Mobile Virtualization: Security Panacea?

— May 25, 2011

Ubiquitous smartphones, tablets, and other wireless devices increasingly enable mobile workers to access company assets from outside HQ—on the road, at home, anywhere there is connectivity. Accommodating this consumerization of enterprise IT—letting workers acquire and use their own devices—presents formidable challenges to the security of enterprise infrastructure and to business-critical data and applications that use it.
 
Mobile virtualization can ease the burden of enterprise mobility, simplifying life for IT staff while giving road warriors and telecommuters a safe and secure platform for running enterprise apps and working with company data. At the same time these mobile workers can continue enjoying the features and fun capabilities of their smartphones free from the boss’ scrutiny.
 
The Situation – Mobility with a Chance of Productivity
Since the 1980s, companies have supplied employees with personal technology—first desktop PCs, then mobile phones and notebooks, and most recently, smartphones and tablets. The motive for these capital equipment investments was to make employees more accessible and organizations more productive, extending contact by voice and e-mail, enabling access to enterprise information systems, and giving workers the tools to be as productive on the road as they are in the office.
 
Results of these programs have been mixed. Challenges to mobility ROI have included:
  • Access: Limited access to corporate systems due to security policies and the vagaries of remote network access (VPN, hotel-based broadband, etc.)
  • Upkeep: Costs to acquire and maintain remote hardware, to enable remote access, and to keep hardware and software up-to-date
  • Consumerization: Employee dissatisfaction with company-supplied computers, phones, and tablets has led to a preference for using worker-selected mobile hardware
  • Security: Risks to corporate networks and assets from malware and other exploits introduced through casual use of company-supplied equipment (employee Web surfing, downloaded content, etc.)
Improvements in VPN technology and ubiquitous broadband (Wi-Fi, 3G, etc.) today address most access issues. With increasing prevalence of consumer devices, employee satisfaction will rise and upkeep costs fall.
The remaining puncture in the tires of enterprise mobility is security.
 
The IT Challenge – Mission Impossible?
Corporate management has handed IT staff a mandate to support consumerized enterprise mobility: roving employees must be able to log onto corporate networks, access company databases and e-mail servers, and run business-critical applications. Not just from desktop PCs and notebooks, not from IT-vetted hardware, but from employees’ own Android-based smartphones and other wireless devices.

The mission—make end users productive (and happy) without compromising hard-won company security and make them mobile without exposing corporate secrets and customer information to the prying eyes of hackers, identity thieves, and other black hats.
 
Before tidying up their resumes and heading for the door, IT staffers will likely consider a series of unappealing responses:
  • Lock down mobile applications and blacklist all Web sites that are not work-related
  • Wipe employee phones and install clean and secure company golden masters (if even possible)
  • Support only 1-2 handset and tablet models qualified for end users to buy and use
For technical and practical reasons, none of the options are really viable. So what’s a company to do?
 
The End-User Conundrum
This past year, after the winter holidays, workers in sales, support, marketing, engineering, accounting, facilities, and other departments returned to work with shiny new smartphones and tablets they received as gifts (or bought for themselves). These devices are not just for communication—they are lifestyle enhancers providing applications to manage diet and exercise, participate in social networks, coordinate schedules and track family members, educate, and entertain. And they also support Web browsing, e-mail, note taking, report writing, financial modeling—many or all productivity-enhancing activities previously hosted on PCs and notebooks—but in a friendly touch-driven form factor.
 
Around the proverbial water cooler, workers eager to leverage newfound mobility in (and out of) the workplace swap stories of their enterprise mobility experiences:
 
  • Joe from accounting let IT have his smartphone and now he can’t play the market on his own time (or play games or watch videos)
  • Wendy in sales had the support desk install company CRM and inventory management tools on her Web pad and now she can’t surf competitor Web sites and read popular blogs for industry
  • Developer Chad and even IT staffer Michelle had to remove network monitoring and console tools from their wireless devices to comply with mobile security policy
  • Fiona at the front desk could no longer display her favorite screen saver or use Facebook during coffee breaks
  • Each also realized that employer-installed software could probably also track online browsing and download habits. Via GPS-enabled phones and tablets, they could now add their physical locale to the list of privacy concerns.
Everyone lost something: familiarity, personalization, utility, privacy, and ultimately, productivity and freedom—freedom to use their own devices as they like.
 
The result? Potentially productive mobile employees either walked away from their company’s enterprise mobility rollout or ended up carrying (at least) two devices: one to meet company requirements and an additional personal smartphone or tablet of their own.
 
