- No silver bullets for mobile application controls
- No single metric for success
Galen Gruman had an interesting article in InfoWorld last week, “Virtualization No Silver Bullet for Macs or Mobile,” that got me thinking. While the article is chiefly about virtualization on non-Windows PCs and laptops, it does make some important points about what is needed (and not needed) on mobile devices. To cut to the chase, what is needed is data/application partitioning. That is not news, of course, but the more interesting question Gruman tackled is whether virtualization is the way to achieve partitioning of personal and corporate data and applications on mobile devices. He sees partitioning as one of the more compelling use cases for virtualization on mobile devices, and I agree with that. But it is important to keep in mind that virtualization is just one of numerous techniques currently being developed to handle the privacy, compliance and security concerns associated with dual-use (personal and corporate) devices.
All of these techniques provide some level of isolation on the device, but at different granularities. Virtualization creates two big sandboxes: one for work and one for play. Inside each sandbox basically anything goes; the isolation boundary is between the two environments, not between the applications within them. Containerization (or application hardening) is another technique, one that creates a sandbox for each individual application. The data in a sandboxed application is walled off from the rest of the device, including other applications. A third general approach to keep in mind is data loss prevention (DLP) tools. DLP has been a hot segment in security for several years, and mature products are in the market that target endpoints, servers and gateways. Moving the technology to mobile devices, however, is a relatively new idea. As it relates to partitioning, DLP would be used to flag and encrypt any data on the device that is deemed corporate-sensitive, and to block that data from leaving the device.
I suspect all of these technologies will find a home on mobile devices. But vendors need to consider a few key attributes as they bring products to market. The most obvious is efficacy. That is, does the product in fact keep corporate and personal data separated? Can this separation be verified, rather than merely asserted? And if a divorce is needed, can the corporate data (and just the corporate data) be deleted from the device? Ok, so the product works, but at what cost? The chief cost from my perspective is the negative impact on end user experience. Nothing is going to doom a partitioning scheme as quickly as a large and negative impact on end user experience. Does virtualization affect device performance or battery life? Does sandboxing limit functionality? Does DLP require end users to make too many security decisions? After the end user, the next biggest community to worry about is developers. How many hoops, if any, do mobile application developers need to jump through to leverage these products? And what about the carriers? Several carriers are currently trialing third-party virtualization products that they plan to offer as services. Expect carriers, however, to keep an open mind about these various technologies as they continue to mature and as the questions about how (and whom) they impact are answered.