Mobile App Security Through Containerization: 10 Essential Questions

WHITE PAPER

MOBILE APP SECURITY THROUGH CONTAINERIZATION: 10 ESSENTIAL QUESTIONS

OVERVIEW: WHY DOES MOBILE SECURITY MATTER?
Mobile devices present a unique dilemma to the enterprise. On the one hand, workers empowered with tablets and smartphones
can transform the way they do business; they're more agile, closer to customers and more productive. Bring Your Own Device
(BYOD) programs give users the freedom to work on the devices of their own choosing, while still allowing an enterprise to reap the
productivity benefits of these always connected, readily accessible mobile devices.
On the other hand, these ubiquitous mobile devices represent increased security risks to the enterprise, especially with BYOD.
Sensitive corporate and customer data can be stored on mobile devices that can easily fall out of pockets or be left at airports. Well-intentioned employees use popular cloud-based file sharing apps to make themselves more efficient, unknowingly taking corporate
data out of IT visibility and control. Malware can access all data on or going through the device. Disgruntled employees can make
copies of sensitive data and use it for their own. Without a comprehensive, thoughtful approach to security, mobility brings danger.
Mobile Device Management (MDM), an initial approach to mobile security, enables IT with device-level controls, such as enforcing a
device password policy or being able to remotely wipe the device. But MDM provides only part of the solution, as it isn't appropriate
in all circumstances. For example, contractors, resellers and other business partners are typically not under IT control within an
MDM paradigm. So IT can't provide security controls on employee devices, even if Lines of Business distribute their own mobile
apps. Another example where MDM wouldn't work is for an enterprise's board of directors, whose members often sit on the boards of
multiple companies. The members of the board need secure access to multiple enterprises' corporate data, but can't install multiple
MDM agents; that's another limitation of MDM. Employees are also pushing back on IT taking complete control over their devices;
after all, the important thing is to keep enterprise data secure, not to control the user's personal data, such as MP3 playlists or
pictures of their kids.

A NEW STRATEGY: SECURE YOUR ENTERPRISE MOBILE APPS


Enterprises need a different approach to mobile security that works for all users, i.e., employees and non-employees who need
access to corporate data. A better, more encompassing, approach is one that provides finer-grained application-level controls, not just
device-level controls. With this approach of securing enterprise apps, organizations can focus on protecting their data (arguably
their most important asset) on any device, without being too intrusive. At the same time, users get a better on-device experience,
since any security restrictions are only experienced when the user interacts with the enterprise's apps.
The approach of securing enterprise mobile apps to protect corporate data might appear straightforward, but there are many factors
to be considered. At Good Technology, we've worked closely with hundreds of enterprises that have implemented mobile security
solutions to protect corporate data. Listed below are the highest priority requirements that these companies focus on as they build out
their mobile app security strategies. As you build out your own strategy, you should evaluate the importance of these requirements.

1. Can enterprise apps and data be segregated from personal apps and data?
Given the prevalence of BYOD, there must be a way to securely separate corporate data on any device, whether it's user-owned
or corporate liable. One approach that has become the prevailing approach (recommended by industry analysts and gaining
acceptance at many companies) is to use app containerization technology that provides each managed app, and its data, with its
own secure runtime container. To be effective, app containerization must use a strong encryption algorithm that is separate from
native device encryption, with the containerized apps secured by a strong password policy. The isolation provided by containerization
reduces the chance of malware infection or privilege escalation from a malicious app on the device.
Containerization, typically delivered via a mobile app security platform, causes an app to transform in multiple ways: the app data
is encrypted and segregated from all other apps; native OS runtime system calls are replaced with equivalent secure versions; and
unique security functionalities such as secure shared services and app-to-app secure workflows become possible. Because of
the containerization delivered by the mobile app security platform, an enterprise suddenly has all kinds of security controls over the
app, and how it can or cannot interact with other apps in a combined workflow.
Containerized apps can coexist right alongside personal apps on the mobile device, but each containerized app's data stays in its own
container, and any connection to another containerized app or a corporate server is secured. True containerization is on an app-by-app
basis, and shouldn't be confused with virtualization, a less effective technique that creates a single shared environment for managed
applications, and may not be supported by popular mobile devices or operating systems.

2. Is the user experience preserved?


Before diving into technology, it's important to step back and consider the user, the most integral part of the system we're securing.
It's not enough to simply secure mobile apps; the user experience must be preserved as well. Otherwise, users will inevitably
undermine security by trying to work around cumbersome implementations and the enterprise will not gain the benefits of mobilizing
its worker base.
Both containerization and virtualization (creating a separate, secure environment on the device) can keep data secure. But
considering the user experience makes a powerful case for containerization, rather than virtualization. With containerization, the
core look and feel of a user's device stays the same; it's just that certain applications are secured. Virtualization, on the other hand,
requires that users do a hard cutover to a separate environment to use enterprise apps, which breaks the experience that end-users
expect from their devices. This will reduce adoption, at best, and may even encourage users to try to work around the officially
sanctioned solutions. Sometimes, the word "containerization" is casually applied to virtualization, so be sure to check whether a
solution uses per-app containers, or an unwieldy shared virtual environment.

