MobileIron certainly continues to be busy. The mobile device management (MDM) vendor – and a vendor that more recently looked to embrace mobile applications management (MAM) – recently released MobileIron v5, which added some well-defined MAM capabilities to the company’s core platform.
The company is now moving the needle yet again, toward giving enterprises the ability not only to manage mobile devices in the usual MDM sense, but also to build data security directly into the mobile apps themselves.
Enterprise data security comes in several flavors of requirement:
- Enterprises need to ensure that any and all enterprise data (data-at-rest) is secure and protected from unauthorized use, malicious use (keeping in mind that more often than not “malicious” simply means “unintended,” where users may not even know they are causing harm), mistaken use, and so on.
- Enterprises need to ensure that data being sent between the enterprise and the mobile user (data-in-motion) is also secure at all points.
- Enterprises, because of BYOD, are increasingly concerned with both the security and the legal issues surrounding the measures they may need to take when a user’s personal device becomes compromised. If corporate data and personal data are not cleanly separated, how does an enterprise meet its need to protect its data (possibly through a complete device wipe)? In most cases, the user’s personal data would be deleted as well.
The last point above is an interesting issue. Although many enterprises now require some form of written and signed document that states the user understands the consequences of a BYOD device being used to access corporate information – and that an enterprise reserves the right to wipe an entire device or otherwise render it unusable – there are legal concerns about actually being able to do so.
The best solution here is really the only legitimate solution – keep the user’s entire “personal phone profile” – all personal apps and all personal data – completely separate from the user’s “corporate phone profile.”
Ensuring that the two can easily coexist, and that only the corporate profile can be entirely wiped by the enterprise, is the only true solution that should be employed.
Among others, vendors such as Research in Motion (RIM) and Red Bend Software have introduced different approaches to solving this problem. RIM offers BlackBerry Balance, which keeps corporate and user data and apps separated (though RIM also requires its BES infrastructure and its Mobile Fusion MDM platform to do so). Red Bend has taken a virtualization approach, in which a smartphone uses Red Bend technology to create virtual software phones within the physical mobile device.
To address this collection of challenges, today MobileIron introduced its own complete “mobile app persona” technology for the enterprise. The new products provide MobileIron customers with secure data-at-rest and data-in-motion for business apps while preserving the native (BYOD) experiences their users demand.
An “enterprise app persona” includes all the apps and data used for business on any given mobile device. It is associated with a specific enterprise user, based on that enterprise user’s identity, and managed through enterprise security and management policies. By definition, an enterprise app persona is also not the personal user persona (the personal phone profile we noted above).
The MobileIron technology for establishing enterprise app personas delivers the ability to:
- Secure both app data-at-rest and data-in-motion.
- Support major app operating systems, including iOS and Android.
- Secure both internal and third-party apps.
- Provide containerization through either an app wrapper or a software development kit (SDK).
- Provide single sign-on for all applications and data protected through AppConnect.
To deliver on these capabilities, MobileIron has announced two new products. The first is MobileIron AppConnect, used to “containerize” apps to protect enterprise app data-at-rest without ever touching personal user data. AppConnect securely populates the enterprise app persona. The second is MobileIron AppTunnel, which provides highly secure tunneling and access control to protect app data-in-motion without requiring the traditional use of a VPN. This allows apps in the enterprise app persona to securely connect to data stores behind the firewall.
I should note here that using a VPN on a mobile device is the most secure means of data transmission, but also the most cumbersome and costly to set up and manage. MobileIron AppTunnel removes the VPN requirement and should make things easy for both IT and the mobile user (IT should find setup and management easy, and a user should never even know it’s there). I’ll also note that single sign-on (SSO) is key to ensuring that user security is as frictionless as possible.
Through SSO, a user only has to log on once in order to access any group of apps and data included within the SSO profile – a hugely convenient capability.
To date, enterprises and mobile app developers have had to trade off user experience against security. MobileIron AppConnect and AppTunnel make security painless for the enterprise, IT and developers; together they strive to make the entire security chain invisible to the user.
AppConnect transforms an iOS or Android app into a secure container with clear data separation and protection from unauthorized access. Because each user will have multiple business apps, each app container is also connected to other app containers to allow the secure sharing of data, like documents, and of policies, like app single sign-on.
All app containers are connected to MobileIron for central policy management.
Any app can leverage AppConnect through an easy-to-use app wrapper or a simple SDK. App wrapping minimizes developer time, secures apps post-development, and currently supports both iOS and Android. The wrapper approach works best for mobile apps that already exist. It is lightweight and does not add overhead that would otherwise make app use cumbersome.
The SDK will support only the creation of iOS apps in its first iteration. By using the SDK, enterprise mobile app developers will be able to build AppConnect capabilities directly into their apps as they are developed, eliminating the need for the wrapper.
Longer term, we can expect most, if not all new mobile apps to be built this way.
MobileIron will, in a future release, also support Android within the SDK. Windows Phone 8 and Windows 8 support will come to both AppConnect and AppTunnel at a later date, but MobileIron knows it will need to deliver on Windows support in the near future.
AppTunnel provides granular, app-by-app session security to connect each app container to the corporate network through a secure tunnel. Mobile apps can now use AppTunnel to access back-end enterprise data without opening a full VPN connection or altering perimeter network security settings.
AppTunnel uses MobileIron’s Sentry intelligent gateway, which is already installed at thousands of enterprises. This is a good point to note that the products are integral to the MobileIron 5.x platform – enterprises cannot use either AppConnect or AppTunnel without the full platform – available either on-premises or through MobileIron’s cloud services.
In combination with MobileIron v5.x, AppConnect and AppTunnel will let enterprises implement:
- Authentication: Confirm user identity through domain username and password or certificates.
- Single sign-on: Enforce time-based app-level sign-on across secured app containers.
- Authorization: Allow or block app usage or data storage based on device or user risk.
- Configuration: Silently configure personalized settings such as user name, server name, and custom attributes without requiring user intervention.
- Encryption: Ensure that all app data stored on the device is encrypted.
- DLP controls: Set data loss prevention (DLP) policies, e.g., copy/paste, print, and open-in permissions, so unauthorized apps cannot access secure data.
- Dynamic policy: Update app policies dynamically.
- Reporting: Provide app usage statistics.
- Selective wipe: Remotely wipe app data without touching personal data.
The end result of all of the above is the ability to deliver a highly secure enterprise environment, the “enterprise app persona,” without ever interfering with the “user app persona.” MobileIron has built the products described here with this express purpose in mind. In today’s BYOD world it isn’t enough to simply “kill the device” if something goes wrong; that is old-school MDM. In today’s world of sophisticated high-end smartphones and tablets, which are the ones most often deployed within the enterprise, keeping both the user and enterprise sides separate and safe is critical to running a 21st-century mobile environment.
Availability for AppConnect and AppTunnel is as follows:
- Android AppConnect – November 2012
- iOS AppConnect – December 2012
- iOS and Android AppTunnel – December 2012
There are other vendors out there with platforms that are beginning to offer such capabilities. MobileIron, which has developed all of the technology in-house and is not partnering with other security vendors, is among those at the leading edge of MAM. Whether the company is the right one to deliver for any given enterprise is of course up to the enterprise – but the company should definitely be on the RFP list of any organization that needs to “go MAM.”
MobileIron has provided a very useful video that visually depicts how AppConnect and AppTunnel work.
Edited by Braden Becker