The Bring Your Own Device (BYOD) and IT consumerization trends are growing, and enterprises are starting to embrace rather than fight them. Accepting these trends means facing several new problems and requirements to make sure these devices behave as trustworthy end devices in the corporate network. Under these new trends, an employee’s device will contain both his personal and business applications and data. Mixing the two can be a major threat to the corporation and to employees.
Bitzer Mobile is one of the companies addressing this risk.
Of the problems stemming from these new trends, security of corporate data and networks is the most important.
Among the other problems is the fact that the sheer increase in the number of IP-based devices may exhaust the IP addresses allocated to the corporation. Something has to be done about that, but Bitzer Mobile is not addressing it. Recently at Tiecon, I had a chance to sit down with Indus Khaitan, Co-founder, VP Product Marketing & Alliances.
For secure (corporate) and unsecure (consumer) networks and data to cohabit on the same platform, they need to be separated with something like a virtual firewall. When I worked on a secure card-reader technology, we considered running one secure and one unsecure virtual machine on a hypervisor to create two independent operating environments. In this architecture, the hypervisor must be secure enough that no sensitive corporate data are stolen or tampered with by applications on the unsecure side. Although I do not know of any companies that have developed such technologies, I am sure there are some that claim to have done so.
Alternatively, you can make the whole thing very secure. For that, IPSec can be used to secure communications with the corporation from your iPhone or iPad. This approach may guarantee secure communications, but your personal applications and data may be included, and any malicious virus that may have infected your applications or data can be transmitted to the corporate network.
Bitzer Mobile’s approach
Bitzer Mobile uses a simple but secure method to solve this problem. They neither run two virtual machines nor communicate with IPSec. They use a secure container, which is a specialized app that runs on the platform, as shown in the following figure. My curiosity set in, and I started with several questions about how security is accomplished.
Because their secure container is just another application like any other on the device, no changes are required to the end device’s hardware or OS. So how can they maintain corporate security of networks and data? Bitzer Mobile uses the following diagram to describe their technology.
How do you use the secure container?
I was not quite sure how this whole thing worked on an actual iPhone. Indus gave me a quick demo with his iPhone. The Bitzer Secure Container is downloaded from the corporate server within the corporate network perimeter and is signed with a certificate. A free version of the Bitzer Secure Container is available from Apple Store for both iPhones and iPads, but only for demonstration. The container is just another application on the screen, as shown in the next figure.
When you activate the application, it opens up the container as in the following display.
Within the container, applications (such as email and calendar) that only work with the corporate internal network are available. As long as you access via the secure container, your use of these applications is secure.
Let’s talk about two scenarios: access from outside the corporation and access from within the perimeter of the corporation.
Access from the outside
Sensitive corporate data in transit from the end device to the corporate network are encrypted via SSL and are secure. The data stored on the device are also encrypted, and other applications, whether they are normal or rogue, cannot access any of the container's app data. The encryption key is not stored on the device but on the corporate server.
What if you lose the iPhone with Bitzer Secure Container on it? There are two things you can do. One is to wipe out the container application from the server with a command (see the Bitzer admin command panel in the figure above). This deletes only the container and leaves your personal applications intact. Alternatively, you can delete all the contents of the device with Apple’s MDM.
Indus added that the first option can also be used for an employee who is leaving the company. He brought in his own device and installed Bitzer Secure Container along with his personal applications and data. When he leaves, his access to the corporate network can be removed by deleting the container only; his personal stuff will remain on the device.
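The data-at-rest design described above (container contents encrypted on the device, key held only on the corporate server, wipe of the container alone) modelled as an added example. This is my own Go sketch, not Bitzer's code; the key server, the device ids and the choice of AES-GCM with the device id as associated data are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyServer stands in for the corporate server that holds each container key
// (assumed design); the device only ever holds a key in memory, never on disk.
type KeyServer struct{ keys map[string][]byte }
func NewKeyServer() *KeyServer { return &KeyServer{keys: map[string][]byte{}} }

// Enroll issues a fresh 256-bit AES key for a (constructed) device id.
func (s *KeyServer) Enroll(dev string) {
	k := make([]byte, 32)
	rand.Read(k)
	s.keys[dev] = k
}

// Revoke models the admin "wipe container" command: with the key gone, the
// ciphertext still on the device is unrecoverable; personal data is untouched.
func (s *KeyServer) Revoke(dev string) { delete(s.keys, dev) }

// aead keys AES-GCM for a single operation.
func (s *KeyServer) aead(dev string) (cipher.AEAD, error) {
	k, ok := s.keys[dev]
	if !ok { return nil, errors.New("device revoked or not enrolled") }
	block, _ := aes.NewCipher(k) // 32-byte key, so NewCipher cannot fail
	return cipher.NewGCM(block)
}

// Device stores only ciphertext (nonce || AES-GCM output) for the container,
// right beside the owner's personal data, which a container wipe never touches.
type Device struct{ ID string; Container []byte; Personal map[string]string }

// Seal encrypts corporate data into the container, bound to the device id.
func (d *Device) Seal(srv *KeyServer, plaintext []byte) error {
	g, err := srv.aead(d.ID)
	if err != nil { return err }
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	d.Container = g.Seal(nonce, nonce, plaintext, []byte(d.ID))
	return nil
}

// Open decrypts the container; it fails once the server has revoked the key.
func (d *Device) Open(srv *KeyServer) ([]byte, error) {
	g, err := srv.aead(d.ID)
	if err != nil || len(d.Container) < g.NonceSize() {
		return nil, errors.New("key revoked or container empty")
	}
	n := g.NonceSize()
	return g.Open(nil, d.Container[:n], d.Container[n:], []byte(d.ID))
}
```

Losing the device exposes only the ciphertext; revoking the key server-side is the whole "wipe", and the personal map is never touched.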
Access within the perimeter of the corporation
Within the perimeter of the corporation, secure corporate applications and data are allowed to access the sensitive corporate network, and other applications connect to the outside networks as usual, with no access to the internal corporate networks. Corporate data are not accessible and cannot be tampered with by other applications. OK, Bitzer says their technology guarantees security. Any proof of that?
Is this secure enough?
The story sounds very convincing, but is it really as secure as Indus claims? He said that they went through a penetration test, that the product is FIPS 140-2 compliant, and that it is being used by large, security-conscious organizations. So this technology guarantees security both outside and inside the corporation.
Bitzer Mobile’s white papers list several advantages over other technologies. But to me, the following seem to be the most attractive:
· Ease of installation without altering the platform
· Ease of switching between personal and corporate is like switching between two apps
· End-to-end security from the network to device
Although the installation must be done at each corporation rather than simply downloaded from Apple Store or Google Play, it is done just like any other app and is very simple. The app is developed with plenty of testing on both software and hardware. But even if the intent is to enhance security, any changes made to the original platform tend to introduce subtle bugs. So I prefer a technology that does not alter the original platform but runs on top of the operating system instead of using hooks into it.
As for the future, Bitzer plans to support Windows tablets and phones for their end devices. Although the total shipments of PCs and laptops are declining and those of smartphones and tablets are increasing (as indicated in the following graph), the corporation is still very Windows based, so it is necessary to support Windows, and the Mac is gaining a lot of popularity among researchers and developers.
Employee-owned devices: 2011 and 2012 (%) (source Bitzer Mobile)
My blog is not complete without referring to energy efficiency. BYOD by itself does not introduce energy efficiency into the work environment. On the contrary, it may increase plug load and make it harder to manage because of the difficulty in tracking the energy consumption of these devices. Many end devices brought into the corporation under BYOD tend to be mobile and come with internal batteries. Batteries are not the most energy efficient, especially as they age. I need to think a little bit more about the relationship between energy efficiency and BYOD.