Anthony Perkins wants employees at BNY Mellon to bring their personal smartphones to work and use those instead of company-issued BlackBerries to access business email, applications and data.
But there's a catch: Not all employees are comfortable with the prospect of having their personal phones locked down and controlled as tightly as the BlackBerries that Perkins would like to phase out. That's where the notion of containerization comes in.
A bring your own device (BYOD) strategy is good business, says Perkins, CIO for BNY Mellon's Wealth Management business. It reduces the time and expense involved with maintaining and managing company-owned BlackBerries. "We'd like to be in the business of managing software, not hardware. In the RIM world, you manage hardware," he says, referring to Research in Motion, the BlackBerry's manufacturer.
[See related blog entry, "BlackBerries and BYOD: RIM makes its play."]
On the downside, today's popular mobile devices were developed for the consumer market, and third-party management tools don't have the same management hooks that RIM can offer, since it designed and controls the BlackBerry client architecture and has been especially responsive to the needs of corporate customers.
But Perkins says those advantages are outweighed by users who are generally more productive due to the multitude of productivity apps available in the Android and iOS worlds. And most importantly, having a BYOD policy is "a great way to recruit and retain young talent."
Because corporate apps and data tend to be mixed in with the user's personal content, mobile device management (MDM) tools tend to be very conservative when it comes to managing corporate resources on users' phones, with policies often applying to the entire device, including both personal and professional apps and data. Users may not be willing to give up control of their smartphones in exchange for receiving access to corporate apps and data.
To get around that user resistance, Perkins is turning to containerization -- an emerging class of management tools that carve out a separate, encrypted zone or policy bubble on the user's smartphone within which some corporate apps and data can reside. In this way, policy controls apply only to what's in the container, rather than to the entire device.
Mostly, containerization tools are complementary to MDM software, with increasing numbers of MDM vendors incorporating containerization techniques.
That said, as great as containment is for limiting corporate liability, it doesn't help any personal data that may be lost due to a wipe if the phone is lost or stolen. Some IT departments are recognizing that users may need help backing up their personal data and apps, and some, like Jacobs Engineering, are helping their end-users get set up with backup systems.
Ryan Terry, division CIO and CSO at University Hospitals Health System in Shaker Heights, Ohio, turned to containerization because he sees the use of traditional MDM tools to control the entire device as a liability issue. The hospital needs to have apps or data delivered securely to clinicians without interfering with the users' ability to access their personal apps and data. "We can't afford to delete things of a personal nature or impede their ability to use their personal asset," he says.
Alex Yohn, assistant director of technology at West Virginia University, is also wary. "I don't want my guys doing settings on the personal side that could come back to haunt us," such as accidentally deleting data or making configuration changes that affect how the users' personal apps run.
For businesses that need strict security policy and compliance controls, such as the highly regulated healthcare and financial services industries, containerization can be especially helpful in making the BYOD experience more palatable for users, IT leaders say.
Choose your container
Existing vendors offer, in essence, three different containerization approaches:
- Creating an encrypted space, or folder, into which applications and data may be poured
- Creating a protective "app wrapper" that creates a secure bubble around each corporate application and its associated data
- Using mobile hypervisors, which create an entire virtual mobile phone on the user's device that's strictly for business use
All of these technologies offer more granular control over corporate applications and data on users' devices than whatever security comes standard with smartphones currently. And users' devices no longer need to be on a list of smartphones that has been certified and tested by IT, because corporate apps and data reside inside a secure, encrypted shell.