How VMware MVP improves mobile device security

When VMware announced its Mobile Virtualization Platform, virtualization admins were intrigued, but questions about mobile device security arose as time went on.

The idea behind VMware’s mobile virtualization technology is simple: Take an end user’s phone and add a virtualization layer to it, providing a personal and corporate phone all in one. VMware MVP consists of a single virtual machine (VM) running on top of a kernel with a special paravirtualization driver, and it leaves the standard mobile operating system unmodified. (At this time, VMware MVP is only supported on Android phones.)

But before you dive into VMware MVP, it’s important to understand mobile device security methods -- and where issues may crop up. The security capabilities provided by VMware MVP for corporate environments include:

Encryption. Both your personal and corporate VMs run within the same kernel as the Android OS, so some security professionals have questioned whether it’s possible to hop from the standard mobile OS into the corporate VM or even see traffic as it traverses into the VM.

To address this concern, VMware MVP encrypts the VM within the phone’s internal available memory. This VM and its mobile OS image can only be downloaded from Horizon Mobile, a VMware management portal that allows admins to provision and manage mobile devices, push applications to the devices, and recover corporate data when it gets lost. The Horizon Mobile requirement ensures that corporate VMs can only be deployed by the enterprise, boosting security.

Mobile device management. The corporate mobile device image includes software components and services that reside partly on the mobile device and partly on enterprise back-end servers. This software provides more secure device management, provisioning, tracking, locating and wiping of entire devices.

Application delivery. With VMware MVP, applications are also encrypted and securely delivered down to the corporate mobile device image. That means the data will reside partly on the phone and partly at the company’s data center. If the device is lost or stolen, administrators can use centralized management tools to wipe apps or even an entire VM from the phone.

Antivirus. To boost mobile device security, you can also integrate an OS antivirus tool into VMware MVP. Antivirus software monitors the onboard VM and prevents any unauthorized modification of data to fully protect the image from any rogue content. Administrators can manage antivirus clients from the data center.

Secure decryption. To improve VMware MVP security, a VM can only be decrypted once the device is connected to the enterprise environment. That’s because access to the encrypted VM is not stored locally and is not directly tied to the user’s corporate password. Additionally, VMware imposes a time limit on how long a VM can be disconnected from the data center before it is wiped; this is a configurable VMware MVP setting. That said, it might be possible to grab the encrypted image before the time limit and decrypt the VM using phone forensic tools.

VMware MVP isn’t perfect, however. For example, one remaining mobile device security concern is that VMware MVP still only supports a single SIM, forcing users with different personal and corporate phone numbers to carry two smartphones. That leaves the user with more room for error and a wider attack surface for potential hackers.

This was first published in January 2012
