Learn how NIST SP 800-46 Could Impact You
Last week, the National Institute of Standards and Technology (NIST) updated its guidance for mobile security with two new publication drafts. The folks at NIST recognize that more and more employees are using mobile devices to access confidential data and that mobile devices have become a weak link in many organizations’ defenses.
According to NIST computer scientist Murugiah Souppaya, “Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework.”
The new NIST SP 800-46 draft, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, offers recommendations to improve BYOD security and reduce the risk of data breaches caused by mobile devices.
According to the NIST publication, organizations should:
- Encrypt all sensitive data stored on client devices or not storing sensitive data on client devices.
- Use strong authentication—preferably multi-factor—for enterprise access
- Encrypt communications to maintain confidentiality and integrity and prevent eavesdropping and interception
The publication also recommends that virtual mobile infrastructure can help secure BYOD access:
Although terminal server access and VDI technologies are primarily meant for telework PCs, there is an emerging technology that provides similar capabilities for mobile devices: virtual mobile infrastructure (VMI). Just as a VDI solution delivers a secure virtual desktop to a telework PC, so does VMI deliver a secure virtual mobile device environment to a telework mobile device. Organizations considering the use of mobile devices for telework, particularly BYOD or third-party-controlled mobile devices, should investigate VMI technologies to see if they may be helpful in improving security.
A lot has changed since NIST published its original guide for telework and remote access nine years ago. That guide focused on personal computers and laptops. Since that time, mobile device use has skyrocketed. Government agencies and enterprises alike must grapple with a host of different phones and tablets owned by employees.
Today, many government and defense agencies provide their employees with locked-down, secure mobile devices. However, some of these employees end up carrying around two mobile devices: one for work and another for personal use. This practice is not only cumbersome and costly, but it probably increases the risk of losing a device because it is harder for workers to keep track of two devices than just one.
While federal workers are not going to ditch their employer-provided phones anytime soon (especially if they need to access top secret data), government agencies should consider technologies like VMI for BYOD. VMI provides secure remote access to sensitive data while still allowing users to access their personal apps. VMI also extends secure access to contractors and partners that do not have locked-down and managed devices.
Mobility has revolutionized how users work, collaborate and communicate, but it has also introduced a wide array of new security risks. NIST SP 800-46 provides an excellent framework for securing mobile access from all users, including emplo
 Executive Summary (lines 236 – 244) of NIST SP 800-46 Rev. 2 (Draft)
 Section 2.2.2 of NIST SP 800-46 Rev. 2 (Draft)
Businesses around the world want to leverage mobility to drive digital transformation. However, before businesses start rolling out new mobile apps to their employees, they must consider security and compliance risks. It is much easier to enforce data loss prevention (DLP) policies on corporate-owned laptops than it is on employee-owned mobile devices.
Why? Because many traditional DLP products are not designed for mobile devices. The few products that do support mobile devices require mobile apps to be routed through a VPN connection.
Often times, users can find ways to bypass these VPN connections. And even with VPN, organizations may not gain full visibility into encrypted traffic, depending on the mobile app. This provides a gap in defenses that users can exploit. It may also expose organizations to compliance violations or regulatory fines if they are not using sufficient controls to monitor and protect business data.
Mobile access is within scope of most compliance mandates if mobile users can view or modify regulated data, such as Personally Identifiable Information (PII), financial data, or healthcare records. For example:
- PCI DSS: Merchants and payment processors must protect cardholder data. If users can access user records and cardholder data from mobile apps, then they could theoretically take screenshots and share cardholder data.
- HIPAA: Organizations can be fined up to $50,000 per violation for the disclosure individual health information. If healthcare workers can access patient records from their phone, they could take and distribute a screenshot from their phone.
- ISO/IEC 27002: To address International Organization of Standardization (ISO) rules, organizations must track privileged user accounts and prevent unauthorized changes to software or logs. If mobile access to sensitive systems is supported, then organizations must prevent privileged users from downloading and sharing confidential data from their phones.
With virtual mobile infrastructure (VMI), organizations can regain control over mobile data by logging all activity and preventing users from storing data on their devices. VMI is like virtual desktop infrastructure for mobile apps, allowing users to securely access Android apps from iOS, Android, Windows, or Mac devices.
However, stopping users from downloading, copying or printing content does not completely prevent data loss. Users can still take screenshots of sensitive data from their mobile device. So, the SierraVMI client can optionally block users from taking screen captures of the VMI app.
Even with anti-screen capture technology, users could take a photograph of sensitive information with a separate camera. To deter would-be photographers, SierraVMI also offers watermarking. When watermarking is enabled, the VMI client’s username is displayed diagonally across the mobile device. screen. Because users would know that they would be identified if they distributed the image, they would be less likely to photograph sensitive data.
Plus, watermarking acts as a subtle reminder to users that they are accessing protected information. That knowledge can be enough to reduce the risk of unwanted activity.
Today’s workforce is mobile. Workers are not just relying on their mobile devices to check their email, but to perform their job. Field service workers, doctors, police officers, flight attendants, and many more use their phones and tablets every day to look up records, to collect customer data, and to communicate.
