Dual-identity Smartphones Could Bridge BYOD Private, Corporate DivideAdded 27th Nov 2012
Late next year, consumers will be able to buy smartphones that either come with native hypervisor software or use an app allowing them to run two interfaces on the phone: one for personal use, one for work.
The technology could help address an issue that has cropped up with increasing frequency at work: Employees who bring their personal mobile devices to work and use them to communicate with clients and to access corporate data. The issue can cause friction at companies that need to safeguard their data on employee-owned smartphones and tablets and want to be able to remotely wipe the devices of data if they're lost or if an employee quits or is fired.
The bring-your-own-device (BYOD) trend has enabled a more efficient and mobile workforce while exposing companies to a myriad of security and data management quandaries. For example, corporate BYOD policies limit what devices can be used based on the type of mobile device management software their IT shop has deployed.
Next year, software and mobile device manufacturers will enable what are essentially two instances of the same OS on a smartphone. That will give corporations secure control over their data and employees the personal data privacy they want, keeping it from being seen or wiped by corporate IT.
VMware and Red Bend are two of the leading software companies that have already signed OEM agreements with smartphone manufacturers to create dual-identify devices from some of today's most popular models.
The two approaches to the smartphone virtualization market, however, are different and hinge on whether the software provider is using a Type 1 or Type 2 hypervisor.
A Type 1 hypervisor is hardware-based technology that creates a second copy of the OS and runs both instances in two distinct regions of a processor. A Type 2 hypervisor runs as a guest OS on top of the host OS, not in parallel like a Type 1. The guest has to communicate through the host OS in order to access the hardware.
Type 1 hypervisor technology is considered more secure because it's integrated into the processor, said Ken Dulaney, a vice president and distinguished analyst at research firm Gartner.
Red Bend's Type 1 hypervisor will run on a new generation of mobile processors due out next year. It now has a partnership with ARM, which is developing a new Cortex-A15 processor to take advantage of mobile virtualization. "So it's the best security combined with the best performance," said Lori Sylvia, Red Bend's executive vice president of marketing.
ARM has also partnered with AMD to develop new x86 processors that are optimized for virtualized smartphones.
While more secure than today's devices, Dulaney sees a Type 1 hypervisor as kludgy because it requires dual booting of the OS -- one for each smart phone instance. "Most users reject this kind of operation because you have to go back and forth between two OSes," Dulaney said.
Sylvia acknowledged that both OSes need to boot, but said there's no performance issue. "It's the standard Android boot time," she said.
"In Red Bend's solution, the personal virtual phone boots first, and then the virtual work phone boots second. After the first one is running, it takes a few moments and then the second one is good to go, too," Sylvia said. "What goes into the work-phone instance will all be customized on the back end by the IT admins."
During a meeting with Computerworld, Sylvia demonstrated how Red Bend's technology works on an Android-enabled Samsung Galaxy Nexus smartphone prototype.
During the demo, if the phone was displaying the private user interface and a phone call came in from a person listed in the phone's corporate contact list, the device automatically changed interfaces to the business instance. The phone smoothly moved between the two distinct interfaces.
"The performance can be totally optimized because I'm only seeing one instance at a time," Sylvia said. "The other OS is there, but it's not consuming the same resources at the same time."
Some smart phone makers are looking at other UI implementations, such as an icon on the home screen that switches back and forth between private and corporate instances when pressed. "The [ones] we're working with are designing their phones to be virtualized. So the issues of additional RAM, which is the main requirement for this hypervisor, will be addressed on an enterprise-ready phone," Sylvia said.
Red Bend, which got its start in 1999 writing software that enabled AOL browser upgrades, moved into the mobile area in 2003 with its Firmware Over The Air (FOTA) technology. It's now used on 1.6 billion mobile devices for mobile OS and app updates.
Red Bend began developing its mobile virtualization platform after it acquired VirtualLogix in 2010.
When the technology is available in the second half of 2013, a dual-identity smartphone buyer would simply tell their corporate IT admins about the device. If the company has Red Bend's Software Management Center installed on its mobile device management (MDM) servers, the software will initiate an OMA Device Management session and send a delta file to the phone. The delta file copies the Android OS to create a second instance on the device.
