
WHITE PAPER

Smart Containerization

A unique technology that manages security, performance, compliance and support characteristics of any device, application, content or email while preserving the quality of the mobile user experience

Nagi Prabhu, James Rendell

Introduction – what is “Containerization”?

con·tain·er·i·za·tion [kuh n-tey-ner-uh-zey-shuh n]

noun Transportation. a method of shipping freight in relatively uniform, sealed, movable containers whose contents do not have to be unloaded at each point of transfer.

Containerization as a technique was invented in the 20th century in ocean shipping to make transporting freight simple, fast, secure and efficient. In this technique freight is segregated by its type, placed in uniform-size containers and transported using various transportation methods. Though they are of uniform size, each container is treated differently based on the content it holds. For example, some containers may be refrigerated while others may require humidity control, etc. A container may leave a factory by truck and be transferred to a railroad car, then to a ship, and, finally, to a barge. Transfers of un-containerized cargo result in theft and loss of efficiency, and substantially add to the cost of transportation.

These principles have been adopted in enterprise mobility to keep enterprise data segregated on a mobile device. The principle is that all enterprise data can be placed inside a “container,” keeping it separate from the users’ own data. By doing so, enterprises can allow employees to use their device, applications and data in any manner they please, while applying security policies to the container so that the data inside it remains protected.

Various mobility vendors have attempted to implement this seemingly simple technique differently and with varying degrees of success but in the end, none has been completely accepted. Some of these different technologies are outlined below.

A. Using a Single On-Device Application

In this implementation, a single, proprietary, specialized application is required to access all the enterprise applications, with fundamental common mobile PIM (Personal Information Management) applications such as email, calendar, contacts, etc. being duplicated in proprietary form within the container app. These “parallel” apps require the end user to learn new, non-native user interfaces for the basic mobile functions of messaging, email and web browsing, with the result that this form of containerized solution is widely disliked by end users.

All applications, regardless of the type or sensitivity of the data that they access, are placed inside the container application. The mobile device’s built-in applications or other third-party applications cannot access the container or the contents inside the container. Such a specialized container approach is marketed as a security solution, on the premise that enterprise data is separated out from personal data on board the device, enabling the enterprise to remove the container, and therefore all the data inside it, as required.

Comparing this to the shipping analogy, this approach is like creating a single gigantic container and placing all cargo types inside it regardless of whether the freight requires any special handling, is perishable, requires refrigeration and so on. A single-container approach quickly becomes unmanageable due to its size, is extremely inconvenient to load and unload, and is unable to support the different types of handling required by different freight types. As a result, in the real world we do not see freight shipped this way, and similarly, in the enterprise mobility space, the approach does not enable enterprise data and apps to be managed in a flexible and granular way.


B. Using Remote Access

Several software vendors have specialized in remote desktop access technology to provide a solution where the data and applications are run on a desktop or server computer in the data center and access is provided to the computer over the network by streaming the native PC user interface to the mobile screen. By simply drawing the desktop or server user interface on the mobile device, all of the advantages and power of the mobile device’s native user interface are lost and the quality of the end user’s experience becomes entirely dependent on a very high quality network connection remaining available while the remote application is in use. From a security standpoint, the premise is that by keeping the data and applications running only inside the data center and by not transferring the data onto the mobile device, there is no chance of data loss or theft.

To extend our shipping container analogy, this solution would be akin to putting the cargo in containers and providing a webcam feed to view the contents of the container and a remote control robot arm to access the cargo. This solution provides no value as no cargo is physically being moved to the destination where it needs to be consumed.

C. Using Dual Personas

Certain device manufacturers have attempted to implement containerization through a technology known as “dual persona.” In this method apps, email and content are secured by creating a container in the form of a duplicate environment on the phone. Users are forced to keep all their personal apps, emails and data in one environment while enterprises use the second environment to keep their apps and data. No interaction is allowed between the two environments. Enterprises can destroy the second environment, thereby destroying all the data and apps they have placed on the device.

With regard to our shipping analogy, this solution is equivalent to dividing the ship into two halves with a thick, impenetrable partition. The cargo is divided across the two sides with the partition preventing any movement of cargo between the two halves. While the separation seems beneficial, if the job at hand requires cargo from both sides, then one will have to shuttle back and forth between the two halves to complete the job.

D. Using Virtualization

Virtualization vendors create a container in the form of a “phone within a phone.” Inside the operating system that is present on the mobile device another virtual device is created to host the enterprise application and data. By removing the virtual device, one can easily remove the enterprise app and data. The assumption was that virtualization could be applied to all devices and operating systems; however, it turns out that this technique is incompatible with the majority of devices, such as most Android implementations and Apple’s iOS, where the “low level hacks” needed to implement virtualization are prevented by the device manufacturer.

The virtualization approach can be compared to placing one ship inside a larger ship. Besides the inconvenience of moving between the two ships to perform any job, this would be extremely space inefficient. The ship hosted inside would consume the precious cargo space of the main ship. Hardly any ships are built to host another ship inside themselves and most ships would not have enough surplus engine power to drive the mass of an additional ship. This analogy is true for mobile devices: almost none are adapted for virtualization and the resource consumption impact of having a “phone within a phone” is too great for most devices.


Although each of the techniques of containerization seems like a straightforward proposition on the surface, none of the techniques above provides a holistic mobility management solution for the enterprise. In addition to the points above, the existing containerization techniques suffer from a variety of other inherent drawbacks:

It’s all about the user: Existing containerization solutions are built only to address security challenges, completely missing the opportunity to solve other problems such as performance management, application support and user experience management. A strategic, future-proof approach to mobility management ensures that users not only access apps and data securely, but also enjoy a great experience while doing so. Market research indicates an increasing trend of individual users owning 2 or 3 devices simultaneously. Thus scaling the user experience becomes even more critical when mobile applications are rolled out to millions of devices across multiple platforms.

Not granular: Placing all of the data in a single container leads to all data being treated the same way. Thus, there is only one security policy: the policy applied to, and enforced by, the container. Because the enterprise deals with many different types of data, each with distinct management and security requirements, the “one size fits all” policy approach is too inflexible for enterprise-wide use.

Not multi–channel: Current containerization solutions that operate only on mobile devices such as iOS and Android are typically not multi–channel in nature. In a “Never, Never Land” enterprise where only mobile devices were allowed, this may not have been an issue. But increasingly, mobile devices are just one of multiple device types that are used to access enterprise applications and data. Because they operate in a “mobile silo,” these solutions require the enterprise to find additional, separate security solutions for the other device types like laptops, desktop PCs, smart meters, IP cameras, etc. in use in the enterprise.

Not borderless: In today’s always-on, always-connected world, characterized by pervasive mobile device use, the ability to control the usage of data both outside and inside the enterprise is of prime importance, because outside the enterprise is precisely where confidential data is exposed to the greatest risk. In short, security solutions have to be borderless.

Thus, despite the fact that these first generation containerization solutions are marketed as security tools, their effectiveness for enterprise mobility management is severely lacking.

CA Smart Containerization™

CA Management Cloud for Mobility is powered by “Smart Containerization” technology from CA Technologies. Smart Containerization associates a policy describing security, performance and support requirements with individual content, emails, apps or devices. Thus a single file, mail, app or device is protected within a Smart Container, which enforces policies appropriate to the type of content being managed. For example:

• A mobile app may have a policy controlling where (i.e. a geographic location or Wi-Fi network) it can execute.

• A single email may have an encryption policy applied to it based on its content, or the email may have a policy that prevents it being forwarded outside the enterprise.

• A document may have a policy preventing it from being stored locally on the device.

• An application may have a policy that collects and reports the performance characteristics of the device or itself.


Smart Containerization solves the critical issues in first generation containerization solutions outlined above, as follows:

• Smart Containerization delivers high end-user acceptance by preserving a native device user experience. Applying a single treatment to all the data and/or apps makes the container very intrusive when it comes to the user experience on the device. The Smart Container is transparent and leaves the user experience of the device in its native form.

• Smart Containerization technology is multi–channel in nature, covering PCs and laptops as well as mobile devices.

• Smart Containerization is inherently borderless because policies can flow with data, content, apps and devices as they move.

• Smart Containerization provides the granular control that enterprises require because content, emails, apps or devices can be “self–defending” and describe their own security and support requirements to the container.

• A Smart Container enables all IT management domains an enterprise would like to perform on the mobile device, data and applications—be it performance, security, support, user experience management, etc.

To relate Smart Containerization back to our shipping container analogy, Smart Containerization is equivalent to creating multiple containers each optimized for different cargos, which enables one to match cargo transportation requirements to the specific containers with appropriate attributes, e.g. ice cream and meat can be put in the same container since they both require freezing, whereas vegetables may require a temperature controlled container but not one that freezes cargo since that might destroy the vegetables, and so on.

[Chart: bubble chart plotting Granularity against Manageability for Secure Container, Remote Access, Virtualization, Dual Persona and Smart Containerization. Size of the bubble indicates diversity of the things the container can manage.]

This chart shows how the containerization techniques described above stack up against these criteria.


Smart Containers would offer many benefits over and above simple protection of the contents:

• They would provide adaptive environmental controls such as humidity, light intensity and temperature based on the containers’ contents.

• Smart Containers can optimize their energy consumption based on circumstances such as the ambient temperature or the time of day.

• Smart Containers are aware of who is allowed to access the content inside, making it easy for authorized people to enter the containers while blocking others from entering the container.

Adaptive, Smart Containers make it easy for the transporter to simply place the content in the container and let the container take care of the contents from that point forward.

The following sections describe how the products within the CA Management Cloud for Mobility implement and enforce their particular policy responsibilities powered by Smart Containerization.

Devices: CA Mobile Device Management (CA MDM)

CA MDM manages the inventory and configuration of a variety of mobile devices, as well as Windows PCs, and provides for remote management of these devices in a secure, scalable manner. Smart Containerization for CA MDM begins with the device hardware and software stack and works through to centralized granular policy control and configuration of a multitude of device features (camera, network access, GPS control, etc.).

Mobile device platform features: An interesting development in the mobile space is that the mobile device manufacturers are increasingly taking responsibility for the security, integrity and robustness of the platform they provide. In just the same way as we expect automobiles to provide built-in safety and security features, so the mobile device manufacturers are responding to consumer expectations that mobile devices will also provide appropriate security features.

Notable amongst these are Apple’s security features in iOS 7, and the Samsung For Enterprise (SAFE) and KNOX security capabilities for Samsung Android devices.

CA MDM’s support for Apple’s iOS 7 security features and Samsung’s Android security extensions enables Smart Containerization protection to be applied to these devices—providing a firm foundation on which to deploy additional security capabilities to control the use of apps, content and email. Typical features provided by these platforms, which can be centrally controlled via CA MDM, include:

Managed Open-In: On iOS 7, CA MDM can centrally control the list of apps allowed to open content of a given type, regardless of whether additional apps are available to the user. For example, if an enterprise has a specific PDF reader that is an enterprise standard, that PDF reader can be defined as the only reader app that can open PDFs attached to emails, downloaded via Safari, etc. This enables the iOS 7 device to “Smart Containerize” selected data to specific apps on the device.


Per App VPN: Per App VPN functionality enables an app to be “Smart Containerized” to a given network on both iOS 7 and Samsung Android. For example, a corporate application can be configured to automatically start, and only function, if a specified VPN connection is available, thereby preventing a sensitive enterprise app from making unfettered use of the internet.

Advanced app controls: On Samsung Android, CA MDM can centrally control app installation and removal, as well as blacklist and whitelist apps and centrally wipe an app’s data.

Email provisioning controls: Allow for centralized email account configuration and removal.

Device feature controls: Allow central administration of individual hardware components such as Bluetooth, WiFi and camera, as well as storage encryption.

Enterprise Single Sign On: Enables the mobile device to integrate with a Microsoft Active Directory or other Kerberos-based authentication environment.

Secure web browsing: Allows for URL blacklisting and whitelisting, as well as centralized control of browser privacy options and enforcement of an HTTP proxy for secure internet browsing from the mobile device.

CA MDM can control the distribution of apps to mobile devices via an Enterprise App Store. When used in conjunction with CA Mobile Application Management, CA MDM can distribute Smart Containerized enterprise apps to mobile devices.

CA MDM also supports many other device platforms including Windows Phone 8, BlackBerry and all other generic Android-based devices (Android 2.2 and above).

Smart Containerization via CA MDM allows an enterprise to apply robust, granular, security policies regardless of the type of device in use.

Apps: CA Mobile Application Management (CA MAM)

CA MAM enables advanced, granular control over the use of apps on the mobile device and the availability of specific device features to each mobile app. In essence, each app is “wrapped” with a Smart Container that applies granular policy control to the app.

The diagram to the right illustrates how Smart Containerization is applied selectively to two apps on a mobile device:

• The CA Corporate Escalation app has a policy attached to it that specifies it can only be executed when the device is located at CA Islandia Headquarters or CA Ditton Park EMEA Headquarters, that camera access is allowed, but that Copy/Paste from the app is prevented.

• The CA Business Intelligence app, which is an analytics and reporting app, has a policy attached to it that specifies that it can only be executed on a weekday, is allowed to access the internet and to have data Copy/Pasted.


CA MAM’s Smart Containerization policies allow apps to be controlled in many granular ways:

Identity: The specific users or groups that are allowed to execute an app or are prohibited from executing it.

Apps: The specific app or apps the policy relates to.

Geofencing: An app can be configured to only execute when the device is in a certain location or can be prevented from executing when the device is in a certain location.

Time Fencing: The time windows when an app may, or may not, be executed.


Network: An app can be explicitly “locked” to a specific WiFi network segment, e.g. an app can only be used when on a corporate WiFi network.

Features: An app can be enabled or disabled for access to many device features, e.g. Copy/Paste, GPS, Camera, Contacts, etc.

Selective wipe: Where access to an app is forbidden, there are additional options to lock access to the app and to permanently, but selectively, wipe any data stored on the device by the app.
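The policy dimensions listed above, and the two-app illustration earlier in this section, can be made concrete with a small evaluator. The following is an added example, not CA MAM’s code: it models a per-app Smart Container policy as data and evaluates identity, geofence, time fence, network lock and feature controls against a device context, applying lock or selective wipe on refusal. Group names, SSIDs, location labels, the feature list and the wipe settings are assumptions; the device contexts are constructed.

```python
# Added example, not CA's code: a minimal evaluator for per-app
# "Smart Container" policies of the kind the CA MAM section describes.
# Policy fields, location names, SSIDs and device contexts are assumed
# or constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Device features an app wrapper can switch on or off (assumed list).
ALL_FEATURES = {"copy_paste", "camera", "gps", "contacts", "internet"}


@dataclass
class AppPolicy:
    app: str
    allowed_groups: set                                   # Identity
    allowed_locations: set = field(default_factory=set)   # Geofencing (empty = none)
    denied_locations: set = field(default_factory=set)
    weekdays_only: bool = False                           # Time fencing
    allowed_ssids: set = field(default_factory=set)       # Network lock (empty = none)
    enabled_features: set = field(default_factory=set)    # Features; others disabled
    wipe_on_deny: bool = False                            # Selective wipe vs. lock only


@dataclass
class DeviceContext:
    user: str
    groups: set
    location: str
    now: datetime
    ssid: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reasons: list                 # why access was refused (empty when allowed)
    enabled_features: set
    disabled_features: set
    wipe_app_data: bool


def evaluate(policy: AppPolicy, ctx: DeviceContext) -> Decision:
    """Apply every policy dimension; any failing dimension refuses execution."""
    reasons = []
    if not (policy.allowed_groups & ctx.groups):
        reasons.append(f"identity: {ctx.user} is not in an allowed group")
    if policy.allowed_locations and ctx.location not in policy.allowed_locations:
        reasons.append(f"geofence: {ctx.location} is outside the allowed locations")
    if ctx.location in policy.denied_locations:
        reasons.append(f"geofence: {ctx.location} is a denied location")
    if policy.weekdays_only and ctx.now.weekday() >= 5:
        reasons.append("time fence: app may only run on weekdays")
    if policy.allowed_ssids and ctx.ssid not in policy.allowed_ssids:
        reasons.append("network: device is not on a permitted WiFi network")
    allowed = not reasons
    enabled = set(policy.enabled_features) if allowed else set()
    # A refused app is locked; its data is wiped only if the policy says so.
    return Decision(allowed, reasons, enabled, ALL_FEATURES - enabled,
                    wipe_app_data=(not allowed) and policy.wipe_on_deny)


# The two apps from the diagram described in the text (group names and
# the wipe settings are assumptions).
ESCALATION_POLICY = AppPolicy(
    app="CA Corporate Escalation", allowed_groups={"support"},
    allowed_locations={"CA Islandia HQ", "CA Ditton Park EMEA HQ"},
    enabled_features={"camera"},             # Copy/Paste deliberately absent
    wipe_on_deny=True)
BI_POLICY = AppPolicy(
    app="CA Business Intelligence", allowed_groups={"analysts"},
    weekdays_only=True, enabled_features={"internet", "copy_paste"})

# Constructed device contexts: 2014-09-16 is a Tuesday, 2014-09-20 a Saturday.
AT_HQ_TUESDAY = DeviceContext("alice", {"support"}, "CA Islandia HQ",
                              datetime(2014, 9, 16, 10, 0), ssid="CA-CORP")
AT_HOME_TUESDAY = DeviceContext("alice", {"support"}, "Home",
                                datetime(2014, 9, 16, 20, 0), ssid="HomeNet")
ANALYST_TUESDAY = DeviceContext("bob", {"analysts"}, "Anywhere",
                                datetime(2014, 9, 16, 9, 0))
ANALYST_SATURDAY = DeviceContext("bob", {"analysts"}, "Anywhere",
                                 datetime(2014, 9, 20, 11, 0))

if __name__ == "__main__":
    for pol, ctx in [(ESCALATION_POLICY, AT_HQ_TUESDAY), (ESCALATION_POLICY, AT_HOME_TUESDAY),
                     (BI_POLICY, ANALYST_TUESDAY), (BI_POLICY, ANALYST_SATURDAY)]:
        d = evaluate(pol, ctx)
        print(pol.app, "->", "ALLOW" if d.allowed else "DENY", d.reasons,
              "wipe" if d.wipe_app_data else "lock" if not d.allowed else "",
              sorted(d.enabled_features))
```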

Smart Containerization via app wrapping through CA MAM is an ideal complement to device security features. Where the device in use does not provide specific platform security features, CA MAM adds a much-needed layer of control. Where the device does provide built-in security features, CA MAM adds security controls to the app that are not provided through the device’s own built-in security functions.


Content: CA Mobile Content Management (CA MCM)

CA MCM provides a platform to enable secure collaboration where content is shared between users with mobile, as well as non-mobile, devices.

CA MCM applies Smart Containerization protection to data on the mobile device to ensure that only authorized users can view content and to prevent abuse of sensitive content by preventing local copying and copy/pasting of content.


The content owner can control who has access to content. Authorized content users have the ability to comment on content in real time, and content updates are instantaneously available to authorized users as content is updated.

CA MCM manages the back-end connections to multiple data stores and repositories, such as cloud-based file sharing services, enterprise content management systems such as SharePoint and commonly-used SaaS applications such as Salesforce.com.

Smart Containerization solves a traditional problem where different back-end repositories—email, file share, web download, etc.—each have to be individually secured. In that legacy environment, the security attributes were defined according to the channel (email, file share permissions, web application permissions, etc.) and these may not be consistent between channels or appropriate for the content. Smart Containerization through CA Mobile Content Management makes the back-end repositories abstract to the user and applies security policy directly to the specific item of content, rather than inferring the policy based on the repository it was stored in.

Although CA MCM provides an easier way for users to securely share and collaborate on sensitive content than simply emailing it around, it is of course still the case that email has a vital role to play in the enterprise. Hence the secure management of content via the CA MCM platform is complemented by CA Mobile Email Management, a platform that enables sensitive emails to be protected.

Email: CA Mobile Email Management (CA MEM)

As noted in the introduction, Smart Containerization can apply to a single email, as well as a single app or single document. CA MEM applies policy-based public key encryption to emails that have been identified as containing sensitive data. Many of the emails that users exchange are not actually sensitive. Often an email simply contains non-sensitive, trivial or publicly available information, and applying protection to such emails is a waste of resources and inconvenient for the user. For example, in the simplistic containerization model a user has to open up a special email client to access their corporate email only to find a new email message discussing a team social event!

In contrast, CA MEM encrypts only the sensitive emails. The encryption is based on the recipient’s public key, and the recipient must authenticate using the corresponding private key in order to decrypt their email.


Smart Containerization through CA MEM solves the critical issues with simplistic containerization in various ways:

Native client experience: As noted in the introduction, end users are highly resistant to security solutions that require them to use a separate, proprietary client that duplicates basic mobile device functions. CA Mobile Email Management integrates with the mobile device’s native email client, which provides a far more satisfactory user experience.

Cross platform: CA MEM integrates with webmail and Outlook email clients, providing email Smart Containerization functionality on any device available to the user for email access. If the device is internet enabled, CA MEM can support it.

Borderless: CA MEM can encrypt emails for users who are not yet enrolled, generating a public/private key pair and retaining the keys in escrow, along with the encrypted email, until the user enrolls. Additionally, the solution works seamlessly inside and outside the enterprise: external users are equally able to enroll on the system to manage sensitive email content as enterprise users are. The ability to apply protection policies to the email itself, without the user needing to be an internal enterprise user for the security policy to be applied, is a key benefit of Smart Containerization.

Multi-Factor Authentication: Because the recipient must authenticate with the private key held on the device in order to decrypt, the mobile device becomes an authentication factor in its own right. This ensures robust proof of identity when accessing sensitive email content.


Copyright © 2014 CA. All rights reserved. This document is for your informational purposes only, and does not form any type of warranty about the products or offerings described herein. CS200-70516_0914

Summary

Containerization emerged as a simple approach to securing corporate data on the mobile device; however, its simplicity also came with a number of critical weaknesses, in terms of not being granular enough for today’s enterprise requirements, nor robust enough to resist emerging advanced threats. In addition, being limited in scope to managing data only on mobile devices within the enterprise meant the solution was too restrictive for today’s enterprises’ strategic requirements. Couple these enterprise issues with the fact that end users hate the way these containerization technologies force them to abandon the mobile device’s native user experience, and it’s easy to see why enterprises are anxious for a replacement technology to emerge.

Smart Containerization by CA Technologies is unique in delivering the best user interface experience that end users insist on and provides advanced security features such as support for the latest platform security features, complete management benefits beyond security and robust multi-factor authentication, as well as being truly borderless and multi-channel—supporting mobile, as well as non-mobile, devices.

For further information about Smart Containerization by CA Technologies, please contact your CA account team and visit ca.com/mobility.

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate – across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.

Connect with CA Technologies at ca.com