Mobile workers also take photographs on their phones to document information or gather evidence. Unfortunately, without proper security and storage, those photos might be erased or—worse yet—they might expose workers and their employers to legal risks.
Let’s take a look at some of the reasons why workers snap photos on the job and why they should not store photos locally on their mobile devices.
- Insurance adjusters: often take photos of insured vehicles or property to document damage. If an insurance adjuster’s phone is stolen, the photos could be lost.
- Doctors: use their camera phones to record the conditions of their patients. However, most doctors do not want photos of a patient’s ugly foot rash sandwiched between photos of their kids and their Hawaiian vacation.
- Office workers: take photos of white board sessions and presentations from their phones. If these photos reveal proprietary information, such as business plans or product roadmaps, organizations should protect them just as they would protect confidential documents and spreadsheets.
- Police officers: use camera phones to collect evidence of criminal activity, but officers should avoid storing graphic or disturbing photos on their personal phones; storing photos of child exploitation or other illicit activity could make law enforcement officers liable for the crimes they are trying to prevent.
- Meter readers: take photos of electricity meter levels to ensure meter reading data is accurate and to reduce fraud. Storing these photos instantly in a central location will expedite the collection and cataloging meter data and reduce loss.
These are just a few examples showcasing why mobile workers capture information with their mobile cameras. As mobile devices become more integrated into employees’ everyday jobs, cameras will play an increasing role.
Virtual Mobile Infrastructure (VMI) can help organizations take control of photos captured on mobile devices. With VMI, employees can capture a photo using their camera phone using a camera application hosted on a remote VMI server. Unlike content management and containerization tools from MDM vendors, VMI ensures that confidential photos are never stored on mobile devices.
To learn how to protect photos and other applications on mobile devices, read about SierraVMI Virtual Mobile Infrastructure.
Employees are clamoring to bring their own devices to work. However, before IT security teams allow BYOD users to access business data or use Wi-Fi networks, they must consider the security implications. BYOD trends not only introduce new risks, they can also provide an avenue for users to circumvent existing security measures. Therefore, IT security teams must develop a strategy to prevent:
- Data breaches caused by lost or stolen mobile devices
- Data leaks from mobile users
- Access to phishing and malicious sites from mobile devices
- Reduced employee productivity due to lack of web filtering controls
Lost and Stolen Phones
Organizations’ top mobile security challenge, bar none, is lost and stolen phones. To address this challenge, organizations can keep sensitive data off of mobile devices by hosting mobile apps in a secure data center or they can remotely wipe lost devices. While IT security teams have several options to mitigate the threat of lost and stolen devices, other BYOD security risks are not as easy to solve.
Data Leaks from Mobile Users
PCs and laptops are relatively easy to lock down. With data loss prevention (DLP) software, organizations can block users from saving data to USB drives or from printing confidential files. Organizations have fewer options to prevent data loss on mobile devices. And even with the few tools that do exist, many users will balk if their employer tries to monitor their mobile usage when they are at home.
Phishing and Access to Inappropriate Websites
For two decades, organizations have maximized employee productivity and reduced risk by blocking malicious and undesirable websites. However, the combined trends of BYOD and SSL encryption make it challenging for organizations to control mobile users—and even desktop users. These challenges are due to several reasons, such as the lack of IT management tools to control browser or certificate settings for different mobile devices. In addition, the widespread use of certificate pinning in mobile apps makes it challenging for organizations to decrypt and inspect traffic.
As a result, many users can bypass web filtering controls simply by bringing their phones and tablets to work. Plus, IT administrators may end up disabling security measures for both mobile and desktop users when mobile users complain they cannot access specific websites.
What Organizations Can Do to Regain Control
To protect corporate data and control BYOD access, IT security teams can consider virtual mobile infrastructure (VMI). With VMI, mobile users access apps hosted remotely in a data center or in the cloud, rather than on their phone or tablet.
VMI helps mitigates risks due to lost and stolen phones and data leaks from malicious insiders. With VMI, organizations can easily monitor and control which websites mobile users visit.
Plus, as an added bonus, VMI helps thwart mobile malware. Mobile malware cannot exfiltrate sensitive data because sensitive data is never downloaded to the device. Anti-screen capture technology blocks malware from intercepting VMI images. So if mobile malware like XcodeGhost and YiSpecter become more widespread, VMI will keep malware risks at bay.
As we creep closer and closer to Halloween, fears of ghosts and bad-tempered trick-or-treaters will keep some folks up late at night. But IT security professionals face even greater risks, not just at Halloween, but all year long. Some of these risks are well-documented, while others are not as widely known, but end up causing just as many sleepless nights.
Top seven scariest BYOD threats are:
- Lost and stolen phones: Lost and stolen mobile devices are the biggest BYOD risk by a landslide. With over three million phones stolen every year, the chances that an employee’s phone will get into the wrong hands is extremely high. It’s not surprising, then, that 68 percent of healthcare breaches were due to the loss or theft of mobile devices, according to a Bitglass survey.
