New containerization technologies can help BYOD initiatives succeed by creating separate spaces on smartphones for work and personal use.
安东尼·珀金斯想在纽约梅隆银行的员工,使他们的个人智能手机,并使用这些而不是公司配发的黑莓手机to access business email, applications and data.
But there's a catch: Not all employees are comfortable with the prospect of having their personal phones locked down and controlled as tightly as the BlackBerries that Perkins would like to phase out. That's where the notion of containerization comes in.
A bring your own device (BYOD) strategy is good business, says Perkins, managing director and CIO at the bank. It reduces the time and expense involved with maintaining and managing company-owned BlackBerries. "We'd like to be in the business of managing software, not hardware. In the RIM world you manage hardware," he says, referring to Research in Motion, the BlackBerry's manufacturer.
On the down side, today's popular mobile devices were developed for the consumer market, and third-party management tools don't have the same management hooks that RIM can offer, since it designed and controls the BlackBerry client architecture and has been especially responsive to the needs of corporate customers.
Managing mobile from the cloud
Mobile device management typically involves installing agent software on each user's device and setting up a server-based management console. Don't want to do it yourself? Service providers that help IT manage mobile devices and software are plentiful.
For example, integrator Vox Mobile offers a"managed mobility" service包括全面的监测和报告,提供的Fiberlink对MaaS360企业电子邮件和文档,以及移动运营商AT&T推出了基于云计算Toggle mobile management service去年。
与切换,AT&T安装在每个智能电话,其中用户登录“工作容器”与密码。然后,管理员可以通过称为切换集线器基于云的门户网站和应用程序商店的方式来管理容器的策略。在第三季度,AT&T计划,以增加在所有被管理的设备上运行防病毒扫描,以及对锁或擦拭容器的能力。
"More and more of thiswill move into the cloud. But today it's still a small percentage," says Phil Redman, an analyst at Gartner.
"Where this is leading is dual data plans on the same device," says Mobeen Khan, executive director of advanced mobility solutions at AT&T. "You will have a phone number for the container and one for your personal device."
安东尼·珀金斯,在纽约梅隆银行董事总经理兼CIO,非常兴奋这样的前景。这是目前正在开发的产品“我们正在与Verizon和AT&T上有两个电话号码,一个SIM电话交谈,”他说。珀金斯说,运营商都告诉他那些产品都是短短几年了 - AT&T拒绝可用性评论 - “这可能是方向,我们会去”,但无论是两年十个,他说,
But Perkins says those advantages are outweighed by users who are generally more productive due to the multitude of productivity apps available in theAndroidand iOS worlds. And most importantly, having a BYOD policy is "a great way to recruit and retain young talent."
由于企业应用和数据往往是在与用户的个人内容混合,移动设备管理(MDM)工具往往是非常保守的,当涉及到用户的手机管理企业资源,与政策通常适用于整个设备,包括个人和专业应用和数据。用户可能不愿意放弃控制自己智能手机in exchange for receiving access to corporate apps and data.
To get around that user resistance, Perkins is turning to containerization -- an emerging class of management tools that carve out a separate, encrypted zone or policy bubble on the user's smartphone within which some corporate apps and data can reside. In this way, policy controls apply only to what's in the container, rather than to the entire device.
Mostly, containerization tools are complementary to MDM software, with increasing numbers of MDM vendors incorporating containerization techniques.
That said, as great as containment is for limiting corporate liability, it doesn't help any personal data that may be lost due to a wipe if the phone is lost or stolen. Some IT departments are recognizing that users may need help backing up their personal data and apps, and some, like Jacobs Engineering, arehelping their end-users get set up with backup systems.
瑞安特里,分裂CIO和CSO在大学医院卫生系统在夏克海茨,俄亥俄州,转向集装箱,因为他看到了使用传统的MDM工具来控制整个设备的责任问题。医院需要有应用程序或数据安全地交付给临床医生不与用户访问个人应用和数据的能力干扰。“我们不能删除个人性质的事物或阻碍其使用他们的个人资产的能力,”他说。
Alex Yohn, assistant director of technology at West Virginia University, is also wary. "I don't want my guys doing settings on the personal side that could come back to haunt us," such as accidentally deleting data or making configuration changes that affect how the users' personal apps run.
For businesses that need strictsecuritypolicy and compliance controls, such as the highly regulated healthcare and financial services industries, containerization can be especially helpful in making the BYOD experience more palatable for users, IT leaders say.
选择你的容器
现有的供应商提供,在本质上,三种不同的方法集装箱:
- 创建加密的空间,或文件夹,在其中的应用程序和数据可以被倾倒
- Creating a protective "app wrapper" that creates a secure bubble around each corporate application and its associated data
- Using mobile hypervisors, which create an entire virtual mobile phone on the user's device that's strictly for business use
All of these technologies offer more granular control over corporate applications and data on users' devices than whatever security comes standard with smartphones currently. And users' devices no longer need to be on a list of smartphones that has been certified and tested by IT, because corporate apps and data reside inside a secure, encrypted shell.
However, the need to switch back and forth between the business and personal environments may be perceived as inconvenient and affect overall user satisfaction, says Phil Redman, an analyst at Gartner.
Neither Apple nor Google offer containerization technology, and neither would comment for this story, but their respective spokesmen did point out some resources that might be helpful. (See sidebar, below.)
