paste, printing, and the ability to open files in unapproved apps -- essentially it extends all the container advantages to almost any app including private enterprise apps and apps publicly distributed through Google Play.

Beyond building the secure container, a goal for many organizations is to have secured business apps be able to share information between them. After all, if you have an app for mobile ordering/billing as well as CRM, it makes sense that you'd want them to be able to share contacts and other key customer data.

There are, of course, different ways that apps can share data -- copying and pasting content, using the option to open a file in an alternate app, and through integration with back-end systems or cloud services. Depending on the data, the app, and the individual user, it may be prudent or necessary to limit what data sharing is available, in the same way that you would set file permissions on a network share or SharePoint site. Secure containers, and apps integrated with them, require granular and flexible rights management options.
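The container behaviour described above (credential-gated access independent of device settings, the open-in/paste/print leak controls, and a selective wipe that leaves personal data alone) as one added example. This is illustrative code written for this article, not any vendor's SDK; the app names, passcode and work factor are constructed, and the store is left unencrypted here where a real product would encrypt it under a key derived the same way as the verifier.

```python
import hashlib
import hmac
import os


class SecureContainer:
    """Business-data store gated by its own passcode, independent of device lock settings."""

    def __init__(self, passcode, approved_apps, allow_print=False):
        self.salt = os.urandom(16)
        self.verifier = self._derive(passcode)   # only the PBKDF2 output is stored, never the passcode
        self.approved_apps = set(approved_apps)  # apps allowed to receive container data
        self.allow_print = allow_print
        self.files = {}     # a real product keeps this store encrypted under a key derived like verifier
        self.unlocked = False

    def _derive(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 200_000)

    def unlock(self, passcode):
        # constant-time comparison so the gate does not leak timing information
        self.unlocked = hmac.compare_digest(self._derive(passcode), self.verifier)
        return self.unlocked

    def put(self, name, data):
        if not self.unlocked:
            raise PermissionError("container is locked")
        self.files[name] = data

    def allowed(self, action, target_app=None):
        """Data-leak policy: may 'open_in', 'paste' or 'print' move data to target_app?"""
        if not self.unlocked:
            return False
        if action == "print":
            return self.allow_print
        return action in ("open_in", "paste") and target_app in self.approved_apps

    def wipe(self):
        # selective wipe: clears business data only; personal data on the device is untouched
        self.files.clear()
        self.unlocked = False


def demo():
    # constructed device: personal photo outside the container, business file inside it
    device = {"personal": {"photo.jpg": b"..."}, "container": SecureContainer("s3cret", ["Acme CRM"])}
    box = device["container"]
    box.unlock("s3cret")
    box.put("orders.csv", b"cust,amount\n")
    decisions = (box.allowed("open_in", "Acme CRM"), box.allowed("open_in", "Dropbox"), box.allowed("print"))
    box.wipe()
    return decisions, len(box.files), len(device["personal"])
```

`demo()` returns the three policy decisions (approved app allowed, unapproved app and printing refused), zero business files after the wipe, and the personal file still in place.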

The final challenge of containerization is ensuring that these processes are as invisible and frictionless to the end user as possible. In the age of personal cloud services and mobile apps, users will find ways to work around a solution that they feel is limiting, clunky, or just plain confusing. They don't want to enter a username and password for each business app or hunt for specific functionality inside of large or complex enterprise apps or navigate around restrictive limits.

Many companies have begun to address these issues, but MobileIron and Good seem to be doing the best job of offering containerization in an effective but minimally intrusive way.

MobileIron has done a phenomenal job in its new AppConnect product in designing a powerful solution that makes containerization almost completely transparent to the user. The company ticks all the security boxes -- enterprise authentication, single sign-on, authorization based on the user account as well as the device and installed apps, and it offers flexible policies. Despite the container approach and app wrapping, users have virtually the same experience under AppConnect as on an unmanaged device. The companion AppTunnel solution also offers secure connections from secured apps to a corporate network without the use of a resource-heavy VPN infrastructure.

Good has also done an amazing job on this front with its Good Dynamics platform and its recent acquisition of AppCentral, which allows it to provide app wrapping as well as an SDK option to its customers. Good's overall on-device presence isn't as transparent to users as MobileIron's AppConnect, but it is still pretty user friendly and packs the security needed by most enterprises.

As I mentioned, Centrify has also recently stepped into this arena with its own Mobile Authentication Services (MAS) SDK that focuses on single sign-on and mobile authentication. The MAS SDK is available through a freemium model and focuses on securing mobile access to enterprise data systems and cloud services.

As mobile app management (MAM) becomes a companion to, and to some extent displaces, device management as the IT mantra for mobile management, we'll see a lot more evolution of the secure container -- and most likely a number of additional mergers, acquisitions, and partnerships to deliver the best container options. Overall, containerization looks almost certain to be one of the key mobile security technologies for a long time to come.  
