MPV – Multiple Persona Virtualization, mobiles and Android
The increasing acceptance of BYOD (Buy or Bring Your Own Device) is forcing change on enterprises and on how they adapt to smart devices (including smartphones, tablets and laptops). Constellation has already reported (Note 1) on how smart device responsibility may leave IT for better suited departments like HR or Finance. The EU is doing its bit — with ever increasing insistence on clear separation of personal and business-owned data and apps. Now from Cellrox in Israel comes a plausible and practical solution — Multiple Persona Virtualization (or MPV) for Android.
The starting premise for MPV is that BYOD owners want their personal smart device environment kept separate from their employer's (or that this will become obligatory because of legislation). This makes sense. The apps+data that an individual buys and uses are distinct from those that the same individual may wish to use in his or her employment (and which are owned by the employer organization). When an employee leaves, however, the employer wishes to be certain that enterprise assets do not leave with that employee. Equally, the employee does not wish all of his or her personal data and apps to be wiped just because he or she used that smart device for work at that employer. A whole industry has grown up around offering different degrees of security and mobility management (Note 2), with 40-60 vendors offering some form of solution, albeit with varying constraints and capabilities.
In one sense, adopting twin personas (personal and business) is not radical. Twin personas reflect natural practice as well as the two different ownerships. Once you accept the principle, the task becomes managing that separation so that each persona is satisfied and neither is at risk of being exposed by the other:
- the employee does not want his or her environment accessible by the employer
- similarly the employer, once access has been given to enterprise systems for the employee, wishes to know that the employee cannot remove what does not belong to the employee.
Thus far the principles seem simple; executing them, with all the complexity that separation involves, is not. Various current implementations have flaws that the ill-intentioned can exploit (to the detriment of the device owner, the employer, or both).
Now consider MPV. Cellrox, an Israeli start-up based in Tel Aviv, has taken 10 years of academic research (much of it performed at Columbia University, New York) and combined this with the consistent Israeli talent for addressing computer security. It has created what you might call ‘Multiple Persona Virtualization’. In so doing it greatly extends and hardens the separation of an owner’s data+apps from enterprise-owned data+apps, albeit for Android devices in the first instance.
But Constellation Research believes that the implications of what Cellrox is developing go deeper than the immediate need for separation of an owner’s and an employer’s apps+data. Today the working presumption is that it is the employer’s apps+data which need protection ‘from the employee’. This seems overly one-sided:
- why should not the owner’s apps+data enjoy similar levels of assured protection?
- indeed, why should there not be the possibility for multiple personas on a device, suited to various separated purposes (each persona separated as needed from other personas)?
Take, for example, the Board Directors of a publicly quoted company. Each Director might need one persona for market sensitive Board matters and another for more general enterprise matters (as well as the persona for his or her personal use). Or a lawyer or doctor might wish to segregate, via personas, different clients or patients from their professional practice environment. Or a consultant working for several enterprises might prefer different personas for each client in order to work with each client’s different systems. If this might be delivered, and done in a demonstrable way, then compliance (particularly demonstrating that separation is enforced) becomes simpler and more reliable (though one can never remove the individual dimension from the compliance equation).
The Cellrox approach is to introduce lightweight virtualization on Android devices, via what it names its ThinVisor (its first products, aimed initially at SMB, are slated to arrive early in Q2, 2012). In essence Cellrox slides its ThinVisor lightweight virtualization:
- not between the hardware and the OS (like ESX or KVM)
- not as a guest (as in VMware’s Workstation)
- but between the Android (Linux) kernel and the ‘OS environment’.
As Cellrox says (Note 3), this delivers: “mobile virtualization by transparently remapping OS resource identifiers so that they can be utilized by processes within each virtual Persona. File system paths, process identifiers (PIDs), IPC identifiers, network interface names and user names (UIDs) must all be virtualized to prevent conflicts and ensure that processes running in one Persona cannot access processes in the other Personas”.
The point is that each persona is distinct, runs in its own space and is separate from the others. Furthermore, placing the layer between the kernel and the ‘OS environment’ addresses the rooting problem and locates security at the lowest practical level. When you install the ThinVisor (which an enterprise can do via a separate mobile device management application, or the owner can do from a designated URL), a previously rooted device will have the rooting displaced — in effect re-establishing a secure kernel. You can then grant or deny device capabilities — like GPS, cameras, GPUs, etc — by persona.
What is more, the lightweight virtualized approach avoids performance penalties. Even on an original Samsung Galaxy Nexus S smartphone it was possible to have up to 5 personas virtualized, and on a tablet (unidentified) up to 16. Constellation Research saw the Qualcomm Neocore OpenGL graphics performance benchmark for Android (Note 4) running on a Samsung Galaxy S II first in one and then in two parallel executing personas — with no apparent performance degradation in either persona.
Do not think, however, that this is the equivalent of VMware’s ESX, KVM or Hyper-V-type virtualization, running on the ‘bare metal’ and capable of supporting multiple different OSs within individual virtual machines. It is not. There is only one kernel which, being Android, is Linux-based. Do not expect to run Windows or iOS on the Android ThinVisor: that is not Cellrox’s objective.
Its objective is to bring secure, separate personas to Android devices and enable these to execute in parallel. It has spent much time on the interface, because working with multiple personas can become confusing unless there is clarity. Different personas are able to inter-communicate (or communicate in one designated direction), but only if so authorized; the default position is no inter-persona communication.
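To make the remapping idea in the Cellrox quote concrete, here is a small constructed model (added for this article; it is not Cellrox code and does not reflect the real ThinVisor internals). It shows three things the text describes: each persona gets its own PID table, so two personas can both have a “pid 1” without conflict and neither table can name the other’s processes; inter-persona IPC is denied by default and only an explicitly authorized one-way channel opens it; and device capabilities such as GPS or camera are granted per persona. The class and method names (`ThinVisorModel`, `spawn`, `resolve`, `authorize_channel`, `use_device`) and the global PID range starting at 1000 are assumptions made for the illustration.

```python
"""Constructed model of persona-scoped identifier remapping (illustration only, not Cellrox code)."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, List, Set, Tuple


class PersonaViolation(PermissionError):
    """An operation would cross a persona boundary without explicit authorization."""


@dataclass
class Persona:
    """One persona's private view: its own virtual PID table and its device permissions."""
    name: str
    capabilities: Set[str]                        # devices this persona may use (gps, camera, ...)
    vpid_to_gpid: Dict[int, int] = field(default_factory=dict)   # virtual pid -> global pid
    procs: Dict[int, str] = field(default_factory=dict)          # virtual pid -> process name
    next_vpid: Iterator[int] = field(default_factory=lambda: count(1))


class ThinVisorModel:
    """Hypothetical remapping layer sitting between the single shared kernel and each persona."""

    def __init__(self) -> None:
        self.personas: Dict[str, Persona] = {}
        self._next_gpid = count(1000)                  # constructed: the one global kernel PID space
        self.gpid_owner: Dict[int, str] = {}           # global pid -> owning persona
        self.channels: Set[Tuple[str, str]] = set()    # authorized one-way (src, dst) IPC links
        self.mailboxes: Dict[int, List[Tuple[str, str]]] = {}  # global pid -> delivered messages

    def create_persona(self, name: str, capabilities: Set[str]) -> Persona:
        self.personas[name] = Persona(name, set(capabilities))
        return self.personas[name]

    def spawn(self, persona: str, comm: str) -> int:
        """Start a process inside `persona`; return the PID as that persona sees it."""
        p = self.personas[persona]
        gpid, vpid = next(self._next_gpid), next(p.next_vpid)
        p.vpid_to_gpid[vpid] = gpid
        p.procs[vpid] = comm
        self.gpid_owner[gpid] = persona
        self.mailboxes[gpid] = []
        return vpid

    def resolve(self, persona: str, vpid: int) -> int:
        """Translate a virtual PID through the caller's own table only; other personas' PIDs do not exist here."""
        p = self.personas[persona]
        if vpid not in p.vpid_to_gpid:
            raise ProcessLookupError(f"{persona}: no such process {vpid}")
        return p.vpid_to_gpid[vpid]

    def process_view(self, persona: str) -> Dict[int, str]:
        """What a process listing would show inside a persona: only that persona's own processes."""
        return dict(self.personas[persona].procs)

    def authorize_channel(self, src: str, dst: str) -> None:
        """Administrative action: permit IPC from src to dst, in that direction only."""
        self.channels.add((src, dst))

    def send(self, src: str, dst: str, dst_vpid: int, msg: str) -> int:
        """Cross-persona IPC is denied unless a channel exists; same-persona IPC is always allowed."""
        if src != dst and (src, dst) not in self.channels:
            raise PersonaViolation(f"IPC {src} -> {dst} is not authorized")
        gpid = self.resolve(dst, dst_vpid)
        self.mailboxes[gpid].append((src, msg))
        return gpid

    def use_device(self, persona: str, device: str) -> bool:
        """Device capabilities (GPS, camera, GPU, ...) are granted or denied per persona."""
        if device not in self.personas[persona].capabilities:
            raise PersonaViolation(f"{persona} may not use {device}")
        return True


def demo() -> ThinVisorModel:
    """Two personas that each start their own 'pid 1', plus a one-way channel work -> personal."""
    tv = ThinVisorModel()
    tv.create_persona("personal", {"gps", "camera"})
    tv.create_persona("work", {"gps"})            # camera withheld from the enterprise persona
    tv.spawn("personal", "photos")                # personal sees this as vpid 1
    tv.spawn("work", "crm")                       # work also sees its process as vpid 1
    tv.authorize_channel("work", "personal")      # only this direction is permitted
    return tv


if __name__ == "__main__":
    tv = demo()
    print("personal view:", tv.process_view("personal"))
    print("work view:    ", tv.process_view("work"))
    print("vpid 1 resolves to", tv.resolve("personal", 1), "and", tv.resolve("work", 1))
    try:
        tv.send("personal", "work", 1, "hello")
    except PersonaViolation as e:
        print("blocked:", e)
```

Running the module shows the two views and the blocked personal-to-work message. The design point is that the persona never handles a global identifier at all: every PID it can name goes through its own table, so there is no number a process in one persona could supply that resolves to a process in another, which is the “prevent conflicts and ensure ... cannot access” property the quote describes.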
Now permit your imagination to stretch. If you can have MPV personas on Android, how elegant it would be if those personas (remembering that they contain both apps and data) could ‘slide’ across to run on other operating systems. That could certainly change how we operate with smartphones and tablets. Alas, it is not yet in sight.
But what is in sight is yet another set of changes that device mobility enables for the enterprise and for the device owner. The more mobility speeds up, the more doors and opportunities open — along with the management challenges that Constellation Research likes to address with clients.
- Note 1: “MoDM, MADM and MEM: Report 2 – Managing Mobile Devices in the Enterprise” (published January 2012 and addressing market trends plus key capabilities enterprises should expect in MoDM, MADM and MEM mobile management software)
- Note 2: “MoDM, MADM and MEM: Report 3 – 100+ Mobile Management Capabilities Relevant to Enterprise Customers” (published January 2012 and providing a reference and comparison base as to what capabilities the following vendors offer: Airwatch, Amtelnet, Boxtone, Capricode, Equinux, FAMOC, Fiberlink, Good Tech, Kaseya, MAD, Nukona, SAP, SoTI, Tangoe and Trellia).
- Note 3: http://www.cellrox.com/wp-content/uploads/2012/02/Cellrox-ThinVisor-Architecture.pdf
- Note 4: Neocore is an OpenGL-ES 1.1 graphics performance benchmark for Android devices. It shows off some of the techniques that are possible on accelerated platforms (such as 1-pass light maps and bump mapping).