What is containerization and why is it important for your business?

The inrush of personal devices into the workplace might bring convenience and augmented productivity for organizations. But this Bring Your Own Devices (BYOD) trend also has a darker side. If the devices are not managed properly there is a huge risk of corporate data breach. Devices with valuable corporate data on them can be lost, stolen or hacked. The compromising of customer information and internal business data can be a disaster for many organizations.
Organizations can’t mandate strong security policies on employee devices as this could raise privacy concerns. Performing a complete wipe on a compromised device often requires the employees’ consent. From the organization’s perspective, it’s not the device but the valuable data on it which is more important. However, for the employees, their privacy would be a major concern. Thus, BYOD can ultimately lead to a conflict between privacy and security.

Containerization: the ultimate solution for BYOD management

BYOD has tremendous potential in the corporate world and couldn’t simply be banned considering the security risks. The key is to implement BYOD in a manner that simply ensures security without compromising employee privacy. The concept of containerization unsprang then.

What is containerization?

Containerization is all about separating work and play. Containerization technologies are commonly leveraged by organizations to orchestrate the packaging up, isolation, and encapsulation of work data on separate segmented user space within the device. It allows business and personal apps and data to co-exist on a single device, but each stays within its confines. Containerization establishes separate, encrypted containers on personal devices – a secure area on the device that keeps business data insulated from everything else on the device and allows admin to manage only what is in the container restricting corporate access on personal data. Data and apps in personal container space is kept separate and remain private.
Containerization with effective compartmentalization into work and personal workspace domains is an efficient data control mechanism for the individuals who can do whatever they want on their side of the border as well as the businesses that can take over the other part. All the interactions between the user and corporate data take place within the container in its encrypted area.

Key advantages:

• Encryption – Most containers use the AES (Advanced Encryption Standard) based encryption and ensure that the corporate data can’t be accessed from outside the container.
• Remote wipe – Highly targeted remote wipe is possible with container-based products. Selective wipe ensures that only corporate data (data on work container) are wiped leaving personal data untouched.
• Data leakage protection – Organizations can retain control over their data by strictly limiting the flow of data into and outside the container. Admins can enforce strict security policies to control the container data flow with an MDM solution.

First generation containerization was proprietary having limited options for employees to use their preferred productive applications and IT teams had no options to roll out mobile applications not supported by these containers. But now containerization is more flexible and integrates with app stores from Apple and Google allowing employees to work with their preferred applications without compromising privacy. The rapid increase in the interest in the usage of container-based isolation constraints has developed the urge for more agile and secure-by-default containerization technologies and approaches that provides a clean separation of concerns. With flexible containers, organizations can offer the users a significantly larger app store experience which can add on to their productivity.

Containerization and MDM

Today it is possible to deploy containers with an MDM profile to enable containerization keeping the management focused on the corporate part of the device rather than the entire device. Mobile Device Management (MDM) solutions support containerization keeping the IT focused on containerized apps residing inside the work containers. All the required business apps are made readily available to the users by this resource-isolated contained environment with enterprises having limited communication or access to the underlying resources.
Deploying MDM technology with containerization gives the opportunity to enforce the use of strong authentication and encryption and to wipe corporate data from lost or compromised devices selectively, personal data remaining untouched. Enterprise wipe also comes in handy when an employee working with his personal device leaves an organization and the organization wants to remove the data from the business container without destroying any resources residing in the personal zone that the device owner has stored on his device. Thus, admins can prevent personal applications from accessing corporate data and users can be confident that the organization won’t access the personal information that they store on the device outside the container.

The Android Enterprise container

Google’s Android Enterprise program offers several features to secure and manage corporate data on Android devices. Android Enterprise lets admins create a separate workspace on Android devices in which business-managed applications and data reside. With a compatible MDM server, IT can control how data is managed within the workspace by enforcing strong security policies. Android Enterprise is supported as of Android 5.0 (Lollipop) and is available in almost all recent Android devices.
Android Enterprise containers support any Google play store apps and Google Play’s entire catalog of premium business applications is available to download through Android Enterprise. Additional functionality allows organizations to publish private applications to authorized devices along with approval and configuration of Managed google apps.
Android Enterprise comes with two different types of deployment. Organizations can choose to use MDM either for profile-based or complete management of their Android devices. That is, the company can manage either a work profile on the device or the entire device.

Management modes:

• Device owner (Fully managed device) – Company has full control over the entire device. In the case of corporate-owned devices provisioning the device as Device owner ensures that the device is entirely managed by the organization. Device owner supports all the profile owner supported features along with additional features such as kiosk mode and a set of advanced restrictions.
• Profile owner (Work profile) – Android Enterprise creates a dedicated work profile that isolates and protects work data. Work apps and data reside on a separate self-contained space whereas personal part of the device remains the same. All the data are stored on the device’s primary profile with zero control for the organization. The work profile acts as a logical container that clearly demarcates the work and personal space. Admins will have complete control over the work apps and data on work containers but have no visibility or control over the personal apps and data on the devices. Google suggests personal devices to make the MDM agent a profile owner, where they obtain access to both personal and work apps, work applications being marked with a work badge.
• Fully managed devices with a work profile – Work profile can be rolled out to company owned devices needing separate containers just like the BYOD devices. Company owned devices are sometimes used for both work and personal purposes. Organizations have full management control over the entire device, but the device workspace is segmented into personal and business regions (containers). This enables admins to configure a separate set of policies to the work profile and personal profile. Strong management and data security policies can be applied to the work profile and a comparatively light weight control measure can be enforced upon the personal profile.