3. Are containerized ISV apps readily available?


Enterprises shouldn't have to build all the mobile apps they need just to be secure. So one approach to mobile app security is to
take advantage of a community of independent software vendors (ISVs) who are developing containerized enterprise-ready apps that
share a common mobile app security platform. Commercial off-the-shelf apps provide functionality at a fraction of the cost and time
required for custom development. Of course, when considering these ISV apps, it is important that the security certification for these
apps is serious, not just a checkbox. For example, some questions that need to be answered are: Do the ISVs get help from the vendor
when testing their software? Do the solutions use FIPS 140-2 certified cryptography for data at rest on the device? Can these ISV
apps securely communicate with other apps built on the vendor's mobile app security platform? How do they securely communicate to
behind-the-firewall application servers?

4. Can custom-built enterprise apps be containerized?


There will be many cases where there is a need to build apps to meet specific business requirements. That's where custom app
development comes in. Those apps could be built in-house or outsourced to a 3rd party developer, but should use a common mobile
app security platform, ideally the same one that is being used by ISVs who are building enterprise-ready apps that address the more
general use cases. Enterprises that are building custom enterprise apps and incorporating mobile app security into those apps use
two approaches:

- App wrapping. For rapid time-to-value, organizations can choose to simply wrap their applications with the platform-provided
  security functionality without having to do any additional development work.
- Code integration. For advanced functionality that is not possible via app wrapping (e.g., secure inter-application
  communication, etc.), developers can use the API calls and software libraries in a Software Development Kit (SDK) to
  incorporate capabilities of the mobile app security platform into their apps.

5. Can containerized apps securely connect to the enterprise?


Unnecessary inbound connections to enterprise servers and controllers increase risk and complexity. A better option is for these
containerized apps to make a persistent connection to a secure network infrastructure, which relays encrypted traffic. This works best
when a proxy server inside the firewall concentrates traffic to and from enterprise servers and controllers on a shared, secure link. As
a result, data moving in and out of the mobile app is always encrypted. An added benefit is the ability to securely push data to the
device, such as a policy update or a notification, without requiring the device to accept a connection from a server.
Sharing a persistent secured connection is much more scalable and supportable than having each container on a mobile device open
a VPN connection into the enterprise. While VPNs are a common approach to secure access, they're far from ideal. VPN access is
a significant driver of service desk incidents; many companies have reliability and supportability issues with VPN. Further, when
multiple mobile devices per user and multiple containers per mobile device connect to the network, it can require costly VPN client
access license purchases, hardware upgrades and network usage. Lastly, app-specific VPNs require that ports be dedicated to each
connecting app, creating a change management nightmare. And, of course, the more ports IT is forced to open on the firewall, the
greater the increase in security risks.

6. Will IT be able to centrally manage security policies for all containerized apps?
A very basic requirement is that enterprise IT administrators should have a single user interface for managing policies and security
for all mobile apps. While there will be general security policies that can be implemented for all apps (such as data loss prevention,
ensuring password strength, frequency of password updates, etc.), there will also be cases where app developers will create policy
controls that are unique to their apps. For example, your organization might outsource the development of a mobile HR app that
provides more functionality to a manager-level employee user than to an individual contributor-level employee user. App developers
should be able to take advantage of the centralized policy control user interface to enable, customize or lock down app functionality
for specific groups and individuals.
As you build out the mobile app security strategy, consider solutions that provide the flexibility of managing these app-specific policies
from the same interface that is used for all the other security policies. If each mobile application has its own control interface, this
will increase administration complexity exponentially, making it more likely that IT admins will make mistakes. Separate control
interfaces will also increase management costs and compliance burdens.

7. Can containerized apps be distributed to any device?


Enterprises need a scalable way for all their users to easily find and download the containerized apps that are relevant to the user's
role, while still providing IT with the necessary security controls. This disqualifies consumer app stores. However, the user experience
matters here as well, so choose a distribution mechanism that mirrors the experience provided by a consumer app store. An enterprise
app store is a viable option that is of interest to many companies, because it enables them to service the needs of both employees and
non-employees.
Enterprise app stores allow for the distribution of both apps curated from a public app store and an enterprise's secured apps,
and provide the consumer-level experience that users have come to expect (e.g., browse, ratings & reviews, etc.). At the same time,
an enterprise app store provides the controls that IT needs (e.g., requiring authentication into the store, controlling app visibility
based on a user's role, etc.).

