MDM Companies Collide Instead of Planets

Over the last two years, the market for Mobile Device Management (MDM) software has become quite busy, with over two dozen entrants in orbit around the MDM opportunity.  The pull of MDM is gravitational – a massive new chunk of the $100B+ global Enterprise IT market, aimed at enhancing employee productivity, freedom and privacy. 

All signs point to MDM market consolidation in 2012. You don’t need a telescope to see that many MDM companies will either crater or meld with others.  Choice is a great thing in a young market, but maturing Enterprise Mobility requirements will demand solid solutions from a smaller, more capable constellation of vendors.  Enabling the stars and survivors in MDM will be mobile virtualization, complementing feature-rich MDM utility and middleware portfolios with military-grade security and software isolation.

Mobilizing the Military and Militarizing Mobility

Although it’s unlikely that our armed forces will face alien invasions in 2012 (although you never know), they are likely to encounter budget cuts and need innovative responses to belt-tightening.  The perennial response to fiscal challenges has been to turn to commercial off-the-shelf (COTS) sourcing of defense systems, and mobile communications is no exception.

In 2012 we’ll see increasingly regular requirements for secure mobility in tenders from all branches of government – defense, homeland security, local/state government, police/fire and other first responders.    But instead of developing and deploying expensive custom/proprietary equipment – legacy devices can cost $2000-$5000 each – we’ll see COTS handsets and tablets being turned into “Obamaberry” and “Jack Bauer” devices.  Key to conversion will be integration of encryption and other point technologies.   More importantly, military-grade devices will deploy virtualization to isolate secure software and signals from regular communications and apps. 

Not only will virtualization help secure COTS hardware for government workers, it will also make its way back into enterprise, becoming equally important for protecting business-critical data, apps and communications.

Preventing Multicore Meltdown

In the ongoing 2011 end-of-year shopping frenzy, and on into 2012, multi-core silicon will increasingly lie at the heart of popular mobile devices.  On the desktop, multicore is mainstream; in the coming year, dual-core in mobile will be de rigueur in smartphones, with triple and quad-core around the corner. But as with the desktop, mobile platforms and the apps that run on them often don’t benefit from the new silicon.

Instead of gaining performance from those millions of additional transistors, multi-core mobile systems can lose battery life and dissipate more heat.  Multicore mobile devices may or may not contribute to global warming,  – but poor utilization of multicore silicon can seriously impact device usability and limit available power for making calls, viewing multimedia and running apps.

A great way to cool down multicore mobile hardware and gain performance is to deploy virtualization as a standard part of the mobile software stack.  Separate from both the high-level platforms running apps and the low-level OSes handling baseband and other housekeeping, virtualization allocates the right amount of “juice” in smartphones, tablets and other systems.  Mobile virtualization is ideal for managing multi-core resources – especially CPU cores and the power they gobble – more efficiently and dynamically than either handcrafted AMP (asymmetric multi-processing) or OS-based SMP (symmetric multi-processing).

No Meteors, But a Security ****Storm

2011 was probably the worst year on record for exploits and data spills.  We heard lots about near-misses from asteroid belt ejecta, but less about devastating direct hits on the private and public sector money belts.

A little searching reveals critical breaches at Citigroup, Epsilon, Fox Network, Lockheed Martin and Sony. The national treasuries of England and France and the European Space Agency were not immune, nor was supplier of security tokens, RSA, whose encryption-ware is intended to staunch leaks, not create them.   Experts agree that 2012 will bring more of the same and also worry about national and global security suffering at the hands of cracker and hackers.

Enterprise ISVs Join the Security Struggle

In 2012, mobile security solutions will no longer be optional in enterprise and will form the centerpiece of Enterprise Mobility. To shelter government, Enterprise and also SMB organizations from mobile security threats, Enterprise ISVs will engage in the mobile security struggles previously left to MDM and boutique mobile software suppliers.  Expect announcements from major ISVs of Enterprise Mobility solutions in the Cloud and on devices, via mobile operators and direct from corporate help desks.  Anticipate announcements of acquisitions of MDM technology and top-tier supplier offerings involving mobile apps and web portals.

