New ideas in IT go through a long distillation process. Someone invents the idea, vendors talk about new product concepts, analysts weigh in on the value. Eventually, a new category of hardware or software materializes, but rarely in a fully formed state. With mobile virtualization, the pedigree is sound: Most organizations use some form of server virtualization in their data centers.
Now, IT executives are faced with a new form of virtualization that takes place on smartphones. The idea is to run two instances of an operating system on the same phone. That way, employees (and IT) can relegate personal apps and services to one OS and business services to a more secure OS. There are two distinct approaches:
Type 1 virtualization runs at the hardware (root) level and requires participation from the OEM phone maker, while Type 2 virtualization runs as a secure app on top of the existing OS on any device.
As analyst Chris Hazelton with The 451 Group notes, there are pros and cons to each approach. Root level virtualization is more secure, he says, and means trusted access to root-level services such as Bluetooth connectivity or firmware changes. The downside is that this root level access often requires permission and cooperation from phone vendors like Samsung and Motorola. “This involves longer sales cycles, meaning limited device reach, and many layers of management (people) to go through,” he says.
Meanwhile, mobile virtualization software that runs as an app can mean easier deployment to more devices in a shorter timeframe. Type 2 virtualization is inherently less secure, he says, because the software does not work at the hardware layer. And, Type 2 may run slower than native apps.
Mobile Virtualization Meets the Challenge
Either approach addresses a fundamental problem within many organizations: the dreaded BYOD (bring your own device) conundrum. The reality of IT is that employees will bring their favored device into work, tap into company resources, and potentially compromise your security infrastructure. In fact, IDC estimates that 55 percent of all smartphones used in business will be employee owned by 2015. Mobile virtualization provides a way to meet this challenge head on, even if it cannot fully resolve it.
“Enterprise data can be kept separate from consumer applications and potential mobile malware,” says Hazelton. “Any data within the virtualized environment is encrypted, preventing outside applications from accessing or interacting with corporate data and apps. IT can mandate a password on the corporate side of the device, letting users avoid password protection for consumer apps for the camera, social networks, personal emails, [and other apps]. If the employee leaves or the device is lost or stolen, IT can wipe the enterprise data without touching personal data.”
“The idea of mobile device virtualization is to create a partition between enterprise and consumer apps and data,” adds Stacey Crook, a mobile enterprise analyst at IDC. “Once device virtualization is applied, the device can run two OSes that are completely separate from each other. Companies will be interested in doing this to protect their sensitive corporate data from viruses and data loss.”
As it stands, three companies, Enterproid (www.enterproid.com), VMware (www.vmware.com), and Red Bend Software (www.redbend.com), offer competing products in this market. Each has found a niche for the enterprise, and offers unique features geared for particular needs.
1. Enterproid Divide
Enterproid offers the most straightforward approach. On an Android phone, the employee taps one app and enters a password to start a secure business instance of the OS. On the management side, IT can control which apps are installed in the business instance, set policies, and remotely wipe that instance. IT cannot touch the employee's personal data or control which apps the employee installs on the personal side.
Because Divide is intended for quick deployment, IT can roll the product out to just about any Android device, which includes tablets like the Amazon Kindle Fire.
Andy Zmolek, the director of solutions engineering at Enterproid, says one differentiator between Divide and the VMware Horizon Mobile hypervisor approach, which also runs as an app, is that Divide does not require any cooperation from the phone OEM. The install does not require a low-level driver and uses the standard Android procedure for installing an app. Zmolek says other unique features include the ability for IT admins to send apps to the business instance based on employee role, control policies such as allowing copy-paste between instances, and using 256-bit encryption for data.
Zmolek says the Type 2 hypervisor for Divide allows more flexibility in deployment compared to a root-level hypervisor like the one from Red Bend Software. “If you force the device OEM to do virtualization you will only have a few devices and it will take more time to bootstrap devices,” he says.
2. VMware Horizon Mobile Virtualization
VMware offers a hybrid approach to mobile virtualization. The product, Horizon Mobile Virtualization, is not just a sandbox emulator that runs as an app, but instead offers some of the root-level benefits of a Type 1 hypervisor like Red Bend without requiring root-level access from the phone OEM. There is an app, but it is more baked into the OS than a virtual machine app like Enterproid Divide.