8. Is there a need for secure app-to-app collaborative workflows?


A well-designed mobile app is typically built to solve a very specific problem, very unlike the behemoth general-purpose desktop
apps. It stands to reason that constellations of mobile apps that interoperate seamlessly are more powerful. But they need to be
able to work together only with explicit permissions, and without the risk of data loss, which is often the result of commingling
corporate and personal data. So, your mobile app security strategy must also account for a way to allow these apps to send encrypted
information between each other in collaborative workflows. By collaborative, we mean the ability to both view and edit this encrypted
data, typically documents, within these containerized apps, the way many companies use their containerized apps. The mobile app
security platform used to segregate business apps should provide IT with the ability to control data sharing capabilities, such as copy
and paste, between containerized apps through a secured path, so data never leaves a secured state.
Workflows aren't only about sharing documents but also about the ability to invoke other apps with the requisite parameters or about
discovering and using services published by other apps. Just as web services have created new ways of combining functionality from
multiple systems into a whole that's more powerful than the sum of its parts, so too will secure enterprise app workflows unleash
new possibilities for mobile workers. Secure apps that provide specific services can even register themselves for dynamic discovery.
This future-proofs your mobile app security strategy: as new custom or secure ISV applications provide enhancements, they can be
dynamically plugged in to the mobile ecosystem.

9. Can users authenticate once across all containerized apps?


It's a given that multiple enterprise-ready apps will be made available to users. But requiring users to enter login credentials for
each app is a no-no, especially if you consider enterprise IT typically requires strong passwords that can be a challenge to type on
a small glass screen. Single sign-on for the containerized apps is a must have to preserve the user experience and to ensure usage
of the apps. IT should be able to designate that if a user authenticates successfully to one app, that app will delegate the user's
authentication to other containerized apps. That user will then not be required to authenticate into any of the enterprise's other
mobile apps on that device. Again, app-level control is the central requirement.

10. Is your app development platform native or hybrid?


Today most mobile apps are native, i.e. developed for use on a particular mobile OS platform such as Apple iOS or Google
Android. Native apps can take advantage of OS features, such as GPS, typically available on the mobile. However, industry analysts
predict that the app development platform of the future is hybrid (HTML5), which allows enterprises to harness much of the power of
the underlying mobile OS platform without requiring the specialized development expertise needed for native app development or the
investment required to support multiple native code bases. To prevent your organization from being locked into any app development
platform, make sure to choose a mobile app security platform that supports equivalent containerization for either native or hybrid app
development.

CONCLUSION
Enterprises must secure mobile apps and the data they use. Device-level security isn't enough, especially with BYOD. The approach
to security must be comprehensive, and it should be based on an end-to-end strategy that has accounted for the above requirements.
By doing so, the enterprise will have a comprehensive mobile app security experience that can keep corporate data secure and prevent
data loss. Accounting for the user experience, which permits the user's device to operate just as it always did, along with advanced
features such as single sign-on across apps and secure app-to-app workflows, allows the organization to accelerate the business
transformation possible with mobility.

ABOUT THE GOOD SECURE MOBILITY SOLUTION


Comprised of the Good Dynamics Secure Mobility Platform, the Good Collaboration Suite, and a rich ecosystem of 3rd-party and
custom mobile apps, the Good Secure Mobility Solution provides the market's first comprehensive solution for secure enterprise-wide mobility, supporting users' demands for robust and interoperable enterprise-grade mobile apps while giving IT the data security,
service visibility and infrastructure control needed to meet both regulatory requirements and service level agreements.
The Good Secure Mobility Solution provides the security and application services enterprise developers need to build transformative
mobile apps run on the most extensive, integrated framework for protecting and managing apps, data, and devices while enabling
business productivity, collaboration, and workflow transformation.

ABOUT GOOD TECHNOLOGY


Good Technology is the leader in secure mobility, providing the leading secure mobility solution for enterprises and governments
worldwide, across all stages of the mobility lifecycle. Good's comprehensive, end-to-end secure mobility solutions portfolio consists
of a suite of collaboration applications, a secure mobility platform, mobile device management, unified monitoring, management and
analytics and a third-party application and partner ecosystem. Good has more than 5,000 customers in 184 countries, including
more than 50 of the FORTUNE 100 companies. Learn more at www.good.com.

Global Headquarters
+1 408 212 7500 (main)
+1 866 7 BE GOOD (sales)

EMEA Headquarters
+44 (0) 20 7845 5300

Asia / Pacific Headquarters


+1 300 BE GOOD

© 2014 Good Technology Corporation and its related entities. All use is subject to license terms posted at www.good.com/legal. All rights reserved. GOOD, GOOD TECHNOLOGY, the GOOD logo, GOOD FOR
ENTERPRISE, GOOD FOR GOVERNMENT, GOOD FOR YOU, GOOD DYNAMICS, SECURED BY GOOD, GOOD MOBILE MANAGER, GOOD CONNECT, GOOD SHARE, GOOD VAULT and GOOD DYNAMICS
APPKINETICS are trademarks of Good Technology Corporation and its related entities. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners.
Good's technology and products are protected by issued and pending U.S. and foreign patents. 07/14 Rev. 07022014
