Anthony Perkins wants employees at BNY Mellon to bring their personal smartphones to work and use those instead of company-issued BlackBerries to access business email, applications and data.
But there's a catch: Not all employees are comfortable with the prospect of having their personal phones locked down and controlled as tightly as the BlackBerries that Perkins would like to phase out. That's where the notion of containerization comes in.
A bring-your-own-device (BYOD) strategy is good business, says Perkins, CIO for BNY Mellon's Wealth Management business. It reduces the time and expense involved with maintaining and managing company-owned BlackBerries. "We'd like to be in the business of managing software, not hardware. In the RIM world, you manage hardware," he says, referring to BlackBerry maker Research In Motion.
On the downside, today's popular mobile devices were developed for the consumer market, and third-party management tools don't offer the same degree of control over user devices that RIM systems have over BlackBerries. RIM designed and controls the BlackBerry client architecture and has been especially responsive to the needs of corporate customers.
Because corporate apps and data are often mixed in with the user's personal content, mobile device management (MDM) tools tend to be very strict when it comes to managing corporate resources on users' phones. Usage policies often apply to the entire device, covering both personal and professional apps and data. Users may not be willing to give up control of their personal phones in exchange for the privilege of using them for business.
To get around such user resistance, Perkins is turning to containerization, an emerging class of management technology that carves out a separate, encrypted zone on the user's smartphone within which some corporate apps and data can reside. Under such an arrangement, policy controls apply only to what's in the container, rather than to the entire device.
Containerization tools are typically complementary to MDM software, and an increasing number of MDM vendors are incorporating containerization functionality.
But as great as containment is for safeguarding corporate data, it doesn't necessarily prevent personal data from being lost in a wipe by the IT department if a phone is lost or stolen. Some IT shops recognize that some users may not know how to properly back up their personal data and apps and are helping them set up backup systems.
Ryan Terry, division CIO and chief security officer at University Hospitals Health System in Shaker Heights, Ohio, turned to containerization because he sees the use of traditional MDM tools to control the entire device as a liability issue. The hospital needs to have apps or data delivered securely to clinicians without interfering with the users' ability to access their personal apps and data. "We can't afford to delete things of a personal nature or impede their ability to use their personal asset," he says.
Alex Yohn, assistant director of technology at West Virginia University, is also wary. "I don't want my guys doing settings on the personal side that could come back to haunt us," such as accidentally deleting data or making configuration changes that affect how the users' personal apps run, he says.
For companies in highly regulated industries that need strong security policies and face strict compliance mandates, containerization can be especially helpful in making the BYOD experience more palatable for users, IT leaders say.
Choose Your Container
Vendors offer, in essence, three different approaches to containerization: creating an encrypted space, or folder, into which applications and data may be poured; creating a protective "app wrapper" that creates a secure bubble around each corporate application and its associated data; and using mobile hypervisors, which create an entire virtual mobile phone on the user's device that's strictly for business use.
All of these approaches offer more granular control over corporate applications and data on users' devices than whatever security comes standard with smartphones currently. And with containerization, users aren't limited to using devices on an approved list of smartphones that have been certified and tested by IT, because corporate apps and data reside inside a secure, encrypted shell.
However, the need to switch back and forth between the business and personal environments may be perceived as inconvenient and affect overall user satisfaction, says Phillip Redman, an analyst at Gartner.
Neither Apple nor Google offer containerization technology, and neither would comment for this story, but each company did point out some resources that might be helpful (see sidebar, below).
The most mature containerization approach is the use of an encrypted, folder-based container, Redman explains. AirWatch has such an offering, and Good Technology is an early market in sales to organizations that have adopted containerization enterprisewide, particularly within regulated industries.
For basic mobile access, BNY Mellon uses Good for Enterprise to create an encrypted space on smartphones within which users can run Good's email and calendar client and use a secured browser. "It's a secure container with an app that can send and receive corporate email that's encrypted," says Perkins. All communications are routed through Good's network operations center, which authenticates mobile users.
Good has been offering its basic email and calendaring tools for several years. Late last year, it added the capability for other apps to run within its protected space using the Good Dynamics Platform, but each app must be modified to run in Good's proprietary environment. So far, about a dozen commercial apps are available, including QuickOffice, which is typically used for reading and editing downloaded Microsoft Office file attachments.
Perkins is using Good only for email and calendar -- the "killer apps" for most employees, he says -- and accessing internal, browser-based apps using Good's browser.
For users who need complete access to the corporate network, SharePoint and other services, BNY Mellon uses Fiberlink's MaaS360, a cloud-based MDM system that can take complete control of a user's device. MaaS360 monitors what gets written to and from the operating system, and it blocks access to some personal apps, such as Yahoo Mail and Gmail, when the device is accessing corporate resources.
"When it's on our network, we own it and control it," says Perkins. When used in personal mode, individuals have control over which apps they can use.
