CIO Greg Taffet looked into mobile device virtualization to get a handle on the rapid adoption of mobile devices...
at U.S. Gas & Electric Inc., a fast-growing North Miami-based national reseller of natural gas and electricity. So did Barry Porozni, CIO at The Reinvestment Fund (TRF) in Philadelphia, where a bring-your-own-device (BYOD) policy started out modestly enough and keeps growing.
Who wouldn't be intrigued? Mobile device virtualization promises the benefit that made server virtualization such a big hit in the enterprise: being able to run multiple operating systems on a single piece of hardware. Whereas cost savings on hardware was the primary driving force behind the adoption of server virtualization, the allure of mobile device virtualization is being able to provision dual personas on the same device -- one for work and one for personal computing.
More on virtualization
A return to the Garden of IT with mobile device virtualization?
Virtualization capacity management: The right tools rule
With dual personas, if a company wants to impose a strong password policy or to standardize on one version of bandwidth, all that can happen independently of what goes on in the personal domain. Corporate assets are protected, and the employees can do as they please on their side of the border. In enterprise computing, where CIOs are under tremendous pressure to adopt BYOD policies and where mobile endpoints are multiplying like locusts, a dual persona solution sounds like paradise regained. "It allows IT to leverage that centralized control they had for so long," said Philip Clarke, research analyst at Mokena, Ill.-based Nemertes Research Group Inc.
Taffet and Porozni discovered, however, that the approach is very new, the market is very unsettled and the mobile device world is changing very rapidly. So -- for the time being anyway -- they are steering clear of putting virtual machines on mobile devices. After all, the Type 2 hypervisor approach taken by VMware Inc., arguably the world's leader in enterprise virtualization, to date works only on Android devices, they noted.
For Porozni, security was also a concern, specifically with the device's Type 2 hypervisor technology that relies on the underlying operating system to work. "How do you know there isn't something they can't download on the personal side that can't impact the phone?" he asked. A guest OS also takes more power from the base system, raising the possibility of performance problems. For now, he's going with "good enough." He opted for a mobile device management (MDM) product from Fiberlink Inc., a Mobility-as-a-Service provider based in Blue Bell, Penn.
U.S. Gas & Electric's Taffet is testing a piece of software from Bitzer Mobile Inc., which provides its own business-encapsulated secure environment on the mobile device. Everything from the business runs in the Bitzer mobile app container, he said. "They take the pain of making it run on all the appropriate devices, so that I only need to set it up once. I can push and pull and manage and wipe -- at my control versus the user's -- on the business side. Whatever happens on their side of the computer doesn't affect my side," he added. "I'm beginning to feel comfortable with the level of security they provide."
Mobile device virtualization a silver bullet or a bust?
Analysts we interviewed agreed that at least until mobile device virtualization is device agnostic and becomes "ubiquitous," many CIOs will choose the "good enough" capabilities offered by mobile device management (MDM) vendors for managing, monitoring and securing mobile devices, "But they are not giving IT the full breadth of control," Nemertes' Clarke said.
Christian Kane, an analyst at Forrester Research Inc. in Cambridge, Mass., who follows MDM closely, agreed. "Most MDM technologies leverage the native APIs of the mobile device, so they can't get the same data and application controls that enterprise clients are looking for," he said. The monitoring problem will only worsen with the proliferation of mobile devices and versions in the enterprise.
If you can't control what gets installed on the device, then the best way to protect your data and assets is to make sure you can control the work environment they are deployed in.
analyst, Forrester Research Inc.
Moreover, IT ends up "owning the device" with MDM, whether the device is provisioned by the company or owned by the employee, noted Chris Ward, solutions architect at systems integrator GreenPages Technology Solutions in Kittery, Maine. "There is always an agent or some software on the device. If something breaks, where does IT step in? Drawing those lines of responsibility is key," he said.
In theory, so-called dual persona technology helps sort out responsibilities. Notes Forrester's Kane: "If you can't control what gets installed on the device, then the best way to protect your data and assets is to make sure you can control the work environment they are deployed in." Of course, the dual persona approach comes with its own challenges, starting with the variety of products being floated and the uncertainty of which ones will prevail, said these analysts, who expect the market to shake out over the next six months to a year.
Forrester's Kane lumps the products into two bins: the "true virtualization" offerings from VMware (Horizon Mobile, a Type 2 hypervisor) and from Open Kernel Labs (which makes a Type 1 hypervisor, essentially firmware on the phone), and the offerings from vendors that take a "more containerized application approach," such as Enterproid Inc., OpenPeak Inc. and Good Technology Inc.
"From a user perspective, there is not much difference, because they will still be seeing two environments," Kane said.
Meanwhile the two "pure play" mobile device virtualization offerings are still up against Apple Inc., which thus far has shown little interest in allowing mobile virtualization vendors access to the hooks required for dual persona phones. Getting on the mobile Windows phone will not be a problem, but the iOS is another matter, GreenPages' Ward said. "If VMware can't crack that code on the iOS side, I don't think you'll see Horizon Mobile go very far," he said.
Even on the Android, a Type 2 hypervisor approach might fall short, as can happen on laptops, in Ward's view. "When you're running a virtual machine on top of that piece of hardware, you're not necessarily able to use 100% of the native abilities of the physical laptop. You run into the same challenges on mobile devices," he said.
VMware moved from a Type 1 to a Type 2 hypervisor after finding that adding a Type 1 hypervisor to the physical phone added to the already long development cycle for these devices. That presented a problem because these consumer devices are short-lived in the marketplace. As TRF's Porozni notes, "That's their reason for doing it. I want a secure solution, not the one that comes to market faster." (Open Kernel Labs claims it has gotten around that problem by shipping chipsets that are virtualization-ready. "We're spending a lot of time with manufacturers to do that," said Carl Nerup, the company's vice president of business development.)
One more caveat: Some proponents of BYOD aren't sold on the dual persona approach, arguing that in a world where work and personal have become so intertwined, separating the two undermines the user experience. Moreover, toggling back and forth between segments -- even on the same device -- is not that different from carrying two devices, said Forrester's Kane, who added, "No one wants to go back to that."