- Mobile applications with weak authentication: Many recent high-profile breaches were due—at least in part—to attackers bypassing weak or non-existent authentication. As organizations move their business apps to the cloud and allow mobile users to access those apps from any location, they also make it easier for cyber-attackers to find and exploit authentication weaknesses.
- Data leaks from disgruntled employees: Mobility enables “anywhere” access to business applications, but it also makes it harder for organizations to monitor user access and prevent data leaks. Traditional network monitoring controls only work when mobile users are the network, while end-point data loss prevention (DLP) software only supports a few pre-defined apps on mobile devices. As a result, many employees can easily distribute sensitive data by uploading it to cloud file sharing sites or copying it into a text messaging app with a couple of clicks—leaving employers none the wiser.
- Business photos stored on phones: A wide range of users—from police officers to doctors to meter readers—use mobile devices in the field on the job every day. Often, they need to take photos for evidence or for analysis purposes. Whether snapping a picture of a broken ankle or recording a crime scene, users may need to take photos, but they shouldn’t store these photos alongside pictures of their kids. Organizations need a way to isolate business and personal use of camera, microphone, and data storage.
- Jailbroken and rooted phones: An estimated 7.5%[i] of iOS users and 27%[ii] or more of Android users jailbreak or root their phones. Plus, some Android phone manufacturers are using modified Android OSs like Cyanogen and Xiaomi that support apps from third-party app stores that could distribute malware. Jailbreaking and rooting phones not only increases the risks of malware, but it also allows employees to circumvent some types of security controls.
- Excessive app development costs: In the past, organizations could develop apps for Windows and possibly Mac clients. Today, to support the profusion of different mobile devices, organizations need to build apps for different versions of Android, iOS Windows Phone, Blackberry, and traditional desktop operating systems. App costs can skyrocket if organizations try to integrate their apps with mobile app management and app wrapping tools.
- Limited patches for older software and unexpected release cycles: In the days of yore (pre-smartphones), IT administrators could prepare for and test operating system updates before rolling out the changes on users’ desktops. Now, phone manufacturers can deploy new operating system versions and patches with little warning. Mobile users can upgrade their operating system at any time, occasionally breaking apps. In addition, phone manufacturers may not patch vulnerabilities quickly or patch older OS versions. This leaves IT and security administrators at the mercy of the phone vendors to ensure that users’ phones are secure.
No More Double, Double, Toil and Trouble
Regardless of which BYOD headache gives you nightmares, virtual mobile infrastructure (VMI) can bring you piece of mind. Learn more about VMI and how it safeguards mobile apps and data.
4 Reasons Why SierraVMI’s Compression Is Better than Pied Piper’s
This past June, hundreds of thousands of viewers in the U.S. and the Philippines tuned in to watch Pied Piper’s Condor Cam. While the condor egg never hatched, viewers witnessed an equally riveting event: a museum worker falling down a ravine. Condor cam watchers observed every moan and every whimper in high resolution from Pied Piper’s ground-breaking 4K middle-out compression.
After the Condor Cam went dark, many viewers[i] asked the Sierraware team how our compression would stack up against Pied Piper’s. Like Pied Piper, SierraVMI Virtual Mobile Infrastructure also compresses video streams. So, to answer your collective request, our engineering team performed and in-depth analysis and they discovered—low and behold—that our compression beats out Pied Piper’s middle-out algorithm. Here’s why:
- SierraVMI uses popular codecs, so it can provide optimal performance and not burden mobile device CPUs for decoding. Offering two different types of compression image formats, users can adjust settings based on their requirements. Pied Piper, with its new, middle-out compression, would not support ordinary GPU cards for acceleration or hardware codecs in most mobile devices.
- The type of data you compress can be as important as the actual compression algorithm. With streaming data, SierraVMI uses an intelligent data selection algorithm to find the pixels that have changed and data that can be re-constructed from historical data without re-transmission. It reduces the amount of information that needs to be transmitted, putting less burden on the compression algorithm and enabling the solution to handle low-bandwidth networks.
- SierraVMI uses a variable frame rate feature that dynamically adjusts the vertical sync and the frame rate based on application requirements or based on the type of user interaction. Its intelligent algorithm takes into account various attributes such as an active text input field to temporarily increase the frame rate.
- Unlike Pied Piper’s technology, Sierraware’s compression technology actually exists. Vinith Misra, the Silicon Valley consultant that helped devise Pied Piper’s compression, admitted in an interview: “We had to come up with an approach that isn’t possible today, but it isn’t immediately obvious that it isn’t possible.” In contrast, Sierraware’s compression is very real. Test it out yourself today or watch an online demo of SierraVMI in action.
[i] By many, I mean none
As employees bring their own devices to work, IT teams face an assortment of challenges, from managing mobile apps on a myriad of different devices to backing up and restoring business data. But bar none, the greatest burden for IT staff is securing business data on mobile devices.
The Good, the Bad, and the Ugly
(in Reverse Order)
The Ugly: the BYOD phenomenon has spawned an array of new security risks. These risks include data breaches caused by lost and stolen phones, data exfiltration from insiders, wireless or man-in-the-middle attacks, and mobile malware.
