Virtualization is new to mobile, but established in the data center, fundamental in cloud computing and increasingly popular on the desktop. Mobile Virtualization lets handset OEMs, operators/carriers and end-users get more out of mobile hardware.  It decouples mobile OSes and applications from the hardware they run on, enabling secure applications and services on less expensive devices today and deployment on advanced hardware tomorrow.

An enterprise mobility solution based on virtualization should feature well-built separation of secured (enterprise) and unsecured (personal) operation domains – company assets and personal data and apps occupy separate and secure cells, isolated from one another, running on unique instances of one or more mobile OSes. By enabling an unsecured (and unrestricted) and a secured (and restricted) virtual phone to coexist on a single physical device in separate cells, mobile virtualization helps to accommodate the needs of both the individual and the enterprise. Moreover, by isolating mobile enterprise assets (Mobile Device Management (MDM) agents, endpoint security software, regular data and applications), mobile virtualization effectively “protects the protectors.” It complements and strengthens MDM, anti-virus, and other mobile technologies, resulting in a strong mix of security, privacy, and functionality.

Thus, with mobile virtualization, individuals can bring their personal devices to work and they willingly let employers install enterprise mobility software because a virtualization-based solution does not threaten personal privacy or limit the websites and apps they want to access. Employers, in turn, enjoy increased productivity from their employees and are willing to let them use the software and services they want with a straightforward and thorough approach to security.

Authentication and the network type in which the mobile devices operate go hand-in-hand. For every type of the network connecting the mobile device, the authentication happens distinctly. Following are some scenarios how authentication happens in different networks:

Network Type: On Site Wi-Fi

Authentication Process: The authentication occurs just after the association of the device and the network, before getting the IP address. Networks with Wi-Fi Protected Access (WPA), suited for Enterprises, allow authentication of different types (passwords/digital signatures/biometric techniques). This type has geographic restrictions limiting the device’s access to the Wi-Fi network.

Network Type: Internet Protocol Security (IPSec), Secure Sockets Layer (SSL) or Mobile Virtual Private Network (VPN)

Authentication Process: In any of the cases, the authentication happens just when the channel is established between the network and the device. Use of advanced versions or integrating the standard network options to external authenticating servers provide a good control of the network and the device used in that network. This type does not have any geographic restrictions and hence the mobile device can access the network from anywhere.

Determining the choice of the authenticating suitable to the organization will create an impact on the mobile device usability and the network security

The previous post of “Mobile Devices & Security Risks” discusses about the security risks associated with mobile devices within and outside the  enterprise. This post briefs on how security can be achieved in the enterprise, broadly at 2 levels, namely the Device & Application level and the Network level.

Device & Application Level: Since devices are more vulnerable to physical loss, protecting the data on the device becomes critical. Options which can secure the data in the device & application level are:

• Data encryptions to conceal the data/content transmitted over the network
• Validation of user’s identity with passwords/biometric techniques
• Electronic signatures to authenticate the user
• Mutual authentication by both the communicating parties
• One Time Password (OTP) which regenerates for every session
• Device tracking using Global Positioning Systems (GPS)

Network Level: Security at the network level is more complex than at the device/application level with policy formations and compliance conformations. Options at the network level to guarantee security of the enterprise applications running on the mobile devices are:

• Filter & monitor the Media Access Control (MAC)/Internet Protocol (IP) when access to the server & application logs is requested from the mobile devices. A policy permitting only a pre defined device list into the network should be in place.
• Segment the network (WLAN/Service Set Identifiers (SSID)) for specific group of people’s devices. Assign & permit these specified devices to the data required by these set of employees.
• IT department should be able to penetrate into the visibility of the employee-owned mobile device applications (used for both personal & the enterprise purpose). They should be able to control the installed & running applications to filter unwanted/unauthorized applications, on these mobile devices over the network.

As enterprises mobile enable their applications, they are providing variety of mobile devices to their workforce who can access these applications from anywhere. Such proliferation of devices come with certain associated risks.

• Device loss or theft: Physical loss of the device is the first risk which leads to productivity and loss of sensitive data.
• Unauthorized network penetration: Since mobile devices provide a variety of network connectivity options like Bluetooth/Wi Fi, they are easy targets of malicious attacks. Attackers who gain access to a mobile device may be able to impersonate a legitimate user and gain access to the corporate network.
• Intercepted or corrupted data:  With so many business transactions taking place over mobile devices, there is always concern that critical data could be intercepted along the path through the Internet cloud, via tapped phone lines or intercepted microwave transmissions.
• Malicious software: Though traditional desktop malwares like viruses, Trojan horses, and worms are not yet that significant in mobile devices, there is a growing consensus among security experts that mobile devices will be targeted.
• Unsupported or unsigned applications: Older applications that are no longer supported, while they may still work, are dangerous because they may be vulnerable to attack by new viruses. If an unsigned application is installed on a device, it could make changes to a device that would jeopardize its security.