Mobile virtualization has an array of use cases, from cost savings for mobile device manufacturers to hardened devices such as the “Obamaberry” and other superphones. It can also give a mobile device dual personas. The use case drawing the most attention today is the one of greatest interest to smartphone and tablet users: enterprise mobility, using virtualization to support secure corporate connectivity and productivity on the go.
Most discussions of enterprise mobility focus exclusively on the benefits of giving mobile workers access to corporate data, networks and applications. In theory, that makes workers more productive while saving on capital equipment costs. In practice, enterprise mobility often forces a choice between corporate security on one side and worker productivity and personal freedom on the other.
Mobile workers around the world increasingly prefer to use their own smartphones, tablets, and other wireless devices for both professional and personal communications and computing. This consumerization of enterprise IT, a natural consequence of smartphone and mobile applications growth, puts new pressures on companies to accommodate and secure employee-owned mobile devices.
Historically, IT security concerns meant that the only “supported” mobile devices in corporate environments ran the RIM (BlackBerry) operating system or a Microsoft Windows variant. However, the overwhelming popularity of newer devices, including the iPhone, iPad and a wide range of Android smartphones, means employees increasingly bring their own personal devices into the workplace, supported or not.
A number of technical and process-based approaches are commercially available to address the security requirements of enterprise mobility. Currently, enterprise IT looks to Mobile Device Management (MDM) and endpoint security technologies such as encryption and anti-virus software. These technologies are necessary and powerful, but they leave critical requirements unmet. In particular, MDM and endpoint security rely on the integrity of the underlying smartphone operating system (OS) and software stack, which remain vulnerable to exploits: an MDM agent or anti-virus engine runs as a process on the very OS it is meant to protect, so a kernel-level compromise can disable it, deceive it, or read the data it guards. Even the security software that protects the device may thus be subverted, threatening both the integrity of the mobile device and any information that passes through it.
Implementing enterprise security policy usually entails restrictions on the user's freedom to fully use the capabilities of the device (e.g., blacklisting online destinations, curtailing application download and use). Many of these company-imposed restrictions make the device too cumbersome for personal use, which limits productivity and actually increases corporate exposure as users work around the proper procedures. The unfortunate result is that employees continue to carry a second, personal device, leaving many benefits of enterprise mobility unrealized.
Enter mobile virtualization
In data centers, virtualization separates the hardware from the software running on it, allowing separate, disparate physical systems to be consolidated into multiple virtual machines on one server. Mobile virtualization effects a similar consolidation by taking software stacks that previously ran on separate dedicated embedded processors (a modem stack and an application OS, for example) and running them side by side on a single CPU.
Mobile virtualization provides a secure, isolated and robust run-time environment for programs (including operating systems) that, from the guest's point of view, behaves like “bare metal” hardware. This environment is called a virtual machine (VM). A virtual machine is a container for guest software: it imitates computer hardware and isolates guests from one another. The software layer that provides the virtual machine environment and manages VM resources is called a hypervisor.
Enterprise desktop virtualization programs are typically hosted (Type II) hypervisors: they run as applications on a host OS and let users run additional OSes and applications, such as Windows on MacOS or Linux on Windows. Because a hosted hypervisor depends on the host OS beneath it, the entire host OS becomes part of the trusted computing base. To be effective and truly secure, mobile virtualization should therefore employ Type I hypervisors, “bare metal” technology comparable to blade and server virtualization in the enterprise data center.
Not all Type I hypervisors are created equal. Some mobile virtualization platforms offer better performance and finer granularity than others. A smaller trusted computing base (TCB) and stricter hardware-enforced separation among virtual machines yield a more secure mobile virtualization solution. The fine-grained “capabilities” available with some hypervisors make it easier for integrators and architects to configure and control communication among virtual machines without compromising performance or security.
Such fine-grained control allows mobile system designers to expose selected parts of a shared device (e.g., a sound chip or wireless interface), giving one trusted guest OS full read/write permission to it while granting a second, untrusted guest more restricted access, either directly or through a virtual device driver. Access controls like these are fast and hardware-enforced by the processor's memory management unit: the hypervisor installs the permitted mappings once, the hardware checks each access, and the result is little or no power-consumption or response-time overhead.
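The following is an added illustration of the access model just described, not OK Labs code or any real SoC layout. It models two guests (an enterprise “trusted” persona and a personal “untrusted” persona) sharing device registers laid out in four MMIO pages. The hypervisor installs per-guest page permissions, the MMU check in `guest_access` either completes an access or faults it, and `vdev_radio_send` stands in for a virtual device driver that lets the untrusted guest transmit data without ever reaching the transmitter's privileged control register. Every name, page, offset and permission here is a constructed assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of hypervisor-mediated device access (not OK Labs code).
 * Two guests share a SoC whose device registers live in four MMIO "pages";
 * the hypervisor grants each guest per-page permissions at boot (the
 * "capabilities") and the processor's memory management enforces them on
 * every access. The untrusted guest reaches the radio transmitter only via
 * a virtual device driver that exposes the data buffer, not the control
 * register. Page layout, names and policy are all assumptions. */

typedef enum { GUEST_TRUSTED = 0, GUEST_UNTRUSTED = 1, GUEST_COUNT } guest_id;
typedef enum { PERM_NONE = 0, PERM_R = 1, PERM_W = 2, PERM_RW = 3 } perm_t;
typedef enum { ACCESS_OK = 0, ACCESS_FAULT = 1 } access_result;

#define PAGE_SIZE  4096u
#define MMIO_BASE  0x40000000u
#define MMIO_PAGES 4u

/* Hypothetical register pages of the shared devices. */
enum { PAGE_CODEC_CTRL = 0, PAGE_RADIO_TX = 1, PAGE_RADIO_RX = 2, PAGE_FW_LOAD = 3 };

/* Hypothetical offsets inside PAGE_RADIO_TX. */
#define RADIO_TX_CTRL_OFF 0u    /* power/channel register: privileged */
#define RADIO_TX_BUF_OFF  16u   /* outgoing data buffer */
#define RADIO_TX_BUF_LEN  256u

/* The "hardware": register backing store. */
static uint8_t device_mem[MMIO_PAGES][PAGE_SIZE];

/* Per-guest page permissions installed by the hypervisor. The trusted guest
 * (enterprise persona) owns every device; the untrusted guest (personal
 * persona) may drive the codec, may only read received radio data, and
 * never touches the transmitter or firmware-load registers. */
static const perm_t page_perm[GUEST_COUNT][MMIO_PAGES] = {
    [GUEST_TRUSTED]   = { PERM_RW, PERM_RW,   PERM_RW, PERM_RW   },
    [GUEST_UNTRUSTED] = { PERM_RW, PERM_NONE, PERM_R,  PERM_NONE },
};

/* Models the MMU check on a guest load/store: the access either completes
 * with no hypervisor involvement or faults. */
static access_result guest_access(guest_id g, uint32_t addr, int is_write, uint8_t *val)
{
    if ((unsigned)g >= GUEST_COUNT) return ACCESS_FAULT;
    if (addr < MMIO_BASE || addr >= MMIO_BASE + MMIO_PAGES * PAGE_SIZE) return ACCESS_FAULT;
    uint32_t page = (addr - MMIO_BASE) / PAGE_SIZE;
    uint32_t off  = (addr - MMIO_BASE) % PAGE_SIZE;
    perm_t need   = is_write ? PERM_W : PERM_R;
    if ((page_perm[g][page] & need) != need) return ACCESS_FAULT;
    if (is_write) device_mem[page][off] = *val;
    else          *val = device_mem[page][off];
    return ACCESS_OK;
}

/* Convenience wrappers: a store, and a load that returns the byte or -1 on fault. */
static access_result try_write(guest_id g, uint32_t page, uint32_t off, uint8_t val)
{
    return guest_access(g, MMIO_BASE + page * PAGE_SIZE + off, 1, &val);
}

static int try_read(guest_id g, uint32_t page, uint32_t off)
{
    uint8_t v = 0;
    if (guest_access(g, MMIO_BASE + page * PAGE_SIZE + off, 0, &v) != ACCESS_OK) return -1;
    return v;
}

/* Hardware-side view, for checking what actually reached the device. */
static uint8_t peek(uint32_t page, uint32_t off) { return device_mem[page][off]; }

/* Virtual device driver for the untrusted guest's radio access. It runs with
 * the trusted guest's rights, copies a bounded payload into the TX data
 * buffer only, and never writes the control register. Returns bytes written
 * or -1 when the request violates policy. */
static int vdev_radio_send(const uint8_t *payload, size_t n)
{
    if (payload == NULL || n > RADIO_TX_BUF_LEN) return -1;   /* cannot spill past the buffer */
    for (size_t i = 0; i < n; i++) {
        uint32_t off = RADIO_TX_BUF_OFF + (uint32_t)i;
        if (try_write(GUEST_TRUSTED, PAGE_RADIO_TX, off, payload[i]) != ACCESS_OK) return -1;
    }
    return (int)n;
}

int main(void)
{
    printf("trusted writes TX ctrl:   %s\n",
           try_write(GUEST_TRUSTED, PAGE_RADIO_TX, RADIO_TX_CTRL_OFF, 0x01) == ACCESS_OK ? "ok" : "fault");
    printf("untrusted writes TX ctrl: %s\n",
           try_write(GUEST_UNTRUSTED, PAGE_RADIO_TX, RADIO_TX_CTRL_OFF, 0x02) == ACCESS_OK ? "ok" : "fault");
    printf("untrusted reads RX:       %d\n", try_read(GUEST_UNTRUSTED, PAGE_RADIO_RX, 0));
    printf("untrusted reads FW_LOAD:  %d\n", try_read(GUEST_UNTRUSTED, PAGE_FW_LOAD, 0));
    printf("untrusted sends via vdev: %d bytes\n", vdev_radio_send((const uint8_t *)"hello", 5));
    printf("TX ctrl after vdev send:  0x%02x\n", peek(PAGE_RADIO_TX, RADIO_TX_CTRL_OFF));
    return 0;
}
```

The point to notice is where the work happens: after the hypervisor installs `page_perm`, every direct access is decided by the MMU-style check in `guest_access` with no hypervisor code on the path, which is why the overhead is negligible. Only the mediated path (`vdev_radio_send`) involves software, and it narrows the untrusted guest to a bounded data buffer rather than the whole device.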
The mobile virtualization software itself (a microvisor) adds minimal cost to the software bill of materials of a smartphone or other mobile device and, in fact, can substantially reduce overall device cost in three ways. First, consolidating the work of multiple CPUs onto a single chipset saves on silicon. Second, systems with fewer hardware components cost less to test and are inherently more reliable, improving manufacturing yields and margins. Third, fewer components draw less power, allowing the use of smaller, cheaper batteries or letting users squeeze more battery life and talk time out of the same battery.
These savings are more than just “cost shavings.” Tear-downs from OK Labs and industry analysts indicate that mobile hardware consolidation can yield savings of upwards of $65 on a total device cost of $150-$250. A cost reduction that steep improves margins, makes smart devices more accessible, and even opens new segments for affordable “mass market” smartphones.
Dump the dual-phone lifestyle
Effective enterprise mobility rests on three pillars: security, privacy, and freedom to fully use the capabilities of the device. Of the various options for implementing enterprise mobility securely while preserving end-user privacy and freedom, only mobile virtualization consistently balances all three pillars. Other solutions attempt to implement the form of dual-persona functionality but miss its substance: security rooted below the OS, together with preserved privacy and freedom.
Mobile virtualization lets enterprise IT secure access to enterprise assets and services while ensuring user privacy and preserving the smartphone user experience intact, all on a single off-the-shelf smartphone or tablet. It lets users adopt the mobile device of their choice while allowing corporate IT departments to manage sensitive data on those devices with enterprise-level security and compliance.
Steve Subar is founder and CEO of Open Kernel Labs.