While the insider threat might not seem daunting, a lack of oversight makes it easy for employees to abuse trust. From their mobile device, employees can easily open sensitive email attachments and then upload them to a cloud-based storage site and then—poof—they are gone.
The Bad: Lost and stolen phones are the top mobile security risk for organizations. Thieves steal a whopping 3.1M smartphones every year.[i] Users can also simply lose or misplace their phones. Unfortunately, both scenarios expose organizations to data loss. An experiment by Symantec revealed that 96% of people that find a lost phone will attempt to access sensitive information such as an HR or password file stored on a recovered phone.
The Good: Malware, the cyber-attack of choice in the PC world, has only penetrated a small percentage of mobile devices. But risks increase dramatically on jailbroken phones.
Mobile Device Management: Intrusive
Mobile Device Management (MDM) can help reduce mobile security risks. With MDM, IT administrators can remotely wipe lost devices, control which apps can be installed on a device, and manage encryption settings. However, MDM solutions cannot monitor app usage or prevent insider abuse.
Moreover, employees aren’t thrilled about corporate-mandated MDM solutions. In a recent report by Webroot, 55 percent of respondents would be extremely or very concerned if their employer could access personal data and 47 percent are concerned about personal data being wiped by an employer.[ii]
The Rise of Mobile App Ma nagement and App Wrapping
To satisfy privacy concerns and app auditing requirements, mobile security vendors have introduced Mobile Application Management (MAM). MAM solutions can manage, monitor, and secure individual apps. MAM relies on secure containers or app wrapping to protect custom apps.
With app wrapping, MAM vendors provide customers business apps developed by the MAM vendor or by app partners with built in security controls. These apps typically include email programs, contact lists and secure browsers.
Alternatively, organizations can wrap their own apps by integrating code from the MAM vendor’s software development kits (SDKs) into their app. SDK integration is only available if organizations have developed their own apps.
While application wrapping avoids the privacy concerns introduced with MDM, it also imposes its own unique set of problems.
Unwrapping App Wrapping
While app wrapping provides greater control over mobile apps without intruding on users’ personal data, it is not practical for most organizations.
The drawbacks of app wrapping and MAM include:
- MAM vendors that offer pre-wrapped apps only support a small number of apps. As of May 2015, Google Play featured 1.5M apps while Apple App Store hosted 1.4 million apps.[iii] MAM vendors support a miniscule fraction of total apps, preventing organizations from supporting the business apps they need.
- Employees might dislike apps developed by MAM vendors. Some MAM vendors offer their own browser, email and calendaring apps. Unfortunately, your employees may complain that these apps are not as feature rich as their favorite browser, email client, or calendar app.
- SDK integration can be costly. Some MAM vendors offer SDKs that allow organization to wrap their own apps. Unfortunately, app development can be costly for smaller businesses, especially if businesses need to support multiple types and versions of mobile devices.
- Lack of coverage for all types of mobile devices. Employees with Blackberry, CyanogenMod, Windows Phone, and Firefox OS devices may be unable to access mobile resources if MAM vendors do not support these platforms.
- Even with app wrapping, sensitive data is still stored on devices. While MAM security measures like strong authentication and data encryption drastically reduce the risk of data loss, if phone owners choose weak passwords, then phone thieves may still gain access to sensitive apps and data.
As a result of these shortcomings, organizations may want to consider alternative approaches to mobile security before plowing ahead with an investment in MAM.
Alternative BYOD security solutions like virtual mobile infrastructure (VMI) mitigate security risks by preventing data from being downloaded and stored on mobile devices. Organizations can monitor app activity to prevent insider abuse and data loss. To learn some of the use cases for VMI, check out our choose your own adventure eBook, “What Virtual Mobile Infrastructure Can Do for You.”
Enterprises of all sizes have witnessed the emergence of the “Bring Your Own Device” phenomenon. Employees are bringing their phones and tablets to work and they want to use their devices to access business applications. With industry surveys indicating that 9 in 10 Americans use their smartphones for work, BYOD is not just a trend, it is a reality.
BYOD promises many benefits, but also poses challenges for IT security and operations teams. Small businesses, with equally small budgets and limited IT staff, face even greater headaches as they attempt to adopt IT solutions designed for large enterprises. But before we explore the drawbacks, let’s take a look at some of the advantages of BYOD.
Proponents claim that BYOD improves productivity and employee satisfaction and reduces capital costs. Employees can also work from anywhere—including at home and on the go—allowing an increasingly mobile workforce to respond to inquiries from coworkers and customers more quickly and simply work longer hours because employees are always connected. And employees can use their preferred devices rather than inheriting used laptops or being forced to use company-approved phones.
When employees purchase and use their own phones and laptops at work, everyone benefits, according to BYOD champions. A number of studies back up these claims. A Forrester Consulting report reveals that working hours increased 45 to 60 minutes per employee per week. The same report revealed that organizations saved $350 on phone acquisition costs and $90 per month per device on voice and data services.
BYOD offers small businesses many benefits. And—like it or not—BYOD has become an unavoidable reality as both rank and file employees and executives come to expect it. Unfortunately, many small businesses have started allowing users to access email and other applications from their phones before they had assessed the security and compliance implications. This leaves IT administrators at a crossroads as they try implement controls after they have rolled out access.