The IT administrator can then customize the "corporate image" on the smartphone with whatever applications the company has chosen for its employees. For example, the corporate image could include a VPN, meeting apps, and access to the company email system.
VMware's Horizon Mobile software
VMware has also been working on the idea of a Type 1 hypervisor on mobile phones. Four years ago,VMware purchased France-based Trango Virtual Processors, a maker of Type 1 hypervisor technology. After several years of development, however, VMware decided not to use Trango's technology because it didn't see support among smartphone manufacturers for hardware-based virtualization, according to Srinivas Krishnamurti, VMware's senior director of Mobile Solutions.
"Type 1 hypervisors for mobile phones are hard to build and maintain in a scalable manner," Krishnumurti said. "The chip makers -- the Qualcomms and the Texas Instruments of the world -- were like, 'Why should I invest in rewriting all my device drivers, and doing a bunch of battery, graphic and performance optimizations that no [systems manufacturer] is asking me for?'
"So it's hard to do it without an ecosystem, and the ecosystem is not going to do it unless their customers are asking for it," Krishnamurti added.
VMware chose a Type 2 hypervisor product, Horizon Mobile, which will either be embedded on a smartphone and awaiting activation or a free, downloadable app. It will be available to U.S. smartphone users next year.
VMware already has deals in place with LG, Samsung and Motorola to embed its Horizon Mobile software on their devices. Motorola is already selling its Droid Razr M smartphone in Japan with VMware's hypervisor technology.
"Our expectation is there will be multiple devices from each vendor available in the U.S. in 2013," Krishnamurti said. "And there are three or four other vendors we've not yet announced. Our expectation is there will be a lot of Android phones that will have our hypervisor on them."
On the corporate side, IT administrators who want to enable employee smartphones for business use can buy VMware's administrative interface, Horizon Mobile Manager. When an employee with a Horizon Mobile-enabled smartphone wants to activate the "corporate" interface, all he or she needs to do is choose the app; it will ask them to log in with their corporate name and password.
The Horizon Mobile Manager server on the backend will then recognize the log-in, and a pre-configured Android or iOS instance (with all the work apps) will be pushed to the smartphone. If an employee tries to transfer data or apps between the corporate instance and the private instance, the transfer is automatically blocked.
"So, we basically monetize on the management side and not on the app or the hypervisor side," Krishnumurti said. "Enterprises are the ones who are having the problems with security and making sure data doesn't leak. So they're quite willing to pay for that."
Currently, VMware's Horizon Mobile supports Apple's iOS and Android-based smartphones. VWware hasn't announced its plans for Windows phones yet. It's currently waiting to see how adoption rates scale before moving to modify the hypervisor for that platform, Krishnumurti said.
iOS products are relatively easy to support, Krishnumurti said, because Apples devices at the factory are updated when that operating system is upgraded. And typically, 50% to 60% of iPhone and iPad users download an upgrade in the first two weeks it's out. By contrast, the Android phone market is more fragmented, he said. Some OEMs upgrade to the latest version of the OS, others don't, he said.
"It's hard for us to put our arms around it. By virtualizing, we normalize and abstract away all that fragmentation and give IT their own version of Android to manage," he said. "And, there's no chance a Type 2 hypervisor will show up on an Apple device" because of the proprietary nature of Apple's hardware.
Other mobile virtualization players
Like VMware's Horizon Mobile software, CellRox's ThinVisor is a kernel-enabled hypervisor that runs on the smartphone and creates multiple "personas" to keep corporate data and private data separate. In September, CellRox announced it had launched its BYOD Multi-Persona app toolkit for Android Ice Cream Sandwich-enabled mobile device manufacturers to embed the capability on their smartphones.
Good Technology places encrypted containers in a sandboxed segment of a file system on the phone, where corporations can run their own apps securely and separate from a user's personal apps. Gartner's Dulaney said Good Technology's product isn't truly a hypervisor because it has basically built an application development container.
ARM and AMD plan new hypervisor processors
For many dual OS-instance technologies to succeed, today's mobile processors will have to become more powerful to handle the added workload and incorporate native data management and security features.
Red Bend has signed a partnership agreement with chip maker Advanced RISC Machines Ltd. (ARM) to produce processors powerful enough to run dual-OS phones. Those are expected out in the second half of 2013.
