Containerization moves beyond the full erase

The latest containerization technologies enable IT to create separate, protected areas for work apps and data on employees’ personal devices. The challenge is to maintain security


What a difference three years makes. In 2012, when Computerworld first looked at containerization technologies that help organizations manage their bring-your-own-device programs, the landscape was quite different from what it is today. Now, all the issues about information security, app wrapping and data wiping have gathered under one umbrella: management.

Encryption -- as opposed to mobile hypervisors and app wrappers -- is now considered the most viable option for keeping corporate data separate from personal data. The primary goal, of course, is to keep confidential company information away from unauthorized eyes. But another reason for separating the two types of data is to make it possible to delete corporate data on a personal phone without touching the personal data.
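As an added illustration of the encryption-based separation the paragraph describes (example code written for this page, not from the article or any vendor it names): two independently keyed containers, where a selective wipe destroys only the work domain's key and then verifies that no work record can still be read, while the personal container is untouched. The cipher here (an HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) is a standard-library stand-in for the AEAD cipher a real product would use.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, stdlib only so the example runs anywhere;
    # a real container would use an AEAD cipher such as AES-GCM instead.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

class Container:
    """One encryption domain ("work" or "personal") with its own data key."""
    def __init__(self, name: str) -> None:
        self.name = name
        self._key = os.urandom(32)   # domain key, never shared across domains
        self._records = {}           # label -> (nonce, ciphertext, tag)

    def put(self, label: str, plaintext: bytes) -> None:
        if self._key is None:
            raise PermissionError(f"{self.name} container has been wiped")
        nonce = os.urandom(16)
        stream = _keystream(self._key, nonce, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        self._records[label] = (nonce, ciphertext, tag)   # encrypt-then-MAC

    def get(self, label: str) -> bytes:
        if self._key is None:
            raise PermissionError(f"{self.name} container has been wiped")
        nonce, ciphertext, tag = self._records[label]
        expected = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"{label}: integrity check failed")
        stream = _keystream(self._key, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream))

    def wipe(self) -> bool:
        # Selective wipe by cryptographic erasure: destroy this domain's key so
        # its records become unreadable, leaving other domains untouched. The
        # result is verified rather than assumed, since wipes can silently fail.
        self._key = None
        try:
            for label in self._records:
                self.get(label)            # must fail for every record
            return not self._records       # nothing stored: trivially wiped
        except PermissionError:
            return True
```

Because only the key is destroyed, the work ciphertext may linger on flash, which is why the wipe reports success only after confirming every record is unreadable.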

And vendors are adding other capabilities, such as links between enterprise mobile management software and mobile operating systems. No vendor has mastered the balancing act between the need for security and the need to give employees access to company data so they can be productive, but they're making progress.

Experts say three trends have shaped the current containerization landscape: increased mobility among workers (who don't want to carry two phones or lose personal data after a corporate wipe), advances in mobile security technology and a push toward better device management.

Here's a look at those market-shaping trends and their impact on IT departments.

1. Mobility boom

"We no longer live in a world where mobility is a nice-to-have," says J. Travis Howerton, deputy director of the IT services division at the Oak Ridge National Laboratory, a national science and technology research center in Tennessee that a partnership known as UT-Battelle manages for the U.S. Department of Energy. "The next-generation workforce expects to work anywhere and anytime, and [employers will] have trouble acquiring and retaining top scientific talent" if they don't meet those expectations.

The Oak Ridge IT department supports approximately 1,000 mobile devices that the lab furnishes to employees, and more than 1,800 personal devices that employees use as part of the lab's BYOD program. Going forward, Howerton expects to drive down the first number and push up the second.

Wes Wright, CTO at Sutter Health in Sacramento, Calif., concurs with Howerton: "If one of my clinicians comes to me and says there's this cool Android or iOS app out there that lets us provide better or more efficient healthcare, then I want to be able to say, 'Yes, we can run that app.' Without containerization, I could run the app, but I couldn't let that app talk to [Sutter Health] data, because I can't be sure where that app's been. When I put it in a container, I know it's safe."

2. Technology evolution

Once there were three ways to manage the so-called partitioning of corporate data from personal data: Create an encrypted space for applications and data, create a protective "wrapper" around each application and its data, or use mobile hypervisors, which created a virtual mobile phone strictly for business use.

"In my view, mobile hypervisors didn't take off," says Terrence Cosgrove, an analyst at Gartner. "For most organizations, creating the separation on the hardware through a separate [hypervisor] OS environment has been rendered unnecessary by decisions to put the separation within the OS."

There were other issues as well. "Because these were personal devices, we wanted to make sure it was a lightweight footprint but still provided security," says Sean Valcamp, director of IT at Avnet, a Phoenix-based technology distributor. "The problem with a hypervisor perspective was that it was an OS within an OS, with two bootable partitions, and that increases the footprint on the device."


Putting apps in wrappers became problematic because they were contained in their own little spaces. One app couldn't talk to other apps, even in the same container, unless IT built a secure connection to the second app. "We're seeing the security tools and the operating systems evolve," says Christian Kane, an analyst at Forrester Research. "Three years ago, the conversation was about dual-persona devices and mobile device management, and now it's moved to application management. Technology is making it easy for companies to adopt BYOD, because more companies are comfortable with it."

On the operating system side, Cosgrove cites advancements in both Apple iOS and Google's Android for Work to provide security without the use of hypervisors.

3. Better device management

Perhaps the biggest shift has been from thinking about security to thinking about applications in general, not just on mobile devices. "You have to be able to control the back end. Our customers want a containerized bucket on their device, but they also want to manage application delivery to those devices," says Manoj Raisinghani, vice president of product marketing for Citrix's mobile platforms group, XenMobile. He cites the need for what he refers to as unified endpoint management.

"How can I make sure that the apps are contained and secure, especially when they're pulling data from somewhere else?" adds Raisinghani. And equally important, how can mobile systems be managed from one enterprise mobility management (EMM) console?

If you want a sneak preview of where containerization is going, it's not too big a leap to start thinking about how containers might be used on other mobile devices. "Think about it as a universal way of managing all endpoints, even those in the Internet of Things," says Noah Wasmer, vice president of product management at VMware's AirWatch division.

Stumbling block: security vs. productivity

As wonderful as mobile devices like smartphones and tablets are, they have always posed a conundrum for IT. "They were really consumer devices, but IT ended up having to support them sooner than they intended," says Forrester's Kane. That issue is still causing problems in the enterprise.

As a result, if there's one obstacle that containerization still faces, it's usability. IT wants applications to be secure -- that's why they're put into a container in the first place -- but applications also have to be usable. "Historically, the user experience falters when containerization is in place. Too much security gets in the way of productivity," Kane warns. "Users will figure out a way to get around that, and then you're inherently less secure. You have to reach a delicate balance."

The usability issue causes problems for both users and IT. The whole idea of accessing applications within containers is a new one, and requires a different mindset. Unless every corporate application is containerized, users have to remember which application is which, where they access those applications and where data has been stored.

In truth, that's not much different from remembering where you stored a file on your own desktop (sometimes a perplexing process anyway), but it's complicated by the fact that you can move data from an unprotected folder into a protected folder (and vice versa). Another problem is that copy and paste and other basic features that people expect to use may be disabled, and that can trip users up and curb productivity.

There are also EMM tools that require people to use the vendors' own browsers or email tools within the container. "Those have the advantage of added security while leaving [personal data on the device] alone, but they're limited from a user experience standpoint," says Gartner's Cosgrove. "Users know how native email works, but if you introduce a new containerized app, there may be challenges because of a lack of familiarity."

At Avnet, which uses mobile management tools from Good Technology, "user reaction to the container has generally been positive," but employees regularly ask for access to "more and different types of data," says Brad Kenney, Avnet's vice president of IT.

"We have to look at whether the container allows that. [Valcamp] and I talk about this a lot," he adds. "The users appreciate that it's a challenge, but every day there's another request to access a new database or application." The answer, he says, is to determine if there's a real business need for mobile access to any given application.

Some users understand that they have to pay a price for greater security.

At BNY Mellon, for example, the use of containers means that employees may not have access to some basic functions, but security often has to take priority over convenience at the global financial services corporation, says Kevin Cassady, managing director of global digital workplace technology. BNY Mellon's security challenges include the need to comply with constantly changing sets of regulations in multiple jurisdictions, including the EU, various Asian countries, the U.S. and even specific states (California, for instance, has its own online privacy regulations).

Like Avnet, BNY Mellon uses Good Technology mobile management tools, and employees are pleased with the setup, says Tom Dicker, COO of the company's Wealth Management unit. Dicker says he chose to be part of the company's containerization pilot project "because we saw a lot of benefit in getting out of the 'hardware business' of buying and issuing our employees corporate-owned devices and managing all of the variables with service contracts."

Though employees were initially skeptical, they soon found they could download and view documents much more easily than they previously could, Dicker says. They also appreciated the fact that they no longer had to carry two devices and two chargers.

"We also found an unexpected benefit in that we could expand connectivity deeper into our organization, because any employee at any level who wanted to could get connected to work through their mobile device," he adds. "When we were providing devices, because of costs, we were only providing them to midlevel managers." Another plus is that there's less likelihood of hard copies of sensitive documents being out in the open, because employees can keep documents on their mobile devices.

"More usability is something that we're looking for, but the container meets our security standards," Cassady says. "We believe that the industry is evolving toward providing both security and usability."

No one feels the need to balance productivity and security more than Darin Adcock, CIO at Fresno, Calif.-based law firm Dowling Aaron, whose attorneys deal with highly sensitive client information every day. Even so, he says, "productivity was the driving force" in Dowling Aaron's BYOD initiative.

"If I made the attorneys log in to the phone, I didn't want to force them to log in to a container [as well]," Adcock explains. "We needed speed but also security." Adcock ended up choosing AirWatch's EMM platform, which uses the containerization capabilities within the major mobile operating systems rather than a separate container. (AirWatch also offers its own container technology.)

Trivial pursuit?

Many users report that usability difficulties are more likely to be trivial irritations than real inconveniences. "Microsoft is not going to give me the code for Office 365 so I can easily put it in my container," says Wright of Sutter Health. "I have to put in a browser shortcut and make it look like Word or PowerPoint. It's not a showstopper."

On the other hand, there are times when seemingly trivial usability issues end up posing significant challenges, as Don Darling discovered when he was IT director at a healthcare consulting firm that used a particular vendor's containerization technology. "Our users would keep their contacts in Microsoft Outlook within the container, but the information couldn't go beyond the container," Darling says. "As a result, caller ID didn't work anymore, so the consultants wouldn't know if an incoming call was a client or not."

Darling recommends using management tools that maintain control, even on a granular level. "We eventually allowed a portion of the data to flow outside the container. We could set it using our management consoles, and push the policies down to the devices," he says. Even so, Darling occasionally encountered problems arising from the fragmented nature of the Android operating system. "In our testing, we would send remote wipe instructions. We had one situation where it worked, but then we upgraded the software, and the wipe failed," he recalls.

Mixed reviews

Gartner's Cosgrove acknowledges that containerization may continue to present usability challenges. "The feedback I'm getting is very mixed," he says. "The mobile [operating systems] are still immature, and the management tools often don't work as expected."

Forrester's Kane agrees, though he notes that while some stumbling blocks may be caused by the technology itself, others may be of IT's own making -- for example, usage policies may be too restrictive in some cases or not restrictive enough in others. "There are still growing pains," he says, "but the situation continues to improve."

Tina Snyder's experiences as mobile device team lead at the Oak Ridge National Laboratory bear out the analysts' characterization of the state of the market.

Explaining that the lab moved from Good Technology systems to Citrix products, she says, "We had a rough start with the Web browser. We worked closely with [the vendor] to give them guidance on what we were expecting from the browser, and they've come a long way." She ranks it as having "90 percent functionality" of a mobile browser. (The lab emphasizes that its usage of a particular product should not be construed as an endorsement.)

The reaction of Oak Ridge users has been "not too bad," says Snyder. "Links [to containerized applications] can just be icons on the home screen," she says. "Users don't see the container itself unless they get prompted for the password, but they don't have to log in to a container and then the app."

What the future holds

If containerization is 90 percent there, what comes next? "We'll be able to unify management of mobile devices into a single console," says VMware's Wasmer. "Apple has made it clear that they care deeply about how EMM partners integrate with the OS, and they've set a high bar for privacy and security."

Citrix's Raisinghani echoes that idea: "Containerization is not just about storing and processing. It's also about interactions that people have with the device and anything corporate that touches that device," he says. A primary growth area, he predicts, will involve the ability to take a lot of different processes and tasks and bring them together. "How do I mobilize that entire app and processes, and deliver them in that secure container environment to a mobile user? How do I make sure the entire process flow is containerized?" he asks.

It's no surprise that EMM vendors are pointing to management as a key element of containerization, but analysts are also thinking along those lines. "Containerization is increasingly a product feature, rather than a discrete functionality," Cosgrove says. "It'll be how you manage devices and solve other types of problems relating to authentication and VPNs."

Furthermore, he predicts that containerization and management features will increasingly show up in mobile operating systems: "iOS and Android will provide more containerization, and they'll get better about privacy as well," he says. BNY Mellon's Cassady is equally optimistic, noting that "a more transparent experience" could be possible anytime in the next two to three years. "Some significant players are putting a lot of money into the space to make the native experience better for users," he says. "The industry has been making great strides in those areas. They just need to make more."

This story, "Containerization moves beyond the full erase" was originally published by Computerworld.

Copyright © 2016 IDG Communications, Inc.