Where Apple and Google Stand on Mobile Device Management
Spokesmen for Apple and Google wouldn't comment for attribution in this story, but both pointed Computerworld to resources that might be helpful and offered clarifications by email.
Google Apps for Business, Government and Education administrators can use the Google Apps Control Panel to manage end users' Android, iOS and Windows Mobile devices at the system level. The panel allows the device to sync with Google Apps, encrypts data and configures password settings.
Another tool, called Google Apps Device Policy, enforces security policies such as device encryption and strong passwords, and can also locate, lock and wipe a device. It can also block use of the camera and enforce email retention policies. However, partial wipes of just corporate data are not supported.
MDM vendors can use Google's Android Device Administration API to provide similar controls outside of Google Apps.
As to Google's position on the use of containerization/app wrapping technologies that require access to binaries to create a policy wrapper around enterprise-specific apps, Google does not offer such a tool itself and declined to comment further.
Apple says it supports third-party MDM tools. It allows MDM servers to manage in-house apps and third-party apps from the App Store and supports the removal of any or all apps and data managed by the MDM server.
In practice, however, MDM servers are limited. While most tools allow for selective deleting or blocking of specific enterprise apps, there's no automated way to identify and erase all of the associated data. "No IT manager can sit around and go through thousands of files that may be on each user's phone," says Phillip Redman, an analyst at Gartner.
As to Apple's position on the use of containerization/app wrapping technologies that require access to app binaries to create a policy wrapper around apps that are enterprise-specific, Apple does not offer such a tool itself and declined to comment.
What's more, BNY Mellon may wipe devices -- including all personal apps and data -- that are lost or stolen, although MaaS360 and most other major MDM tools do allow selective wipes. Citing security concerns, Perkins declined to say how many times the company has had to wipe phones.
In contrast, only the corporate container is wiped from lost or stolen devices that just have email and calendar access via the Good technology.
A newer, more granular approach is to enclose individual apps in their own encrypted policy wrappers, or containers. This allows administrators to tailor policies to each app. The market for tools that support app wrapping is dominated by small vendors with proprietary products, including Mocana, Bitzer Mobile, OpenPeak and Nukona (which was recently acquired by Symantec).
For its part, RIM is working on adding this capability to its BlackBerry Mobile Fusion MDM software. (Mobile Fusion works with Android and iPhone devices in addition to BlackBerries.) Peter Devenyi, senior vice president of enterprise software at RIM, says the company's offering will be "a containerized solution where one can wrap an application without the need to modify source code so you can run it as a corporate application and manage it as a corporate asset."
With app-wrapping tools, "you can put together a pretty complete, fully wrapped productivity suite that's encrypted and controllable," says Jeff Fugitt, vice president of marketing at mobile integrator Vox Mobile. But the technology has not been widely adopted.
Forrester analyst Christian Kane describes app wrapping as an "application-level VPN" that lets administrators set policies to determine what the app can interact with on the user's device or on the Web, and what access the app has to back-end resources. It also allows for remote wiping of the container, including the app and any associated data.
"Application wrapping is not mature," and the existence of competing architectures in this nascent market is holding back growth, says Gartner's Redman. But, he adds, app wrapping will eventually be more widely adopted when the technology is integrated into the larger and more established MDM platforms.
The downside to app wrapping is that each application must be modified, which means administrators need access to the app's binary code. That means some apps that come preinstalled on Android or iOS phones may not be supported. Also, implementations may work more smoothly with Android devices than with iOS because of problems getting binary code for apps sold via Apple's App Store. For this reason, wrapping tools tend not to work with iPhone apps. For example, Mocana's Mobile App Protection product doesn't support the email client on the iPhone -- or other built-in apps, for that matter.
Users can get access to the binary code for free iOS apps, but for App Store wares that must be purchased, IT needs an agreement to buy direct from the provider and bypass Apple's store.
Apple currently turns a blind eye to users who employ app wrapping or change apps bought from its App Store, "but by their rules, you're not supposed to do that," says Redman. "They could clamp down and not allow that, although so far they haven't." Apple declined to comment.
Cloud-based MDM Services on the Horizon
Mobile device management typically involves installing agent software on each user's device and setting up a server-based management console. Don't want to do it yourself? Service providers that help IT manage mobile devices and software are plentiful.
For example, integrator Vox Mobile offers a "managed mobility" service that includes comprehensive monitoring and reporting, Fiberlink offers MaaS360 for corporate email and documents, and mobile carrier AT&T introduced its cloud-based Toggle mobile management service last year.
With Toggle, AT&T installs a "work container" on each smartphone, which the user logs in to with a password. Administrators can then manage container policies by way of a cloud-based portal and app store called Toggle Hub. In the third quarter, AT&T plans to add the ability to run antivirus scans on all managed devices, as well as the ability to lock or wipe the container.
"More and more of this will move into the cloud. But today, it's still a small percentage," says Phillip Redman, an analyst at Gartner.