"BYOD is not just about running two OSes," said Ron Perez, an AMD fellow and the director of its security architecture organization. "It's [also] about what to do with the data produced in that corporate environment that's on the device."
In a move away from its traditional server market space, AMD earlier this year also partnered with ARM to develop x86 chips that will have ARM microcontrollers dedicated to mobile security.
ARM, and now AMD, are also working with the non-profit standards organization, GlobalPlatform, to develop the Trusted Execution Environment (TEE) API Specification. Founded in 1999, GlobalPlatform has its roots in the smartcard and payment market with member organizations such as Visa, MasterCard and American Express.
Using the ARM microcontroller on the x86 chip, the TEE would create a separate area on a mobile phone's main processor that uses data encryption algorithms to secure sensitive data stored on the device. Mobile capabilities already on smartphones would allow IT organizations to track mobile devices and erase only corporate data if the device is lost or compromised, or if the employee has left the company. For example, geo-sensor technology on smartphones would allow corporations to track where employee-owned mobile phones are and wipe the devices if they left a specified region.
"So, essentially this comes down to encryption key management. How do we protect the data from one operating system so that another operating system doesn't have access to it," Perez said. "The security processor would have that responsibility."
AMD expects its news secure mobile processors to begin shipping in the second half of 2013.
Although AMD also plans to use its new x86 chips in the server and storage industry, mobile will be first.
"The mobile platform is the most exposed," Perez said. "It's the weakest link in the entire ecosystem. That's where greater levels of separation through virtualization is needed."
Next year will see demonstrable evidence of the Internet of Things, real-time communications on the Web, and SDN-enabled platforms with killer applications for them.
A Stratecast survey has found that more than 80 per cent of employees admit to using unauthorised Software-as-a-Service (SaaS) applications during work.
Microsoft moved to reassure business and government customers worldwide that it is committed to informing them of legal orders related to their data, and will fight in court any 'gag order' that prevents it from sharing such information with customers.
Distributed denial-of-service attacks against financial firms and other industries have been mounting, so today the Cloud Security Alliance (CSA) announced it is establishing the Anti-Bot Working Group to help fight this threat.
The majority of today's CIOs see value in mobilizing enterprise applications and in deploying mobile-related innovations such as GPS features, location-based services (LBS), mobile payments and QR codes. Many also say their organizations are already somehow increasing revenue and developing new revenue streams directly related to mobile. But nearly as many CIOs also see the cost of deploying new innovations as prohibitive and complexity as a major concern, according to a new survey commissioned by Mobile Helix, a mobile security vendor.
The price of bitcoins may be soaring, but China isn't too thrilled with the virtual currency. On Thursday, the nation moved to regulate use of bitcoins, stating that its financial institutions could not deal in the virtual currency.
New attack campaigns have infected point-of-sale (PoS) systems around the world with sophisticated malware designed to steal payment card and transaction data.
Ruby on Rails users are advised to upgrade to newly released versions of the Web development framework that contain important security fixes, according to the Rails development team.
Mobile technology is increasing the complexity, usage and costs of mainframe applications, according to Compuware research.
Asian markets are ready for advanced mobile technology and fast connectivity, according to new insights released by Telenor Group in Asia.
Large smartphones with 5-in. or larger displays -- often called phablets -- are eating into sales of smaller tablets with screens in the 7-in. range.
Analysts have predicted that the Internet of Things will continue to grow in 2014, and more enterprises will start to realise the potential benefits.
When end users circumvent the IT department and start using software-as-a-service (SaaS) applications without permission, the IT pros complain about the plague they call "shadow IT." But it would seem the professionals are also operating in the shadows, according to a survey out today.
Once upon a time, not so long ago, the IT admin chose exactly what hardware and software would be used by employees. Recent trends like the consumerization of IT and BYOD (bring your own device) have shifted the balance of power, but IT still has to maintain some degree of control over the applications used and where sensitive data is stored. Many users just download apps or start using unsanctioned services, though, and introduce unnceccesary security risks through "shadow IT."
Once heavily reliant on the Chinese market, Lenovo is now looking to make acquisitions as it tries to expand its growing enterprise business to other countries.