One of the more exciting products to come out of this year’s VMworld 2011 conference was a phone. This “phone” went well beyond the push-button, touch tone variety: it was an LG phone running a beta version of VMware’s mobile hypervisor for Android, which creates what we here at DCIG refer to as “vPhones.”
But the reason for DCIG’s excitement goes well beyond the “cool” factor. This technology has the potential to create the next big wave in cell phone and tablet computing that results in fundamental changes in how organizations grant secure access to their corporate networks.
VMware’s new mobile hypervisor is exciting for a number of reasons. For security conscious organizations, a hypervisor allows users to have both a “home” vPhone image and a “work” vPhone image on the same physical phone. This separation of roles enables users to play Angry Birds on their “home” vPhone image without compromising security settings on their “work” vPhone.
It also has a more practical application. Administrators now often carry two cell phones – one for home (that they pay for) and one for work (that the company pays for). By adopting vPhones, users can potentially consolidate down to one phone and even eliminate part or all of their cell phone connection expenses, as their employer may opt to pick up some or all of the cost of their monthly cell phone service.
The trick to making this work is that the work vPhone needs to operate in a “trusted” status. As it stands now, organizations do not trust home cell phones or tablets running OSes such as Android to access the corporate network as users may install malicious or nefarious applications on their devices that end up negatively impacting production work environments.
However, by creating a work vPhone image that can be locked down so that it complies with corporate requirements, it can theoretically reside safely alongside the home vPhone image on the same physical phone.
Now if the home vPhone image gets infected or becomes inoperable for some reason, it can be safely and securely addressed without any impact on the work vPhone image. Conversely, updates may be made to the work vPhone image without any worries about how these changes might impact applications on the home vPhone image, which simplifies testing and development on the company’s side.
So on the surface this sounds ideal from both an end-user and a corporate perspective. Users can choose the phone they want, use it for both home and work purposes, keep home and work separate and maybe even get the company to pick up some or all of the tab. Meanwhile, organizations may also be able to reduce the time and money spent on remote support as well as on testing and development, and have happier employees in the process.
However, the devil is in the details, and this is also true with the concept of vPhones. Putting two or more vPhone images on a single physical device creates a potentially thorny security problem: how does an organization authenticate that a specific work vPhone image is authorized to access its corporate network when that work vPhone can potentially reside on any physical phone?
Identity is exceedingly important when dealing with mobile devices running trusted applications and the introduction of vPhones only promises to further complicate this matter.
For example, as vPhones start to proliferate and users show up in the work place with phones with both home and work vPhone images on them, companies will not want to give “home” vPhone images the same privileges as work vPhone images.
In this respect, one of the first challenges that companies will encounter is managing the amount of bandwidth on the office WiFi that they allocate to home vPhones while leaving work vPhones the bandwidth that they need. This is difficult to accomplish today using standard username/password or even MAC-address-based techniques, as they are cumbersome and do not really take into account the use of vPhones in corporate environments.
This is where BlackRidge’s TAC technology looks to play a major role in the very near future. While not yet available for the Android operating system, its Transport Access Control (TAC) is a small driver that adds identity information to every TCP packet generated by the work vPhone.
This information is then used by TAC-aware gateways to make decisions based on the TAC data included within the TCP packet. In so doing, packets from the work vPhone may be unconditionally accepted while packets generated by the home vPhone may be limited or even rejected.
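To make the gateway decision described above concrete, here is an added example (not BlackRidge’s code; the page does not publish the TAC wire format, so the tag layout, the `make_tag`/`verify_tag` helpers and the `Gateway` class are hypothetical stand-ins). It shows why the identity carried in the packet must be authenticated rather than merely read: a work tag is accepted, a home tag is rate-limited, and a tag whose role field has been relabelled without a valid MAC is rejected.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical stand-in for a TAC-style identity tag (constructed for this example).
GATEWAY_KEY = b"constructed-demo-key"      # shared with enrolled work vPhone images
POLICY = {"work": "accept", "home": "limit"}   # any unverified/unknown role is rejected


def make_tag(image_id: str, role: str, key: bytes = GATEWAY_KEY) -> str:
    """Issue an identity tag for an enrolled vPhone image (done once at enrollment)."""
    body = f"{image_id}:{role}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{mac}"


def verify_tag(tag: str, key: bytes = GATEWAY_KEY):
    """Return the role only if the tag's MAC checks out; otherwise None (unknown identity)."""
    try:
        image_id, role, mac = tag.split(":")
    except ValueError:
        return None
    expected = hmac.new(key, f"{image_id}:{role}".encode(), hashlib.sha256).hexdigest()[:16]
    return role if hmac.compare_digest(mac, expected) else None


@dataclass
class Gateway:
    """TAC-aware gateway model: decide per packet from the verified role, not the claimed one."""
    home_packets_per_window: int = 2
    _counts: dict = field(default_factory=dict)   # per-source counter for the "limit" action

    def decide(self, packet: dict) -> str:
        role = verify_tag(packet.get("tag", ""))
        action = POLICY.get(role, "reject")          # unsigned or tampered tag -> reject
        if action == "limit":
            n = self._counts.get(packet["src"], 0) + 1
            self._counts[packet["src"]] = n
            return "accept" if n <= self.home_packets_per_window else "drop"
        return action
```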
The recently announced mobile hypervisor technology from VMware opens intriguing possibilities as hypervisors progress from servers and desktops all the way down to mobile devices. But this flexibility and new set of benefits come at a price.
Organizations need to start thinking now about how they will handle what appears to be an almost certain migration of many applications onto mobile devices, which will in turn access their corporate networks and potentially their most critical and trusted applications. These points of access need to be secured without encumbering the individuals who use them.
BlackRidge’s TAC technology is right now the only solution that appears to meet this next wave of mobile access that organizations will face in the very near future: it lets them deliver to their users the flexibility and cost savings they want while keeping their environment secure in the manner they need.
If you liked this blog entry, I recommend you read the one Jerome Wendt wrote earlier this month on how the advent of vPhones will demand an equally mobile backend infrastructure.