Invisible Protection — The Evolution of Mobile Containers

When it comes to protecting corporate data on end-user computing devices, there has always been a need to strike the right balance between security and productivity.

In a PC-dominated world, this balance has traditionally leaned toward security, reinforced by the fact that the organization owned the endpoint and could set the terms for how end users accessed and used it.

With the advent of smartphones and tablets, that balance has shifted away from security and toward productivity.  End users are bringing their own devices into the organization, and they are accessing data in whatever way works best for them, with little regard for security.  We see this in many forms, such as the lack of passcodes on personally owned devices or the explosive growth of file-sharing services like Dropbox and Box, that lend themselves to higher productivity but also increase the risk of data loss or malicious activity.

One of IT’s earliest responses to these new risks has been the implementation of containers to protect corporate data.  The most common of these containers is an encrypted sandbox around email, contacts and calendars.

The history of email containers has been an uneasy relationship between IT professionals and end users.  End users despise containers because the user experience is disruptive, especially compared to the native email and calendar clients, and they resent the feeling that “someone else is trespassing on my property.”  IT, for its part, has simply imposed containers as a condition for accessing corporate data on a mobile device.  The result is a relationship based on distrust.

If end users dislike containers, IT dislikes them only slightly less.  This is especially true for iOS devices: complaints are inevitable, an MDM is still necessary for device-level controls, and the container adds another layer to support and troubleshoot.

Containers, however, are still going to be around for a while.  There is still the fundamental need to separate and protect work data from personal data.  Mobile malware is a real concern, and new platform vulnerabilities are found on a fairly regular basis.  And while a case might be made for containers with extended capabilities to address additional use cases, such as data security or application management, they must leave the end user’s experience largely intact.

Operating system vendors may finally be waking up to the needs of the enterprise.  Perhaps they simply hope to keep end users close by improving the user experience.  Whatever the motivation, there are signs that the need for the traditionally heavy-handed container application is diminishing.

Google is letting third parties address many elements of enterprise security.  For example, device manufacturers and even telcos are customizing Android with advanced capabilities that limit the need for container applications.  Android itself has also taken small steps in the same direction.  The most notable is device encryption for data at rest in the 4.x versions of the operating system; note that it is not on by default, so it has to be turned on by the user or enforced through a device administration policy.  Other new features, such as multi-user profiles, which are billed for family use, could be extended to personal and work profiles to separate data in an enterprise setting.

Even more promising are the advances that iOS 7 offers.  For example, the “Managed Open In” feature lets IT keep corporate data within managed corporate applications and prevents personal data from being opened in those managed applications.  In practice this means IT can specify which applications are allowed to view, edit and share attachments: documents from managed apps and managed accounts can only be handed to other managed apps, and vice versa.  So even though there is still the notion of an “encrypted sandbox” that separates the corporate and the personal, Apple is moving back toward preserving the end-user experience without sacrificing IT’s need for security, visibility and control.

Similarly, the iOS 7 “per-app VPN” gives the IT manager much more control over corporate access: the VPN tunnel back to the network is tied to the specific managed apps that need it, so it comes up when those apps are used and only their traffic goes through it, while the user’s personal apps stay off the corporate network.

Another example is Apple’s Data Protection for third-party apps, which wraps the keys that encrypt an app’s files with a key derived from the user’s passcode, effectively protecting the data that a third-party app touches or stores.  In iOS 7 this protection is applied to third-party apps by default.  The benefit of a feature like this is that if you or your users find a third-party app productive, you can deploy it and still protect the data it handles.  The caveat is that the protection is only as strong as the passcode it is derived from, so a passcode policy is a prerequisite.
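To make the two points above concrete, here is an added example of an iOS 7 configuration profile that an MDM could push to enforce both Managed Open In and a passcode policy.  It is not from the original post or from Apple; the payload identifiers and UUIDs are placeholders that an MDM would generate, and the passcode values are illustrative choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>Managed Open In and passcode policy (example)</string>
  <!-- Placeholder identifier and UUID; a real MDM generates these -->
  <key>PayloadIdentifier</key>
  <string>com.example.mdm.byod-baseline</string>
  <key>PayloadUUID</key>
  <string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadContent</key>
  <array>
    <!-- Restrictions payload: Managed Open In (iOS 7+) -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.mdm.byod-baseline.restrictions</string>
      <key>PayloadUUID</key>
      <string>11111111-2222-3333-4444-666666666666</string>
      <!-- Corporate documents (from managed apps and managed accounts)
           cannot be opened in the user's personal apps -->
      <key>allowOpenFromManagedToUnmanaged</key>
      <false/>
      <!-- Personal documents cannot be opened in managed corporate apps -->
      <key>allowOpenFromUnmanagedToManaged</key>
      <false/>
    </dict>
    <!-- Passcode payload: Data Protection keys derive from this passcode,
         so the file encryption is only as strong as this policy -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.mdm.byod-baseline.passcode</string>
      <key>PayloadUUID</key>
      <string>11111111-2222-3333-4444-777777777777</string>
      <key>forcePIN</key>
      <true/>
      <key>allowSimple</key>
      <false/>
      <!-- Illustrative values: adjust to your own policy -->
      <key>minLength</key>
      <integer>6</integer>
      <key>maxInactivity</key>
      <integer>5</integer>
      <key>maxFailedAttempts</key>
      <integer>10</integer>
    </dict>
  </array>
</dict>
</plist>
```

Two things to check before relying on this.  Managed Open In only distinguishes managed from unmanaged apps, so an app the user installed from the App Store themselves is unmanaged until the MDM installs it (or takes it over) and it will be blocked from corporate attachments; plan the managed app list accordingly.  And because the restriction is enforced by the OS on an enrolled device, a user who removes the MDM profile removes the restriction along with it, which is why the managed apps and their data are removed at the same time.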

If the major mobile operating systems continue to add enterprise support in future releases the way Apple has with iOS 7, and in an increasingly competitive OS market there is no reason to think they won’t, we will all reap the benefits: better security for our data, and protection based on identity rather than on the device.

So if you’re thinking about a BYOD program in your organization or even if you’ve already rolled one out, it’s worthwhile to step back and think about the problems you’re trying to solve, the access you want to provide, and your overall security posture.

Containers aren’t going to go away overnight.  They are still required for organizations with the highest security needs and likely will be for some time, but even now a better balance of security and productivity is being built into the mobile operating systems.  The OS vendors recognize that third-party containers insert themselves between the OS and the end user, so they will keep working to reduce the need for them.  As this trend continues, non-native container applications will be replaced by increasingly mature and non-intrusive separation of work and personal applications.
