Mobile App Containers: Product Or Feature?




ANALYST BRIEF
APPLE AND SAMSUNG HAVE TAKEN BIG STEPS WITH CONTAINERIZATION
Author: Andrew Braunberg

Overview

Secure workspaces, or containers, used for isolating corporate applications (apps) and data on mobile devices are becoming a mainstream approach to mobile security strategies. While software solutions have been on the market for several years, and have even been available as carrier services (as dual persona solutions), adoption has been slow. This is likely to change, however, because the two biggest players in mobile device markets, Apple and Samsung, have embraced the approach. Apple's recently released iOS 7 supports multiple enterprise-friendly features, including several that allow for a richer capability to separate personal and corporate apps and data. Samsung has gone even further by embracing containerization within its Samsung KNOX framework. While the containerization features in iOS 7 are not nearly as comprehensive as the Samsung KNOX container capability, the fact that Apple plays so strongly in the enterprise has generated significant attention on those features. Interestingly, VMware believes that the release of iOS 7 has eliminated the need for third-party container and wrapper technologies on Apple devices. VMware Workspace 1.5 shipped without the iOS application wrapping capabilities that VMware had developed for the product.[1]

Mobile OS vendors and device original equipment manufacturers (OEMs) might well subsume the secure workspace market over time, but Apple would have to continue to extend the features it has only recently introduced, and a broader set of Android device OEMs would need to move in this direction. Regardless of whether containerization eventually becomes a standard product feature, today both Apple and Samsung rely on third-party solutions to provide the server-side components of their container features, which leaves ample opportunity for pure-plays. Samsung has even coined a term for these partners: Mobile Container Management vendors.

[1] http://cto.vmware.com/vmwares-strategy-for-ios-7-and-industry-implications/

NSS Labs Findings

- Apple has introduced rudimentary containerization features in iOS 7 that will meet the needs of some enterprise clients.
- Samsung's KNOX solution provides an integrated secure workspace on a small but growing number of Samsung devices.
- Apple and Samsung both are reviewing third-party mobile device management (MDM) vendors to extend and fully enable their secure workspace capabilities.
- Third-party secure workspace solutions will continue to find customers, but increasingly as components of much broader enterprise mobility management (EMM) solutions.

NSS Labs Recommendations

- Organizations using Apple products are urged to leverage the new enterprise features in iOS 7, particularly those that enable better app and data segmentation and isolation.
- Enterprises that have been hesitant to allow Android devices onto their networks should examine Samsung KNOX, which adds robust security features to a popular consumer device line.
- Enterprises that have fully embraced bring your own device (BYOD) policies should consider best-of-breed secure workspace solutions to augment the security of these devices.
- EMM vendors, the majority of which have been moving into the secure workspace market, should continue to expand their footprints with the expectation that client-side mobile security features will continue to be subsumed within mobile operating systems.
- EMM vendors should continue to work closely with device manufacturers to add value beyond basic device management in complementary gateway, server, and cloud products.

Analysis

Apple iOS 7

Apple iOS 7 has introduced some techniques to better enable dual persona segmentation on iPhones and iPads. These include the introduction of Managed Open-In, and additional MDM configuration controls that make the availability of managed apps and managed accounts much more useful for creating secure workspaces.

Volume Licensing

Perhaps the most important new feature in iOS 7 is the volume licensing support from Apple. This feature allows enterprises to take a more app-centric approach to security. Organizations can now order and deploy apps in bulk, and they have the right to reclaim a license when an employee leaves the organization. There are also no longer geographic (national) usage restrictions on licenses. These improvements make it much easier for organizations to manage applications deployed on employee devices, regardless of who actually owns a device.

Enterprise Management Features

iOS 7 includes several important new enterprise features. The encryption capabilities for app data at rest that Apple introduced in iOS 4 are now automatically enabled on all devices that have passcode lock enabled. All third-party apps now automatically have data protection enabled. Data stored in third-party apps will be protected with the user's passcode until they unlock the device. This change has clear security benefits, and it simplifies the app development process. Also now supported by iOS 7 are per-app virtual private network (VPN) connections that enable specific VPN controls on individual managed apps. The ability of administrators to configure, or reconfigure, VPN settings is just one example of a broader capability to enforce managed app provisioning and configuration changes within iOS 7. This ability to push, delete, and update managed apps on Apple devices provides much richer control to administrators.

The distinction between managed (i.e., corporate) and unmanaged (i.e., personal) apps that iOS 7 allows is most useful in its new Managed Open-In feature, which restricts data sharing between managed and unmanaged apps. As the name implies, the Open-In feature controls which apps are used to open documents. Managed Open-In will not allow a document from a managed app to be opened or shared in an unmanaged app. This restriction can also be enforced the other way, providing additional privacy enforcement for personal data on a device by not allowing it to be opened within a managed app. An app or account is managed when it is provisioned on the device by a mobile device management (MDM) server. Third-party MDM solutions remain an important adjunct to iOS, as they are the mechanism for leveraging enterprise device APIs. Managed iOS devices (and accounts) are by definition provisioned and managed by MDM solutions. Apple's maturing MDM framework supports the following features:

- Managed accounts: Installation, management, and removal of accounts that provide access to corporate services.
- Managed configurations: Configuration of settings such as passcodes, restrictions, and voice and data roaming policies.
- Managed apps: Installation, configuration, management, and removal of App Store and custom in-house apps.

- Device queries: Scheduled querying of device, network, application, and security information.
- Security commands: Ability to clear a user's passcode, and remotely lock or wipe a lost or stolen device.

Third-Party Integration

MDM systems interact with iOS devices through the Apple Push Notification Service (APNs). If an MDM server must communicate with an iPhone or iPad, it must first notify the APNs, which will then alert the device to check in with the MDM server. All communication between the device and the MDM server is via an encrypted SSL/TLS connection. The MDM server performs all provisioning and configuration of the managed apps and accounts. These controls are maintained in configuration profiles (XML files), which are signed and encrypted before being installed on the device. iOS 7 has added several important enterprise features that can be leveraged by MDM partners to create better data isolation for corporate apps on Apple devices. These include:

- Control of Open-In: With iOS 7, Apple has introduced a new API that allows information technology (IT) administrators to dictate which apps users can use to open attachments. These controls currently only enforce policy based on whether an app is managed (installed through an MDM system) or unmanaged (installed directly by the end user).
- Per-application VPN: iOS has supported device-level encryption for some time; however, with the release of iOS 7, the OS now supports application-level VPN connections. To be functional, the organization's server-side VPN hardware must also support this capability.
- Single sign-on: With iOS 7, Apple has also enabled application-level Kerberos authentication.
- Configure application settings: iOS 7 allows administrators to configure settings for individual apps. This includes installing and deleting apps, as well as specific configurations within the app or managed accounts (for example, server names, Lightweight Directory Access Protocol (LDAP) credentials, and certificates).
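To make the managed/unmanaged rule concrete, the following added example (not code from NSS Labs or Apple) parses a constructed Restrictions payload of the kind an MDM server pushes in a configuration profile and evaluates Open-In decisions from it. It assumes the com.apple.applicationaccess payload keys allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged, and omits the signing and encryption envelope that wraps a real profile.

```python
"""Model of the iOS 7 Managed Open-In rule as carried in an MDM configuration profile.

Added illustration, not NSS Labs or Apple code. Assumes the two Restrictions-payload
keys allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged in the
com.apple.applicationaccess payload. The profile below is constructed, not captured,
and the signed/encrypted envelope of a real profile is left out.
"""
import plistlib

# Constructed sample configuration profile (XML plist) that blocks both directions.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.corp.openin</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.corp.openin.restrictions</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
      <key>allowOpenFromUnmanagedToManaged</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def open_in_policy(profile_bytes):
    """Extract the two Open-In flags from the Restrictions payload.

    Absent keys mean the direction stays allowed, which is the device default.
    """
    profile = plistlib.loads(profile_bytes)
    policy = {"managed_to_unmanaged": True, "unmanaged_to_managed": True}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        policy["managed_to_unmanaged"] = payload.get("allowOpenFromManagedToUnmanaged", True)
        policy["unmanaged_to_managed"] = payload.get("allowOpenFromUnmanagedToManaged", True)
    return policy


def open_in_allowed(policy, source_managed, target_managed):
    """Decide whether a document may be handed from the source app to the target app.

    Only the managed/unmanaged status of the two apps is consulted: the document
    type and the identity of the particular managed app play no part, which is the
    coarseness the brief points out (any managed app may open any corporate attachment).
    """
    if source_managed and not target_managed:
        return policy["managed_to_unmanaged"]
    if not source_managed and target_managed:
        return policy["unmanaged_to_managed"]
    return True  # managed-to-managed and personal-to-personal are never restricted


if __name__ == "__main__":
    pol = open_in_policy(SAMPLE_PROFILE)
    print("corporate attachment -> personal app:", open_in_allowed(pol, True, False))
    print("corporate attachment -> other managed app:", open_in_allowed(pol, True, True))
```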
Additional Considerations

These features make the devices that are running iOS 7 more secure and useful in the enterprise, with the Managed Open-In feature in particular providing basic containerization capabilities. Unfortunately, it does not allow fine-grained policy controls. Administrators can ensure that corporate documents are opened only in managed apps, but they cannot limit Open-In to particular managed apps. For example, any managed app can open any document that is attached to a corporate email account. The only real restriction is that a corporate email attachment cannot be opened in an unmanaged app. (A policy can also be set so that an attachment in a personal email cannot be opened in a managed app.) Clearly, some corporate documents are more sensitive than others. However, beyond the distinction between managed and unmanaged, there are no supported restrictions that are based on document type. Enterprises currently using third-party secure workspace solutions will find the iOS 7 features fairly rudimentary, while organizations that have yet to deploy broader EMM solutions likely will find them a positive and useful evolution in Apple's products. The new iOS 7 features are, of course, limited to (up-to-date) Apple devices, but in fact may be used only on Apple devices where users have allowed some degree of management of the device.

Samsung KNOX

In early 2012, Samsung signaled an interest in expanding the target market for its Android devices to enterprise customers with its introduction of the first Samsung Approved for Enterprise (SAFE) devices. SAFE devices support Samsung On Device Encryption (ODE) and a software development kit (SDK) that allows partners to leverage a richer set of security and management APIs than is found in the base Android build. In February 2013, Samsung further extended its security differentiation with the introduction of KNOX. Containerization is a core component of Samsung's enterprise security strategy and KNOX framework. The main security features in KNOX[2] are:

- Trusted Boot: a hardware-assisted feature that ensures that the device boots only from an authorized kernel
- TrustZone-based Integrity Measurement Architecture (TIMA): provides a continuous security check of the integrity of the kernel
- Security Enhancements (SE) for Android: leverages the SE for Android kernel, which allows the use of Mandatory Access Control (as opposed to Discretionary Access Control)
- Secure Workspace: provides a secure container for work apps and widgets. The Samsung KNOX Application Container is a virtual Android environment within the mobile device.

Samsung KNOX Application Container

The Samsung container is managed through a third-party MDM system. KNOX secures apps and data within its container through the following features: separation of the data file systems used by the personal space and the KNOX container; encryption of all data within the KNOX container; and isolation of apps and data within and without the KNOX container. A separate, dedicated encrypted file system is employed for data stored within the container. The data is encrypted using an Advanced Encryption Standard (AES) cipher algorithm with a 256-bit key (AES-256). Apps that are installed in the container must be wrapped first. Wrapping apps for use in Samsung KNOX devices is a two-part process. Samsung's web-based, automated app wrapping service unpacks an app's original Android application package (APK) file in order to extract the app certificate, then repackages the app with additional files to further secure it, and finally adds a new digital signature and KNOX container-specific certificate. Samsung also offers a quality assurance service. Wrapped apps are checked for device compatibility and basic function and are also inspected for malware or risk behaviors. Apps that pass the testing may be distributed and deployed through the Samsung KNOX App Store or enterprise app stores. These third-party and custom apps can be installed either by enterprise IT administrators via MDM or by the end user from the container app store.

The KNOX container has the following apps preinstalled: personal information manager (PIM), email, web browser, and device utilities. These are essentially the same apps with which consumer users of Samsung devices are already familiar, but the containerized versions enforce several use restrictions. For example, users cannot copy-and-paste text or images from the container into the personal space, nor can they access container data (i.e., browser bookmarks) from the personal space or move files from the container to the personal space. With KNOX, Samsung now supports more than 500 policies that IT administrators can use to configure devices through an MDM console. This is in addition to the almost 300 policy controls available through Samsung SAFE. All told, Samsung has exposed more than 1000 APIs, which can be leveraged through third-party MDM solutions. Samsung's current KNOX partners are: Centrify, AirWatch, SOTI, Fixmo, MobileIron, Famoc, and SAP.

[2] For additional detail, see https://www.nsslabs.com/reports/building-enterprise-ready-android-devices-0

Market Impact

While the Samsung approach to providing a secure workspace offers a more comprehensive solution than do the containerization features found in Apple's iOS 7, it also requires more from end users and thus has more impact on the user experience. For example, the Samsung approach requires the use of two versions of several core apps, including the native PIM. This may confuse some users. For example, the native calendar found on the personal side of the phone cannot view all events in the PIM on the container side of the device. KNOX is also a value-added feature, whereas the Apple container capabilities are standard features in iOS 7. Current KNOX pricing is per device, and licensing is available on a monthly (USD $3.60) or annual (USD $43.20) basis.

Clearly, enterprise requirements are being paid considerable attention by Samsung and Apple, the two largest mobile device manufacturers. It is also likely that other Android device OEMs will introduce enterprise-friendly features, particularly since Google has shown little interest in baking enterprise-specific features into the core Android kernel. Secure workspaces, enabled by container and app wrapping techniques, are emerging as viable solutions to the dual persona requirements of enterprises that are adapting to the world of consumerized IT. Enterprises should expect that both Apple and Samsung will continue to mature and extend their containerization capabilities, but on a refresh cycle that is considerably slower than third-party providers. Enterprises can find utility in the Apple and Samsung features today, but they should consider their ability to restrict device choice to one device vendor to fully exploit these solutions. It is expected that third-party vendors will continue to thrive in the secure workspace market for some time. Even as these vendors are pushed off the endpoint as more container features are baked into the devices, there will continue to be opportunity for managing heterogeneous device ecosystems from the server side.

Reading List

- Need for Data Isolation Drives Innovation. NSS Labs. https://www.nsslabs.com/reports/need-data-isolation-drives-innovation
- App Hardening to Protect Mobile Device Data. NSS Labs. https://www.nsslabs.com/reports/app-hardening-protect-mobile-device-data
- Building Enterprise-Ready Android Devices. NSS Labs. https://www.nsslabs.com/reports/building-enterprise-ready-android-devices-0

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

2014 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.