BYOD Requires Secure Containers for Mobile Devices

The BYOD, or bring your own device, trend seems to be expanding. There are many aspects to BYOD, but the use of end devices, whether they are PCs, netbooks, laptops, smartphones, or tablets, for both personal and business uses opens up security problems. The business use by enterprises in general requires more stringent security measures, and their applications and data should be separated from personal applications and data.

Several companies I talked to directly or heard about have implemented a secure container to separate secure (business) and unsecure (personal) areas. However, a secure container can mean different things to different companies. In the recent Consumerization of IT in the Enterprise 2013 conference, Leo Rohlinger, Executive Director, AT&T Mobility Solutions Services, mentioned that they use a secure container, but he did not elaborate. Their technology is called Good Dynamics. It would be helpful to compare flavors of secure container technologies. I may do it when I find time.

In any event, at the same conference I had a chance to meet with David Appelbaum, Senior VP marketing of Moka Five, which was founded by five people from Stanford University. Their implementation of a secure container is noteworthy.

David Applebaum

The following is a summary of my chat with David.

If we picture secure and unsecure areas on end devices, we may draw a figure like that below. The enterprise applications and data are stored in a secure container, while our personal applications and the data associated with them are left in their original environment outside the secure container.


Figure 1. A secure area (the secure container) and an unsecure area (the original environment)

How does MokaFive do it? Its LivePC corresponds to the secure container. You can choose two configurations. You can keep your own applications and data outside the secure container, as in the diagram above, or you can put everything in LivePC, as shown in their picture below.

Figure 2. MokaFive’s LivePC (secure container)

Let’s ignore the left side of the figure for a moment and concentrate on the right side. The right side is your Windows, Mac, or Linux personal computer. They call the secure container M5 LivePC. Notice that you now see three different layers in the secure container. The two layers in red represent secured user data, settings, and applications layers, and the blue layer is the secured corporate OS and applications area. The secure layers are fully encrypted and are allowed to communicate with the enterprise internal network and assets over a secured and encrypted connection, either the Internet or a dedicated one.

Host-based user data and applications, on the other hand, do not have access to the corporate network and are separated from the secure layer. In other secure container implementations, a secure container tends to include only the layer or entities that need to be secure from the corporate point of view. But in MokaFive’s implementation, both corporate and user configured assets are inside the secure container. If you put your applications and data in it, you can apply LivePC’s manageability to them including full image rejuvenation in the event of host failure. Also, it is more secure than leaving them outside the container.

Also note that LivePC resides physically on the end device but is not a virtual desktop. LivePC is a virtual machine running on its own hypervisor. LivePC can support two virtualization schemes: type 1 and type 2. Type 1 allows its virtual machines on the bare metal without the native OS in the end device. Type 2 lets a virtual machine run on the host OS. This setup may be convenient in some cases. For example, if your company does not want to move to Windows 8 yet, they can pack Windows 7–based applications in LivePC. On the other hand, you may want to use the latest applications for Windows 8 outside LivePC. This satisfies both corporate and personal requirements at the same time.

Type 1 virtualization


Type 2 virtualization

Figure 3. Virtualization types 1 and 2 compared

Virtual layers

The virtual layer is Moka5 IP and has a patent on it (along with others). My understanding after skimming the patent document is that each of the three layers manages specific assets and is based on the underlying corporate OS. User data, user settings, and user configurations are maintained and secured and in this way image updates, patches, new installs, etc., can occur in the corporate layers leaving the user layers intact and vice versa, In this way, the granular management of User and Corporate layers can be maintained while also enabling broad management and provisioning of devices can also happen. This is very different from other implementations of a secure container.

Anything in LivePC or LiveData (on a mobile device) are fully secured and encypted..

The server side

Let’s focus on the server side, the left side of figure 2 above. Golden image refers to the verified copies of the OS and applications that are sanctioned by the corporation and free of any virus or other malware. Along with those copies, policies (in their proprietary format) are brought in to the M5 server to form a LivePC to be shipped to each end device.

When your corporate applications and data are infected or tampered with on your personal computer, you can download the verified version, which you know to be OK, from the server, and recover easily. This includes user data and configurations – you can rejuvenate the entire system to its last known clean state prior to the infection saving significant time, money, and effort. Their system works offline as well as online. The data synchronization problem will be taken care of by each application. Also, if a newer version of the corporate OS or corporate application are introduced, they will be updated when you come online the next time.

Smartphones and tablets

For those smaller devices with fewer features, MokaFive has a product called LiveData, which essentially does the same thing with fewer features.

Energy thoughts

Now let’s see if this technology has any direct impact on energy efficiency. Moka5 is vastly more energy efficient than say, VDI because it requires minimal back-end infrastructure. Rather than having to store, serve, and manage, the entire desktop for an organization in a data center, Moka5 requires only a minimal amount of server access. The combination of server upgrades, server availability, SAN upgrades, router upgrades and the associated increase in HVAC and power costs are not insubstantial and represent a significant area of hidden cost. A power utility company like PG&E can use this technology. There are many linemen working in the field to maintain and repair their extensive infrastructure. I think even a conservative industry like the power industry will embrace BYOD soon, if they have not done so yet. Linemen would find it much easier to have relevant and secure repair and maintenance information at their fingertips. Rather than issuing a large number of devices, PG&E may find it less expensive to allow linemen to bring their own gear. Also, with timely information, dispatched linemen would be able to do their job without wasting time locating the exact points of problems.

Zen Kishimoto

About Zen Kishimoto

Seasoned research and technology executive with various functional expertise, including roles in analyst, writer, CTO, VP Engineering, general management, sales, and marketing in diverse high-tech and cleantech industry segments, including software, mobile embedded systems, Web technologies, and networking. Current focus and expertise are in the area of the IT application to energy, such as smart grid, green IT, building/data center energy efficiency, and cloud computing.

, , , , ,

No comments yet.

Leave a Reply