10 essential questions to ask about mobile security and containerization

Mobile App Security through Containerization: 10 Essential Questions A Good Technology Whitepaper

Upload: themobilityhub

Post on 29-Nov-2014


DESCRIPTION

When it comes to Bring-Your-Own-Device (BYOD) environments, organizations are empowering workers to be as 'mobile' and productive as they can. Likewise, mobile devices present a unique dilemma to the enterprise as they represent increased security risks to the enterprise. Download "Mobile App Security through Containerization: 10 Essential Questions" to learn more about a new approach to securing enterprise mobile apps and the advantages of containerization.

TRANSCRIPT

Page 1: 10 Essential Questions to Ask about Mobile Security and Containerization

Mobile App Security through Containerization:

10 Essential Questions A Good Technology™ Whitepaper


Contents

Overview: Why Does Mobile Security Matter?

A New Strategy: Secure Your Enterprise Mobile Apps

Conclusion

About Good Technology™


Mobile App Security through Containerization: 10 Essential Questions | good.com | A Good Technology™ Whitepaper


Overview: Why Does Mobile Security Matter?

Mobile devices present a unique dilemma to the enterprise. On the one hand, workers empowered with tablets and smartphones can transform the way they do business; they’re more agile, closer to customers, and more productive. Bring Your Own Device (BYOD) programs give users the freedom to work on the devices of their own choosing, while still allowing an enterprise to reap the productivity benefits of these always connected, readily accessible mobile devices.

On the other hand, these ubiquitous mobile devices represent increased security risks to the enterprise, especially with BYOD. Sensitive corporate and customer data can be stored on mobile devices that can easily fall out of pockets or be left at airports. Well-intentioned employees use popular cloud-based file sharing apps to make themselves more efficient, unknowingly taking corporate data out of IT visibility and control. Malware can access all data on or going through the device. Disgruntled employees can make copies of sensitive data and use it for their own. Without a comprehensive, thoughtful approach to security, mobility brings danger.

Mobile Device Management (MDM), an initial approach to mobile security, enables IT with device-level controls, such as enforcing a device password policy or being able to remotely wipe the device. But MDM provides only part of the solution, as it isn’t appropriate in all circumstances. For example, contractors, resellers, and other business partners are typically not under IT control within an MDM paradigm. So IT can’t provide security controls on employee devices, even if Lines of Business distribute their own mobile apps. Another example where MDM wouldn’t work is for an enterprise’s board of directors, whose members often sit on the boards of multiple companies. The members of the board need secure access to multiple enterprises’ corporate data, but can’t install multiple MDM agents — that’s another limitation of MDM. Employees are also pushing back on IT taking complete control over their devices — after all, the important thing is to keep enterprise data secure, not to control the user’s personal data, such as MP3 playlists or pictures of their kids.

A New Strategy: Secure Your Enterprise Mobile Apps

Enterprises need a different approach to mobile security that works for all users — i.e., employees and non-employees — who need access to corporate data. A better, more encompassing, approach is one that provides finer-grained application-level controls, not just device-level controls. With this approach of securing enterprise apps, organizations can focus on protecting their data — arguably their most important asset — on any device, without being too intrusive. At the same time, users get a better on-device experience, since any security restrictions are only experienced when the user interacts with the enterprise’s apps. The approach of securing enterprise mobile apps to protect corporate data might appear straightforward, but there are many factors to be considered. At Good Technology™, we’ve worked closely with hundreds of enterprises that have implemented mobile security solutions to protect corporate data. Listed below are the highest priority requirements that these companies focus on as they build out their mobile app security strategies. As you build out your own strategy, you should evaluate the importance of these requirements.


1. Can enterprise apps and data be segregated from personal apps and data?

Given the prevalence of BYOD, there must be a way to securely separate corporate data on any device — whether it’s user owned or corporate liable. One approach — that has become the prevailing approach, recommended by industry analysts and gaining acceptance at many companies — is to use app containerization technology that provides each managed app, and its data, with its own secure runtime container. To be effective, app containerization must use a strong encryption algorithm that is separate from native device encryption, with the containerized apps secured by a strong password policy. The isolation provided by containerization reduces the chance of malware infection or privilege escalation from a malicious app on the device.

Containerization, typically delivered via a mobile app security platform, causes an app to transform in multiple ways: the app data is encrypted and segregated from all other apps; native OS runtime system calls are replaced with equivalent secure versions; and unique security functionalities — such as secure shared services and app-to-app secure workflows — become possible. Because of the containerization delivered by the mobile app security platform, an enterprise suddenly has all kinds of security controls over the app, and how it can or cannot interact with other apps in a combined workflow.

Containerized apps can coexist right alongside personal apps on the mobile device, but each containerized app’s data stays in its own container, and any connection to another containerized app or a corporate server is secured. True containerization is on an app-by-app basis, and shouldn’t be confused with virtualization, a less effective technique that creates a single shared environment for managed applications, and may not be supported by popular mobile devices or operating systems.