Enterprise Mobility Approaches
A set of technologies and solutions has emerged to meet the “dual persona” challenge of personal and professional mobility:
 
Cloud-Based Portals – Cloud computing has impacted the entire enterprise IT landscape, including mobility. Web apps and cloud-based (virtual) servers have moved enterprise assets and applications out of headquarters data centers and onto the World Wide Web.

Cloud-based mobility most commonly supports e-mail (Webmail), help desks, and database-driven applications (CRM, etc.) but can also support *aaS (“anything as a Service”) paradigms. On the down side, *aaS greatly alters user experience, especially for legacy mobile and PC-native apps.
 
Application-Level Containers – A short path to deploying enterprise mobility is to encapsulate/protect only key assets. Stand-alone “container” applications (meta platforms) project and segregate corporate presence on mobile devices by offering dedicated, secure mail clients and other applications (but not expected native apps or legacy enterprise applications). 
 
Encryption – Not an enterprise mobility solution per se but a means to protect on-device content and data in transit. Other solutions can leverage platform-native encryption (when present) or carry their own encryption engines.
 
Mobile Device and Software Management (MDM/MSM) – Suites of software components and services residing partly on mobile devices and partly on back-end servers, offering device management, provisioning, tracking, locating, and wiping. MDM suites often integrate technology from multiple sources.
 
System-Level Solutions – Using mobile virtualization (Type I hypervisors) to isolate business-critical enterprise software and data from open end-user environments by hosting each in secure virtual machines.
 
Three Pillars of Enterprise Mobility
The success of enterprise mobility rests upon three pillars: security, privacy and freedom. Security for corporate communications and assets; privacy and freedom for the actual device users.
 
In the following table, let’s examine how some leading technical approaches enhance enterprise mobility and can impact security, privacy, and freedom. Note that these approaches are not mutually exclusive and in many cases complement one another.
 
| Approach | | SECURITY | PRIVACY | FREEDOM |
|---|---|---|---|---|
| Cloud-Based Portals | + | Authenticated access | Accessible on-the-go | Flexible, Web-based |
| | - | Open to social engineering, key logging, Web-based cracking | Data in cloud open to employer scrutiny | May require specific browsers; not application-based (Web) |
| Application-Level Containers | + | Easy deployment (application) | | Preserves outward look & feel |
| | - | Non-standard APIs, closed environment, open to DoS attacks | User content visible to employer | Forces user/IT into proprietary environment, applications |
| Encryption | + | Secures all technologies. Protects data locally, in transit. | Enhances user privacy (especially Public Key Encryption) | Secure communication with employer, family, friends |
| | - | Platform-based encryption subject to root-level exploits. | Employers may retain passwords, keys, and backdoors | Adds complexity to user experience (not always transparent) |
| Mobile Device and Software Management (MDM/MSM) | + | Can combine multiple security measures for apps and data | | |
| | - | Focus on provisioning, wiping and tracking, not protection | Monitors / tracks users virtually and physically (LBS) | Changes device personality. Blacklists apps and sites |
| System-Level Solutions (with Virtualization) | + | Fully isolates user and enterprise personas; maximum assurance | Gives users 100% private partition for data and applications | User persona preserves original device capabilities |
| | - | | User can still trash own partition! | |


Mobile Virtualization
Virtualization provides a secure, isolated, and robust run-time environment for programs (including Android and other OSes) that is indistinguishable from actual “bare” hardware. This virtual machine (VM) environment mimics actual computer hardware and isolates guest software stacks from one another. Providing the virtual machine environment and managing VM resources is a software layer called a hypervisor.
 
Mobile virtualization, like its data center cousin, runs underneath OSes and other software visible to applications and end users. It builds on Type I “bare metal” virtualization, as distinct from Type II hypervisors, which themselves run as applications over an OS (Type II virtualization is common on desktop systems, e.g., VMware Workstation/Fusion and Parallels).
 
Not only does mobile virtualization provide an ideal foundation for enterprise mobility, it is also deployed in mobile devices for other purposes—to host/partition legacy baseband radio software, to support cost reduction through chipset consolidation, and to implement military-grade security for ultra-secure and certified “superphones.”
 
Conclusion
Of the various options for implementing enterprise mobility securely while preserving end-user privacy and freedom, only mobile virtualization consistently balances all three pillars. Other solutions attempt to implement the form of dual persona functionality, but miss the substance: underlying security that also preserves privacy and freedom.
 
Built on widely deployed, hardware-based hypervisor technology, mobile virtualization isolates personal and corporate environments architecturally, from the hardware upward through the software stack. When security is not an afterthought, it can also be tailored to accommodate and enhance user privacy and preserve the end-user experience.
 
Rob McCammon is vice president of product management at Open Kernel Labs.