G00247134

Technology Overview of Mobile Application Containers for Enterprise Data Management and Security

Published: 24 January 2013
Analyst(s): Phillip Redman

As mobile device and network technologies advance, users need access to more complex data, often on devices the enterprise doesn't own. IT and network leaders must understand how containerization now supports the advanced security and management of enterprise and third-party applications and data.

Key Findings

■ With support for new platforms and apps, containers are an emerging technology that can support managing and securing enterprise data on mobile devices with a closed (proprietary) file system.
■ Organizations can choose from various containers and container technologies, based on which mobile OS platform can be supported and which technology works best for them. Companies should make these decisions based on their required security levels and other policies.
■ The mobile container market is still emerging, with no standards or definitive technology leader. The technology is important because the architecture of proprietary mobile device file systems prohibits a single app from controlling systemwide management and security functions.
■ Virtual containers are new, and are not often sold independently from desktop virtualization systems.

Recommendations

■ Assess the use of containers for sensitive enterprise data and content supported on mobile devices, and create use cases based on employee profiles.
■ Develop user and data requirements before implementing containers, even though many policies can be supported, and assess your strategies for desktop and mobile virtualization when considering a mobile virtual container.
■ Assess the technical, financial and organizational viability of any container company, because this is still an emerging technology.
■ Test the impact of dual-persona-style container uses on the user experience.

Table of Contents

Strategic Planning Assumption
What You Need to Know
Analysis
    Technology Description
    Technology Definition
    Operating Requirements
    Uses
    Selection Guidelines
    Technology Providers
Recommended Reading

List of Tables

Table 1. Example Policies That Can Be Enforced by Mobile Containers
Table 2. Major Container Vendors and the Features They Support

Strategic Planning Assumption

By 2017, 70% of enterprises will support at least two different types of containers from the same provider.

What You Need to Know

As smartphones and tablets become predominant and as network speeds keep increasing from kilobits to megabits per second, users can access more complex data beyond email. Enterprises want solutions to manage and maintain the security of enterprise data on their users' devices, both trusted and untrusted. Enterprises should assess their mobile strategies, and should include the emerging capability of containerization to support the advanced security and management of enterprise and third-party applications and the data they contain on non-Windows x86 mobile platforms.
Analysis

As mobile devices and network technologies advance, users need access to more complex data beyond just email. Enterprises seek solutions to manage and secure enterprise data on their users' devices. This often occurs as a result of the bring your own device (BYOD) trend, in which the enterprise does not own the devices. Containerization, a still-emerging capability, is now able to support the advanced security and management of enterprise and third-party applications and the data they contain. This report covers the container strategy for closed file system devices, which include iOS, Android, Windows Phone 8 and Windows RT.

Technology Description

Today's mobile platforms consist of two basic file system philosophies: open file systems (Windows on x86) and closed file systems (iOS, Android, Windows Phone 8, BlackBerry 10 and Windows RT). Closed file systems do not permit applications to write to files owned by other applications. Any application that intends to manage or back up the entire device image violates the closed architecture. Because traditional PC management tools cannot be used on closed architectures, two types of solutions have emerged to provide management of these platforms: policy managers (mobile device management [MDM]) and containers. MDM constrains user actions and enforces corporate policies. Containers go deeper, adding policies specifically to enterprise and third-party applications. They also can create a separate workspace for enterprise data, often referred to as a second or dual persona.

Mobile containerization is the ability to partition, manage and secure data locally or virtually on a mobile device. Any application can be containerized, and a secure workspace can be designed for enterprise use, following corporate policies administered by a management tool.

Although the primary goal is to prevent enterprise data loss on mobile devices, containers also can improve efficiency and operations for mobile users through increased management and remote support. Container app policies are still emerging, but various options are available, from applying the same policy to every app to giving each app its own policy. Allowing apps to communicate with each other for single sign-on or data sharing is also becoming available. Some containers will eventually allow telecom service providers to split their billing between personal and business usage. Container policies vary by type of container and vendor. Table 1 shows an extensive list of policies that can be enforced by mobile containers.
Table 1. Example Policies That Can Be Enforced by Mobile Containers

Authentication:
  User-based; maximum failed passwords; password strength; lock time; single sign-on

Network Permissions:
  Virtual private network (VPN) policies; secure tunneling (no VPN); allow network communications from device; force all HTTP communications to HTTPS; specify domains; apply Wi-Fi access rule; geofencing

Data Storage:
  External secure SD card (read); external secure SD card (write)

Data Policies:
  Cut, copy and paste restrictions, including sharing documents via email or social network; wipe (full and selective); data edit; attachment opening; encryption level; display of personal data in business mode; screen shot prevention; time-based delete

Application Feature:
  Application idle timeout (minutes); application expiry date (MM/DD/YYYY); restrict application usage to business hours; restrict application usage during business off days; application compliance; home screen policies; app management; Internet site blocking/filtering; home page management; email policies; blocking by device compliance rules; inactivity timeout; app policy updates; time-based delete

Phone Feature:
  Allow SMS usage within the application (allowed phone numbers); allow email usage within the application (allowed email IDs); allow phone dialing (allowed phone numbers); allow camera access within the application; number ID restrictions

Source: Gartner (January 2013)
Technology Definition

There isn't just one technology to consider when it comes to mobile containers. From an app development perspective, there are three main types of mobile container technologies:

■ Application-Neutral (also known as application wrapping) — This adds policy outside the application logic. Code is added to an application binary to allow the enforcement and management of mobile policies. The code is injected by running the app through a software tool that automatically encapsulates the binary and applies the policy. This takes a very short time, usually less than two minutes. Policies may be controlled dynamically, usually through communication with a central server that is part of an MDM tool. If apps are not connected to the network, their policies are fixed and can't be changed or updated until they reconnect.

■ Application-Specific — Either a purpose-built container application that hosts the data, or a software development kit (SDK) that loads policies within the application logic by building proprietary APIs into a native application, allowing the enforcement and management of mobile policies. The policies are then managed by an administrative tool, which usually is part of the MDM system.

■ Virtual — This technology has three different types. The first is based on desktop virtualization, and extends a similar virtual ability onto mobile devices. The second and third use Type 1 and Type 2 hypervisors to support containers (see "An Update on Mobile Virtualization and Trusted Environments"):

  ■ Mobile Virtual Desktop Infrastructure (VDI)/Hybrid Mobile VDI — Similar to server-hosted desktop virtualization, this supports virtualization on mobile devices where the application runs and data is stored remotely on a server, not the endpoint. A hybrid (online and offline content) VDI system allows offline content to be stored in a secure container on the device.

  ■ Hypervisor Type 1 — The ability to run a virtual machine (VM) on a mobile device, where the hypervisor runs directly on the host's hardware and can run multiple OSs simultaneously. Type 1 hypervisors must be installed by the device manufacturer, and have limited availability across mobile device platforms. Because few device models ship with Type 1 hypervisors, and because most industries don't need this level of security, the technology is not covered in detail in this research. The policies supported would be the same, although the separation between the two phone systems adds a layer of protection.

  ■ Hypervisor Type 2 — The ability to run a VM on a mobile device, where the hypervisor runs on top of the host OS; this is more of a software VM. Depending on the OS version, type and vendor, a Type 2 hypervisor may be installed after a device has shipped, which makes the technology much easier to adopt on mobile devices.
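Whether policy is wrapped into the binary or compiled in through an SDK, the code that ends up on the device has to evaluate Table 1-style rules locally and, when the app is offline, keep enforcing the last policy it received. The following Python sketch is an added example written for this page, not code from the Gartner report or from any vendor listed in it. The JSON layout, the class names (Policy, ContainerState) and the sample policy document are assumptions chosen for illustration; only the policy names (maximum failed passwords, lock time, idle timeout, expiry date, business hours, copy/paste and screen shot restrictions, selective wipe) come from Table 1.

```python
import json
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

# Constructed sample policy, shaped as a management server might push it (layout assumed).
SAMPLE_POLICY_JSON = """{
  "version": 7,
  "authentication": {"max_failed_passwords": 5, "lock_time_minutes": 15},
  "application": {"idle_timeout_minutes": 10, "expiry_date": "2013-06-30",
                  "business_hours": {"start": "08:00", "end": "18:00"},
                  "business_days": [0, 1, 2, 3, 4]},
  "data": {"allow_copy_paste": false, "allow_screenshot": false}
}"""


@dataclass(frozen=True)
class Policy:
    """One parsed policy version; hypothetical class, fields named after Table 1 rows."""
    version: int
    max_failed_passwords: int
    lock_minutes: int
    idle_timeout_minutes: int
    expiry_date: date
    business_start: time
    business_end: time
    business_days: frozenset
    allow_copy_paste: bool
    allow_screenshot: bool

    @classmethod
    def from_json(cls, text: str) -> "Policy":
        d = json.loads(text)
        auth, app, data = d["authentication"], d["application"], d["data"]
        return cls(
            version=d["version"],
            max_failed_passwords=auth["max_failed_passwords"],
            lock_minutes=auth["lock_time_minutes"],
            idle_timeout_minutes=app["idle_timeout_minutes"],
            expiry_date=date.fromisoformat(app["expiry_date"]),
            business_start=time.fromisoformat(app["business_hours"]["start"]),
            business_end=time.fromisoformat(app["business_hours"]["end"]),
            business_days=frozenset(app["business_days"]),
            allow_copy_paste=data["allow_copy_paste"],
            allow_screenshot=data["allow_screenshot"],
        )


@dataclass
class ContainerState:
    """Runtime state the wrapped-in or compiled-in policy layer keeps on the device."""
    policy: Policy
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    wiped: bool = False

    def sync_policy(self, server_json: Optional[str]) -> int:
        """Adopt a newer policy when online; offline (None) the cached one stays in force."""
        if server_json is not None:
            new = Policy.from_json(server_json)
            if new.version > self.policy.version:
                self.policy = new
        return self.policy.version

    def authenticate(self, password_ok: bool, now: datetime) -> str:
        """Authentication column: maximum failed passwords and lock time."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if password_ok:
            self.failed_attempts = 0
            self.last_activity = now
            return "granted"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_failed_passwords:
            self.failed_attempts = 0
            self.locked_until = now + timedelta(minutes=self.policy.lock_minutes)
            return "locked"
        return "denied"

    def check_access(self, now: datetime) -> str:
        """Application column: expiry (time-based delete), idle timeout, business hours/days."""
        p = self.policy
        if self.wiped or now.date() > p.expiry_date:
            self.wiped = True  # selective wipe: container data only, personal data untouched
            return "wiped"
        idle = timedelta(minutes=p.idle_timeout_minutes)
        if self.last_activity is None or now - self.last_activity > idle:
            self.last_activity = None  # force re-authentication
            return "auth_required"
        in_hours = p.business_start <= now.time() < p.business_end
        if now.weekday() not in p.business_days or not in_hours:
            return "outside_business_hours"
        self.last_activity = now
        return "allowed"

    def allow_action(self, action: str) -> bool:
        """Data policies column: cut/copy/paste and screen shot restrictions; default deny."""
        table = {"copy_paste": self.policy.allow_copy_paste,
                 "screenshot": self.policy.allow_screenshot}
        return table.get(action, False)
```

Nothing enforced on the device depends on the network in this model: sync_policy(None) simply keeps the last policy, so going offline loosens nothing, and the expiry date and idle timeout still fire from the device clock. What offline mode costs the administrator is the ability to push a change, which is exactly the limitation described for application-neutral containers above. The example does not verify the device clock or protect the cached policy at rest; a product would need both.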
Operating Requirements

The challenge with any applications or services on mobile devices is that there is no standard. There are numerous platforms (mobile OSs), each with its own capabilities for supporting applications and enforcing policies around them. Some OS providers, such as Apple and Microsoft, limit what can be supported by policy, and don't always offer the strongest solutions for the enterprise, their reasoning being to offer the best consumer experience. For example, iOS restrictions on background processing (multitasking) prohibit real-time agents and third-party applications that need to run continuously. This makes it impossible to enforce policy in the background on iOS devices. Apple also does not allow native applications to run inside other native applications. Rather than containing multiple applications in a single location, each iOS app must have its own rules built in. Thus, the dual persona, the ability to have two distinct workspaces, one for personal and one for business use, is not available on iOS products. However, Web-based apps can run inside a container app on iOS, which is one way to design a dual-persona capability. As a result, containers can work on iOS devices, but separate workspaces are not yet possible.

These issues are the antithesis of Android-based devices, which allow multitasking and dual personas. However, there are still many different versions of the Android OS, and versions below 4.0 generally have their own security and capability limitations in policy enforcement and native encryption availability. Gartner recommends restricting enterprise mobile devices to Android 4.0 and above for container options.

Research In Motion (RIM) will support its own container on BlackBerry 10 devices in 2013, updating its BlackBerry Balance capabilities. Since Windows Phone 8 was recently launched, only mobile VDI containers are currently supported, with other container types to follow later in 2013.

Mobile hypervisors also have limitations based on the OS. Apple does not allow hypervisors on its mobile devices, so this container technology is not available on iOS. Gartner does not see this changing in the immediate planning horizon. However, hypervisors are available for Android. Type 2 hypervisors will eventually work on most Android devices running version 4.0 or greater without the device manufacturer building them in before shipment; they can be added later if needed. However, specific OS kernel modes must be present (see "An Update on Mobile Virtualization and Trusted Environments").

Uses

Companies, regardless of industry, should assess the use of containers as part of their mobile data management and security strategies. Although over 80% of companies actively managing devices do not use a container technology, containers will become particularly important when extending into more complex enterprise data stores, such as SharePoint or other file systems. Companies should gain control over where their data sits, especially data from email attachments. Any company supporting enterprise email with sensitive data should use containers to prevent accidental data loss. However, this means companies can't use the native email application on iOS, because Apple does not allow the deep policy integration that companies need to secure email. Enterprises should enforce the use of secure email on mobile devices, but should allow the use of the native email application for personal usage. Containers for iOS can support the separation of data by application (through wrapping or an SDK), but cannot support a separate workspace or dual persona, both of which Android devices can support.

The idea of dual-persona systems, where all enterprise content is separated from personal content, is becoming possible on Android devices. Gartner recommends the use of dual-persona systems to separate enterprise data from personal data, and to enable more secure and easier management. Although the user experience can suffer under a dual persona, it gives IT the best management and security.

Selection Guidelines

Companies can choose from different container technologies; the devices the company can support, the level of security it requires and the policies it needs to enforce will all guide product selection. Because companies are expected to support a variety of devices, Gartner predicts that 70% of enterprises will support at least two different types of containers from the same provider by 2017. Some container products also support multiple types of containers, to provide the widest capability. For example, virtual containers often include neutral or specific apps for offline access to data.

Application-neutral technologies, which implement policies outside the application logic, have an advantage over application-specific technologies, which implement policies within the application logic. Application-neutral technologies can be implemented quickly, offer dynamic policies, work on most mobile platforms, work on enterprise and third-party apps, and can alter policies by application depending on security and other requirements. Application-specific containers also work across platforms and varied policies, but are best used when the application is being developed. Existing applications will need recompiling, and perhaps even rewriting.
Third-party application providers would be responsible for application-specific container support. This causes delays, and limits the number of apps that can be supported. Enterprises can directly license with third-party app providers and wrap the apps themselves. Enterprises that need both third-party and their own apps managed should choose an application-neutral technology for containers, as this offers the greatest flexibility. However, enterprises should be aware of the restrictions of wrapping third-party apps, and should follow the legal guidelines set by app developers and stores. Companies with a virtual desktop strategy should assess emerging mobile VDI vendors. Although VDI typically is limited to online access only, these vendors understand that mobile users won't always be within network range, and that they will need access to view and alter content. Many vendors are looking at a hybrid virtual initiative that enables offline access, using the native wrapped applications in a secure container the VDI uses. This became available when Citrix Systems launched its CloudGateway 2 server in 2012, although the number of apps supported by mobile VDI is limited, including those by third-party providers. With any container, an administration tool is needed to implement and manage the related policy, even if it is only for the business information on a partitioned device. This can be done by a specific Gartner, Inc. | G00247134 Page 7 of 12
  8. 8. tool as part of the container product, or often as part of an MDM system (MDM can only support the containers it provides). Container technologies will increasingly become a standard part of MDM products, which will offer a more integrated approach to managing enterprise applications and content. MDM products will merge with PC management tools, mobile device OSs, security products and application development products. Because of this trend, it is important to consider all separate container products as tactical investments that will likely need to be retired in two to three years. Technology Providers Containerization technology comes from numerous providers in and outside the mobile space. MDM vendors are one of the most prominent providers of container technology, as many of these vendors are looking to expand beyond simple policy management to provide deeper support of application and content management and security. MDM providers will have the most likelihood of success in promoting containerization technologies, as wide-scale adoption of MDM continues, and since containerization is a natural complement to MDM. However, organizations still need to set and manage a container policy, one that fits well within the MDM providers' administrative tool. A subset of MDM is mobile application management (MAM). These providers, some of which also offer mobile application development platforms (MADPs), provide limited MDM functionality with their containerization technology, and are being subsumed by MDM and other providers (see "Hype Cycle for Wireless Devices, Software and Services, 2012" and "Vendor Groups Step Up Differentiation in Mobile Application Management"). Other technology providers entering the mobile market are those that offer desktop virtualization. Since many users are replacing their PCs with mobile devices, it's only natural that these companies extend their capabilities to mobile devices. 
Although these products are the newest on the market, many having emerged only in the past 12 months or not yet generally available, the opportunity is strong for these vendors, because in the past they have worked on enabling any data on any platform (PC or Mac). They also have created strong clients that are easily managed on devices, and have proprietary protocols to reduce latency and increase performance on a wireless network. These vendors will face the key challenge of optimizing desktop applications for performance on mobile devices. Table 2 lists most major container vendors and the features they support.
Table 2. Major Container Vendors and the Features They Support

| Vendor | Primary Vendor Category | Product Name | Container Type(s) Supported | Provides Email/Personal Information Management (PIM) Container | Dual-Persona Support* | Dynamic Policy Change | Secure Data Sharing** |
|---|---|---|---|---|---|---|---|
| AirWatch | MDM | Application Wrapper as part of MDM version 6.3 | App-specific, App-neutral | Yes: TouchDown | Yes | Yes | Yes for proprietary apps, no for third party on device |
| AppSense | MAM | DataNow | App-specific | No | Yes | No | Yes |
| Bitzer Mobile | MAM | Bitzer Enterprise Application Mobility (BEAM) | App-neutral | Yes | Yes | No | No |
| Cellrox | Virtualization | ThinVisor | Virtual | No | Yes | Yes | Yes |
| Citrix | Virtualization | MDX Interapp for CloudGateway version 2.5 | Virtual/hybrid | Yes | Yes | Yes | Yes |
| Enterproid | MAM | Divide | App-specific, App-neutral | Yes | Yes | Yes | Yes |
| Fixmo | Security | SafeZone Workspace Edition | App-specific | No | Yes | Yes | Yes |
| Framehawk | Virtualization | Framehawk Platform | Virtual | Yes | No | NA | No |
| Globo | MAM | GO!Enterprise Mobile Client | App-specific | Yes | No | Yes | Yes |
| Good Technology | MDM | Good Dynamics AppGuardian | App-specific, App-neutral | Yes | Yes | Yes | Yes |
| Kony | MADP | Kony Mobile Application Management library version 1.0 | App-neutral | No | No | Yes | Yes |
| McAfee | Security | McAfee Secure Container | App-specific | No | Yes | Yes | No |
| MobileIron | MDM | AppConnect | App-specific, App-neutral | Yes: TouchDown | Yes | Yes | Yes |
| MobileOps | MAM | AppVisor | App-neutral | No | No | Yes | Yes |
| MobileSpaces | MAM | Workspace version 1 | Virtual/hybrid | Yes | Yes | NA | Yes |
| Mocana | MAM | Mobile App Protection (MAP) | App-neutral | No | No | No | Android only |
| OpenPeak | MDM | Advanced Device and Application Manager (ADAM) Sector | App-neutral | Yes | Yes | Yes | Yes |
| Symantec | Security | AppCenter version 4.0 | App-neutral | No | No | Yes | No |
| Thales | MAM | Teopad | App-specific | Yes | Yes | Yes |  |
| TouchDown | MAM | TouchDown | App-specific | Yes | Yes | Yes | Yes |
| VMware | Virtualization | VMware Horizon Mobile | App-neutral, Virtual | Yes | Yes | Yes | Yes |
| Zenprise | MDM | Zensuite | App-neutral | No | Yes | Yes | No |

* Android only.
** Within the container or wrapped apps.

Source: Gartner (January 2013)
Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Using Managed Information Containers to Protect Information on Mobile Devices"
"An Update on Mobile Virtualization and Trusted Environments"
"An Overview of Workspace Aggregators"
"Vendor Groups Step Up Differentiation in Mobile Application Management"

Evidence

The product information for this research was gathered directly from each vendor.
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates.