Securing Mobile App Data - Comparing Containers and App Wrappers



White Paper

Who should read this paper

This white paper introduces partners and end users to key technologies and technical concepts related to Enterprise Mobility Management. For organizations exploring solutions beyond device management, for more granular control of data and applications on mobile devices, it explains the differences between the main containerization approaches.

Contents

Securing Mobile App Data: Insights into App Containers
Physical Containers
Virtual Containers
Per-App Containers
SDK versus App Wrapping
App Wrapping with Symantec Mobile Application Management
Securing and Simplifying Seamless BYOD

Securing Mobile App Data: Insights into App Containers

The realities of BYOD create significant challenges when it comes to securing the corporate data residing on your users' mobile devices. Mobile users want to use the latest technology with easy access to their apps and data. Regardless of the OS, make and model of their mobile devices, they want an easy transition between their personal mobile lives and their corporate mobile lives. With corporate apps and personal apps co-existing on their devices, how do you make sure there is no unapproved mingling of corporate data between those apps? How do you keep that corporate app data secure?

While Mobile Device Management (MDM) is a critical component of a mobile security strategy, it is not sufficient when it comes to securing app data. Analysts agree that to secure corporate app data on your users' mobile devices, you need to employ a Mobile Application Management (MAM) strategy. MAM is all about creating secure divisions between mobile users' personal apps and corporate apps. It encompasses the development, deployment, and management of mobile apps in a secure manner.

A central aspect of a MAM strategy is creating distinct lines of separation on users' mobile devices between their personal apps and corporate apps. This has come to be known as containerization: securing corporate apps and their associated data within digital containers that govern app behavior and prevent unwanted interaction with personal apps.

With the rising number of container offerings, it can be difficult to understand the differences between the various solutions and figure out which one might best address your needs. Depending on who you talk to, a container could be a workspace, hub, stack, JVM, wrapper, portal, sandbox, shell, partition, mode, app store, persona, or some other term to describe what a container is or should be.

In order to make an informed decision on a container strategy, you need a bit of clarity regarding your container options. While some crossover exists between categories, with subtle differences between solutions within each category, at a high level containers typically fall into one of the following three categories:

- Physical containers
- Virtual containers
- Per-app containers

Physical Containers

Physical containers work at the chipset or kernel level of a mobile device to separate corporate apps and their data from a user's personal apps. In essence, they create hardware-level segmentation between a mobile user's corporate environment and personal environment. Usually this means establishing, from the kernel up, a complete and separate OS stack in which corporate apps reside and operate. This OS stack is completely distinct from the mobile device's normal OS stack, where the user's regular apps reside. A key security aspect of physical containers is that the OS stack typically has to leverage processor-specific capabilities. Even though some vendors that fall into this category actually refer to their solutions as virtual containers, it is this reliance on physical chipset features, as well as hardware-level encryption, that places them in the physical container category.

One of the biggest benefits offered by physical containers is the top-to-bottom isolation they offer between the corporate OS stack and the device's normal OS stack, ensuring that no interaction can occur between corporate and personal apps. However, this stack-level isolation also creates one of the major drawbacks inherent to physical container solutions: disruption of the user experience. Whenever users are in the mobile device's normal OS stack, they have to exit it and enter the corporate OS stack any time they want to use a corporate app. When they want to use a personal app, they have to reverse the process. The constant switching between physical containers not only creates a user inconvenience, but over an extended period of time it can cut significantly into user productivity.

Another major benefit provided by physical container MAM solutions is that they are typically delivered on devices with certified hardware-grade security. Additionally, the OS stack for the corporate-level apps has been hardened with security checks at every level of the stack. However, the hardware-specific nature of physical container offerings also creates major disadvantages for organizations considering this type of solution. The foremost of these is that physical container solutions are inherently not BYOD friendly. They are currently only available on Android devices, from only a few device manufacturers and only on a limited number of device models. Any organization that employs and administers a MAM strategy incorporating a physical container solution, but still wants to support BYOD, will have to employ and administer an additional MAM strategy that accommodates iOS and Windows Mobile devices, as well as the majority of Android devices that have been designed and manufactured without physical container capabilities.

The difficulty and added work that third-party and internal software developers have to undergo to develop apps that support a physical container model creates another challenge for organizations considering adopting this model. This difficulty results in a limited number of corporate apps that organizations can choose from to provision to their mobile users.

[Figure: Application Containerization Models]

Virtual Containers

Virtual containers segment corporate apps within an encrypted workspace inside the operating system. This can be compared to a single sandbox or Java Virtual Machine (JVM) with multiple apps running inside it. Since there is no physical separation between the apps on the inside and those on the outside, the same operating system and kernel control the operations and interactions of all the apps on the mobile device, regardless of whether those apps reside inside or outside of the virtual container. Even though all apps on the device share the same operating system kernel, the virtual container employs policies to govern what types of interactions may occur among apps inside the virtual container. This is one of the main security benefits provided by virtual containers: all interactions between corporate apps in the container stay within the container. Likewise, all of the data associated with the virtual container's apps remains secure within the confines of the virtual sandbox.

However, a downside of virtual container offerings is that they assume all apps deployed within the container will be well-behaved. The policies that govern virtual container interactions typically lack fine-grained controls that would allow administrators to govern behavior on a per-app basis. Rather, policies are typically applied equally to all apps within the container. As a result, the container as a whole can become compromised if a malicious app is unknowingly deployed within it. Policies also govern if and how interactions may occur between apps on the inside and outside of the container. Any communications that extend beyond the borders of the virtual container, such as network communication, must rely on the security of the kernel.

In terms of the user experience, similar to physical containers, virtual containers create a separate location for accessing corporate apps. Some view this as a benefit, since they can go to one place to find all of their corporate apps. However, many view this as a disruption to the user experience, since users have to continually enter and exit the virtual container to switch between their personal and corporate apps.

Compared to physical container offerings, virtual container solutions are generally more BYOD friendly. The degree of actual BYOD support will vary between vendors. Virtual container solutions require third-party and internal software developers to develop or modify their apps to support a vendor-specific container environment. As a result, virtual container solutions often offer organizations a very limited selection of apps that can be made available to their mobile users. Additionally, virtual container strategies can require significant administration effort to support and manage.

Per-App Containers

As the name implies, per-app container offerings create a self-contained sandbox to secure each individual app and its data. This application-level segmentation provides security benefits similar to those of both virtual and physical containers, but through its more granular approach it offers administrators greater flexibility in how apps are secured, while presenting users a more seamless experience.

Under the per-app container model, policies still govern interaction between contained apps and non-contained apps, but the model doesn't force a one-size-fits-all policy implementation. Administrators can configure general policies that apply to all apps, specific policies for individual apps, or a combination of both. For example, a general policy might prevent any copying and pasting between any apps, while allowing certain contained apps to share documents with each other and preventing other contained apps from sharing. Administrators can also granularly control the directional flow of data for each app, such as inbound and outbound communications. Per-app container solutions often provide granular control over interaction with non-contained apps. Organizations can choose to allow no interaction between contained apps and non-contained apps, or decide that certain contained apps can have limited interaction with non-contained apps.

Additionally, since each contained app's data is individually encrypted and secured by policy, it remains protected if a malicious app happens to infect the mobile device. While per-app contained apps do rely on the operating system kernel to handle these interactions, the individual containers don't trust the kernel with their encryption keys. The combination of per-app policy governance and application-level encryption gives organizations the added level of security they need to keep their corporate apps and data safe.

As another major benefit, of all the different container models, the per-app container model offers the most seamless and user-friendly experience. Since users enjoy the same native app experience they are accustomed to, they generally require no training or learning curve. While vendor implementations differ, users typically don't have to constantly enter and exit contained and non-contained environments to switch between personal apps and corporate apps.
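The per-app policy model described above, as an added example that is not Symantec's code or any product's implementation: a small policy engine in which a general policy supplies the defaults for every contained app and per-app overrides refine them per data-flow channel and per direction. Every flow is evaluated at both ends, so the sender's outbound rule and the receiver's inbound rule must both agree, which is what makes directional control and "limited interaction with non-contained apps" expressible. The app names, the two channels, and the rule layout are assumptions made for this illustration.

```python
"""Per-app container policy engine (constructed example, not Symantec's code).

A general policy sets the defaults for every contained app; per-app overrides
narrow or widen them per data-flow channel and per direction. App names,
channel names and the rule layout are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

CHANNELS = ("copy_paste", "open_in")       # data-flow channels the policy governs
# Override key: (direction seen from the contained app, channel, peer kind).
# direction is "outbound" or "inbound"; peer kind is "contained" or "uncontained".
RuleKey = Tuple[str, str, str]


@dataclass
class GeneralPolicy:
    """Defaults for every contained app, keyed by (channel, peer kind)."""
    defaults: Dict[Tuple[str, str], bool] = field(default_factory=lambda: {
        ("copy_paste", "contained"): False,    # no copy/paste between any apps
        ("copy_paste", "uncontained"): False,
        ("open_in", "contained"): True,        # contained apps may share documents
        ("open_in", "uncontained"): False,     # ...but not with personal apps
    })


@dataclass
class AppPolicy:
    """Per-app overrides; anything unspecified inherits from GeneralPolicy."""
    overrides: Dict[RuleKey, bool] = field(default_factory=dict)
    # Optional explicit allow-list of contained peers per (direction, channel);
    # when present it replaces the general/override answer for contained peers.
    peers: Dict[Tuple[str, str], FrozenSet[str]] = field(default_factory=dict)


def _side_allows(policy: Optional[AppPolicy], direction: str, channel: str,
                 peer: str, peer_contained: bool, general: GeneralPolicy) -> bool:
    """Evaluate one end of a flow against that end's own rules."""
    if policy is None:            # a personal app carries no container policy;
        return True               # the contained end of the flow decides
    allow_list = policy.peers.get((direction, channel))
    if allow_list is not None and peer_contained:
        return peer in allow_list
    kind = "contained" if peer_contained else "uncontained"
    override = policy.overrides.get((direction, channel, kind))
    if override is not None:
        return override
    return general.defaults[(channel, kind)]


def allowed(src: str, dst: str, channel: str,
            general: GeneralPolicy, apps: Dict[str, AppPolicy]) -> bool:
    """True if data may flow src -> dst over channel. Both ends must agree: the
    flow is denied if either the sender's outbound rule or the receiver's
    inbound rule denies it."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel {channel!r}")
    src_p, dst_p = apps.get(src), apps.get(dst)
    if src_p is None and dst_p is None:
        return True               # two personal apps: outside the container's scope
    return (_side_allows(src_p, "outbound", channel, dst, dst_p is not None, general)
            and _side_allows(dst_p, "inbound", channel, src, src_p is not None, general))


# Constructed deployment: four contained corporate apps, everything else personal.
GENERAL = GeneralPolicy()
APPS = {
    # mail may hand documents only to the docs app
    "corp-mail": AppPolicy(peers={("outbound", "open_in"): frozenset({"corp-docs"})}),
    "corp-docs": AppPolicy(),
    # CRM data never leaves the app, and nothing may be pushed into it
    "corp-crm": AppPolicy(overrides={
        ("outbound", "open_in", "contained"): False,
        ("inbound", "open_in", "contained"): False,
    }),
    # browser may hand a link out to personal apps, but accepts nothing from them
    "corp-browser": AppPolicy(overrides={("outbound", "open_in", "uncontained"): True}),
}


def decide(src: str, dst: str, channel: str) -> bool:
    """Evaluate a flow against the constructed deployment above."""
    return allowed(src, dst, channel, GENERAL, APPS)


if __name__ == "__main__":
    for case in [("corp-mail", "corp-docs", "open_in"),
                 ("corp-mail", "corp-crm", "open_in"),
                 ("corp-docs", "corp-crm", "open_in"),
                 ("corp-browser", "personal-notes", "open_in"),
                 ("personal-notes", "corp-browser", "open_in")]:
        print(case, "ALLOW" if decide(*case) else "DENY")
```

Two design points are worth noting. An explicit peer allow-list wins over both the override and the general default, so a narrowly scoped sharing relationship (mail to docs only) does not need the general open-in default turned off. And because the receiver's inbound rule is consulted independently of the sender's outbound rule, a contained app can be opened up in one direction only: the browser above may hand a link to a personal app, but a personal app still cannot push anything into it.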

Users can easily see and access all the apps they are authorized to use, whether they are personal or corporate apps. Depending on the specific product offering, corporate and personal apps might be located in separate views or mingled within the same view. Some per-app container solutions even provide single sign-on, which makes the secure transition from a non-contained app to a contained app even easier. In spite of the easy access and transition to the contained apps, the individually encrypted container encompassing each app ensures its protection.

Two main methods exist for implementing per-app containerization: the SDK method or app wrapping. The vendor's chosen implementation method will determine in large part the amount of effort required by app developers and IT administrators to support a mobile strategy that takes advantage of the per-app container model.

SDK versus App Wrapping

A vendor that employs an SDK method to containerize individual apps requires app developers to modify or recompile their existing code according to specifications in a vendor-specific SDK in order to support the vendor's unique offering. For third-party software developers this often means creating and maintaining multiple versions of the same app to support multiple vendor solutions. When OS updates occur, developers might also have to update each of those different versions of their app to remain operative. Due to the requirements and effort involved in supporting a per-app container implementation via an SDK, some software vendors will choose to support only a few such offerings, or none at all, limiting the app choices available to an organization. Similarly, for any internally developed apps, the organization will have to expend development resources to alter its app code to comply with the vendor's specifications.

Conversely, app wrapping methodologies do not require any changes to the app's code. Third-party or internal developers simply upload the app to an online tool provided by the vendor, and in minutes they have a secure app wrapped in its own individual container.

One benefit of the SDK method is that it gives software developers the added option of using custom components or methods prescribed in the SDK for securing the app. This flexibility can help developers in both their development and testing efforts. Still, the proper employment of the methods and calls specified in the SDK assumes a certain level of expertise from the developer. Improper or incomplete application of the security measures provided by the SDK can leave an app vulnerable. With an app wrapping offering, there is a greater guarantee that encryption and security measures will be applied to all apps as expected.

App Wrapping with Symantec Mobile Application Management

Symantec Mobile Application Management utilizes app wrapping to provide a secure separation of corporate and personal data on users' mobile devices. In addition to wrapping a layer of security and per-app policy management around corporate apps without requiring source code changes, Application Management offers a number of benefits beyond those provided by both SDK and other app wrapping solutions.

Application Management provides tamper proofing for the policies on every wrapped app, to prevent unauthorized modifications to app policies and make sure only entitled users can access a device's corporate apps. Every time an app is updated or a new version installed, Application Management verifies the legitimacy of the policy. If it detects that a policy has been wrongfully altered, the app won't launch. Additionally, all third-party apps that go through the Symantec Sealed Program's certification process are tamper-proofed as well. Each sealed app is fingerprinted with a hash code, and each time an app is launched, the app's fingerprint hash code is verified. If it doesn't match, the solution knows the app has been tampered with and won't load it.
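The launch-time checks just described, as an added example that is not Symantec's code and does not describe how Symantec's product is built: the management side fingerprints an app build with a hash, binds that fingerprint into the policy, and integrity-protects the policy; on every launch the wrapper verifies the policy tag, re-hashes the app against the bound fingerprint, and runs the device compliance checks the next section describes (MDM compliance, jailbreak or root status), represented here as constructed callbacks. It also shows a dynamic policy refresh that refuses an altered or replayed older policy. The policy layout, the key handling, the check names and the sample bundle bytes are all assumptions. HMAC keeps the example standard-library only; a real deployment would sign policy with a private key held by the management server and ship only the public key in the wrapper, so that an attacker on a rooted device cannot mint a policy of his own.

```python
"""Wrapped-app launch gate (constructed example, not Symantec's code).

Policy layout, key handling, check names and sample data are assumptions.
HMAC is used so the example runs with the standard library only; a real
deployment signs with a server-held private key and ships only the public key.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Tuple

SERVER_KEY = b"constructed-demo-key-not-for-production"   # assumption


def fingerprint(app_bundle: bytes) -> str:
    """Sealing step: the hash that identifies the exact app build."""
    return hashlib.sha256(app_bundle).hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so the tag covers exactly the same bytes on both sides."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_policy(app_bundle: bytes, version: int, settings: Dict[str, object],
                 key: bytes = SERVER_KEY) -> bytes:
    """Server side: bind settings to the app fingerprint and a version, then tag."""
    body = {"version": version, "app_fingerprint": fingerprint(app_bundle),
            "settings": settings}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}, sort_keys=True).encode()


def verify_policy(blob: bytes, key: bytes = SERVER_KEY) -> dict:
    """Device side: return the policy body if its tag verifies, else raise."""
    doc = json.loads(blob)
    expected = hmac.new(key, _canonical(doc["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("policy tag mismatch: policy was altered")
    return doc["body"]


def launch_check(app_bundle: bytes, policy_blob: bytes,
                 compliance_checks: Dict[str, Callable[[], bool]],
                 key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Gate run on every launch: policy integrity, app fingerprint, compliance."""
    try:
        policy = verify_policy(policy_blob, key)
    except (ValueError, KeyError) as exc:        # JSONDecodeError is a ValueError
        return False, f"policy rejected: {exc}"
    # The reference hash lives inside the tagged policy, so whoever patched the
    # binary cannot simply recompute and replace a hash stored beside it.
    if not hmac.compare_digest(policy["app_fingerprint"], fingerprint(app_bundle)):
        return False, "app fingerprint mismatch: app binary was tampered with"
    for name, check in compliance_checks.items():
        if not check():
            return False, f"compliance check failed: {name}"
    return True, f"launch permitted under policy v{policy['version']}"


def refresh_policy(current: bytes, candidate: bytes,
                   key: bytes = SERVER_KEY) -> Tuple[bytes, str]:
    """Dynamic update at check-in: adopt the candidate only if it verifies, targets
    the same app build and is newer, so a replayed old policy cannot roll back
    a control that was tightened since."""
    cur = verify_policy(current, key)
    try:
        cand = verify_policy(candidate, key)
    except (ValueError, KeyError) as exc:
        return current, f"refused: {exc}"
    if cand["app_fingerprint"] != cur["app_fingerprint"]:
        return current, "refused: policy is for a different app build"
    if cand["version"] <= cur["version"]:
        return current, "refused: policy is not newer than the installed one"
    return candidate, f"updated to policy v{cand['version']}"


# Constructed sample data standing in for a real bundle, policies and checks.
APP_V1 = b"\x7fELF corp-mail build 1 (stand-in for the wrapped app bundle)"
POLICY_V1 = issue_policy(APP_V1, 1, {"copy_paste": False, "offline_access": True})
POLICY_V2 = issue_policy(APP_V1, 2, {"copy_paste": False, "offline_access": False})
CHECKS_OK = {"mdm_enrolled": lambda: True, "not_jailbroken": lambda: True}
CHECKS_ROOTED = {"mdm_enrolled": lambda: True, "not_jailbroken": lambda: False}


def tampered(blob: bytes) -> bytes:
    """What a local attacker might try: flip a setting without re-tagging."""
    doc = json.loads(blob)
    doc["body"]["settings"]["copy_paste"] = True
    return json.dumps(doc, sort_keys=True).encode()


if __name__ == "__main__":
    print(launch_check(APP_V1, POLICY_V1, CHECKS_OK))
    print(launch_check(APP_V1, tampered(POLICY_V1), CHECKS_OK))
    print(launch_check(APP_V1 + b"patched", POLICY_V1, CHECKS_OK))
    print(launch_check(APP_V1, POLICY_V1, CHECKS_ROOTED))
    print(refresh_policy(POLICY_V2, POLICY_V1)[1])
```

The ordering inside launch_check is deliberate: the policy is verified before the fingerprint is trusted, because the fingerprint is only meaningful as part of an integrity-protected document, and the compliance checks run last so that an app with a forged policy or a patched binary is refused regardless of what the device reports about itself.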

The granular per-app policy controls and protection provided by Symantec include user authentication, document sharing, copy/paste controls, offline access, control over local data storage and encryption, AirDrop and AirPrint blocking, secure app connectivity and SSL connection certificate management, centralized policy management, and more.

Symantec Mobility: Application Management provides dynamic policy updates. If an administrator modifies the policy for a certain corporate app, the app does not have to be rewrapped, and the user does not have to re-download it. Whenever the app launches, it automatically checks in with the organization's App Center server for updates and applies any policy changes.

In addition to tamper proofing and per-app policy protection, Symantec gives organizations the ability to have a series of compliance checks execute every time an app attempts to launch. For example, it can check whether the mobile device is MDM compliant, or verify that the device hasn't been jailbroken or rooted. If any of the specified compliance checks fail, the corporate app won't launch.

Symantec also gives organizations the added ability to encrypt the bundle information of their internally developed corporate apps. This includes encryption of in-transit and at-rest data, as well as resource, graphics and other collateral data required by the app.

Securing and Simplifying Seamless BYOD

Encrypted segmentation, or containerization, of users' corporate apps from their personal apps has proven to be the preferred strategy among analysts and organizations for securing corporate apps and associated data on corporate users' mobile devices. Still, organizations have a variety of app container models and solutions to choose from when it comes down to actual implementation.
Taking advantage of a per-app container model that employs app wrapping enables organizations to secure, simplify and facilitate a user-friendly BYOD strategy, while providing a seamless user experience, reduced development and administration effort, and comprehensive, fine-grained policy controls for each individual corporate app.

About Symantec

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses, and governments seeking the freedom to unlock the opportunities technology brings anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company operating one of the largest global data-intelligence networks, has provided leading security, backup, and availability solutions for where vital information is stored, accessed, and shared. The company's more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more go to www.symantec.com or connect with Symantec at: go.symantec.com/socialmedia.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 7/2014 21333969