Virtual Mobile Infrastructure: Secure the data and apps, in lieu of the device

VMI offers an effective, efficient way to provide access to sensitive mobile apps and data without compromising security or user experience

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Corporate use of smartphones and tablets, both enterprise- and employee-owned (BYOD), has introduced significant risk and legal challenges for many organizations.

Other mobile security solutions such as MDM (mobile device management) and MAM (mobile app management) have attempted to address this problem by either locking down or creating “workspaces” on users’ personal devices. For BYOD, this approach has failed to adequately secure enterprise data, and created liability issues in terms of ownership of the device – since it is now BOTH a personal and enterprise (corporate)-owned device.

MAM “wrap” solutions in particular require app modification in exchange for paper-thin security. You cannot secure an app running on a potentially hostile (unmanaged) operating system platform, and, critically, you can’t wrap commercial mobile applications.

By contrast, Virtual Mobile Infrastructure (VMI) offers an effective, efficient way to provide access to sensitive mobile apps and data without compromising enterprise security or user experience.

Like VDI for desktops, VMI offers a secure approach to mobility without heavy-handed management policies that impact user experience and functionality.

From IT’s perspective, VMI is a mobile-first platform that provides remote access to an Android virtual mobile device running on a secure server in a private, public or hybrid cloud. The operating system, the data, and the applications all reside on a back-end server — not on the local device.

From a user’s perspective, VMI is simply another app on their iOS, Android or Windows device that provides the same natural, undiluted mobile experience, with all the accustomed bells and whistles. Written as native applications, these client apps can be downloaded from the commercial app stores, or installed on devices using MAM or app wrapping technologies.

As Ovum states, “Put more simply, this [VMI] means in effect that your mobile device is acting only as a very thin client interface with all the functionality and data being streamed to it from a virtual phone running in the cloud.”

Getting started with VMI

After downloading and installing the VMI client, users go through an easy setup process, inputting server names, port numbers, account names and access credentials. When users connect to the VMI device they see a list of available applications, all running on a secure server that communicates with the client through encrypted protocols.

The client accesses apps as if they were running on a local device, yet because they are hosted in a data center, no data is ever stored on the device. Enterprises can secure and manage the entire stack from a central location, neutralizing many of the risks that mobile devices often introduce to a network.

Two-factor authentication is supported via PKI certificates in the physical phone’s key store. When a certificate is present in the hardware-backed key store, the physical device forces the user to set a PIN (or biometric) to unlock the phone. Additionally, the client supports variable session lengths with authentication tokens.
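To make the certificate-plus-token scheme concrete, here is an added illustration (not Hypori’s code, and not from the article): a server-side session service that issues HMAC-signed tokens bound to the fingerprint of the certificate the client presented from its key store, applies a per-group lifetime policy, and rejects tokens that are expired, tampered with, or presented with a different certificate. The server key, policy values and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key; a real deployment would hold this in a secrets store.
SERVER_KEY = b"constructed-server-secret-do-not-reuse"

# Session lifetime per user group, in seconds (assumed policy, not from the article).
SESSION_POLICY = {"default": 8 * 3600, "privileged": 30 * 60}


def cert_fingerprint(cert_der):
    """SHA-256 fingerprint of the client certificate presented from the key store."""
    return hashlib.sha256(cert_der).hexdigest()


def issue_token(user, cert_der, group="default", now=None):
    """Issue a token bound to this certificate, valid for the group's session length."""
    now = time.time() if now is None else now
    ttl = SESSION_POLICY.get(group, SESSION_POLICY["default"])
    claims = {"sub": user, "cfp": cert_fingerprint(cert_der),
              "iat": int(now), "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, cert_der, now=None):
    """Return (ok, reason_or_user). Signature is checked before anything is parsed."""
    now = time.time() if now is None else now
    if "." not in token:
        return False, "malformed"
    body, sig = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return False, "expired"
    # A token copied to another device fails here: its certificate fingerprint differs.
    if not hmac.compare_digest(claims["cfp"], cert_fingerprint(cert_der)):
        return False, "certificate mismatch"
    return True, claims["sub"]
```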

The server infrastructure that supports VMI clients can be implemented as multiple server clusters across geographic regions. As users travel, the client synchronizes with the server cluster closest to its physical location to access the applications on its virtual mobile device. The client continues to communicate with one server at a time, choosing the server location that provides the best performance.

In a typical deployment, there are compute nodes that host the virtual mobile devices, a storage service that holds user settings and data, and controller nodes that orchestrate the system.

The controller node(s) can be connected to an Enterprise Directory service, such as Active Directory, for user authentication and provisioning, and systems management tools such as Nagios and Monit can be used to monitor all parts of the system to ensure they are up and behaving properly (e.g. are not overloaded). The server hosting the devices creates detailed audit logs, which can be imported into a third party auditing tool such as Splunk or ArcSight.

VMI is platform-neutral, which means organizations can write, test, run and enhance a single instance of an app on a ‘gold disk’ OS image, rather than building separate apps for each supported end-user platform. This represents significant time and cost savings for resource-constrained IT organizations.

And while VMI takes a different approach to securing mobile endpoints than MDM, it does not aim to replace those solutions. Instead, VMI can integrate with MDM, MAM and other container solutions allowing organizations to use MDM to configure and manage an enterprise-owned virtual mobile device running in a data center, and MAM to support version management and control upgrade scheduling of VMI thin clients.

Mobile by design

Because VMI is optimized for smartphones and tablets with small touch screens and many sensors, users enjoy native apps and a full mobile experience. VMI supports unmodified commercial apps, allowing for greater workflow and productivity. It also complements sandbox container solutions, which provide limited offline access to apps such as corporate email, by providing a richer user experience when the user is online (the vast majority of the time).

Users can also access separate work and personal environments from a single device, enjoying Facebook and Instagram and sending personal emails without worrying that corporate IT teams will seize or wipe their personal data. When an employee leaves an organization, IT simply revokes their access privileges to the virtual mobile device.

Similar to VDI, there are many different business scenarios in which organizations should evaluate VMI. The most common include:

  • Healthcare - Enables access to electronic health records and other sensitive apps and data from mobile devices, in compliance with HIPAA privacy requirements.
  • Financial Services - Facilitates access to more sensitive client transaction data and business processes, from both personally owned and enterprise owned devices.
  • Retail - Supports secure Point of Sale as a Service for credit card transactions, protecting the confidentiality of customer data accessed both on and off premises.
  • Enterprise BYOD - Provides secure access to native apps from employee-owned mobile devices, keeping all data secure in the data center while not infringing on personal privacy.
  • Commercial Services - Extends the mobile enterprise to contractors, partners and customers.
  • Classified mobility - Allows government and security services to access data and applications from classified mobile devices, ensuring compliance with the thin client requirements of NSA’s Mobility Capability Package.

With 1.9 billion devices expected to hit the market by 2018, IT professionals are on the hunt for a more effective way to secure the enterprise. VMI provides the access they need without compromising security or user experience.

Marston is CEO and co-founder of Hypori. A seasoned entrepreneur and technology innovator, he previously served as founder and CEO at BlueSpace Software, where he developed trusted virtualization security solutions for the defense and intelligence communities.


This story, "Virtual Mobile Infrastructure: Secure the data and apps, in lieu of the device" was originally published by Network World.