Just like large enterprises, small businesses need to provision and support business apps on their employees’ devices. They also need to protect business data and meet compliance requirements.
However, small businesses do not always have the financial resources of large enterprises. If they have developed custom business apps, they cannot port those apps to every type and version of mobile device. They also may not have the resources required to manage and maintain third-party apps, especially if these apps do not support all types of devices, versions of operating systems, or device peripherals.
Small businesses also need to consider security risks like data on lost and stolen devices or the threat of mobile malware. If employees are allowed to access sensitive data like customer records from their phones, then businesses may need to audit employee activity. On top of these requirements small businesses should enforce strong encryption and dual factor authentication to prevent snooping and unauthorized access.
If these requirements were not tricky enough, many businesses must also contend with an ungainly assortment of internally-developed apps and apps from third party vendors. Each app might implement a different type of authentication, encryption and access control. Lax and uneven security controls might be one reason why, in a recent survey, 72 percent of IT professionals claimed that company data is at risks due to mobile device access.
Many BYOD Solutions Designed for Large Enterprises
Enterprises can turn to several solutions to help secure mobile data and streamline management of mobile apps. Security technologies like mobile device management (MDM) can help distribute mobile apps and manage the settings of mobile devices. MDM can even remotely lock or wipe a device. Unfortunately, MDM can be costly and difficult for small businesses to implement. Plus, some employees might not want their employer to control their phone or decide which apps they can install.
Alternatively, organizations can deploy virtual desktop infrastructure (VDI). With VDI, organizations host Windows applications centrally on data center servers rather than installing apps and data on mobile devices. Mobile users can access these applications from a Web browser or a mobile client.
VDI offers many advantages; VDI can support virtually any mobile device without forcing IT teams to port applications to various mobile operating systems. VDI also centralizes app management and data storage, keeping sensitive data in the data center and not on mobile devices that can easily get lost or stolen.
However, VDI is not designed for the faint of heart. VDI solutions are costly. They are typically designed for large enterprises usually require dedicated IT staff to manage. Plus, VDI is designed to make Windows desktop apps accessible to mobile users, but it doesn’t support the growing array of mobile apps that were designed for touch input and mobile screen sizes.
The BYOD Solution for Small Businesses: Virtual Mobile Infrastructure
To protect mobile data and streamline app management, small business can deploy Virtual Mobile Infrastructure (VMI). VMI addresses the security challenges imposed by BYOD, allowing small businesses to protect mobile data and achieve compliance. VMI is like VDI, but rather than virtualizing Windows applications, VMI virtualizes Android apps.
Because VMI hosts mobile apps on central servers, it allows small businesses to avoid data loss from lost and stolen phones. It satisfies compliance and improves security by allowing IT staff to enforce dual factor authentication and end-to-end encryption. Plus, if organizations want to, they can audit activity and make sure that users do not download or transfer large amounts of sensitive data.
In addition, VMI can make it easy for small businesses to extend coverage to any type of mobile device, including Android, iOS, Windows Phone, Blackberry, and Firefox OS. Either through native clients or HTML5-enabled browsers, mobile users can access the apps they need securely.
The major advantage, though, of VMI is that it is very cost effective to provision and manage. Most VMI solutions are much less expensive than VDI products. Plus, VMI solutions that support mobile app virtualization offer unbeatable density, allowing small businesses to host up to 100 concurrent app sessions on a single, rack-mountable server. IT administrators don’t need to bother with complex VM environments, OpenStack integration, and hypervisor management.
As a plug and play solution, VMI enables small businesses to protect mobile data and streamline app management. VMI levels the playing field for small businesses, allowing them to embrace BYOD initiatives without putting their data at risk.
To learn more about Virtual Mobile Infrastructure solutions and see if they would suit the needs of your small business, download our white paper: “7 Things You Need to Know about Virtual Mobile Infrastructure.”
 Cisco Partner BYOD Insights Study
 The Total Economic Impact of IBM Managed Mobility for BYOD, Forrester Consulting
 TEKsystems 2014 BYOD Study
The Bring Your Own Device (BYOD) phenomenon has not just pervaded corporate offices. Today, doctors, real estate agents, police officers, and many others are bringing their devices to work. With the proliferation of mobile devices in boardrooms and in classrooms, IT administrators must develop new ways to support a diverse array of tablets and phones. They must find new ways to provision software and to protect end user devices, while yielding control to the employees that purchased their own devices.
Because of the security and management challenges introduced by mobile devices, the BYOD trend has paved the way for another trend: Virtual Mobile Infrastructure (VMI). VMI allows organizations to host Android apps on servers and allow users to securely access the apps from their own phone or tablet. VMI enables organizations to:
- Develop apps once and support any mobile device
- Centralize and simplify mobile app management
- Monitor user activity for unauthorized access or data exfiltration
- Enforce strong authentication and encryption
But not all VMI solutions are equal. While VDI and app virtualization products have been around for over two decades, remote access solutions for Android are relatively new. Therefore, prospective customers must carefully evaluate potential solutions and make sure that the products they purchase will meet their performance requirements and will support their Android applications.