Mobile Childhood’s End

Even after 30 years of handset deployment, mobile communications has remained a young and dynamic technology.  In 2012, this mobile childhood will end, not from an alien invasion, but from more earthbound challenges, especially cybercrime and espionage.
The good news is that OK Labs mobile virtualization will be here to help.

The truth is that decades of dealing with PCs have made IT staffers wary of letting unsanctioned software and hardware upset the delicate balance they’ve achieved on corporate desktops and networks.  But real-world mobility needs are changing the enterprise IT landscape faster and faster.

BYOD

Top-down IT policies and practices are giving way to bottom-up needs to support mobile BYOD – Bring Your Own Device. To accommodate the irresistible wave of smartphones and tablets already in the hands of employees (and also cut costs), companies are trying to make peace with BYOD

However, Enterprise IT still lacks the tools and technologies to support BYOD, and is singing

When an irresistible force such as you

Meets an old immovable object like me

You can bet just as sure as you live

Somethin’s gotta give, somethin’s gotta give, somethin’s gotta give.

But is what’s “giving” serving the interests of employers and employees?  When enterprise security is at odds with worker productivity, the result is Enterprise Immobility.

By far the largest obstacle to viable Enterprise Mobility lies in the path to market for candidate solutions.  In the long term, Enterprise Mobility will be enabled by software sitting between mobile hardware and application stacks (more below), a privileged position today reserved for factory “preload” system software.  In the short term, mobile software houses and other third parties seek to circumnavigate this market speed-bump by inserting two types of “postload” software – Mobile Device Management (MDM) and application-level dual persona software.

MDM – Top-down Immobility

MDM suites are enjoying the attention of the marketplace – over two-dozen suppliers offer MDM solutions of varying breadth and comprehensiveness.   MDM appeals to Enterprise IT because it is definitively a top-down approach: MDM software lets companies monitor and constrain web access, lock down key applications and restrict installation of new ones, scan for mobile viruses, locate stray devices and wipe the memories of lost or stolen ones, and in some cases log and control every type of activity on a mobile device.

Dual Persona

A simpler and more constrained approach is to create application-level “sandboxes” to contain and protect Enterprise applications and access to company assets.  A sandbox hosts the corporate persona and uses standard security mechanisms like encryption and SSH to secure sensitive data at rest and on the move.  The rest of the mobile device retains its original individual persona, where users continue to surf the web, engage in social networking, download and play games – the presumed unsafe activities that worry Enterprise IT in the first place.

Meeting Challenges to Security and Productivity with OKL4 Mobile Virtualization
A great benefit of MDM and Dual Persona solutions is that they are available today.  But both need help to be truly secure and more employee-friendly.  Both MDM and application-level sandboxes can themselves present targets for malware; both rely on security mechanisms native to mobile OSes that can be circumvented by system-level exploits that already plague these platforms.  Both employ application-level software components that are visible to malware and subject to CPU starvation and DoS-style attacks.

MDM and Dual Persona have the right idea behind them – provide safe and secure access to enterprise assets while protecting users from themselves and enterprise from crackers and cyber-thieves.    What these two approaches lack is a deep and pervasive architecture for security – the kind of security offered by the OKL4 Secure Microvisor.

What’s Old is New Again

Resolving the current Enterprise (Im)mobility situation to a large degree recapitulates the evolution of desktop security.  First generation systems had no anti-virus or other malware defense.  The market responded with shrink-wrap anti-virus software.  Today, desktop OSes include anti-virus software, firewalls and other security mechanisms. Enterprise ISVs offer secure desktop access to corporate assets (without re-inventing the user experience), built on virtualization and thin client technology.  And chipset makers and OEMs are in the process of rolling out hardware-enabled desktop security, secure boot and other solutions.