Android devices enrolled as Profile owners will automatically create a work container upon enrollment. Silent installation and removal of work apps residing inside the work profile and per-app restrictions are the major benefits of employing profile owner mode on devices. By default, work profile notifications and application icons have a work badge so they’re easy to distinguish from personal apps. Apps in the work profile do not interfere or communicate with apps in personal space. Apps that are to be used in both the personal and business areas simply run double on the device, one unmanaged for personal use and the other managed. Applications that are part of the Work Profile will be highlighted by a small orange briefcase icon on top of the application icon, but except for that, the application will work just as expected and will be integrated into the overall Android user experience.

Key advantages of enrolling in Android Enterprise:

• Access to the Managed Google Play store – Managed Google play is the content marketplace for Android Enterprise that allows admin to manage and distribute pre-approved applications. Organizations can deploy any play app in the Google Play Store to a secure Android container without any additional wrapping. Besides this, an application that is to be distributed internally within an organization can be published as a private app in Managed Google play. Such an application won’t be visible or available to the users outside the organization. Managed Google play store also supports bulk purchases of paid apps.
• Silent app installation – You can add apps to the app inventory as Managed Google Apps and push the apps silently on to the devices. Enterprise apps have to be published to the Managed Google play to support silent installation.
• Custom app store – You can build a custom app store with Managed Google apps, customize it with pages and app categories. You can approve and add Managed Google apps to the MDM app inventory and design a store layout with custom pages and apps.
• App configurations and permissions – On MDM console, IT admins can configure settings for a particular application. You can control the features that a work application can access and configure the application even before the application is pushed to the devices. You can also set up what a specific application can do or have access to, right before they are assigned to any device.
• Enhanced data security with Android Enterprise restrictions and configurations – You can restrict what can be shared between personal and work profile, block screen capture in the work profile, restrict network connectivity options, app settings and so on.

Apart from Android Enterprise, Samsung devices have a built-in containerization platform called KNOX. Samsung KNOX is a containerized approach that builds Samsung’s defense-grade mobile security platform into Knox-supported devices released by Samsung. Apps in the KNOX workspace is protected by extensive DAT (Data at Rest) protections and is secured with AES-256 level encryption. KNOX requires an MDM platform for the activation and management of its container. MDM has an extra set of features built for Samsung KNOX devices. However, Samsung KNOX devices can be enrolled in Android Enterprise if they are running OS versions 6.0 and above. When Android Enterprise is deployed on Samsung devices, it can have enhanced platform and hardware level security.

Samsung made a major change from Android 8 Oreo onwards so that it is possible to address the APIs for Knox and Android Enterprise in a single activation. With this Android work profile can be deployed on Samsung Knox COPE devices apart from the other work profile and work managed devices. For simplification of deployment Knox Platform for Enterprise is harmonized with Android Enterprise from Knox 3.0 onwards. The major change brought about by this unification is the replacement of Knox containers with Android work profiles. Knox containers have deprecated in Knox version 3.4 and the new workflow is to build an Android work profile and apply Knox API for certain actions. There are certain features with Android as well as Samsung Knox having the same functionality. The main intent of the unification is to prevent such duplication of actions. According to Samsung, with Android Q and Knox 3.4.1, KPE functions that overlap with AE are discarded but continue to work in Android Q though documented as obsolete. These obsolete features won’t work with Android R Samsung devices.

The iOS Business container

iOS Business container seamlessly manages corporate apps and data separately from personal apps and data. The data exchange is defined using Managed Open-in. Apple’s Managed Open-in is a security feature released in iOS 7 that prevents attachments or documents from managed sources from being opened in unmanaged destinations and vice versa. Managed apps are apps installed via MDM. The Organization has full control over managed apps and their associated data. MDM can specify whether the application should be removed when the MDM profile is removed and can remove these apps and associated data at any time on demand.
Apple’s containerization approach divides the device into two virtual containers: one for managed work apps and the other for personal apps. Data flow between these two spaces is controlled by applying a set of restrictions from the MDM console. The iOS Business container has a specific set of features that enable corporate data to be managed at a granular level and ensures that the data doesn’t leak out to the user’s personal space. The containerization is built into the core of iOS and enables the same look and feel of iOS allowing admins to seamlessly manage the data with powerful control over the work data while maintaining the same iOS experience for the end users.
Here is the list of restrictions available in the iOS business container to protect your organization’s valuable data:

• Disabling documents from managed sources to be opened in unmanaged destinations and vice versa.
• Prevent managed apps from writing to unmanaged contact accounts and unmanaged apps from reading from managed contact accounts.
• Block sharing managed documents using AirDrop.

Along with these, the admin can also enforce other restrictions to secure managed apps by preventing managed app data from syncing with iCloud, preventing screen capture and so on.
Apple’s containerization is quite different from Google’s Android Enterprise approach. The most important thing is that in Android Enterprise, the work profile is visibly demarcated from the personal one whereas in iOS managed and unmanaged domains are not clearly distinguished. iOS business container runs in the background. This seamlessly enables admins to efficiently manage corporate data without the user even being aware of it.
The result of containerization is greater data security and control. Whether the platform is Android or iOS, admin can have explicit control over the work container and make sure that the corporate data is always safe and secured. Thus, containerization can be the perfect key for BYOD management.