Mobile App Virtualization vs. Full OS Virtualization
There are two main VMI architectures today: virtualizing individual Android applications—also called mobile app virtualization—and running a full Android operating system. With mobile app virtualization, organizations can run multiple, isolated and secure app instances on a single Android operating system. Each user’s data is stored separately, ensuring that users can save their settings and access them later.
Mobile App Virtualization and Full OS Virtualization architectures. Mobile App Virtualization provides unprecedented performance and app density.
Because mobile app virtualization does not need to run a separate Android VM per user, it delivers eight to ten times better density compared to full OS virtualization. As a result, mobile app virtualization reduces the number of servers needed to host VMI, it lowers hardware and operating costs, and it streamlines management.
If organizations plan to host a unique Android VM for every user in the cloud, they could quickly rack up expensive bills. This is because most cloud providers charge for every VM instance. If an organization has one thousand concurrent users, they would need to pay for one thousand VMs. Managing VMs in a corporate data center would be equally expensive; organizations would incur higher IT management and capital costs. Plus, hosting a separate VM per user would necessitate high-performance storage hardware—similar to what Windows VDI customers must purchase today.
Instead, organizations should consider a VMI architecture based on mobile app virtualization. Rendering images inline and processing display data and input events at the application level, which is only possible with mobile app virtualization, maximizes performance and density. Combining mobile app virtualization with secure containers ensures that each user session is isolated. And mobile app virtualization brings other benefits like accelerating application “boot up time” when users launch VMI sessions.
Purpose-built Android Architectures Compared to QEMU Emulation
Besides relying on full OS virtualization, many VMI products use QEMU emulation to host Android instances. QEMU is an emulation tool that is useful developers to test Android on Intel servers. Unfortunately, using QEMU emulation limits VM density and it also makes it much more difficult to take advantage of server features like GPU acceleration. Mobile app virtualization using a purpose-built architecture offers immense advantages compared to full Android stack virtualization either using a QEMU emulation, hypervisors, or LXC style containers, such as:
- Zero latency new session establishment as there is no need to boot Android
- Very low server CPU and memory requirements; an Android instance will need approximately 2GB RAM, while an Android application will just need around 32 to 64MB RAM.
- The ability to avoid complex IT infrastructures like SAN, Network switches, VM IP address management because a single server is enough to serve a large number of users.
- Reduced hardware, operating, data center cooling, and space costs, because mobile app virtualization delivers 10x to 20x greater app density per server.
Seven Things You Need to Know about VMI
Mobile app virtualization is only one factor to consider when looking virtual mobile infrastructure solutions. You also must consider client support, usability, deployment, and other requirements. To help you develop your evaluation criteria, we have published a white paper that lists the seven features you should look for when evaluating VMI. To learn more, download the white paper “7 Things You Need to Know about Virtual Mobile Infrastructure.”
 Density estimate based on a 16 MB mobile app running on a 1 GB Android system.
In just under two weeks, Sierraware’s CEO, Gopal Jayaraman, will discuss risks introduced by certificate pinning at BSides San Francisco. Gopal’s session, at 10:00 A.M. on April 19th, gives you an important reason to wake up early on Sunday. If you are coming into San Francisco to attend RSA Conference 2015, be sure to attend. During his session, Gopal will explain why developers are implementing certificate pinning in their apps. He will describe how certificate pinning works and how it creates security black holes in corporate defenses.
The Chain of Trust Can’t Be Trusted
Today, cybercriminals and even governments can easily exploit the certificate trust model. Malware can install fake root CA certificates on devices, certificate authorities (CAs) can issue fake certificates on behalf of nefarious organizations, and hardware manufacturers can add forged certificates to laptops. Recent news headlines illustrate that these dangers are real. For example, on March 20th, Google discovered that fake certificates had been issued for several Google domains. Unfortunately for Google, this is not the first time third parties had issued certificates without Google’s permission.
App Developers Are Fighting Back
To verify the identity of app servers, an increasing number of app developers are implementing certificate pinning. Certificate pinning prevents Man in the Middle (MitM) attacks and fraud due to fake certificates; with certificate pinning, an application checks that the server certificate matches the cert or hash “pinned” to the app. Today’s most popular mobile apps—including Facebook, Twitter, Dropbox and many more—use certificate pinning.
Certificate Pinning Reduces Security Visibility
While certificate pinning improves user privacy, it also creates a gap in corporate defenses. This is because security solutions like firewalls cannot decrypt pinned SSL traffic. Almost every type of network security product, including intrusion prevention, data loss prevention (DLP), forensics, and advanced threat protection (ATP) platforms cannot detect threats hidden in pinned traffic; certificate pinning creates a black hole in organizations’ defenses.
Sierraware’s session at BSidesSF will explain the threats imposed by certificate pinning. Attend the session to learn creative strategies that can help IT Security teams regain visibility into all traffic, including traffic encrypted with certificate pinning.
When: Sunday, April 19, 2015 at 10:00 A.M.
