Less than ten percent of businesses have a comprehensive security policy in place to protect employee-owned devices, according to a recent Compass Intelligence survey, leaving the vast majority of the Bring Your Own Anything (BYOx) market open to hackers and phishing attacks. Containerization is one method of separating device and corporate data with the intent to secure it. But despite most mobile management offerings applying container technology to their security suites, this method is only part of a holistic solution.
According to the Compass Intelligence survey of more than 1,700 business decision-makers of technology and wireless devices, less than 10 percent of respondents have a BYOD policy in place.
“Roughly five percent of businesses today actually have a way (through containerization or a specific BYOD solution) to separate business and personal applications and/or content,” said Stephanie Atkinson, CEO of Compass Intelligence, in a blog post. “This presents a growing concern over security, device management, protecting proprietary company and client data, and the ability to wipe a device clean when lost or stolen.”
SiliconANGLE contacted three industry experts to discuss their take on containerization, in particular the question of whether or not this data management method has solved the BYOx security issue.
Containers discourage end-user excitement over mobile
Andrew Hoog, CEO and Co-founder of viaForensics, LLC
Containerization is a stop-gap measure where IT departments are establishing their fiefdoms on users’ phones. While certain types of data can be encrypted, alienating end users will eliminate the excitement, enthusiasm, and efficiency that drives mobile. Containerization is a mature technology, but whether you can make users adopt it is another question. With viaProtect, our goal is to put security in the users’ hands in a way they can get excited about.
Containers have not solved the BYOx issue, but are one layer of many that are present in the mobile security model. Completely securing enterprise data in a container still doesn’t mean that data is 100 percent secure, since attackers who are able to gain root access to the device can compromise the container every time.
Containers also put a significant barrier between the user and what they are excited about on mobile — quick access to data, new apps, speed and usability. In effect, containerization strategies deployed by IT departments tend to alienate end users. As part of the security model, containers are able to protect data from “low-hanging fruit” risk scenarios, like a user physically losing their device on the subway or having it stolen, but they do not protect the most critical areas.
If you’re a company that has intellectual property, highly sensitive data, information that falls under HIPAA security rules, an attacker is going to look for devices that have a container on them. An attacker is going to compromise that device and then wait until it is authenticated against the container because attackers know that’s where all the good stuff is. Containers are just one technique, effective in some cases, but they are not a complete solution and companies need to adopt a broader view for better mobile security.
Monitoring & education can supplement containerization
Nicole Pauls, Director of Product Management and Security at SolarWinds Worldwide, LLC
While containers are another effective layer in a defense-in-depth strategy, it’s unlikely we can consider anything “solved” when it comes to security. The reality is there’s still a user involved, there’s still authentication, and there are a lot of attacks that go after precisely these things. Rather than exploiting a technical security weakness, they exploit the human weakness. On personally-owned devices, users may have a different sense of ownership than with a corporate-owned device, and they might use them in more — for lack of a better term — promiscuous ways that could lead to everything from keyloggers to phishing scams targeting their data. Creating a barrier of entry like a container raises the barrier of entry for data access, but it won’t necessarily prevent it.
The technology for end-to-end BYOx management is still early, and it will take time for things to mature. You will always have to fight against targeted attacks and users’ exposure of their own data, though that is a challenge on enterprise-owned systems as well. So, perhaps by saying we’ve raised the bar to “almost as good as a corporate-owned system,” we’ve indeed come a long way.
Targeted attacks, phishing, and social engineering continue to pose a threat. As such, it’s important to apply a defense-in-depth strategy that also includes monitoring and education.
Containerization has yet to scale in BYOD
Subbu Iyer, Vice President of Product Management at Bluebox Security, Inc.
Containers have helped to secure email, calendar and contacts on mobile devices, but the same approach has not scaled well to workflows involving third-party apps normally desired to enhance productivity.
Comprehensive BYOx security of the app, OS and network layers should involve protecting the app data at rest as well as in transit. To avoid such a solution being limited to email, calendar and contacts alone, it would also need to allow any app to be dynamically containerized upon user request to keep up with the increasing demand to include new apps in productivity workflows. Each containerized app would also need to become self-defending to detect integrity failures of the device or its own app logic. Additionally, the app would need to defend its data in the event that a device is vulnerable to unpatched security vulnerabilities, has hostile malware present or is in an un-trustable state.
An environment would thus need to be created on the device where apps can dynamically be containerized, made self-defending and work together in synergy to ensure that corporate data is secured within these container apps. From a technology perspective, it is certainly possible to do that. Bluebox started off as a company with exactly this goal and delivers comprehensive security at the device, OS, app, and network layers.
While containers have largely focused on protecting corporate data largely for internal employee usage, the technology has to scale now to protect any application that’s used internally or externally. It is not enough to think of containers as a way to protect employee data on a BYOx device. Containers can and should protect any app’s data, at rest and in transit, for any kind of internal or external business needs.
The usage of containers alone does not provide perfect risk management capability. The security posture of the containers is subject to the environment the container executes within, namely the device. The integrity and trust-ability of the device must be taken into account automatically by the container, such that the container is immediately aware of whether it can achieve its security agenda.
Rather than being limited to individual silos of applications, the container must encompass all corporate applications on the device, allowing secure data to be shared amongst those apps. This will allow users to share documents with their containerized productivity apps and internally developed apps.
Container technologies have to scale toward this end, and avoid becoming individual silos for just email and calendar or a handful of third-party apps.
Cheryl Knight contributed to this article.