
How secure containers improve mobile data protection

Secure containers protect enterprise data on smartphones and tablets by limiting what users can do with it. IT can control everything from email to the camera in a container.

Containers are playing a big part in the new wave of enterprise mobile security.

One user-experience benefit of secure containers is that they remove the need to enforce a power-on password on the device itself. A user who prefers to leave the phone unlocked for personal use can do so; the enterprise data lives in the container, stays encrypted, and still requires the container's own password or another authentication step. The trade-off is that the container credential then becomes the only barrier to the enterprise data, so its strength and its lockout policy matter more, not less.

The security measures go beyond simply encrypting the data in the secure container: mobility vendors now also address data loss prevention. Any data, email or attachment downloaded into the container is tagged as enterprise data, and so are pictures taken with the camera from inside the container. That last point matters because users now routinely photograph the whiteboard at the end of a meeting, and those photos should follow the same rules as any other corporate document.

Generally, data, email or attachments that have been downloaded and tagged as enterprise cannot be forwarded, and their contents cannot be copied and pasted into applications outside the container. The management capabilities allow very granular control over different data types and can even prohibit printing.

Secure containers typically ship with their own email client, browser and whatever line-of-business applications users need to do their jobs. The user loses the convenience of a single inbox for business and personal mail, but most prefer that to carrying a second smartphone.

Much of the data on current smartphones is not in email but in the applications themselves. If those apps run inside a secure container, their data is encrypted at rest, but encryption only helps while the platform doing the encrypting can be trusted, so IT pros are finding it important to protect those apps further by establishing trust in the device they run on.

The first link in that security chain is to ensure that the device's OS has not been compromised. Apple's iOS and Windows Phone both use secure boot, which refuses to load unauthorized or modified software. On iOS every stage of the boot chain, and every app, must be signed with a certificate that chains back to Apple, and the Apple root public key is stored in the device's boot ROM; the trust anchor for the whole chain is therefore fixed in hardware and cannot be altered by software. Windows Phone takes the same approach with UEFI Secure Boot and Microsoft-signed binaries.
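As an added illustration of that chain (example code written for this edit, not Apple's, Microsoft's or the article's): a loader whose only trust anchor is a root public key pinned in ROM, a developer certificate modelled as a developer key endorsed by that root, and an app image signed with the developer key. The keys, the RSA/SHA-256 choice and the sample image are all constructed in-process for illustration and are not the format any real vendor uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Simplified model of a hardware-anchored signing chain (illustrative, not a vendor format).
public final class ChainOfTrust {

    /** Stand-in for a signing certificate: a developer public key plus the root's signature over it. */
    public static final class DevCert {
        final PublicKey devKey;
        final byte[] rootSignature;

        DevCert(PublicKey devKey, byte[] rootSignature) {
            this.devKey = devKey;
            this.rootSignature = rootSignature;
        }
    }

    /** An app image, the developer's signature over it, and the certificate to check that signature with. */
    public static final class SignedImage {
        final byte[] image;
        final byte[] signature;
        final DevCert cert;

        SignedImage(byte[] image, byte[] signature, DevCert cert) {
            this.image = image;
            this.signature = signature;
            this.cert = cert;
        }
    }

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(data);
        return sig.verify(signature);
    }

    /** The vendor endorses a developer key by signing its encoded form with the root private key. */
    static DevCert issueCert(PrivateKey rootKey, PublicKey devKey) throws GeneralSecurityException {
        return new DevCert(devKey, sign(rootKey, devKey.getEncoded()));
    }

    /** The loader's check. Its only trust anchor is the root public key pinned in ROM. */
    static boolean loaderAccepts(PublicKey pinnedRoot, SignedImage img) throws GeneralSecurityException {
        // Step 1: the certificate must chain to the pinned root.
        if (!verify(pinnedRoot, img.cert.devKey.getEncoded(), img.cert.rootSignature)) {
            return false;
        }
        // Step 2: the image must verify under the key that certificate carries.
        return verify(img.cert.devKey, img.image, img.signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair root = newKeyPair();             // private half stays with the vendor
        PublicKey romRoot = root.getPublic();    // public half is what the ROM pins

        KeyPair dev = newKeyPair();
        DevCert cert = issueCert(root.getPrivate(), dev.getPublic());
        byte[] app = "constructed sample app image".getBytes(StandardCharsets.UTF_8);
        SignedImage genuine = new SignedImage(app, sign(dev.getPrivate(), app), cert);
        System.out.println("genuine app accepted: " + loaderAccepts(romRoot, genuine));

        // Case 1: the image was modified after it was signed.
        byte[] tampered = app.clone();
        tampered[0] ^= 0x01;
        SignedImage modified = new SignedImage(tampered, genuine.signature, cert);
        System.out.println("modified app accepted: " + loaderAccepts(romRoot, modified));

        // Case 2: a valid signature, but under a certificate issued by an unrelated CA.
        KeyPair rogueRoot = newKeyPair();
        DevCert rogueCert = issueCert(rogueRoot.getPrivate(), dev.getPublic());
        SignedImage unanchored = new SignedImage(app, genuine.signature, rogueCert);
        System.out.println("unanchored cert accepted: " + loaderAccepts(romRoot, unanchored));
    }
}
```

Compile with javac and run. The genuine image passes both checks; the image altered after signing fails the second check, and the image carrying a certificate from an unrelated CA fails the first. Pinning the root key in read-only hardware is what stops an attacker from simply adding their own CA to the device's trust store, which is the property the article attributes to the ROM.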

Given the diversity of Android manufacturers, it is difficult to get that same level of control. Samsung, however, has developed Knox, which builds on Security Enhancements (SE) for Android, the platform's mandatory access control framework, to create a secure container. Knox also anchors the boot chain with Samsung's secure boot and then monitors the running kernel from the ARM TrustZone secure world through its TrustZone-based Integrity Measurement Architecture (TIMA).

The Knox platform's container can be managed through a variety of MDM/EMM systems. Google has said it will incorporate some Knox capabilities into the next Android release, dubbed Android L; that release became Android 5.0 Lollipop, and its managed work profile is the platform's own container.

The application management capabilities of MDM/EMM platforms let administrators whitelist or blacklist specific applications, and even configure a device to run a single app exclusively for task-worker or kiosk use.
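The container controls described above (no copy and paste out of the container, screenshot and camera control, application blacklisting, a separate container credential, selective wipe) and the single-app kiosk configuration, expressed with the managed-profile APIs that Android 5.0 (API level 21) added. This is an added example, not the article's code or any vendor's SDK; the package names, the policy constants and the receiver class are placeholders, and the snippet assumes the app was made profile owner of the work profile during provisioning (and device owner, for the kiosk call).

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.UserManager;

// Work-profile policy for the "secure container" rules the article lists (illustrative).
public final class WorkProfilePolicy {

    // Placeholder values: in practice these arrive in the EMM server's policy payload.
    static final boolean CAMERA_ALLOWED_IN_PROFILE = true;
    static final String[] DENIED_PACKAGES = { "com.example.personal.cloudsync" };
    static final String KIOSK_PACKAGE = "com.example.kiosk";

    /** Profile-owner receiver; declared in the manifest with android.permission.BIND_DEVICE_ADMIN. */
    public static final class AdminReceiver extends DeviceAdminReceiver {
        @Override
        public void onProfileProvisioningComplete(Context context, Intent intent) {
            applyContainerPolicy(context, new ComponentName(context, AdminReceiver.class));
        }
    }

    static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** Rules for the work profile, which is the Android equivalent of the secure container. */
    public static void applyContainerPolicy(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = dpm(ctx);
        if (!dpm.isProfileOwnerApp(ctx.getPackageName())) {
            throw new IllegalStateException("this app is not the profile owner of a work profile");
        }

        // Enterprise data stays in the container: no clipboard traffic into personal apps,
        // and no screenshots of work apps.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);
        dpm.setScreenCaptureDisabled(admin, true);

        // The camera is a per-container decision; photos taken inside the profile stay in it.
        dpm.setCameraDisabled(admin, !CAMERA_ALLOWED_IN_PROFILE);

        // Blacklist: hide packages IT does not want available inside the profile,
        // and block sideloading into it.
        for (String pkg : DENIED_PACKAGES) {
            dpm.setApplicationHidden(admin, pkg, true);
        }
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);

        // The container's own credential. From API 24 the work profile can carry a separate
        // unlock challenge, and a profile owner's password policy governs that challenge.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
    }

    /** Selective wipe: called by a profile owner, wipeData() removes only the work profile and its data. */
    public static void wipeContainer(Context ctx) {
        dpm(ctx).wipeData(0);
    }

    /**
     * Single-app (kiosk) mode. On API 21 setLockTaskPackages() is a device-owner call;
     * the whitelisted kiosk app then invokes Activity.startLockTask() when it launches.
     */
    public static void enableKiosk(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = dpm(ctx);
        if (!dpm.isDeviceOwnerApp(ctx.getPackageName())) {
            throw new IllegalStateException("kiosk lock task requires the device owner");
        }
        dpm.setLockTaskPackages(admin, new String[] { KIOSK_PACKAGE });
    }
}
```

The two ownership checks are the point to keep: every call above is silently a no-op or a SecurityException unless the calling app actually holds the profile-owner (or device-owner) role on that device, which is why provisioning, not the policy code, is where most container deployments go wrong.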

The concerns of mobility managers have changed since the birth of the modern mobile market and the ensuing shift to BYOD. However, research tells us that the majority of mobile devices accessing corporate email and other systems are still company-provided.

In the end, it is important to recognize that MDM, MIM, MAM (mobile device, information and application management) or whatever combination of capabilities IT needs to provide will apply equally to all mobile devices. We've moved past "device" management and now must focus on securing data and systems.

Join the conversation


Is a secure container the best way to protect mobile data?
Mobile containerization ensures employees' personal files remain separate from corporate materials and business data. It generates a protected, encrypted sector on each worker's device dedicated solely to storage of enterprise information, for mobile appliances like deep-utility smartphones and tablets. Data remains encrypted, during both storage on a user's device and transmission from one device to another. Auto-wipe security supports deletion of business data should the device be lost or stolen. Current container apps reliably manage enterprise data. Because business communications are conducted on a confidential corporate channel, the secure container is the best available option for secure mobile data.
Secure containers are secure to the extent that the passwords for the containers are secure, and no more than that.

"We've moved past 'device' management and now must focus on securing data and systems."

That's it in a nutshell. The BYOD ship has sailed; organizations need to focus on protecting the data rather than protecting the device.