2. Is the user experience preserved?

Before diving into technology, it’s important to step back and consider the user, the most integral part of the system we’re securing. It’s not enough to simply secure mobile apps; the user experience must be preserved as well. Otherwise, users will inevitably undermine security by trying to work around cumbersome implementations and the enterprise will not gain the benefits of mobilizing its worker base.

Both containerization and virtualization — creating a separate, secure environment on the device — can keep data secure. But considering the user experience makes a powerful case for containerization, rather than virtualization. With containerization, the core look and feel of a user’s device stays the same; it’s just that certain applications are secured. Virtualization, on the other hand, requires that users do a hard cutover to a separate environment to use enterprise apps, which breaks the experience that end-users expect from their devices. This will reduce adoption, at best, and may even encourage users to try to work around the officially sanctioned solutions. Sometimes, the word “containerization” is casually applied to virtualization, so be sure to check whether a solution uses per-app containers, or an unwieldy shared virtual environment.


3. Are containerized ISV apps readily available?

Enterprises shouldn’t have to build all the mobile apps they need just to be secure. So one approach to mobile app security is to take advantage of a community of independent software vendors (ISVs) who are developing containerized enterprise-ready apps that share a common mobile app security platform. Commercial off-the-shelf apps provide functionality at a fraction of the cost and time required for custom development. Of course, when considering these ISV apps, it is important that the security certification for these apps is serious, not just a checkbox. For example, some questions that need to be answered are: Do the ISVs get help from the vendor when testing their software? Do the solutions use FIPS 140-2 certified cryptography for data at rest on the device? Can these ISV apps securely communicate with other apps built on the vendor’s mobile app security platform? How do they securely communicate to behind-the-firewall application servers?

4. Can custom-built enterprise apps be containerized?

There will be many cases where there is a need to build apps to meet specific business requirements. That’s where custom app development comes in. Those apps could be built in-house or outsourced to a 3rd party developer, but should use a common mobile app security platform — ideally the same one that is being used by ISVs who are building enterprise-ready apps that address the more general use cases. Enterprises that are building custom enterprise apps and incorporating mobile app security into those apps use two approaches:

• App wrapping. For rapid time-to-value, organizations can choose to simply wrap their applications with the platform-provided security functionality without having to do any additional development work.

• Code integration. For advanced functionality that is not possible via app wrapping (e.g., secure inter-application communication, etc.), developers can use the API calls and software libraries in a Software Development Kit (SDK) to incorporate capabilities of the mobile app security platform into their apps.

5. Can containerized apps securely connect to the enterprise?

Unnecessary inbound connections to enterprise servers and controllers increase risk and complexity. A better option is for these containerized apps to make a persistent connection to a secure network infrastructure, which relays encrypted traffic. This works best when a proxy server inside the firewall concentrates traffic to and from enterprise servers and controllers on a shared, secure link. As a result, data moving in and out of the mobile app is always encrypted. An added benefit is the ability to securely push data to the device, such as a policy update or a notification, without requiring the device to accept a connection from a server.

Sharing a persistent secured connection is much more scalable and supportable than having each container on a mobile device open a VPN connection into the enterprise. While VPNs are a common approach to secure access, they’re far from ideal. VPN access is a significant driver of service desk incidents; many companies have reliability and supportability issues with VPN. Further, when multiple mobile devices per user and multiple containers per mobile device connect to the network, it can require costly VPN client access license purchases, hardware upgrades, and network usage. Lastly, app-specific VPNs require that ports be dedicated to each connecting app, creating a change management nightmare. And, of course, the more ports IT is forced to open on the firewall, the greater the increase in security risks.


6. Will IT be able to centrally manage security policies for all containerized apps?

A very basic requirement is that enterprise IT administrators should have a single user interface for managing policies and security for all mobile apps. While there will be general security policies that can be implemented for all apps — such as data loss prevention, ensuring password strength, frequency of password updates, etc. — there will also be cases where app developers will create policy controls that are unique to their apps. For example, your organization might outsource the development of a mobile HR app that provides more functionality to a manager-level employee user than to an individual contributor-level employee user. App developers should be able to take advantage of the centralized policy control user interface to enable, customize, or lock down app functionality for specific groups and individuals.

As you build out the mobile app security strategy, consider solutions that provide the flexibility of managing these app-specific policies from the same interface that is used for all the other security policies. If each mobile application has its own control interface, this will increase administration complexity exponentially, making it more likely that IT admins will make mistakes. Separate control interfaces will also increase management costs and compliance burdens.

7. Can containerized apps be distributed to any device?

Enterprises need a scalable way for all their users to easily find and download the containerized apps that are relevant to the user’s role, while still providing IT with the necessary security controls. This disqualifies consumer app stores. However, the user experience matters here as well, so choose a distribution mechanism that mirrors the experience provided by a consumer app store. An enterprise app store is a viable option that is of interest to many companies, because it enables them to service the needs of both employees and non-employees.

