How Security Containers Protect Mobile Data
Smartphones and tablets go missing all the time. More often than not, those devices contain a treasure trove of sensitive corporate information.
When workers lose devices, can the IT department be confident that organizational data will remain safe? And when people leave the company, can IT administrators successfully remove enterprise data from personally owned devices?
Security containers promise to provide businesses with this peace of mind. Containerization isolates corporate data from other components of a mobile device, effectively putting a bubble around it. The system strictly controls the use and dissemination of sensitive data and enforces strong security measures to protect it. Container systems typically support the major mobile operating systems and can be deployed on both enterprise and personal devices.
How Containers Work
Most secure container systems are simply mobile apps that can be added through the standard OS-based app installation processes. Opening the container launches a virtual environment from which users can access corporate email, calendaring and other business applications. Administrators control the applications that appear within the container and typically configure the container’s appearance through an administrative console.
All of the interaction between users and corporate applications takes place within the container and its encrypted data store. Mobile apps that reside outside the container cannot access the data store. For example, a user wouldn’t be able to cut and paste information from an email received in the container to an email being composed through the device’s native email client.
In this way, container products provide businesses with a secure way to enable remote access to enterprise data without putting the data at risk.
The Benefits of Containing with Containers
The primary benefit of container products is that they enable the separation of business and personal use of smartphones and tablets in a secure fashion, particularly for bring-your-own-device (BYOD) initiatives.
Security administrators can prevent personal applications from accessing corporate data, and users can be confident that the organization won’t access the personal information that they store on the device outside of the container.
Container products provide this separation and protection using four critical security controls:
Two-factor authentication: When a user attempts to access a container, the container software may require that he or she authenticate in some manner. This is completely independent of the device’s authentication settings. In the simplest case, the process requires the user to provide a passcode or authenticate with a corporate account password.
Some systems provide more complex authentication capabilities, including integration with an organization’s multifactor authentication system. Two-factor authentication guards against unauthorized users who might find or steal the device. It also prevents employees who leave the organization from accessing the data. Once their enterprise accounts are terminated, they can no longer access the container.
Encryption: The use of encryption to build the secure container ensures the data can’t be accessed from outside the container. Most container products use the Advanced Encryption Standard, which is mandated for use in federal government applications.
Remote wipe: While many mobile device management products offer remote wipe capability, container-based products allow this remote wipe to be highly targeted. Individuals who have left a company would certainly object if IT managers attempted to remote wipe all content on their personal devices.
Container solutions allow administrators to remove only that information stored within the container itself, leaving personal data and applications untouched. Remote wiping may also be triggered by policy-based conditions, such as exceeding a specified number of unsuccessful login attempts.
Data leakage protection: Containerization allows organizations to retain control over their data by strictly limiting the flow of information into and out of the container. Administrators may create policies that limit the use of cut-and-paste functionality as well as the use of external applications to view and edit enterprise data.
The Impact of Containers on Native Apps
A primary drawback to container products is that they often prohibit or restrict the use of the native applications included with the mobile OS. In many cases, users choose their mobile device based upon their comfort level with those applications, and they may be reluctant to use the container-based alternatives. Users often perceive these non-native apps to be clunky or out of date, lacking the familiar features to which they’ve grown accustomed.
For this reason, the IT department must gain user acceptance for a container solution before rolling it out.
One way to achieve this is to involve users in the product selection process. There are a wide variety of container products on the market. Test several using different cross-sections of the user community. Allow users to try the applications and provide feedback. Explain to users the security benefits of containerization and how the container provides personal privacy benefits as well.
The mobile container market is fairly new, but growing rapidly. Products available from cellular carriers and third-party makers offer a wide range of capabilities. This is a good time for IT managers to evaluate the marketplace and determine whether container technology has a role in their enterprise security toolkit.
To support bring-your-own-device initiatives that involve a variety of devices, container products typically support several major mobile operating systems. Nearly every product supports Apple iOS and Google Android, and some support less common OSs such as Windows Phone and BlackBerry. It’s incumbent upon administrators choosing a container product to ensure that it works on the range of mobile devices used throughout the organization.
In addition to ensuring that the container solution is compatible with all of the device types supported by the company, take the time to confirm the availability of containerized applications that meet the company’s business requirements. For example, a sales force must be able to use the container to interact with the customer relationship management system. Similarly, IT workers will need access to an incident management system.
Although there are a limited number of containerized applications available for most platforms, the saving grace is that many of these enterprise tools offer web interfaces that can be accessed through a containerized browser.