New ideas in IT go through a long distillation process. Someone invents the idea, vendors talk about new product concepts, analysts weigh in on the value. Eventually, a new category of hardware or software materialises, but rarely in a fully formed state. With mobile virtualisation, the pedigree is sound: Most organisations use some form of server virtualisation in their data centres.
Now, IT executives are faced with a new form of virtualisation that takes place on smartphones. The idea is to run two instances of an operating system on the same phone. That way, employees (and IT) can relegate personal apps and services to one OS and business services to a more secure OS. There are two distinct approaches: type one runs at the root hardware level and requires participation from the OEM phone maker, while type two virtualisation runs as a secure app on any device.
As analyst Chris Hazelton with The 451 Group notes, there are pros and cons to each approach. Root level virtualisation is more secure, he says, and means trusted access to root-level services such as Bluetooth connectivity or firmware changes. The downside is that this root level access often requires permission and cooperation from phone vendors like Samsung and Motorola. "This involves longer sales cycles, meaning limited device reach, and many layers of management to go through," he says.
Meanwhile, mobile virtualisation software that runs as an app can mean easier deployment to more devices in a shorter timeframe. Type two virtualisation is inherently less secure, he says, because the software does not work at the hardware layer. And, type two may run slower than native apps.
Mobile virtualisation meets the challenge
Either approach will address a fundamental problem within many organisations: the dreaded BYOD (bring your own device) conundrum.
The reality of IT is that employees will bring their favoured device into work, tap into company resources and can compromise your security infrastructure. In fact, IDC estimates that 55 percent of all smartphones used in business will be employee owned by 2015. Mobile virtualisation provides a way to meet this challenge head on, and even fully resolve it.
"Enterprise data can be kept separate from consumer applications and potential mobile malware," says Hazelton. "Any data within the virtualised environment is encrypted, preventing outside applications from accessing or interacting with corporate data and apps. IT can mandate a password on the corporate side of the device, letting users avoid password protection for consumer apps for the camera, social networks, personal emails and other apps. If the employee leaves or the device is lost or stolen, IT can wipe the enterprise data without touching personal data."
"The idea of mobile device virtualisation is to create a partition between enterprise and consumer apps and data," adds Stacey Crook, a mobile enterprise analyst at IDC. "Once device virtualisation is applied, the device can run two OS's that are completely separate from each other. Companies will be interested in doing this to protect their sensitive corporate data from viruses and data loss."
As it stands, three companies, Enterproid, VMware and Red Bend Software, offer competing products in this market. Each has found a niche for the enterprise, and offers unique features geared for particular needs.
1. Enterproid Divide
Enterproid offers the most straightforward approach. On an Android phone, the employee taps one app and enters a password to start a secure business instance of the OS. On the management side, IT can control which apps are installed, set policies and remotely wipe the business instance. IT cannot, however, touch the employee's personal data or control personal app installs.
Because Divide is intended for quick deployment, IT can roll the product out to just about any Android device, which includes tablets like the Amazon Kindle Fire.
Andy Zmolek, the director of solutions engineering at Enterproid, says one differentiator between Divide and the VMware Horizon Mobile hypervisor approach, which also runs as an app, is that Divide does not require any cooperation with the phone OEM. The install does not require a low-level driver and uses the standard Android procedure for installing an app.
Zmolek says other unique features include the ability for IT admins to send apps to the business instance based on employee role, control policies such as allowing copy-paste between instances and using 256-bit encryption for data.
Zmolek says the type two hypervisor for Divide allows more flexibility in deployment compared to a root-level hypervisor like the one from Red Bend Software. "If you force the device OEM to do virtualisation you will only have a few devices and it will take more time to bootstrap devices," he says.
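The policy model described in the Enterproid section and in Hazelton's earlier remarks (a password mandated only on the work side, IT pushing apps by employee role, a controlled copy-paste boundary, and a selective wipe that leaves personal data alone) can be made concrete as a small simulation. The following Python is an added example written for this article; it is not Enterproid's, VMware's or Red Bend's code, and every class, field and method name in it (`Policy`, `DualPersonaDevice`, `selective_wipe`, and so on) is hypothetical. It models the two instances as plain in-memory objects so the enforcement points are visible; a real product enforces them inside the hypervisor or container runtime.

```python
"""Toy model of a dual-persona (work / personal) mobile container and its IT policy.

Added example, not any vendor's implementation. Names and fields are hypothetical.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

WORK = "work"
PERSONAL = "personal"


@dataclass
class Policy:
    """Settings IT controls for the work instance only (hypothetical field names)."""
    require_work_password: bool = True
    allow_paste_between_instances: bool = False
    approved_work_apps: Set[str] = field(default_factory=set)
    # Apps IT pushes into the work instance, keyed by employee role.
    role_apps: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Instance:
    name: str
    apps: Set[str] = field(default_factory=set)
    data: Dict[str, str] = field(default_factory=dict)
    clipboard: Optional[str] = None
    unlocked: bool = False


class DualPersonaDevice:
    def __init__(self, policy: Policy, role: str, work_password: str):
        self.policy = policy
        self.personal = Instance(PERSONAL, unlocked=True)  # no password mandated here
        self.work = Instance(WORK)
        # Keep only a salted PBKDF2 verifier for the work password, never the password.
        self._salt = os.urandom(16)
        self._verifier = self._derive(work_password)
        # Role-based app push: IT decides what lands in the work instance.
        self.work.apps.update(policy.role_apps.get(role, []))

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _instance(self, name: str) -> Instance:
        return self.work if name == WORK else self.personal

    def unlock_work(self, password: str) -> bool:
        """Work side requires the IT-mandated password; compare in constant time."""
        if not self.policy.require_work_password:
            self.work.unlocked = True
            return True
        ok = hmac.compare_digest(self._derive(password), self._verifier)
        self.work.unlocked = ok
        return ok

    def install(self, where: str, app: str) -> bool:
        inst = self._instance(where)
        if where == WORK:
            # Work side: only apps IT has approved, and only while unlocked.
            if not inst.unlocked or app not in self.policy.approved_work_apps:
                return False
        # Personal side: the employee installs whatever they like.
        inst.apps.add(app)
        return True

    def store(self, where: str, key: str, value: str) -> bool:
        inst = self._instance(where)
        if not inst.unlocked:
            return False
        inst.data[key] = value
        return True

    def copy(self, where: str, text: str) -> None:
        self._instance(where).clipboard = text

    def paste(self, src: str, dst: str) -> Optional[str]:
        """Clipboard content crosses the instance boundary only if policy allows it."""
        if src != dst and not self.policy.allow_paste_between_instances:
            return None
        return self._instance(src).clipboard

    def selective_wipe(self) -> Dict[str, int]:
        """Remote wipe of the work instance; personal apps and data are untouched."""
        removed = {"apps": len(self.work.apps), "records": len(self.work.data)}
        self.work = Instance(WORK)
        self._verifier = os.urandom(32)  # the old work password no longer unlocks anything
        return removed


def demo() -> dict:
    """Walk through the lifecycle with constructed sample data and return the outcomes."""
    policy = Policy(
        approved_work_apps={"mail", "expenses", "crm"},
        role_apps={"sales": ["mail", "crm"]},
    )
    dev = DualPersonaDevice(policy, role="sales", work_password="correct horse")
    out = {}
    out["wrong_pw"] = dev.unlock_work("guess")
    out["right_pw"] = dev.unlock_work("correct horse")
    out["pushed"] = sorted(dev.work.apps)
    out["work_install_ok"] = dev.install(WORK, "expenses")      # approved by IT
    out["work_install_blocked"] = dev.install(WORK, "game")      # not approved
    out["personal_install"] = dev.install(PERSONAL, "game")      # employee's choice
    dev.store(WORK, "q3-report", "confidential")
    dev.store(PERSONAL, "photos", "holiday")
    dev.copy(WORK, "confidential figures")
    out["cross_paste"] = dev.paste(WORK, PERSONAL)   # blocked by policy
    out["same_paste"] = dev.paste(WORK, WORK)
    out["wiped"] = dev.selective_wipe()
    out["personal_after_wipe"] = dict(dev.personal.data)
    out["work_after_wipe"] = dict(dev.work.data)
    out["relock"] = dev.unlock_work("correct horse")  # credentials gone with the wipe
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the three properties the article attributes to the approach: the personal side never asks for the work password, the work side accepts only IT-approved apps, and a wipe empties the work instance while the personal records survive. What the model also makes obvious is the limit discussed at the end of the article: nothing here mediates a photo of the screen or a message typed from memory, which is why policy still matters.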
2. VMware Horizon mobile virtualisation
VMware offers a hybrid approach to mobile virtualisation. The product, Horizon Mobile Virtualisation, is not just a sandbox emulator that runs as an app, but instead offers some of the root-level benefits of a type one hypervisor like Red Bend without requiring root-level access from the phone OEM. There is an app, but it is more baked into the OS than a virtual machine app like Enterproid Divide.
Horizon Mobile addresses the trend in IT where more employees are using personal devices at work. Hoofar Razavi, a VMware product manager, says there are too many restrictions put in place for the personal use of smartphone in the enterprise. Yet, the product also makes it safe for employees to conduct "transactional" activities in a secure mode.
For example, employees can use their personal device to check Facebook status, but they can switch to the business instance to create expense reports or answer business-sensitive emails. This combination fits more fluidly into daily work. "Mobile devices might be the only touchpoint employees use to interact with the enterprise," he says.
Interestingly, VMware has offered both type one and two hypervisors for mobile virtualisation. The company started out using only hardware-level virtualisation. Razavi says the company recognised the lightning-fast design cycle and time-to-market realities of mobile devices. He says most smartphones are only on the market for about 9-12 months, but it takes about two years for OEMs to develop the phones. That means, hardware-level virtualisation will always be running behind the market.
Razavi says the type two hypervisor is well suited to the current BYOD climate because the apps run as fast as a native hypervisor, the virtual instances can take advantage of new improvements in processor architecture faster, and type two can support new business apps that arise. For now, VMware has announced partnerships with LG and Samsung for the Horizon Mobile client. One of the main differences between Horizon Mobile and Divide: VMware might include their virtual client as a default install, ready to deploy, whereas Divide might be more of an aftermarket addon.
3. Red Bend Software vLogix Mobile
The main advantage of choosing Red Bend vLogix for mobile virtualisation, a type one hypervisor, has to do with speed and control. Lori Sylvia, a Red Bend vice president, says the company has worked closely with several device makers and semiconductor companies to make the product a native, hardware-layer component. She says a native, driver-level hypervisor provides better performance, better security and tighter integration. That way, she says, next-gen enterprise devices will be ready for deployment.
One example of this is the new ARM Cortex-A15 processor currently in development. The processor supports native-level mobile virtualisation. With this chip, IT can create a secure enterprise domain on the phone that is used to deploy a mobile OS for business. IT becomes like a service provider for the business platform, choosing the exact drivers, firmware, apps and security. Red Bend is already familiar with this deployment model, since it provides the framework for many over-the-air firmware updates used by most major smartphone companies, including Samsung and Motorola.
For personal data and apps, the employee then relies on the standard mobile carrier. When a notification appears related to the business instance, the employee can return to a home screen and access that platform. To visualise the difference between type one and type two hypervisors: the change from one platform to another might occur at the actual phone lock screen, as opposed to switching apps. This provides more hardware-level security and faster performance.
Of course, the downside is that the process of working with OEMs takes longer. There will be fewer smartphones that can support hardware level virtualisation.
IT user acceptance
One of the challenges with mobile virtualisation has to do with user acceptance. When an employee brings an iPhone into work, the last thing he or she expects is to have to hand the device over to IT for gatekeeping measures. Fortunately, as Hazelton noted, these employees will be more likely to go along with new mobile virtualisation policies if they see the value for their job.
For example, mobile virtualisation can help reduce some complexity with unified communication. IT can seamlessly "merge" one device into the enterprise as their business and personal phone become one. Employees will also benefit from more streamlined security: anytime they surf the web, snap a picture or chat over instant messaging, they won't have an IT hawk looking over their shoulder.
Yet, Hazelton says, when they do engage in business activities such as sharing a secure financial report they can use the approved business apps and an OS instance that is governed by IT. There's also no need for a complex password on the device when an employee wants to check the news. Employees are also free to download any app on their phone as long as they do so in the personal virtual OS.
A major hurdle to widespread adoption: Most of the mobile virtualisation software works only with Android phones today. That leaves the most popular phone in the world out of the loop: the iPhone. Hazelton says few organisations have standardised on only Android phones.
Virtualisation helps, but you still need policies
In the end, mobile virtualisation does address some critical trends in the enterprise. The one caveat is that mobile virtualisation does not fully address rogue employee activity. There is a clear separation between personal and business activities, and IT can control which apps are approved for business use, but employees can still send personal emails that contain business data. They can still snap photos of financial records with their phone and transmit them over Yahoo Mail.
Hazelton advises companies to still address the root causes of security breaches and develop clear mobile policies. Virtualisation can help, but it is not a foolproof answer to the BYOD problem.