Encrypted folders
The most mature containerization approach is the encrypted, folder-based container, Redman explains.AirWatch在这个空间中的祭,Good Technology公司是企业采用集装箱化方面的早期领导者,特别是在监管企业。
For basic mobile access, BNY Mellon usesGood for Enterprise创建于内,用户可以运行良好的电子邮件和日历客户端,并使用安全浏览器的智能手机的加密空间。“这是与应用程序,可以发送和接收经过加密的企业电子邮件安全的容器,”帕金斯说。所有的通信都通过良好的网络运营中心,该中心验证移动用户发送。
Where Apple and Google stand
Spokesmen for Apple and Google would not comment for attribution but both pointed Computerworld to documents and offered clarifications by email. Here's a summary.
Google Apps for Business, Government and Education administrators can use the Google Apps Control Panel to manage end users' Android, iOS and Windows Mobile devices at the system level. The panel enables the device to sync with Google Apps, encrypts data and configures password settings.
Another tool, called Google Apps Device Policy, enforces security policies such as device encryption and strong passwords and can also locate, lock and wipe a device. It can also block use of the camera and enforce email retention policies. However, partial wipes of just corporate data are not supported.
MDM vendors can use Google's Android Device Administration API to provide similar controls outside of Google Apps.
As to Google's position on the use of containerization/app wrapping technologies that require access to binaries to create a policy wrapper around apps that are enterprise-specific, Google does not offer such a tool itself and declined to comment further.
欲获得更多信息:
访问谷歌的博客:http://googleenterprise.blogspot.com/2012/08/make-mobile-more-manageable.html
Android Application Security:http://source.android.com/tech/security/index.html#android-application-security
Apple
苹果公司说,它支持第三方MDM工具。它允许MDM服务器从App Store管理内部应用程序和第三方应用程序,并支持去除在MDM服务器管理的任一或所有的应用程序和数据。
In practice, however, MDM servers are limited. While most tools allow for selective deleting or blocking of specific enterprise apps, there's no automated way to identify and erase all of the associated data. "No IT manager can sit around and go through thousands of files that may be on each user's phone," says Phillip Redman, an analyst at Gartner Inc.
至于苹果对应用需要访问应用程序的二进制文件创建一个围绕是企业特定应用程序的策略包装集装箱/应用包装技术的位置上,苹果并没有提供这样的工具本身并拒绝发表评论。
欲获得更多信息:
Visit Apple's iPad in Business Web page:http://www.apple.com/ipad/business/resources/
下载MDM部署方案文件:http://images.apple.com/ipad/business/docs/iOS_MDM_Mar12.pdf(PDF)
就其本身而言,很好's basic email and calendaring capability has been available for several years. Late last year it added the capability for other apps to run within its protected space using the Good Dynamics Platform, but each app must be modified to run in Good's proprietary environment. So far, about a dozen commercial apps are available, including QuickOffice, which is typically used for reading and editing downloadedMicrosoftOffice文件附件。
帕金斯只使用电子邮件和日历好 - 的“杀手级应用”的大多数员工,他说 - 和访问内部,使用良好的浏览器基于浏览器的应用程序。
For full-on access to the corporate network, SharePoint and other services, BNY Mellon relies onFiberlink's MaaS360, 一个云-based MDM system it has configured to take complete control of the user's device. MaaS360 monitors what gets written to and from the operating system, and blocks access to some personal apps, such as Yahoo Mail and Gmail, when the device is accessing corporate resources.
"When it's on our network we own it and control it," says Perkins. When used in personal mode, individuals have control over which apps they can use.
更重要的是,纽约梅隆银行可擦除的设备 - 包括所有用户的个人应用程序和数据的 - 如果它丢失或被盗,虽然MaaS360和大多数其他主要MDM工具做允许选择性擦除。以安全为由,帕金斯拒绝透露该公司已经有多少次擦拭已丢失或被盗的手机。
In comparison, if the Good-based units are lost or stolen, only the corporate container is wiped.
这并不奇怪,一些员工concerned about turning their personal smartphones over to "Big Brother." The Good alternative, Perkins says, is more palatable for users who want access to just the basics: email, calendar and a secure browser.
App wrapping
这是一个新的,更细粒度的方法,其中每个应用程序都包含在它自己的加密策略包装或容器。这允许管理员量身定制的政策给各应用。与专有方法小摊贩占领市场,包括Mocana,Bitzer Mobile,OpenPeakandNukona(recently acquired by Symantec).
For its part, RIM is working on adding this capability to its黑莓移动融合MDM软件,可能只要2013年5彼得Devenyi,企业软件的高级副总裁(移动融合的Android和iPhone设备以及对黑莓。运行)说,RIM的产品将是“集装箱化的解决方案,其中一个可以包装而不需要程序修改源代码,这样就可以作为企业应用程序运行它,管理它作为企业的资产“。
"Using these tools you can put together a pretty complete, fully wrapped productivity suite that's encrypted and controllable," says Jeff Fugitt, vice president of marketing at mobile integratorVox Mobile. So far, however, the customer base for the technology is relatively small.
Forrester分析师克里斯蒂安·凯恩描述应用程序包装为“应用级VPN”,可以让制定政策,以确定哪些应用程序可以与用户的设备上或在网络上交互的管理员,什么访问应用必须后端资源。它还允许该容器的远程擦拭,包括应用程序和任何相关联的数据。
应用包装还不成熟。菲尔·雷德曼,Gartner分析师