Where: Security BSides San Francisco at the OpenDNS office, 135 Bluxome St. San Francisco, CA 94107
Attend our session and let us know what you think.
On an unrelated note, go Duke in the NCAA finals!
Virtual Mobile Infrastructure, or VMI, solves a wide range of challenges for different stakeholders within organizations. To help demonstrate the many use cases for VMI, we have published a new Choose Your Own Adventure eBook entitled “What Virtual Mobile Infrastructure Can Do for You.”
But first, will give you a little background on VMI. VMI, like its Windows counterpart, Virtual Desktop Infrastructure, allows users to access remotely hosted mobile applications from any device. Sierraware’s solution, SierraVMI, virtualizes Android applications and uses our unique Firefall container technology to isolate and protect application each instance. Customers can optionally provision operating system containers or bare-metal virtualization for isolation, but Sierraware’s app virtualization offers the best performance and density.
Now, back to the eBook. To make easy to understand who can benefit from VMI, we have published a new Choose Your Own Adventure eBook with nine possible endings. Just select the character you want to see how they would benefit from VMI. Or compare VMI to alternative approaches like deploying VDI, securing mobile apps in-house, or implementing Mobile Device Management (MDM).
Check out “What Virtual Mobile Infrastructure Can Do for You” and then tell us what you think.
Virtual Mobile Infrastructure (VMI) serves many purposes: it helps app developers accelerate development, it streamlines IT operations, and it empowers security teams to protect data. But perhaps the most unheralded use case for VMI is allowing cloud providers to deliver mobile applications—and more specifically, video games—as a service.
Why, you ask, would cloud providers want to offer such services? Cloud providers could generate new revenue streams from online advertising or from subscription-based gaming services. With high density mobile app virtualization and compression algorithms optimized for mobile devices, cloud providers can host Android-based games at a very low cost. But before we get into the nitty gritty details of mobile gaming, let’s take a step back and look at the history of gaming as a service.
PC-based Gaming as a Service
Gaming as a Service sprung up several years ago as a way for gamers to play PC-based games without needing to set up high-end gaming computers with graphic cards or buy, download and install individual video games. Services like OnLive, Gaikai, NVIDIA GRID, and others have tried to address this market with varying degree of success.
Unfortunately, PC-based Gaming as a Service is a costly venture. Hosting providers must contend with server hardware and graphics cards, expensive Microsoft Windows VDI or remote desktop licenses, and data center costs such as power and cooling. 3D video games with vector graphics require powerful graphics processing units (GPUs), limiting the number of games that can be played on a single server.
The proliferation of smartphones and tablets have set in motion a tectonic shift in gaming development and consumption. Video game research firm NewZoo predicts that mobile gaming revenue will overtake console-based games in 2015, generating $30.3B USD worldwide.[i] According to NewZoo, mobile gaming “gives gamers the possibility to play games anywhere at any time, pushing overall time spent on games in the U.S. up 40% in only two years.”[ii] With the huge influx of new gamers lured in to playing mobile games, Gaming as a Service must evolve to meet today’s mobile requirements.
Mobile Gaming as a Service Advantages
Besides addressing the growing market of mobile video game players, Mobile Gaming as a Service solves other unique challenges like:
- Supporting many different devices: The mobile market is very fragmented. While almost all PC-based games are built to run on x86 processors with NVIDIA and AMD GPUs, the mobile market has more than 20 different chip set and software combinations. With OpenGL ES, Metal, Windows DirectX, Amazon Fire and other graphics APIs, mobile game developers must spend time and effort porting their games to a multitude of different devices. Developers must contend with high-end smartphones with 64-bit processors and 4GB RAM or greater, while the vast majority of phones sold today run on less powerful, integrated chips. Even app developers like Facebook had to release a low-end version of its app to make it usable on entry-level Android phones.
Solution: Mobile Gaming as a Service eliminates this problem; developers just need to build a game for Android platforms and they are done. They don’t need to worry about GPU or memory or other aspects of the client device.
- Piracy: Game publishers have reported startling piracy statistics; developer Ustwo observed that only 5% of Android users had paid for their hit game “Monument Valley.”[iii] The percentage of legal purchases was even lower for game studio Lucky Frame, with 144 copies of their game “Gentlemen!” purchased, but 50,030 copies pirated.[iv] It is easy for modern-day pirates to unlock games sold in the Google Play Store and Amazon Appstore and then post them on torrent sites. Besides piracy, game developers are seeing mobile ad-blockers put a dent in mobile advertising revenue.
Solution: If game developers release versions of their mobile apps strictly for gaming services, then they can squash piracy. Because the games and the mobile ads are streamed to users’ screens, they will be more difficult for ad-blocking software to detect and stop.
- Disk size limitations: With PC-based games, developers can create powerful games that can exceed 50 GB in size because of high-resolution textures and graphics. Large file sizes are not an issue with consoles and computers that have massive disk drives. Mobile devices, on the other hand, may have only 4 GB or less in disk space. As a result, game developers must often build isometric-view games and low resolution textures; they are unable to fully unleash their creativity.
