ryan_faas
Contributing Writer

MobileIron and Good break new ground with secure containers on mobile devices

analysis
Nov 8, 2012 | 7 mins

Containerization may be the future of mobile security, surpassing MDM and MAM in overall ability and importance

Over the past 18 months, the conversation about mobile management has changed dramatically.

Where the primary goal used to be to secure and manage individual devices, the BYOD trend has made organizations of all sizes and types reconsider the meaning of mobile security. The goal for many IT departments today isn’t to lock down devices, but to securely deploy business apps so that users can safely work with company data anywhere at any time.


This new focus has led to a major new mobile security concept known as containerization: a solution that creates an encrypted data store or container on a device. Access to data in the container requires secure authentication independent of any other device setting or restriction. As a result, even on a device with no unlock passcode, no whole-device encryption, and no security policies of any type, the contents of the container remain inaccessible unless an authorized user enters valid credentials. Securing data in a container also allows IT to wipe all business data from a personal device without affecting personal data or apps.

That in itself is an attractive feature set for enterprises and one that works well for organizations with BYOD programs, but containerization shouldn’t stop at encrypting just business data.

To prevent data leaks, enterprises need to be able to manage the interaction between data in the secure container and the rest of a mobile device. That includes the ability to prevent unauthorized apps from opening business files stored in the container and the ability to disable copying and pasting between approved and unapproved apps. It can also mean disabling a device from printing files stored in the container.

Early container tools were focused on securing specific data through a single enterprise app. Good Technology, one of the containerization pioneers, initially focused on providing a secure container for email, contacts, and calendar data. Good’s approach in this area has been to offer an alternate enterprise app for access to corporate services like an Exchange server instead of using the stock apps included with iOS or Android. That approach works well in some respects, but it prevents users from interacting with enterprise data using the hundreds of thousands of apps available to them.

There are two solutions to that challenge.

The first is to develop a security framework that business and enterprise developers can integrate into their apps using a published SDK. That allows developers to write apps that can securely access and store data in an encrypted container offered by a mobile management vendor. Good launched a program earlier this year known as Good Dynamics that takes this approach, and other companies have followed suit, including Centrify, which recently launched its own enterprise authentication system for mobile devices, and MobileIron, which announced a pair of new solutions called AppConnect and AppTunnel earlier this week.

Although this approach is effective, it requires developers to build apps in partnership with one or more vendors. That can present roadblocks. The most obvious is that an organization will need to integrate mobile management tools from a specific vendor into its mobile strategy in order to take full advantage of container-based security.

Another key consideration is that existing apps may have already been built and deployed throughout an organization. To build in container security, these would need to be updated or rewritten to take advantage of a vendor’s container SDK. That can be vexing if enterprise apps were created by a contractor or employee no longer working with/for a company. For publicly available apps, there’s also the question of getting a secure version of an app through the review process of Apple’s App Store in addition to an existing version that doesn’t use any third-party functionality like that offered by an enterprise vendor’s SDK.

The second approach, which addresses some of these issues, is app wrapping, which does exactly what its name implies: It adds an enterprise wrapper to an app that creates a secure container for it. Ideally, that wrapper can be centrally managed to secure the data, require authentication for access, and offer protection against data leaks by disabling copy/paste, printing, and the ability to open files in unapproved apps. Essentially, it extends the container advantages to nearly any app, including private enterprise apps and apps publicly distributed through Apple’s App Store and Google Play.

Beyond building the secure container, a goal for many organizations is to have secured business apps that can share information with each other. After all, if you have an app for mobile ordering/billing as well as CRM, you’d want them to be able to share contacts and other key customer data.

There are, of course, different ways that apps can share data: copying and pasting content, using the option to open a file using an alternate app, and through integration with back-end systems or cloud services. Depending on the data, the app, and the individual user, it may be prudent or necessary to limit what data sharing is available, in the same way that you would set file permissions on a network share or SharePoint site. Secure containers, and apps integrated with them, require granular and flexible rights management options.
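The rights-management model described above, sketched as an added example (not code from MobileIron, Good, or any other vendor named in this article): a default-deny check covering the three leak channels the article lists. The app identifiers, group names, and rule format are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    OPEN_IN = "open_in"        # hand a container file to another app
    COPY_PASTE = "copy_paste"  # clipboard transfer between apps
    PRINT = "print"            # send a container file to a printer

@dataclass(frozen=True)
class Rule:
    action: Action
    groups: frozenset   # user groups the rule grants the action to
    targets: frozenset  # allowed destination apps; "*" means any approved app

class ContainerPolicy:
    def __init__(self, approved_apps, rules):
        self.approved_apps = set(approved_apps)
        self.rules = list(rules)

    def decide(self, action, user_groups, source_app, target_app=None):
        """Return (allowed, reason); anything not explicitly granted is denied."""
        # Boundary check first: no rule can move data to or from an unapproved app.
        if source_app not in self.approved_apps:
            return False, "source app is not approved"
        if action is not Action.PRINT and target_app not in self.approved_apps:
            return False, "target app is not approved"
        for rule in self.rules:
            if rule.action is not action or not (rule.groups & set(user_groups)):
                continue
            if action is Action.PRINT or "*" in rule.targets or target_app in rule.targets:
                return True, "granted to " + ", ".join(sorted(rule.groups & set(user_groups)))
        return False, "no rule grants this action"

# Constructed sample policy: app IDs and group names are hypothetical.
CRM, BILLING, MAIL = "com.example.crm", "com.example.billing", "com.example.mail"
POLICY = ContainerPolicy(
    approved_apps=[CRM, BILLING, MAIL],
    rules=[
        Rule(Action.COPY_PASTE, frozenset({"staff"}), frozenset({"*"})),
        Rule(Action.OPEN_IN, frozenset({"sales"}), frozenset({CRM, BILLING})),
        Rule(Action.PRINT, frozenset({"finance"}), frozenset()),
    ],
)

if __name__ == "__main__":
    for args in [(Action.COPY_PASTE, {"staff"}, CRM, "com.example.personal.notes"),
                 (Action.OPEN_IN, {"sales"}, CRM, BILLING),
                 (Action.OPEN_IN, {"staff"}, CRM, BILLING),
                 (Action.PRINT, {"sales"}, MAIL)]:
        print(args[0].value, sorted(args[1]), "->", POLICY.decide(*args))
```

Checking the approved-app boundary before any rule is evaluated means a misconfigured wildcard rule cannot open a path to an unapproved app.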

The final challenge of containerization is ensuring that these processes are as invisible and frictionless to the end-user as possible. In the age of personal cloud services and mobile apps, users will find ways to work around a solution that they feel is limiting, clunky, or just plain confusing. They don’t want to enter a username and password for each business app or hunt for specific functionality inside of large or complex enterprise apps or navigate around restrictive limits.

Many companies have begun to address these issues, but MobileIron and Good seem to be doing the best job of offering containerization in an effective but minimally intrusive way.

MobileIron has done a phenomenal job in its new AppConnect product in designing a powerful solution that makes containerization almost completely transparent to the user. The company ticks all the security boxes: enterprise authentication, single sign-on, authorization based on the user account, as well as the device and installed apps. It also offers flexible policies. Despite the container approach and app wrapping, users have virtually the same experience under AppConnect as on an unmanaged device. The companion AppTunnel solution also offers secure connections from secured apps to a corporate network without the use of a resource-heavy VPN infrastructure.

Good has also done an amazing job on this front with its Good Dynamics platform and its recent acquisition of AppCentral, which allows it to provide app wrapping and an SDK option to its customers. Good’s overall on-device presence isn’t as transparent to users as MobileIron’s AppConnect, but it’s user-friendly and packs the security needed by most enterprises.

As I mentioned, Centrify has also recently stepped into this arena with its own Mobile Authentication Services (MAS) SDK that focuses on single sign-on and mobile authentication. The MAS SDK is available through a freemium model and focuses on securing mobile access to enterprise data systems and cloud services.

As mobile app management becomes a companion to, and to some extent displaces, device management as the IT mantra for mobile management, we’ll see a lot more evolution of the secure container — and most likely a number of mergers, acquisitions, and partnerships to deliver the best container options. Overall, containerization looks almost certain to be one of the key mobile security technologies for a long time to come.

Ryan Faas is a contributor to CITEworld, where he covers Apple, mobile device management, and BYOD policy and practices. Read more of his work on CITEworld.

This article, “MobileIron and Good break new ground with secure containers on mobile devices,” was originally published at InfoWorld.com.

Ryan Faas is a technology journalist and author who had been writing about Apple, business and enterprise IT topics, and the mobile industry for over a decade. He is author and/or editor of ten technology books. He is a prolific freelance writer whose work has been featured on Computerworld, Enterprise Mobile Today, InformIT, Peachpit Press, Cult of Mac, Cult of Android, About.com, and Datamation. In 2008 he was awarded a Neal National Business Journalism award for his work featured in Computerworld's "Week of Leopard" series.

In addition to writing, Ryan has spent a large portion of the past fifteen years in the systems/network engineering and IT management fields as an IT director, systems administrator, trainer, and all-round multi-platform and mobile device technology consultant. His client list ranges from human services agencies, small non-profits, and private schools to Fortune 500 companies and major media agencies. He also worked for mobile management provider MobileIron from November 2014 until October 2015.
