Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/1/2011
01:59 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

MDM: To Sandbox Or Not To Sandbox?

Mobile device management systems take different approaches to sandboxing. Is mobile virtualization the answer?

Most enterprises must make a tradeoff when it comes to mobile device management, or MDM, systems, because providers fall into one of two camps: those, like Good Technology, that provide a single sandbox where all corporate data goes, and those, such as MaaS360 or MobileIron, where the device has some sandboxing (for email) but most of the MDM client's work is done in conjunction with the operating system's apps and features.

The two approaches have pros and cons, and some organizations have a very difficult time deciding which route to go. Well, life is set to get a bit easier now that Verizon has partnered with VMware and AT&T has linked up with Enterproid's new Toggle to bring mobile virtualization to the market.

While sandboxing is traditionally done at the application level, the new technologies from VMware and Enterproid focus on creating partitions, using virtualization, to sandbox the entire mobile device. That allows a user to run two versions of a mobile operating system at the same time on the same phone: one for work, one for personal use.

In a video from the Qualcomm QPrize event demonstrating Entreproid's technology, you can see how a mobile user can seamlessly switch between the two "phones" and have full access to all 250,000+ real apps within each partition, as if they were the only apps on the device. We can finally allow Angry Birds to be installed in the personal partition and prevent it from running in the corporate partition. Huzzah!

While you can't get your hands on the tech until later this year, it has been discussed since 2009 and has been securing a very well-known user's mobile phone for over a year: President Barack Obama uses this type of virtualization technology on his BlackBerry to separate the highly secure apps he needs to run from the rest of the phone.

The benefits to enterprises are pretty compelling, too. Mobile virtualization provides all the advantages of sandboxing--mainly, full encryption of all corporate data and easy wiping of that data--as well as the benefits of non-sandbox-based approaches; for example, employees can use native mobile apps, such as the calendar and mail clients, without having to be retrained on a quirky interface from a vendor such as NitroDesk TouchDown or Good. There are new benefits, too, such as allowing an end user to upgrade to a new version of Android while the corporate partition stays at a corporate-enforced version.

We don't recommend you hold off on your MDM or mobile strategy until these technologies are available, since all the vendors we spoke with say that'll take a few months. But definitely keep it on your radar. I think that mobile virtualization will be a game changer for the enterprise if phone manufacturers provide devices that will support the technology. The holdup there is that the phone must have enough processor power and should be a dual-core device. Almost all the new Androids are dual-core, and this is something to consider if you provide stipends or guidance for users on device selection.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J to the C
50%
50%
J to the C,
User Rank: Apprentice
11/4/2011 | 5:26:36 PM
re: MDM: To Sandbox Or Not To Sandbox?
I just read about 3LM. Looks like it takes Android to the iOS security level(s). Have you read about Mocana as well? Eventually BYOD will become BYOA (bring your own apps).
GrantMoerschel
50%
50%
GrantMoerschel,
User Rank: Apprentice
11/3/2011 | 11:13:32 AM
re: MDM: To Sandbox Or Not To Sandbox?
These are interesting developments. As I've learned more about the MDM space, I've come to the conclusion that Good-type solutions are typically going to be a dead end because user's will revolt if they can. In high security environment they can't revolt but in most others they can. Also it'll be interesting to see how standardized OS mods like those done by 3LM.com will play into hopefully normalizing the major flavors of droid so that they can be consistently controlled. Or will these VM's simply fix it all by giving people two completely different interfaces both of which are friendly and not restrictive.

Grant Moerschel, InformationWeek contributor
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
11/2/2011 | 11:14:03 PM
re: MDM: To Sandbox Or Not To Sandbox?
I agree. Mobile VMs will be the key to managing BYOB devices in a corporate environment. As pointed out, it is probably the cleanest and easiest to manage approach.

Jim Rapoza is an InformationWeek Contributing Editor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18375
PUBLISHED: 2020-04-10
The ASG and ProxySG management consoles are susceptible to a session hijacking vulnerability. A remote attacker, with access to the appliance management interface, can hijack the session of a currently logged-in user and access the management console.
CVE-2019-18376
PUBLISHED: 2020-04-10
A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.
CVE-2019-7305
PUBLISHED: 2020-04-10
Information Exposure vulnerability in eXtplorer makes the /usr/ and /etc/extplorer/ system directories world-accessible over HTTP. Introduced in the Makefile patch file debian/patches/debian-changes-2.1.0b6+dfsg-1 or debian/patches/adds-a-makefile.patch, this can lead to data leakage, information di...
CVE-2020-8832
PUBLISHED: 2020-04-10
The fix for the Linux kernel in Ubuntu 18.04 LTS for CVE-2019-14615 ("The Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors.") was discovered to be incomplete, meaning that in versions of the kernel before 4.15.0-91.92, an attacke...
CVE-2020-1633
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, lea...