Using Containers to Secure Mobile Apps
BYOD presents sticky security problems. The “OD” stands for “own device,” but IT managers are more worried about “our data.”
When users bring their own devices to work, personal and enterprise data mix. Suddenly, no one is happy because remotely “wiping” a compromised device deletes budget information and graduation pictures. And a lost device lets the finder into Facebook and the staff directory.
One solution is containerization: creating barriers in the device that separate corporate data from private information. With containers, enterprise apps have their own encrypted storage, separating and securing organizational data from unauthorized users and other device apps. Mobile device management (MDM) tools that support containerization have made it a popular approach by combining the benefits of device management with improved security. Here are some tips to keep in mind to ease mobile container deployment.
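To make the container idea concrete, here is an added Python model written for this page (it is not code from any MDM product or from the article): corporate records live under a per-container key, personal files stay in the clear, and a remote "selective wipe" destroys only the key and the corporate records. The cipher is a deliberately simple HMAC-SHA256 counter-mode construction with encrypt-then-MAC, chosen so the example runs on a bare Python install; a real container would use AES-GCM or the platform keystore. All file names and contents are constructed sample data.

```python
"""Toy model of a BYOD container: corporate records are sealed under a
per-container key, personal data stays in plaintext, and a selective wipe
destroys only the key and the records (crypto-shredding).
Added illustration for this page, not MDM vendor code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the container key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode. Illustrative only: a production container
    # would use AES-GCM (or the platform keystore) from a vetted library.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record, laid out as nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong or wiped key fails closed."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record rejected: wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class Device:
    personal: Dict[str, bytes] = field(default_factory=dict)   # user's own files, plaintext
    container: Dict[str, bytes] = field(default_factory=dict)  # corporate records, ciphertext only
    container_key: Optional[bytes] = None                      # held by the container app

    def enroll(self) -> None:
        # MDM enrollment provisions a fresh key for the enterprise container.
        self.container_key = os.urandom(32)

    def put_corporate(self, name: str, data: bytes) -> None:
        if self.container_key is None:
            raise PermissionError("device not enrolled; no container")
        self.container[name] = seal(self.container_key, data)

    def get_corporate(self, name: str) -> bytes:
        if self.container_key is None:
            raise PermissionError("container wiped or not enrolled")
        return unseal(self.container_key, self.container[name])

    def selective_wipe(self) -> None:
        # Remote wipe of the container only: drop the key and the records,
        # leave the personal side of the device untouched.
        self.container_key = None
        self.container.clear()


def demo() -> dict:
    """Walk through enroll -> store -> wipe and report what survives."""
    dev = Device()
    dev.personal["graduation.jpg"] = b"<photo bytes>"          # constructed sample data
    dev.enroll()
    dev.put_corporate("budget.xlsx", b"FY budget: 1,200,000")  # constructed sample data
    stored = dev.container["budget.xlsx"]
    readable_before = dev.get_corporate("budget.xlsx")
    dev.selective_wipe()
    try:
        dev.get_corporate("budget.xlsx")
        readable_after = True
    except (PermissionError, KeyError):
        readable_after = False
    return {
        "plaintext_at_rest": b"FY budget" in stored,
        "readable_before_wipe": readable_before == b"FY budget: 1,200,000",
        "readable_after_wipe": readable_after,
        "personal_intact": dev.personal.get("graduation.jpg") == b"<photo bytes>",
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that a wipe is key destruction: once the container key is gone, every copy of the sealed records, including any that were backed up or copied elsewhere, becomes unreadable, while the personal files were never touched by the container in the first place.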
The percentage of BYOD programs that will fail by 2016 due to restrictive MDM policies
SOURCE: “Predicts 2014: Mobile and Wireless” (Gartner, January 2014)
Containerization requires containerized applications. Containers operate at the application level, meaning each application is containerized or it’s not. If you already develop your own applications and run your own app store, that’s fine because it’s easy either to “wrap” the application to create a container or to use your MDM vendor’s software development kit to make the application “container-aware.”
If you use off-the-shelf applications, such as customer relationship management or enterprise resource planning clients — or even cloud storage systems — things can get complicated because your application vendor has to offer a “containerized” version that you can put in your own enterprise app store. This means you need to start with a list of critical applications and work backward to find out whether containerization will work for you and which MDM vendors are supported.
Some applications are dual use. Either an application is containerized or it isn’t; you can’t have it both ways. This means that dual-use apps — those common to both enterprise and personal use, such as web browsers and email clients — may need special containerized versions to maintain data security.
MDM vendors offer different approaches. Some encourage duplication — namely, their own browsers and email clients running alongside the device’s native clients. Others prefer control measures, allowing data to mix in these tools (opening them to greater risk of loss or breach) while enforcing certain controls, such as requiring email attachments to be opened only in containerized, secured viewers. Of course, larger vendors will let you mix and match the two approaches as needed to fit your own security policy and risk tolerance.
Data in transit is as important as data at rest. Containerization is about keeping data secure once it’s on the mobile device. But moving data on and off the mobile device securely is also key.
Ensure BYOD users can get to agency applications only after they’ve brought up a valid virtual private network (VPN) tunnel and proved their identity. Allowing incoming connections only to the VPN system reduces the attack surface to a bare minimum and increases overall security without significantly affecting performance or connectivity. In some cases, MDM and containerization vendors have proprietary VPNs; in others, the standard enterprise VPN protects the connection.