Containers are playing a big part in the new wave of enterprise mobile security.
One user experience benefit of secure containers is that they eliminate the need for a power-on password on the device. So if a user wants to leave his phone unprotected for personal use, the enterprise data portion remains secure and still requires a password or another authentication mechanism.
The security measures go beyond simply encrypting the data in the secure container -- mobility vendors now address the issue of data loss prevention. Any data or emails that are downloaded to the secure container are marked as enterprise data; even pictures that are taken with the camera in the secure container are marked as enterprise data -- a good feature because users now routinely snap a picture of the whiteboard with their smartphones at the end of a meeting.
Generally, data, emails or attachments that have been downloaded and marked as "enterprise" cannot be forwarded, and their contents cannot be copied and pasted to applications outside of the container. The management capabilities allow for very granular control of different data types and can even prohibit printing.
Secure containers typically have their own email clients, browsers and whatever line-of-business applications users need to do their jobs. So the user loses the ability to have a single inbox for business and personal emails, but this is preferable to carrying a second smartphone.
Much of the data on current smartphones is not in email, but in the applications themselves. Of course, if those apps are in secure containers, that data is encrypted, but IT pros are finding that it is important to further protect those apps.
The first link in that security chain is to ensure that a device's OS has not been compromised. Apple's iOS and Windows Phone both use a secure boot function that prevents unauthorized or modified software from loading. All apps must be signed with a certificate, and a hash of that certificate is burned into the device's ROM, so that the validity of the software is ultimately anchored in the hardware.
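The chain just described, as an added example that is not code from the article or from Apple, Microsoft or Samsung: a Go model in which the only thing the hardware trusts is a hash of the vendor's root public key held in ROM, and every later stage (boot image, developer certificate, app) must carry a signature that traces back to that key. The Ed25519 keys and payload bytes are constructed for the example, the developer certificate is simplified to a public key endorsed by the root key, and all type and function names are the example's own. It also shows the three ways the chain breaks: a modified boot image, an app whose certificate the vendor never endorsed, and a substitute root key that re-signs everything but cannot match the ROM hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device carries the one hardware trust anchor: a hash of the vendor root public key fixed in ROM.
type Device struct{ RomPinnedRootHash [sha256.Size]byte }

// SignedBlob is a piece of software plus a signature over it. A developer certificate is
// modelled as a SignedBlob whose Payload is the developer's public key, signed by the root key.
type SignedBlob struct {
	Name               string
	Payload, Signature []byte
}

// VerifyBootChain walks ROM hash -> root key -> boot image -> developer cert -> app
// and stops at the first broken link, naming it in the error.
func (d Device) VerifyBootChain(rootPub ed25519.PublicKey, boot, cert, app SignedBlob) error {
	if sha256.Sum256(rootPub) != d.RomPinnedRootHash {
		return errors.New("root public key does not match the hash burned into ROM")
	}
	if !ed25519.Verify(rootPub, boot.Payload, boot.Signature) {
		return fmt.Errorf("%s: signature invalid, image modified or not vendor-signed", boot.Name)
	}
	if len(cert.Payload) != ed25519.PublicKeySize || !ed25519.Verify(rootPub, cert.Payload, cert.Signature) {
		return fmt.Errorf("%s: developer certificate not endorsed by the vendor root key", cert.Name)
	}
	if !ed25519.Verify(ed25519.PublicKey(cert.Payload), app.Payload, app.Signature) {
		return fmt.Errorf("%s: app signature does not match its certificate", app.Name)
	}
	return nil
}

// newKey returns a constructed demo key pair; generation failure is fatal by design.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

type Demo struct {
	Dev             Device
	Root            ed25519.PublicKey
	Boot, Cert, App SignedBlob
}

// NewDemo provisions a device and plays vendor and developer with constructed keys and payloads.
func NewDemo() Demo {
	rootPub, rootPriv := newKey()
	devPub, devPriv := newKey()
	boot := []byte("constructed boot image v1")
	app := []byte("constructed app binary")
	return Demo{
		Dev:  Device{RomPinnedRootHash: sha256.Sum256(rootPub)},
		Root: rootPub,
		Boot: SignedBlob{"bootloader", boot, ed25519.Sign(rootPriv, boot)},
		Cert: SignedBlob{"dev-cert", devPub, ed25519.Sign(rootPriv, devPub)},
		App:  SignedBlob{"secure-container", app, ed25519.Sign(devPriv, app)},
	}
}

// VerifyIntact is the normal boot: every link checks out.
func (m Demo) VerifyIntact() error { return m.Dev.VerifyBootChain(m.Root, m.Boot, m.Cert, m.App) }

// VerifyTamperedBoot overwrites the first byte of the boot image; the vendor signature no longer matches.
func (m Demo) VerifyTamperedBoot() error {
	t := SignedBlob{m.Boot.Name, append([]byte("X"), m.Boot.Payload[1:]...), m.Boot.Signature}
	return m.Dev.VerifyBootChain(m.Root, t, m.Cert, m.App)
}

// VerifyUnendorsedApp loads an app whose certificate is self-signed rather than root-endorsed.
func (m Demo) VerifyUnendorsedApp() error {
	pub, priv := newKey()
	app := []byte("constructed unapproved binary")
	cert := SignedBlob{"self-signed-cert", pub, ed25519.Sign(priv, pub)}
	return m.Dev.VerifyBootChain(m.Root, m.Boot, cert, SignedBlob{"sideloaded-app", app, ed25519.Sign(priv, app)})
}

// VerifySwappedRoot re-signs boot image and cert under a substitute root; only the ROM hash catches it.
func (m Demo) VerifySwappedRoot() error {
	pub, priv := newKey()
	boot := SignedBlob{m.Boot.Name, m.Boot.Payload, ed25519.Sign(priv, m.Boot.Payload)}
	cert := SignedBlob{m.Cert.Name, m.Cert.Payload, ed25519.Sign(priv, m.Cert.Payload)}
	return m.Dev.VerifyBootChain(pub, boot, cert, m.App)
}

func main() {
	m := NewDemo()
	fmt.Println("intact:        ", m.VerifyIntact())
	fmt.Println("tampered boot: ", m.VerifyTamperedBoot())
	fmt.Println("unendorsed app:", m.VerifyUnendorsedApp())
	fmt.Println("swapped root:  ", m.VerifySwappedRoot())
}
```

The point the swapped-root case makes is the one the paragraph makes: signatures alone prove nothing, because whoever controls a key can sign anything; what stops a replaced root is that its hash is compared against a value the software cannot change.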
Given the diversity of Android manufacturers, it is difficult to get that same level of control. However, Samsung has developed a technology called Knox that builds on Security Enhancements for Android to create a secure container. It also provides a secure boot capability called the TrustZone-based Integrity Management Architecture.
The Knox platform features a secure container that can be managed through a variety of MDM/EMM systems. Google will incorporate some capabilities from Knox in its next iteration of the Android OS, dubbed Android L.
The application management capabilities of the MDM/EMM platforms allow administrators to whitelist or blacklist specific applications and even configure devices to run a single app exclusively for task worker or kiosk applications.
The concerns of mobility managers have changed since the birth of the modern mobile market and the ensuing shift to BYOD. However, research tells us that the majority of mobile devices accessing corporate email and other systems are still company-provided.
In the end, it is important to recognize that MDM, MIM, MAM or whatever combination of capabilities IT needs to provide will apply equally to all mobile devices. We've moved past "device" management and now must focus on securing data and systems.