One way to insulate corporate data on personal mobile devices is to store it in a secure data container: an authenticated, encrypted area of a device that IT can provision and manage.
It may sound good, but the devil is in the details. The up-front costs, ongoing maintenance and required infrastructure may give pause to some organizations considering the secure data container approach.
What is a secure data container?
A secure data container is a third-party mobile application that acts as a storage area, authenticated and encrypted by software and governed by IT policies. Some containers are designed for a single
Compartmentalizing business data
One of the challenges around BYOD is protecting business data while ensuring personal privacy. Acceptable use policies can require users who bring their own devices to consent to full-device encryption and remote wipe as conditions of business enablement. Workers may worry about side effects, however, such as employer access to personal photos, call records, off-hours location, emails and more. Even when IT manages keys in ways that prevent employer decryption of device backups, regional privacy laws can tie admins' hands.
A secure data container addresses this challenge in a different way. It lets IT administer, back up and remotely wipe only business data, leaving personal data untouched. Employers won't have to worry about forensic recovery of sensitive business data on lost or resold devices, because simply wiping the container's encryption keys is enough to render stored data unreadable. Furthermore, depending on the data container implementation, previously backed-up data may be restored on a replacement device, reducing the risk of business data loss.
Using a data container for more than security
IT-managed data containers can also offer benefits that go far beyond security. Some data containers let employers push documents, media and other data resources workers need to do their jobs. For example, IT might define a list of reference documents that all users in a given Active Directory group (and only that group) need, then house the latest version of those documents in a secure data container on each mobile device. The documents can be distributed and updated automatically. Admins can also use query and reporting features associated with some containers to determine which mobile workers have received and opened a given document.
Overcoming native encryption gaps
Even mobile platforms that support full-device encryption may fall short of meeting your organization's security policies. For example, iOS devices can apply the 256-bit advanced encryption standard (AES) to all data stored in flash memory. But Apple's encryption hardware has not yet achieved Federal Information Processing Standards (FIPS) 140-2 certification, and the device's passcode controls data access.
IT can use Apple mobile device management (MDM) application program interfaces to enforce long, complex passcodes and full-device encryption, even on BYO devices, but that's not sufficient for U.S. government agencies required to use FIPS 140-2 compliant products or two-factor authentication.
Such document management tools are far superior to informal, labor-intensive, email-based file distribution systems. Moreover, they don't require mobile devices to be connected to cloud storage the moment a user needs a document.
Understanding secure data container limitations
So why doesn't every employer already use a secure data container to safeguard mobile business data? For starters, secure data containers are third-party applications that organizations must purchase, deploy and maintain. Organizations that don't have a mobile device management (MDM) system or mobile application management option in place may lack the infrastructure needed to pursue this approach on a large scale, especially on consumer devices.
Secondly, secure data containers don't protect everything. IT may or may not be able to place enterprise apps that handle corporate data, other third-party business apps or even device-native browsers and email clients into a secure data container. For example, some containers can house read-only PDFs or other media IT pushes, but not files that users generate or modify on their devices. Sometimes a data container can protect email messages, attachments, contacts, appointments and tasks, but not other files stored on a device or its removable storage card. To combat these issues, focus on the business data your organization needs to protect and identify container apps that address your current and future needs.
Finally, placing an app in a secure data container forces users to alter their behavior and mobile device use. The biggest gripe has to do with non-native email clients, which offer far superior security and administration features but force users to open a different app and learn an entirely different user interface just to check business email. Whether the barrier that data containers create is a bearable cost of doing business or an insurmountable hurdle depends on your organization's risk tolerance and mobile data needs.
Data containers can provide an effective way to carve out a safe, managed storage area that is dedicated to business use on anyone's mobile device. These are just a few of the tradeoffs to consider when evaluating a secure data container deployment for your mobile workforce, but you can always compromise: Consider requiring secure containers only for high-risk devices and workers with access to sensitive business data.
This was first published in August 2012