Enterprise app stores allow for the distribution of both apps curated from a public app store, as well as an enterprise’s secured apps, and provide that consumer-level experience that users have come to expect – e.g., browse, ratings & reviews, etc. At the same time, an enterprise app store provides the controls that IT needs – e.g., requiring authentication into the store, controlling app visibility based on a user’s role, etc.

8. Is there a need for secure app-to-app collaborative workflows?

A well-designed mobile app is typically built to solve a very specific problem, very unlike the behemoth general-purpose desktop apps. It stands to reason that constellations of mobile apps that interoperate seamlessly are more powerful. But they need to be able to work together only with explicit permissions, and without the risk of data loss, which is often the result of commingling corporate and personal data. So, your mobile app security strategy must also account for a way to allow these apps to send encrypted information between each other in collaborative workflows. By collaborative, we mean the ability to both view and edit this encrypted data, typically documents, within these containerized apps — the way many companies use their containerized apps. The mobile app security platform used to segregate business apps should provide IT with the ability to control data sharing capabilities, such as copy and paste, between containerized apps through a secured path, so data never leaves a secured state.

Workflows aren’t only about sharing documents but also about the ability to invoke other apps with the requisite parameters or about discovering and using services published by other apps. Just as web services have created new ways of combining functionality from multiple systems into a whole that’s more powerful than the sum of its parts, so too will secure enterprise app workflows unleash new possibilities for mobile workers. Secure apps that provide specific services can even register themselves for dynamic discovery. This future-proofs your mobile app security strategy: as new custom or secure ISV applications provide enhancements, they can be dynamically plugged in to the mobile ecosystem.


9. Can users authenticate once across all containerized apps?

It’s a given that multiple enterprise-ready apps will be made available to users. But requiring users to enter login credentials for each app is a no-no, especially if you consider enterprise IT typically requires strong passwords that can be a challenge to type on a small glass screen. Single sign-on for the containerized apps is a must have to preserve the user experience and to ensure usage of the apps. IT should be able to designate that if a user authenticates successfully to one app, that app will delegate the user’s authentication to other containerized apps. That user will then not be required to authenticate into any of the enterprise’s other mobile apps on that device. Again, app-level control is the central requirement.

10. Is your app development platform native or hybrid?

Today most mobile apps are native, i.e. developed for use on a particular mobile OS platform such as Apple® iOS or Google® Android™. Native apps can take advantage of OS features, such as GPS, typically available on the mobile. However, industry analysts predict that the app development platform of the future is hybrid HTML5, which allows enterprises to harness much of the power of the underlying mobile OS platform without requiring the specialized development expertise needed for native app development or the investment required to support multiple native code bases. To prevent your organization from being locked into any app development platform, make sure to choose a mobile app security platform that supports equivalent containerization for either native or hybrid app development.

Conclusion

Enterprises must secure mobile apps and the data they use. Device-level security isn’t enough, especially with BYOD. The approach to security must be comprehensive, and it should be based on an end-to-end strategy that has accounted for the above requirements. By doing so, the enterprise will have a comprehensive mobile app security experience that can keep corporate data secure and prevent data loss. Accounting for the user experience, which permits the user’s device to operate just as it always did, along with advanced features such as single sign-on across apps and secure app-to-app workflows, allows the organization to accelerate the business transformation possible with mobility.


About Good Technology™

Mobility is here, and business is changing. Your employees need to be productive on devices they bring from home. And you need to provision, monitor, and secure the mobile apps and services that allow them to collaborate anytime, anywhere. It’s how people work now.

Good Technology™ is transforming how mobile work gets done, through secure app-to-app workflows that include integrated email, communications, document management, business intelligence, social business, wireless printing, and more. We also offer complete enterprise mobility management solutions, including device, app, data, and service management; as well as analytics and reporting. We complete our stack with professional services that include mobile deployment rollouts, BYO onboarding constructs, and platform transition consulting. Only Good™ offers a complete mobile solution that puts IT back in control.

All of Good Technology’s secure solutions work to keep employees productive and corporate and personal data secure, and accessible. Established in 1996 and headquartered in Sunnyvale, California, Good Technology’s services are used by 3,800+ major organizations worldwide, including nearly half of the Fortune® 100. Good Technology™ has partnerships with industry leaders including Apple®, Google®, LG®, HTC®, Microsoft®, Nokia® and leading systems integrators.

Want to know more? Visit good.com.


©2013 Good Technology Corporation and its related entities. All use is subject to license terms posted at www.good.com/legal. All rights reserved. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR ENTERPRISE, GOOD DYNAMICS are trademarks of Good Technology Corporation and its related entities. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. Good’s technology and products are protected by issued and pending U.S. and foreign patents. iPad and iPhone are trademarks of Apple Inc., registered in the U.S. and other countries. Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions.

Global Headquarters: +1 408 212 7500 (main), +1 866 7 BE GOOD (sales)

EMEA Headquarters: +44 (0) 20 7845 5300

Asia/Pacific Headquarters: +1 300 BE GOOD

good.com