Emerging containerization technologies create a separate, protected work
zone on an employee’s personal smartphone.
Anthony Perkins wants employees at BNY Mellon to bring their
personal smartphones to work and use them, instead of company-provided BlackBerries,
to access email, apps and business data.
But there is an obstacle: not all employees are comfortable
with the idea of having their personal phones locked down and strictly monitored like
the BlackBerries that Perkins wants to gradually phase out. That is where
‘containerization’ comes in.
The BYOD (Bring Your Own Device) program is a good thing, according to
Perkins, CIO for BNY Mellon's Wealth Management business. It reduces the time and
cost involved in maintaining and controlling company-owned BlackBerries. “We
prefer managing software, not hardware. In the RIM world, you have to manage the
hardware,” he says, referring to BlackBerry maker RIM (Research In Motion).
On the downside, most existing mobile devices are
developed for the consumer market, and third-party management tools don’t offer
the same level of control over user devices that RIM has over BlackBerries. RIM
designed and controlled the structure of the BlackBerry client and reacted quickly to
business customers’ demands.
Because business apps and data are often mixed with the user’s
personal information, mobile device management (MDM) tools are often strict
when it comes to managing business resources on users’ phones. Usage policies are
commonly applied to the whole device, including both personal and work
apps and data. Users may not be ready to give up control of their personal
phones in exchange for the privilege of using them for work.
To overcome such user resistance, Perkins is moving to
containerization, an emerging class of management technology that creates a
separate encrypted area on the user’s smartphone in which some business apps and
data can reside. Under such an arrangement, policy controls apply only to what
is inside the container instead of to the whole device.
Containerization tools are complementary to MDM software,
and more and more MDM providers are incorporating containerization functions.
Although these policies do a good job of guarding corporate data, they do
not necessarily prevent personal information from being lost in a wipe performed by the IT
department if the phone is lost or stolen. Some IT firms realize that some
users may not know how to back up personal data and apps properly and are
helping them configure backup systems.
Ryan Terry, division CIO and chief security officer at
University Hospitals Health System in Shaker Heights, Ohio, has turned to containerization
technology because he sees using conventional MDM tools to take full control of the
device as a liability issue. The hospital needs apps or data to be delivered securely
to clinicians without interfering with users’ access to their own apps and
personal data. “We can’t remove everything of an individual’s or impede their
ability to use their own assets,” he says.
Alex John, assistant director of technology at West Virginia
University, is similarly cautious. “I don’t want my people to make personal
settings that could return to haunt us,” such as accidental deletions or
configuration changes that affect the way a user’s personal apps run, he
says.
For companies in highly regulated industries, which need strong
security policies and face mandates that must be strictly followed, containerization
can be useful in making BYOD acceptable to users, IT leaders say.
Choose your own container
Basically, providers offer three different approaches to
containerization: creating an encrypted space, or folder, into which apps and data
can be placed; creating an app wrapper that forms a secure bubble around
each corporate app and its associated data; and using hypervisors, which create an
entire virtual phone on the user’s device that is dedicated to work.
All of these solutions provide stricter control over apps
and data on the user’s device than any standard solution for existing smartphones. And
with containerization, users are not limited to the list of
smartphones that have been tested and approved by the IT department, because corporate
apps and data lie inside a secure, encrypted shell.
However, the need to switch back and forth between corporate and
personal environments can be seen as inconvenient, affecting
overall user satisfaction, according to Gartner analyst Phillip Redman.
Either Apple or Google offers containerization, and there was
no comment for this story, but each company points to some useful resources.
Encrypted folders
Redman explains that the most mature containerization approach uses a
container based on an encrypted folder. AirWatch has something like that, and
Good Technology is a leading vendor selling to businesses that have adopted
containerization across the enterprise, especially in regulated industries.
For simple mobile access, BNY Mellon uses Good for
Enterprise to create an encrypted space on the smartphone within which users can run
Good’s email and calendar clients and use a secure browser. “It is a secure
container with an app that can send and receive encrypted corporate emails,”
Perkins explains. All communications are routed through Good’s
network operations center, which authenticates mobile users.
Good offered basic email and calendar tools several years
ago. By the end of last year, it had added the ability for other apps to run within
its secure space using the Good Dynamics Platform, but each app must be modified
to run in Good’s proprietary environment. So far, nearly a dozen commercial
apps are available, including QuickOffice, which is often used to read and edit downloaded
Microsoft Office attachments.
Perkins is using Good only for email and calendar, the “killer apps”
for most employees, he says, and accesses local browser-based apps
through Good’s browser.
For users needing full access to the corporate network, SharePoint
and other services, BNY Mellon uses Fiberlink’s MaaS360, a cloud-based MDM
system that can take full control of the user’s device. MaaS360 keeps track of what
is written to and from the OS, and it blocks access to some personal apps, such as
Yahoo! Mail and Gmail, when the device is accessing corporate resources.
“When it’s on our network, we own and control it,” Perkins
says. When the device is used in personal mode, users control which apps
they can use.
In addition, BNY Mellon can wipe lost or stolen devices, including all apps
and personal data, though MaaS360 and most other major
MDM tools allow for selective wipe. Citing security concerns, Perkins declines
to say how many times his company has had to wipe phones.
By contrast, only the corporate container is removed from
lost or stolen devices that have just email and calendar access via Good’s technology.