Mobile/wireless is a microcosm of desktop computing.  Today’s mobile devices are increasingly subject to malware and other exploits.  The first wave of response is packaged as shrink-wrap software – MDM and application-level Dual Persona solutions.  But Enterprise IT will not tolerate security “whack-a-mole” on hundreds of different devices built on diverging versions of Android, Linux, Windows and other mobile OSes.  Instead, they look to device manufacturers to integrate security into mobile devices destined for employee use, and ISVs to supply after-market security solutions as well.

Best of Both Worlds

Just as Fortune 1000 companies discovered that virtualization is key to securing the Enterprise Desktop, so are OEMs figuring out that mobile virtualization with OKL4 is their key to Enterprise Mobility (as 1.5 billion OKL4 deployments testify).  But rather than building security on EITHER hardware or software foundations, why not do both?  While ARM and its licensees are spec’ing and shipping silicon that is enabled for virtualization, MDM and Dual Persona providers can make their solutions truly secure and user-friendly by integrating OKL4 into their software architectures. 

OKL4 confers a unique combination of performance, security and flexibility for mobile designs:  superior performance from smart minimalist design, hardware-targeted optimizations and fine-grained control over guest communications; security from a small trusted computing base and MMU-based isolation of guest software; and flexibility to support bare-metal and light-weight execution environments, shareable virtual device drivers,  and highly configurable  resource access by guest software.

OK Labs is already engaging with the mobile/wireless ecosystem to implement a unified architecture together with MDM and Dual Persona.  We are eager to form new partnerships with MDM suppliers and other secure mobility ISVs.  The time to integrate is NOW.

Great story. Two processors working together so that a device can select the right processor for the right task. If more power is required, the Cortex-A15 is ready. If less power is required (but still a lot of performance), the Cortex-A7 is 5x more power efficient for the less complicated devices. This is call Big.Little processing.

A great match for OK Labs. To quote Richard Phelan, Senior Strategic Software Partner Manager, ARM. “The Cortex-A7 processor and OKL4 boast scalable performance and help enable low-power operation, as well as simultaneous single and multicore big.LITTLE processing.”

Check out the video for more intrigue on the waterfront.

At last week’s VMworld, VMware presented, once more, their Mobile Virtualization Platform (MVP), now called Horizon Mobile. Besides the usual hype, there were a few things that I found somewhat annoying. 

Specifically, VMware’s Raj Mallempati is quoted as saying: “What VMware is going to do is provide me a corporate phone, which is a virtual machine that is completely encrypted, completely managed and secure, and they are going to deliver that onto my device.”

Even considering that it is coming from a marketing guy, I find this statement rather dishonest. Because secure it ain’t. Not for the business. Not for the owner of the phone.

Let me explain.

Insecure for the business

As I explained in a blog last year, VMware’s hypervisor is hosted inside the phone’s native Android OS kernel (which is why they call it, incorrectly, a Type-2 hypervisor). What this means is that whoever owns that OS kernel owns the VMware hypervisor, and thus the virtual machine which contains the business phone. They encrypt the business phone’s data on flash, but that doesn’t provide any protection if the native Android kernel is compromised, it can simply read the keys out of memory.

Hence, if an app compromises the Android kernel, it controls the business phone, including all its data, network connections, the lot. And notice that the private phone keeps functioning as normal, meaning the owner is free to install and run any arbitrary Android app. With the Android kernel comprising about a million of lines of code, it can be expected to contain about 10,000 bugs. How many of the 100,000+ Android apps trigger an exploit? Probably plenty. In fact, this is the primary reason businesses don’t like company-provided handsets to be open, they fear security to be compromised.

Insecure for the owner

But the setup isn’t secure for the phone’s owner either. It would be if VMware used a proper Type-2 hypervisor, as that would be completely untrusted from the native Android kernel’s point of view. However, as I explained in another blog last year, the MVP setup is actually neither a Type-1 nor a Type-2, but a hybrid hypervisor. It is hosted inside the host OS, not on top of it. (They wouldn’t be able to achieve acceptable performance with a Type-2.)

