Three mobile containerization methods for guarding corporate data

For security reasons, IT departments prefer that business processes live in a different environment than personal data on mobile devices. Containerization makes that possible.

With the steady influx of mobile devices in the enterprise, administrators are turning to containerization to secure endpoints and safeguard corporate resources.

At the highest level, containerization refers to a set of features that separate corporate apps and data from their personal counterparts. The technology used to implement containerization often involves encryption, authentication and other mechanisms to ensure that sensitive information doesn't cross over to the forbidden zone -- most often the uncontained personal environment.

Mobile containerization is an effective strategy for protecting apps and data, especially when it comes to bring your own device (BYOD) security. Many workers today bring personal devices into the enterprise for work, and IT needs a way to protect business data from malware and breaches that originate in the user's personal apps and data on the same device. There are a few different methods of containerization out there, so get to know the most common forms of mobile containerization and how they differ.

Dual-persona containerization

Proponents of containerization are often most enthusiastic about the dual-persona strategy, which creates two separate environments, each with its own operating system running on the same device.

The dual-persona model relies on virtualization to create two environments that essentially behave like separate devices. Sensitive business apps and data operate in one environment, while personal operations take place in the other, with little to no crossover from one to the other.


There are two approaches to delivering dual-persona containerization. One strategy is to run two virtual environments in parallel, both as guests on a bare-metal (type 1) hypervisor that sits beneath them. The other method is to run a virtualized system inside the core OS, the way a virtual machine runs on a hosted (type 2) hypervisor on a desktop computer. Whichever dual-persona approach you opt for, administrators get a relatively simple and effective way to manage and protect corporate resources, with far less risk of data leaking between the two environments than on an uncontained device.

The flip side to dual persona is that running two OS environments takes a toll on performance and battery life. It also offers little protection against rooted or jailbroken devices: once a user has overridden the Android or iOS restrictions, the same elevated privileges can be used to defeat third-party controls layered on top of the platform, including the dual-persona separation itself.

User buy-in is another concern. If switching between environments becomes too cumbersome, users are more inclined to find ways to bypass the secure corporate container to stay productive.

Code-based containerization

To counter dual persona's draconian approach to device management, many organizations have turned to the applications themselves. App-level containment provides many of the same benefits as dual persona -- without many of the performance tradeoffs.

Generally, app-level containerization comes in two forms: code-based integration and app wrapping.

Code-based integration refers to the process of incorporating a vendor's software development kit (SDK) into an application's code base to containerize that app. Developers call the vendor's APIs and security libraries to secure their apps. They are also able to incorporate productivity features such as document sharing or printing services, and implement app-specific management policies. The application then operates out of its own secure container, which controls data moving in and out (for example, which other apps may receive a shared document or a clipboard paste) and protects what is stored inside.
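The following Python model, added here as an illustration and not taken from any vendor's SDK, shows the kind of runtime checks an SDK-integrated container performs: corporate documents may only be shared ("open-in") with other managed apps, clipboard data copied inside the container is invisible to unmanaged apps, and a root/jailbreak signal triggers a selective wipe that leaves the container unusable. The app identifiers, policy field names and the injected `device_compromised` callback are all hypothetical, and the documents are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class Sensitivity(Enum):
    PERSONAL = "personal"
    CORPORATE = "corporate"


@dataclass(frozen=True)
class Document:
    name: str
    sensitivity: Sensitivity
    body: bytes


@dataclass(frozen=True)
class ContainerPolicy:
    # Hypothetical policy shape: app IDs (bundle IDs / package names) IT has enrolled,
    # plus egress switches an admin would normally push from the EMM console.
    managed_apps: FrozenSet[str]
    allow_open_in_unmanaged: bool = False   # share sheet / "open in" to unmanaged apps
    allow_paste_to_unmanaged: bool = False  # clipboard egress to unmanaged apps
    wipe_on_compromise: bool = True         # selective wipe when the device is rooted/jailbroken


class ContainerViolation(Exception):
    """Raised when an operation would move corporate data outside the container."""


class AppContainer:
    def __init__(self, policy: ContainerPolicy,
                 device_compromised: Callable[[], bool] = lambda: False) -> None:
        self.policy = policy
        self._device_compromised = device_compromised  # injected root/jailbreak detector
        self._docs: Dict[str, Document] = {}
        self._clipboard: Optional[Tuple[Sensitivity, bytes]] = None
        self.wiped = False

    def _check_device(self) -> None:
        """Every entry point re-evaluates device state; a wiped container stays unusable."""
        if self.wiped:
            raise ContainerViolation("container has been wiped")
        if self._device_compromised():
            if self.policy.wipe_on_compromise:
                self.wipe()
            raise ContainerViolation("device is rooted/jailbroken; access denied")

    def wipe(self) -> None:
        """Selective wipe: corporate data goes, the user's personal side is untouched."""
        self._docs.clear()
        self._clipboard = None
        self.wiped = True

    def store(self, doc: Document) -> None:
        self._check_device()
        self._docs[doc.name] = doc

    def _egress_allowed(self, sensitivity: Sensitivity, target_app: str, override: bool) -> bool:
        # Personal data is never the container's concern; corporate data may leave only
        # toward a managed app, unless the admin explicitly relaxed that rule.
        if sensitivity is Sensitivity.PERSONAL:
            return True
        return target_app in self.policy.managed_apps or override

    def open_in(self, doc_name: str, target_app: str) -> bytes:
        self._check_device()
        doc = self._docs[doc_name]
        if not self._egress_allowed(doc.sensitivity, target_app, self.policy.allow_open_in_unmanaged):
            raise ContainerViolation(f"{doc_name} may not be opened in unmanaged app {target_app}")
        return doc.body

    def copy(self, doc_name: str) -> None:
        self._check_device()
        doc = self._docs[doc_name]
        self._clipboard = (doc.sensitivity, doc.body)

    def paste(self, target_app: str) -> Optional[bytes]:
        """An unmanaged app asking to paste corporate data sees an empty clipboard."""
        self._check_device()
        if self._clipboard is None:
            return None
        sensitivity, body = self._clipboard
        if not self._egress_allowed(sensitivity, target_app, self.policy.allow_paste_to_unmanaged):
            return None
        return body


def demo() -> Dict[str, object]:
    """Walk through the policy with constructed documents and hypothetical app IDs."""
    policy = ContainerPolicy(managed_apps=frozenset({"com.example.corpmail", "com.example.corpdocs"}))
    rooted = {"state": False}
    box = AppContainer(policy, device_compromised=lambda: rooted["state"])
    box.store(Document("q3-forecast.xlsx", Sensitivity.CORPORATE, b"constructed corporate data"))
    box.store(Document("grocery.txt", Sensitivity.PERSONAL, b"milk, eggs"))

    out: Dict[str, object] = {}
    out["corp_to_managed"] = box.open_in("q3-forecast.xlsx", "com.example.corpmail")
    try:
        box.open_in("q3-forecast.xlsx", "com.social.photos")
        out["corp_to_unmanaged"] = "allowed"
    except ContainerViolation:
        out["corp_to_unmanaged"] = "blocked"
    out["personal_to_unmanaged"] = box.open_in("grocery.txt", "com.social.photos")
    box.copy("q3-forecast.xlsx")
    out["paste_managed"] = box.paste("com.example.corpdocs")
    out["paste_unmanaged"] = box.paste("com.social.photos")

    rooted["state"] = True  # simulate the device being rooted after enrollment
    try:
        box.open_in("q3-forecast.xlsx", "com.example.corpmail")
        out["after_root"] = "allowed"
    except ContainerViolation:
        out["after_root"] = "blocked"
    out["wiped"] = box.wiped
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of injecting the compromise detector is that the container re-checks it on every call rather than once at launch, which is the behaviour the dual-persona section above says is missing when a user roots the device after setup.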

The downside to code integration is that it requires access to an app's code base as well as expertise to incorporate the SDK. This approach can also drain resources if an organization has to retrofit a lot of apps. In addition, going the code-based route essentially locks organizations in with the vendor providing the SDK -- at least for the apps incorporating that coding -- so admins should note that this strategy is a long-term commitment.

App wrapping

Many organizations don't have the time or resources to take the SDK-based approach and turn to another form of containerization, app wrapping, which injects a policy layer around an existing application without ever touching the source code. Most major mobile device management vendors now offer app wrapping, which does not require the same level of technical expertise as code integration does.

App wrapping doesn't allow for as much customization as code integration, but it's still an effective method for securely containing an app without changing its source code. You don't need access to the code base: the vendor's tool takes the compiled app package, injects its container layer and re-signs the result so it can be distributed through the enterprise app store. Because wrapping rewrites and re-signs the binary, it applies in practice to in-house apps and to packages a vendor supplies for wrapping, not to apps installed from the public app stores.

App wrapping does present one significant challenge: Using it is not always permitted. With the SDK approach, an organization that has access to the code base usually also has the right to modify that code. An enterprise can technically wrap any app package it can obtain, but most commercial apps ship under licensing agreements that prohibit any type of modification, and wrapping is a modification. The legal position remains a gray area, but vendors are unlikely to consent, so admins should assume that wrapping is limited to in-house apps and to third-party apps whose vendors explicitly allow it.

Making sense of containerization

The term "containerization" can sometimes be a slippery one. The concept of a separate, secure space is straightforward enough, but that definition becomes more nuanced as we dig deeper. For example, some argue that app wrapping is not a form of containerization at all. Others feel the same way about code-based integration at the app level. Then there are those who would define containerization more inclusively as any encrypted space or folder to keep apps and data.

The concept of containerization can also refer to wrapping the entire device in a management layer, which allows IT to monitor and control it from a central management console. Device-level containerization can facilitate tasks such as updating profiles, pushing apps or setting passcodes.

Another form of containerization is the multi-app container, which sits somewhere between dual persona and code-based containerization. Instead of creating a separate OS for business use, as in the dual-persona model, multi-app containers run on the same OS as the personal apps but create a layer of separation to protect corporate data. A multi-app container functions as a single application that hosts sub-apps, each incorporating the SDK from the container provider. This is similar to the code-integration model, except that one container and one policy cover several apps.

Containerization can likewise be implemented at the OS level, providing secure containers that are integrated into the hardware and software, such as with Samsung KNOX. Even an app that provides remote desktop services can sometimes be considered a type of mobile containerization.

There are plenty of techniques for containerization, but dual persona, code-based integration and app wrapping remain the three most popular approaches. New strategies will continue to emerge, but containerization is already an effective way to secure company resources.