"Where this is leading is dual data plans on the same device," says Mobeen Khan, executive director of advanced mobility solutions at AT&T. "You will have a phone number for the container and one for your personal device."
Anthony Perkins, CIO for BNY Mellon's Wealth Management business, is excited about that prospect. "We're talking with Verizon and AT&T about phones with a SIM that has two phone numbers," he says. Those devices are currently in development, and Perkins says that carriers are telling him they will be available in just a few years -- AT&T declined to comment on availability. But whether the time frame is two years or 10, he says, "that's probably the direction we'll go."
The third approach to containment is to create a virtual machine that includes its own instance of the mobile operating system -- a virtual phone within a phone. This requires that the vendor work with smartphone makers and carriers to embed and support a hypervisor on the phone. Such technology isn't generally available yet, but devices that support a hypervisor may eventually allow users to separate personal and business voice and data.
VMware is developing an offering called VMware Horizon. It will support Android and iOS, and function as a Type 2 hypervisor, which means the virtual machine runs as a guest on top of the native installation of the device's operating system.
Having a guest OS run on top of a host operating system tends to consume more resources than a Type 1 "bare metal" hypervisor that's installed directly on the mobile device hardware. It's also considered a less secure approach, since the host operating system could be compromised, creating a path of attack into the virtual machine.
Another vendor, Open Kernel Labs, offers a Type 1 hypervisor that it calls "defense-grade virtualization." Open Kernel's technology is currently used mostly by mobile chipset and smartphone manufacturers that serve the military. The company has yet to break into the commercial market, says Redman.
Developing a Type 1 hypervisor that interacts directly with the hardware is impractical, says Ben Goodman, lead evangelist for VMware Horizon. "We moved to a Type 2 hypervisor because the speed at which mobile devices are being revised makes it nearly impossible to keep up," he says.
As for security, VMware is working on an encryption approach similar to the Trusted Computing Group's Trusted Platform Module standard. It's also researching jail-break detection.
Performance won't be a problem, says Goodman, vowing that "VMware Horizon is optimized to run extremely well." But VMware declined to provide the names of early adopters who could discuss the product.
Israeli startup Cellrox offers its own twist on virtualization for Android devices. The technology, called ThinVisor, was developed at Columbia University. It's neither a Type 1 nor a Type 2 hypervisor, but "a different level of virtualization that resides in the OS and allows multiple instances of the OS using the same kernel," says Cellrox CEO Omer Eiferman. The vendor offers ThinVisor to cellular service providers, smartphone manufacturers and large enterprise customers.
Problems and Promise
One problem with containerization is that not all products support iOS, which powers iPhones, the smartphones most commonly found in enterprises. While Apple has a 22% share of the worldwide smartphone market, compared with 50% for Android devices, those figures are reversed in the enterprise: The iPhone has 60% of that market, versus 10% for Android devices, according to Gartner.
Apple's legendary secrecy about operating system enhancements means containerization vendors receive no advance notice and must scramble every time the vendor releases an update. The bottom line: Users may have trouble accessing corporate systems if they upgrade their personal iPhones too quickly. At University Hospitals, says Terry, "iOS changes often cause service interruptions while Good Technology's products are modified, tested, then released."
Directory integration is another area where tools are still evolving. "We'd like to see more integration with Active Directory and with PeopleSoft or whatever the source of record is to control user profiles -- ideally, tighter integration that would disable access automatically or restrict access to published applications based on a user's role," Terry says. Today, businesses may need to turn to integrators such as Vox Mobile to provide that level of integration.
Containerization can also make it difficult to provide tech support for users' personal devices if IT doesn't have visibility into the performance of the total device, says Steve Chong, manager of messaging and collaboration at Union Bank, which uses Good for Enterprise. He notes that there are a number of questions that are difficult to answer with containerization: Is the problem related to signal strength? Has the user run out of storage space? Is there a way for IT to remotely access the phone to diagnose issues?
"Having agents on the phone means that it needs to be constantly on all the time for data gathering, but that means that it will consume phone resources," Chong says. Also, it's "software that now needs to be managed and updated on users' phones."
Today, organizations with BYOD programs either aren't using MDM or are using basic tools like Microsoft's Exchange ActiveSync, which allows mobile access to users' Exchange email and calendars. "The next phase is getting to MDM. Then [IT] can look at application security and management," Redman says.
At CareerBuilder, a jobs website and staffing firm, employees who want to use their own phones can connect to the enterprise via ActiveSync, but downloaded data is not encrypted unless the user does so at the device level. Further, IT doesn't offer support for users connecting with their own smartphones.
CareerBuilder users can also install, on their own, apps to access SaaS applications such as Concur and Salesforce.com. "We defaulted to that," says Roger Fugett, senior vice president of IT. But with nearly half of the company's 2,600 employees now bringing their own devices, Fugett says he's taking a hard look at the potential risks and how to mitigate them. Containerization and general MDM tools are on his radar.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
Read more about mobile/wireless in Computerworld's Mobile/Wireless Topic Center.