Solution: With hosted games, game creators do not need to worry about size limitations. With Mobile Gaming as a Service, app developers can begin to develop games that look and feel like PC games.
- Protracted software update processes: When developers issue software upgrades, patches, and new game packs, they need to send these updates to multiple app stores and wait for app stores to review and post the updates. It may take weeks or months before users download important updates to their devices.
Solution: With Mobile Gaming as a Service, developers can work directly with cloud providers to rapidly upgrade mobile games. By streamlining software updates, developers can reduce the time and cost of maintaining mobile apps.
Microservers and VMI: A Love Story
A confluence of factors make Mobile Gaming as a Service possible. Technologies like VMI and mobile app virtualization allow cloud providers to host hundreds of gaming sessions on a single server. Today’s improved cellular networks and widespread WiFi coverage mean that mobile users will be able to access online gaming services from just about anywhere. But one of the most important innovations that will drive down the cost of cloud gaming is ARM microservers.
ARM microservers are a new category of servers built on a large number of low-cost ARM Systems on a Chip (SoCs). Many upcoming ARM microservers use the same SoCs as mobile devices, so they natively support mobile graphics APIs. Any mobile app developed for mobile devices should be able to run on a microserver without modification. Hosted games can depend on back-end servers for pre-rendering, match making, and other many other offload functionalities without any network, bandwidth or battery usage restrictions posed by a game running directly on a tablet or smartphone.
Mobile Gaming as a Service will allow mobile games to come closer in quality to console and PC games because it frees developers of disk size and component limitations. It will also empower game developers to build bigger, better games without losing sleep about piracy. The future of mobile gaming will be in the cloud.
[ii] http://fortune.com/2015/01/15/mobile-console-game-revenues-2015/; the author of this blog post has personally experienced similar increases in time spent on mobile games.
(SPOILER: VDI Is Much More Expensive)
There are many reasons to move from Virtual Desktop to Virtual Mobile Infrastructure (VMI). But one of the most important considerations is cost. VMI is much more cost effective than Windows-based VDI for several reasons.
Before we compare the upfront and ongoing expenses of all three solutions, let’s take a look at each one and their respective benefits and drawbacks. VDI is well known and understood; it’s a technology that allows organizations to host Windows desktops in a data center and access those desktops remotely from any device. Since application developers traditionally designed business applications for Windows, VDI provides a great way to access those applications from laptops, thin clients, or even mobile devices.
However, VDI also has its share of limitations. First, Windows itself is a bulky operating system and requires about one to two gigabytes of memory per virtual machine (VM). This means that even the most powerful servers can only host a small number of desktop environments per server. The unwieldy size of Windows also means that organizations with thousands of VDI clients will need to set up complex virtual environments that include complicated VM management, clustering, storage, and more. Large-scale VDI deployments are not for the faint of heart.
Now, let’s take a look at VMI and mobile app virtualization. Intel coined the term Bring Your Own Device (BYOD) back in 2009, when managers observed that employees were increasingly bringing in their own smartphones to work to access corporate applications. One year later—in 2010—Apple unveiled the iPad which accelerated the BYOD trend and ushered in the era of the tablet. Fast forward five years. Today, employees not only bring their phones and tablets to work, but companies have integrated mobile devices, both employee and corporate-owned, into all aspects of business.
Organizations now develop business apps for mobile devices, not just Windows desktops. However, organizations still face the same IT operations, security, and software device compatibility challenges that Windows VDI helped solve. VMI for Android fills the void, by offering remote access, centralized app management, and security for mobile applications. Like VDI, VMI allows users to remotely access applications and operating systems hosted remotely. But VMI is developed expressly for mobile clients, not desktops, and it hosts Android applications, not Windows.
VMI offers the following features tailored for mobile devices:
- Low bandwidth connections – Support for a wide range of video compression algorithms that is optimized for 3G cellular networks.
- Common smartphone hardware – Sensors adjust compression based not only on bandwidth but device CPU and GPU capabilities–customized for the unique graphics rendering capabilities of ARM-based devices.
- High-density cloud deployment – SierraVMI’s multi-tenant architecture with secure containers allows organizations to host mobile app virtualization services in the cloud.
More importantly, with VMI and mobile app virtualization, users can access applications that were designed for touch input and mobile screen sizes, not for Windows desktops.
And then, of course, there is cost. Organizations can deploy VMI for a fraction of the price of VDI. Because of its greater density, organizations can gain even greater savings with mobile app virtualization than with VMI. The table below reveals our estimated costs of Windows app virtualization and virtual desktop infrastructure from Citrix or VMware for a company with 1,000 users for one year.
Cut BYOD Budget by 90% with VMI
Windows App Virtualization
|Microsoft Operating System||
|Storage, Networking and IT Costs||
- Android requires no per-user license fees
- VMI reduces hardware expenses because it is more efficient than Windows-based virtualization
- VMI is easy to deploy with minimal IT changes
Because VMI offers higher density per server, VMI and mobile app virtualization dramatically lower hardware costs. In addition, IT managers don’t need to oversee complicated environments with dozens of servers and advanced VM migration, VM management, and other components, so they can also reduce operating costs.
- Page 1 of 2