For the past year, many mobile device management software companies and some handset/tablet makers have been touting their ability to separate business data from personal data on smartphones and encrypt it, protecting corporate information if the device is lost or stolen.
But a new report from Gartner says the effectiveness of these so-called container solutions depends on how they’re used. In particular, author and analyst Eric Maiwald says that, when managed properly, containers provide a good level of control “if the risk to the enterprise of unauthorized disclosure is low to medium.”
The strength of the protection depends on the operating system, he says.
In a blow to BYOD policies, he says that if the loss or theft of the mobile device poses a high risk to the enterprise, then employee-owned devices can’t be used.
For the best mobile protection, enterprise-owned devices that are heavily managed – meaning limited applications allowed, limited browsing and tight policy controls including strong authentication for accessing corporate data – have to be the rule.
“While containers provide security, they often do so at the cost of user experience and, therefore, are not appropriate for all users, use cases and devices,” he adds. Application user interfaces are often different for the protected workspace than the native app, which doesn’t appeal to employees.
As a result, enterprises should consider present container solutions as stop-gap or tactical rather than long-term solutions.
Arguably the best known of what he calls managed information container solutions is one of the first to market, BlackBerry Balance for BlackBerry devices, which needs BES 10. (A similar BES 10 capability for Android and iOS devices is called Secure Workspace.) But the report says Apple’s iOS and Android devices now have base functionality at least.
In addition to BlackBerry Balance, Samsung has begun adding container capability to some of its Android-powered Galaxy devices that use a technology it calls Knox. Third-party MDM providers like AirWatch (just bought by VMware), MobileIron, Fiberlink (about to be bought by IBM) and Good Technology offer containers, as do vendors such as SAP (through its Afaria MDM solution), Citrix (through XenMobile), Oracle (by buying Bitzer Mobile), Symantec (through its Mobile Management Suite) and VMware. The recently released iOS 7 includes policies allowing IT greater control over managed applications. However, Maiwald says iOS 7 is not a replacement for managed information containers if the enterprise needs to manage medium risks.
Containers create a space on the mobile device that is controlled by the enterprise. Base protection covers email, calendar and contacts, as well as a secure browser. For control, IT administrators have the power to force users to authenticate before accessing the container, to encrypt data in the container, to control copy and paste functions on the device, and to remotely wipe the device.
However, Maiwald notes that if the enterprise allows weak passwords or PINs, the power of encryption is defeated. Look for MDM software that forces users to create strong passwords.
The ability to remotely wipe the device is good, but it can be defeated if the SIM card is removed or the device is in airplane mode. Another concern is the user jailbreaking or rooting the device’s operating system. While all container products attempt to check the integrity of the OS, some don’t divulge exactly how they do it, which Maiwald says “doesn’t improve confidence.”