Technical Brief: Containerization approaches for mobile security

Digital containers for valuable assets

Mobile devices now carry increasing amounts of corporate data in email, documents and apps. We are used to keeping valuable physical items under lock and key, but what approaches can be used to contain digital valuables? Three approaches to containerization are described below.

App level containerization

A security layer is added to the app as part of Mobile Application Management (MAM), which provides an encrypted storage area partitioned from the rest of the app memory. The security layer also enables a central server to implement security policies such as:

- Disabling cut-copy-paste
- Forcing communication only over secure https / secured Wi-Fi networks
- Geo-fencing to disable app usage outside corporate locations
- Time / date restrictions on usage of the app
- Application timeout and data fading: the user is logged out after a period of inactivity, and if the app is not launched for a set period of time its data is automatically removed
- Disabling app install / launch on jailbroken or rooted devices, which carry a higher risk of malware
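As an added illustration (example code, not Kony's or any vendor's implementation), the following Python sketch evaluates the policy types listed above against a snapshot of what the security layer observes on the device and returns the enforcement actions the container should take. The policy field names, action names, site coordinates and timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Policy:  # per-app rules pushed by the MAM server; field names are illustrative
    allow_clipboard: bool = False
    require_tls: bool = True
    trusted_ssids: frozenset = frozenset()
    fences: tuple = ()                      # (lat, lon, radius_m) of corporate sites
    allowed_hours: tuple = (8, 18)          # local wall-clock window, end exclusive
    idle_timeout: timedelta = timedelta(minutes=15)
    fade_after: timedelta = timedelta(days=14)
    block_jailbroken: bool = True

def inside_fence(lat, lon, fence):          # haversine distance vs. fence radius
    flat, flon, radius = fence
    dlat, dlon = radians(flat - lat), radians(flon - lon)
    a = sin(dlat / 2) ** 2 + cos(radians(lat)) * cos(radians(flat)) * sin(dlon / 2) ** 2
    return 6_371_000 * 2 * asin(sqrt(a)) <= radius

def evaluate(policy, ctx):
    """ctx: what the security layer observes on the device (times as ISO strings).
    Returns the enforcement actions the container must apply, most severe first."""
    now = datetime.fromisoformat(ctx["now"])
    if policy.block_jailbroken and ctx["jailbroken"]:
        return ["block_launch"]             # rooted device: refuse to run at all
    if now - datetime.fromisoformat(ctx["last_launch"]) > policy.fade_after:
        return ["wipe_container"]           # data fading: stale container is erased
    actions = []
    if policy.fences and not any(inside_fence(ctx["lat"], ctx["lon"], f) for f in policy.fences):
        actions.append("deny_geofence")
    if not policy.allowed_hours[0] <= now.hour < policy.allowed_hours[1]:
        actions.append("deny_schedule")
    if now - datetime.fromisoformat(ctx["last_activity"]) > policy.idle_timeout:
        actions.append("logout_idle")
    if policy.require_tls and (ctx["scheme"] != "https" or ctx["ssid"] not in policy.trusted_ssids):
        actions.append("deny_network")
    if not policy.allow_clipboard:
        actions.append("disable_clipboard") # cut-copy-paste stays off in the container
    return actions

# Constructed sample: one corporate site and a compliant device snapshot.
CORP_POLICY = Policy(trusted_ssids=frozenset({"corp-wifi"}), fences=((51.5007, -0.1246, 200),))
COMPLIANT = {"now": "2013-06-12T10:00:00", "lat": 51.5010, "lon": -0.1240, "ssid": "corp-wifi",
             "scheme": "https", "last_activity": "2013-06-12T09:55:00",
             "last_launch": "2013-06-10T09:00:00", "jailbroken": False}
if __name__ == "__main__":
    print(evaluate(CORP_POLICY, COMPLIANT))                          # ['disable_clipboard']
    print(evaluate(CORP_POLICY, {**COMPLIANT, "jailbroken": True}))  # ['block_launch']
```

The two early returns model the page's ordering of severity: a rooted device or a faded container overrides every softer restriction, while the remaining checks accumulate so the server can report each violation separately.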
"A mobile compliance policy isn't useful unless it can be effectively enforced." Kony EMM

Further, the app can be disabled if the device is deemed lost or in the hands of a malicious owner, rendering its data locked forever. Most importantly, security policies can be set granularly for each app, giving fine control to administrators without affecting the user's data in any way.

[Figure: MAM architecture. Labels: MAM server (LDAP authentication; enterprise app store; policies: cut-copy-paste, geo-fencing, more; reporting; policy violation actions: data wipe); downloads into the MAM container of enterprise apps on the user's device, beside the user's own data / apps; LDAP server.]

MAM solutions also provide an enterprise app store with the ability to distribute public or private apps to employees based on their group / level access permissions, using corporate Active Directory (LDAP) integration. The app store can also be integrated with Apple's Volume Purchase Program, allowing administrators to keep track of corporate licenses for paid applications. Some MAM solutions include single sign-on, which makes secure app access easier for employees. Finally, reporting and rule-based actions on policy violations give full control to administrators.

Device level containerization

The device itself can be wrapped in a management layer which lets a central administrator monitor and control the device. Common features of Mobile Device Management (MDM) solutions include:

- Setting passcode requirements
- Pushing public and private apps to the device
- Updating device Wi-Fi / VPN profiles
- Restricting access to corporate data if the device is jailbroken or rooted
- Restricting installation of listed apps on the device
- Tracking the device and wiping the business data off the device if it is lost or stolen
- Self-serve enrollment with corporate Active Directory / LDAP integration

MDM solutions may or may not include secure email via a proprietary email app. Advanced MDM solutions also create a secure container for corporate data, providing the ability to selectively wipe only business data, thus leaving user data intact. This provides greater assurance to employees signing up for a BYOD program. The secure data container can also be used to provide a secure file-sharing mechanism with restrictions and policies for editing, forwarding or copying a particular document. Note that most MDM solutions don't provide the ability to manage app security at a fine-grained level, even if some of them do include a basic enterprise app store for app distribution.

OS level containerization

In this upcoming approach, two OS instances run on the same device. One OS partition is used for business access and the other for personal use. While the business OS partition still requires the regular security protocols, the main benefit is that user-space malware can't get into the business OS, and the personal / business data split is kept sacrosanct. The two OSes can run in parallel, or one can host the other in a virtual configuration.
As this requires considerably higher processing power and battery life than currently available, this approach will take some more time to mature and become popular, but it's worth keeping an eye on.

Conclusion

Device management is the most popular containerization approach at present, but the fine-grained control of app management is rapidly becoming the method of choice for enterprise mobility management. Look for solutions that integrate both MAM and MDM features to give you the best of both, such as Kony's Enterprise Mobility Manager. OS virtualization is yet to mature given its high-end hardware requirements, but it bears watching over the next few years.
About Kony, Inc.

Kony is the fastest growing cloud-based mobile application development platform (MADP) in the industry, with over 600 live multi-channel apps, serving over 20 million end users across 45 countries, and generating over 1 billion sessions. The Kony Experience Platform is an integrated software development lifecycle (SDLC) platform to define, design, develop, test, deploy, and manage multi-channel applications from a single code base. With Kony, you can deliver stunning user-first experiences, get to market faster, and lower your application TCO. Kony also offers a suite of more than 33 ready-to-run B2E and B2C apps that enable customers to quickly extend their business. For more information, please visit www.kony.com and connect with Kony on Twitter, Facebook, and LinkedIn.

© 2013 Kony Solutions, Inc. All rights reserved.