Horizon Mobile addresses the trend in IT where more employees are using personal devices at work. Hoofar Razavi, a VMware product manager, says there are too many restrictions put in place for the personal use of smartphones in the enterprise. Yet the product also makes it safe for employees to conduct “transactional” activities in a secure mode. For example, employees can use their personal device to check Facebook status, but they can switch to the business instance to create expense reports or answer business-sensitive e-mails. This combination fits more fluidly into daily work. “Mobile devices might be the only touchpoint employees use to interact with the enterprise,” he says.
Interestingly, VMware has offered both Type 1 and Type 2 hypervisors for mobile virtualization. The company started out using only hardware-level virtualization. Razavi says the company recognized the lightning-fast design cycle and time-to-market realities of mobile devices. He says most smartphones are only on the market for about 9-12 months, but it takes about two years for OEMs to develop the phones. That means hardware-level virtualization will always be running behind the market.
Razavi says the Type 2 hypervisor is well-suited to the current BYOD climate because the apps run as fast as a native hypervisor, the virtual instances can take advantage of new improvements in processor architecture faster, and Type 2 can support new business apps that arise. For now, VMware has announced partnerships with LG and Samsung for the Horizon Mobile client. One of the main differences between Horizon Mobile and Divide: VMware might include its virtual client as a default install, ready to deploy, whereas Divide might be more of an aftermarket add-on.
3. Red Bend Software vLogix Mobile
The main advantage to choosing Red Bend vLogix for mobile virtualization, a Type 1 hypervisor, has to do with speed and control. Lori Sylvia, a Red Bend vice president, says the company has worked closely with several device makers and semiconductor companies to make the product a native, hardware-layer component. She says a native, driver-level hypervisor provides better performance, better security and tighter integration. That way, she says, next-gen enterprise devices will be ready for deployment.
One example of this is the new ARM Cortex-A15 processor currently in development, which supports virtualization natively in hardware. With this chip, IT can create a secure enterprise domain on the phone that is used to deploy a mobile OS for business. IT becomes like a service provider for the business platform, choosing the exact drivers, firmware, apps, and security. Red Bend is already familiar with this deployment model, since it provides the framework for many of the over-the-air firmware updates used by most major smartphone companies, including Samsung and Motorola.
For personal data and apps, the employee then relies on the standard, carrier-provided OS. When a notification appears related to the business instance, the employee can return to a home screen and access that platform. To visualize the difference between Type 1 and Type 2 hypervisors: the change from one platform to another might occur at the actual phone lock screen, as opposed to switching apps. This provides more hardware-level security and faster performance.
Of course, the downside is that the process of working with OEMs takes longer. There will be fewer smartphones that can support hardware level virtualization.
IT User Acceptance
One of the challenges with mobile virtualization has to do with user acceptance. When an employee brings an iPhone into work, the last thing he or she expects is to have to hand the device over to IT for gatekeeping measures. Fortunately, as Hazelton noted, these employees will be more likely to go along with new mobile virtualization policies if they see value for their job.
For example, mobile virtualization can help reduce some complexity with unified communication. IT can seamlessly “merge” one device into the enterprise as the employee's business and personal phones become one. Employees will also benefit from more streamlined security: anytime they surf the Web, snap a picture, or chat over instant messaging, they won’t have an IT hawk looking over their shoulder.
Yet, Hazelton says, when they do engage in business activities — such as sharing a secure financial report — they can use the approved business apps and an OS instance that is governed by IT. There’s also no need for a complex password on the device when an employee wants to check the news. Employees are also free to download any app on their phone as long as they do so in the personal virtual OS.
A major hurdle to widespread adoption: Most of the mobile virtualization software works only with Android phones today. That leaves the most popular phone in the world out of the loop: the iPhone. Hazelton says few organizations have standardized on only Android phones.
Virtualization Helps But You Still Need Policies
In the end, mobile virtualization does address some critical trends in the enterprise. The one caveat is that mobile virtualization does not fully address rogue employee activity. There is a clear separation between personal and business activities, and IT can control which apps are approved for business use, but employees can still send personal e-mails that contain business data. They can still snap photos of financial records with their phone and transmit them over Yahoo Mail.
Hazelton advises companies to still go to the root causes of security breaches and develop clear mobile policies. Virtualization can help, but it is not a fool-proof answer to the BYOD problem.
John Brandon is a former IT manager at a Fortune 100 company who now writes about technology.