What this means is that VMware essentially installs a rootkit into your Android kernel, which re-directs the exception vectors to their hypervisor module. Meaning they take over your phone. Effectively, your phone is now “owned” by whoever controls the hypervisor. Which isn’t you, the owner, it’s VMware or the OEM or the network provider or your employer (or maybe all of them). All your private data is at their mercy.

And VMware go on to say that they combine this with device management software, so they can remotely wipe the phone without touching it. Only the business phone, of course. Really? Are they going to cleanly un-install the rootkit? If you just got fired, would you trust your former company with all your private data? In fact, would you trust your company with all your private data on the phone even while you’re still working for them?

Summary: It Ain’t Secure!

Not secure for the company, not secure for the phone owner. Take my Advanced OS class, guys!

Taking the Metra train transported Iggy into the city swiftly and safely. The Chicago Metra trains offer fast and comfortable rides between downtown and the suburbs. Luckily for him, Iggy remembered his ten-ride pass and was able to save a few bucks.

Tour highlights:

• Visiting Navy Pier and seeing the various sculptures, including Crack the Whip, and the Ferris wheel.
• Seeing the beautiful Lake Michigan and seeing the city’s skyline from the lakefront.
• The view of the Marina City buildings, which were designed by the famed architect Bertrand Goldberg
• Millennium Park and all of its surroundings, including the Jay Pritzker Pavilion, Cloud Gate, the Crown Fountain, and the Nichols Bridgeway for pedestrians.
• The Art Institute and its Modern Wing, connected to Millennium Park by the Nichols Bridgeway. Here Iggy made friends with the pair of resident lion statues that guard the entrance to the museum.

Taking the water taxi was a scenic and relaxing way for Iggy to wind down the day. Conveniently it also dropped him off at the Willis Tower. Formerly called the Sears Tower, this building was once the tallest in the world with 108 floors! It is also just across the street from our very own Open Kernel Labs! Like many tourists in town, Iggy tilted his flexible neck so that he could take in the considerable height of the building.

Be sure to check out our pictures from the day!

• The tactics were relatively easily deployed and low-tech -impersonation of phone users while talking to customer service- to gain unauthorized access to private voicemails.
• The real threat for the future lies in the sophisticated techniques being used by persistent phone hackers in search of secrets (political or commercial business) and financial gain at the expense of consumers, governments, and businesses alike.
• Well beyond the world of famous people watchers, hackers are listening to real-time communication on smartphones today and will continue to compromise the realm of political and corporate activities.
• Unsecured mobile phones, similar to computers and laptops, can posses a world of other assets that reside on the smartphone, creating yet another vulnerable repository of private information.
• While there are a variety of solutions that offer security protection for smartphone users, taking care of it at the front end of phone design will minimize the security breaches that are waiting to happen. The OK Labs SecureIT Mobile application is an ideal solution that will pre-empt and prevent smartphone exploitation.

SecureIT Mobile Enterprise White Paper 
SecureIT Mobile Government White Paper 

Mobile device security is a topic that looms large these days. Like Chen’s mandate, it makes sense to avoid creating a crisis, as I there are abundant tools to enable security in the realm of connected devices. This blog is filled with instances of how mobile virtualization enables dual-persona smartphones (one smartphone for both business and personal environments) and prevents perilous security breaches on behalf of enterprises and governments. 

Reinforcing a similar theme, another title caught my eye in PWC’s report on Unleashing Enterprise Mobility. Galen Grumman, executive editor at InfoWorld and contributing writer for PWC penned “Mobile technology’s journey from peril to promise.” The article frames the discussion around the need for businesses to ensure security in mobile devices that are used for both business and personal matters. It’s clear in the analysis that device security must be resolved before the promise of significant business value can be realized.  

Mobile virtualization is the logical path forward for secure applications and secure communications for connected devices. 

Crisis or opportunity?

Peril or promise?

The choice is clear. 

As secure dual-persona phones enabled by mobile virtualization hit the market, we can look forward to a surge in productivity for employees and a crop of CIOs and IT managers who worry just a little less.