The future of mobile application containers in the Security space and possible impacts to Fiberlink evolution
The current approach to Mobile Application Management (MAM) leverages container technologies to separate personal and corporate content on mobile devices; in addition, containers are responsible for preventing data leakage out of the container.
The speed at which this technology evolves raises some questions.
Security threats to containers
In particular, the evolution seems to be very fast in the security space. Containers cannot prevent external apps from violating the containerization. A jailbreak enforcement policy is effective only while the device remains online: a malicious app can always jailbreak the device while the container is offline, at which point the user can make unauthorized changes, restore the device and go back online.
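As an added illustration of the caveat above (example code written for this edit, not Fiberlink's or any vendor's implementation), the snippet below shows a fail-closed way for a MAM server to treat jailbreak attestations: an attestation older than a grace window is not trusted, a device that reconnects with a different agent install identifier (the signature of a restore) must attest again before the container opens, and the last reported jailbreak state is honoured. The `DevicePosture` record, the eight-hour grace window and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed, per-device posture record as a MAM server might keep it (constructed).
@dataclass
class DevicePosture:
    device_id: str
    last_check_in: datetime            # last time the agent reported in
    last_attestation_jailbroken: bool  # result of the last jailbreak check received
    install_id: str                    # agent install identifier; changes after a restore

# Assumed policy value: how long an attestation stays trustworthy without a check-in.
OFFLINE_GRACE = timedelta(hours=8)


def container_access_decision(posture, known_install_id, now):
    """Return (allowed, reason). Fail closed: stale or inconsistent posture denies access."""
    if posture.install_id != known_install_id:
        # The agent was reinstalled or the device restored: the old attestation says
        # nothing about the current OS state, so require a fresh one.
        return False, "device restored or re-provisioned: fresh attestation required"
    if posture.last_attestation_jailbroken:
        return False, "last attestation reported jailbreak"
    if now - posture.last_check_in > OFFLINE_GRACE:
        # Offline beyond the grace window: the device may have been modified meanwhile.
        return False, "offline beyond grace window: attestation stale"
    return True, "attested within grace window"


SAMPLE_NOW = datetime(2014, 6, 1, 12, 0)  # fixed clock so results are reproducible

def demo():
    """Evaluate a few constructed devices and return {device_id: allowed}."""
    enrolled = {"d1": "inst-a", "d2": "inst-b", "d3": "inst-c", "d4": "inst-d"}
    postures = [
        DevicePosture("d1", SAMPLE_NOW - timedelta(hours=1), False, "inst-a"),   # healthy
        DevicePosture("d2", SAMPLE_NOW - timedelta(hours=9), False, "inst-b"),   # stale
        DevicePosture("d3", SAMPLE_NOW - timedelta(minutes=5), True, "inst-c"),  # jailbroken
        DevicePosture("d4", SAMPLE_NOW - timedelta(minutes=5), False, "inst-x"), # restored
    ]
    return {p.device_id: container_access_decision(p, enrolled[p.device_id], SAMPLE_NOW)[0]
            for p in postures}


if __name__ == "__main__":
    for device, allowed in demo().items():
        print(device, "allowed" if allowed else "denied")
```

The point of the design is that the decision never relies on the device's own claim of being online and compliant; the server's own record of when it last heard from the agent, and whether that agent is the one it enrolled, drives the outcome.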
More importantly, social engineering scenarios (the manipulation of people's behaviour) are typically not covered by containers. Social engineering is more dangerous on smartphones than on PCs because people normally trust the app stores, believing the store itself is an assurance against malicious apps. Containers offer enterprise app catalogs, but they cannot block the installation of generic apps.
Another security exposure, at the enterprise level, is the lack of certification of the level of security offered by the containers themselves. While many institutions require standardized certification on PCs (e.g. the US public sector with FIPS), every vendor implements its own way of securing containers, and not all of the most common certification criteria are supported by all containers.
So, considering the capabilities of containers and the security exposures, not all customer needs can be implemented at container level. With reference to the figure below, some capabilities, like jailbreak inhibition, can be implemented at OS level only, while a growing number of tools address containers' exposures outside the container itself: app reputation, malware and information analyses are some examples.
What remains unaddressed seems to be the capability of offering, in the container, the same functionality that the official apps offer. In fact, if requirements move towards parity with the PC, then basic apps like the browser and e-mail client offered in the container will become obsolete in a short time, while the applications offered by the OS will implement the latest features.
IBM Mobile offering
The main IBM product in the mobile space is Fiberlink, a product leader in offering the typical MDM and MAM capabilities. Being a classical container, Fiberlink offers all the functions highlighted in blue above and suffers from the related security exposures. Such exposures can be covered through Trusteer, which, outside the containerization, offers many of the security features required by the market. In particular, Trusteer prevents social engineering by matching corporate credentials and sites, so that credentials can be used only on ente
Another example of how integration can be powerful in overcoming the limitations of containers is the combination of Fiberlink with QRadar's capabilities to analyze security threats coming from the device, with superior information about data access and user activities. Integration between Fiberlink and ISAM is instead oriented towards providing advanced authentication models (like SSO) and an effective way to address access control at app level (see Figure 6 above). This is one of the functionalities that iOS started to implement in iOS 7. While fine-grained network access control at app level may become available in every major OS release, other functionalities like one-time password support for enterprise scenarios will remain a major competitive advantage.
So the result is the figure above, where it is evident how IBM, through Fiberlink and its integration plans, covers in practice all customer needs. What remains out is mainly the direction of offering secure apps in the container with the same functions as the related app embedded in the OS (think of the browser, where it is practically impossible for a container to stay up to date in functionality with Safari). In this context, it seems more reasonable that operating systems will add container-like security than that containers will implement all the functional requirements of base software applications (browser, e-mail...); this is another way to see OS erosion in the mobile space.
Even if many enterprises still prefer on-premises solutions, software running on mobile often requires them to open their network (for example, to administer Apple devices they must leverage the Apple Notification Service). This already requires enterprises to trust the OS provider, and it is another reason that favours OS erosion: once a level of trust must be given to the OS provider for networking and data purposes, it is natural to extend that trust to other things such as software and services.