Digitizing and networking your workforce is essential in the contemporary business world, but security, logistics, and cost issues abound. Already-networked employees increasingly want to combine their personal and work devices, too, inducing security headaches for enterprises that want to protect their internal data, not to mention legal compliance with confidentiality and privacy legislation.
There are three main solutions to the security issue when it comes to employees and mobile devices. Enforced separation of work and personal devices, wherein the company purchases and issues work-only handsets, is an expensive and often unpopular solution. A more popular and much cheaper solution is ringfencing of data and applications on-device through bring-your-own-device (BYOD) programs, massively cutting costs and employee resistance. Ringfencing is a permissions and accessibility structure that places a secure, impassable wall between the personal data on a device and the company data that may also live there. Data is still processed on-device. Another low-cost solution, but with remote data and applications, is virtual mobile infrastructure (VMI), which allows even low-end devices to “run” high-end software. The data in VMI is processed off-device, so company data often never touches hardware outside the corporate network.
What exactly is VMI and how does it compare to ringfencing and enforced separation? Let’s explore this topic further.
Why Implement BYOD Programs?
The first question to ask before even considering a VMI approach might be: why allow employees to use their own device at all? The answer is threefold: cost, convenience, and accessibility.
Naturally it is far cheaper to utilize existing physical equipment than to purchase every employee a new handset. If the company has excess capital to spend on employees, it might present the BYOD program as an employee perk: work for us and receive big subsidies for top-end devices. Coupled with subsidized service plans, employees can enjoy economical mobile service and a brand new smartphone. If no such excess capital exists, many employees will already have their own devices, significantly reducing costs.
BYOD also leads to convenience for both the employer and the employee. The former has an army of devices at the ready, with an 81% smartphone penetration rate among US adults. The latter prefers smartphones to the cheaper, nonsmart devices that may be issued in enforced separation programs. Employees need to handle only one expensive device, and they can easily switch between private and professional tasks.
Finally, since private and professional environments are mixed, employees become more accessible to the corporation, able to answer brief messages or stay connected all the time. Different BYOD solutions may provide functionality to power down the corporate side during off-hours to protect work-life balance, but the potential remains. Moreover, employees who follow very flexible hours can easily access corporate resources, even if their on-hours are very different from the standard.
So BYOD programs generally are cheaper, even for higher-tech devices like smartphones, they offer more convenience for both employers and employees, and they provide accessibility to both parties.
The main drawbacks have always been security and confidentiality compliance. Corporate and customer data and access to corporate resources become vulnerable to compromised personal devices.
Topology and Explanation of the Virtualness of VMI
In security, the words virtual machine, virtual environment, and sandboxing often appear. Virtual machines and virtual environments are those that are accessible on physical devices alongside host operating systems. This means that a complete operating system (Windows, OSX, Linux) can work inside another operating system. In fact, operating systems can even be mixed, where a Linux host runs a Windows virtual machine. For BYOD schemes, this means both iPhone and Android users can access Windows or Linux systems and programs, even though Windows programs cannot run on Android or iOS systems directly.
The inside OS (officially the guest OS) appears, to itself, as a real, physical machine. If it can see and use 4GB of RAM, then 4GB of RAM will be reserved for it on the physical host machine. The guest OS cannot access data or interact with programs on the host, protecting the host from any malicious code or actions. Data on the guest can likewise be protected from thieving actors on the host – useful if an employee’s phone is stolen.
When a virtual machine runs on the same physical device as the host, this can be considered local virtualization. Ringfencing follows this concept: the data lives on the host device’s hardware, or is at least processed there, but it is only accessible from within the ringfenced app.
Another type of virtualization allows the guest OS to run on a remote server, and the host device only provides a GUI and networking functions to shuttle data between the host, on the local physical device, and the guest on the remote server. This second type of virtualization is the basis for Virtual Mobile Infrastructure.
For the simplest systems (simple from a user perspective), access to the guest OS takes the form of an app that runs like any other app on the user device. The only difference is that the app is merely a graphical window into the guest OS, which lives on another machine and is reached over the network.
Why complicate the relationship with a network? This approach centralizes processing to corporate resources. Thus, even low-end employee devices can execute commands on high-powered software, since the processing takes place entirely off-device. Employee devices won’t heat up, lock up, or suffer battery drain.
Moreover, stored data will physically remain on corporate servers and is never transmitted to the employee device, unless requested. Details can be retained under tight corporate control while the processed results, potentially anonymized, are sent to the host device so the employee can complete their tasks.
How VMI Mitigates the Security Risk
Similarly to ringfencing, the app on the host device prevents data from passing beyond its digital borders, preventing data leaks. However, VMI also ensures backend data is never present on the physical device’s hardware, cutting off some sophisticated RAM attack vectors.
If the guest OS is containerized on the remote server, another complex technical solution, any infection originating from the host device will be trapped in that container, unable to spread to other employees’ containers. If a container’s information must be uploaded to a central system for synchronization, it can be scanned for malware before the upload.
Is BYOD with VMI worth it? We will explore this in more detail in further posts, but it does afford significant convenience while solving security and financial issues associated with digitizing your workforce.
Ready to get started with Hypori virtual mobile infrastructure? Request a 14-day trial of Hypori.