Slashdot Mirror
Dual Interface Mobile Devices To Address BYOD Issue
Lucas123 writes "Next year, smart phones will begin shipping with the ability to have dual identities: one for private use and the other for corporate. Hypervisor developers, such as VMware and Red Bend, are working with system manufacturers to embed their virtualization software in the phones, while IC makers, such as Intel, are developing more powerful and secure mobile device processors. The combination will enable mobile platforms that afford end users their own user interface, secure from IT's prying eyes, while in turn allowing a company to secure its data using mobile device management software. One of the biggest benefits dual-identity phones will offer is enabling admins to wipe corporate data from phones without erasing end users profiles and personal information."
It's already available.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
we heard you like to compute while you talk, so we put your boss's computer in your phone so you can slave away 24/7!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I don't understand who this would be attractive to, outside control-freak American corporations.
As a private citizen, why the hell would I want my personal phone to be designed in a way that allows the company I work for to take control of it and access my personal data (separate partitions be damned - when they take the device out of your view for "updates," what guarantee do you have they aren't hacking or imaging it? None)?
As a business owner, why the hell would I want sensitive company data to be stored locally on the personal device of an employee? What guarantee do I have that said employee won't try to access the information without permission, or better yet, take the phone and try to sell it to one of my competitors?
Now, say I was one of those aforementioned control-freak corporations - I would find this a wonderful idea! Not only would it give me an excuse and method to constantly track employees during their off time (oh, see, we're only monitoring the business partition of your phone, so it's totally legit!), it would also be one more frond on the proverbial cat-O-nine that I use to subjugate and mentally manipulate the people who work for me into docile compliance!
Perhaps I'm being excessively cynical, but I fail to see any positive value to such a system.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Until they can have dual SIM cards and run on two networks at the same time, it will be useless. If the company wants me to have a cellphone, they can pay for one. I prefer to keep both lines separate so I can completely ignore work the second I leave the office.
Do not look at laser with remaining good eye.
The point is you don't need (or even want) a hypervisor when you have a secure multi-user system with process isolation like Android.
Lack of a hypervisor support baked into the CPU is only a problem for hypervisor vendors.
The point is you don't need (or even want) a hypervisor when you have a secure multi-user system with process isolation like Android.
The processes might be isolated, but data access is not. Did you just give the Twitter app SD Card read/write access to the filesystem where the company data is? What could possibly go wrong?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Devil's advocate here. Having a low level hypervisor on the phone is something I've wanted for a long time. There are reasons that having two OS stacks that don't "see" each other on a level 1 hypervisor system would be , and it is less to deal with technical than legal reasons.
Reason 1: I can fire off a "kill" command from Exchange, and the business part gets zonked. The phone still is trackable and locatable. I can do this with a text message and TouchDown, but this way, all data related to work (or even perhaps a client) is gone, and assuming everything is encrypted with a key, I can be sure that the data is rendered unrecoverable, not just deleted or "wiped" (overwriting three times does not work with flash media due to wear levelling unless the low level controller is told to zap the individual cells themselves.)
Reason 2: Separation. I can sign off on the fact that there is absolutely -zero- mingling of personal and work/client data other than being on the same physical hardware (the same way a mainframe can separate LPARs). Confidential stuff never touches the same filesystem as personal data, so a rogue app that gets root would not be able to rummage inside the latest TPS reports.
With how contacts get slurped up by apps, someone storing work related contacts on their phone is likely going to have them vacuumed up by an app, which will aid greatly for spamming, as well as directed attacks (from a contact list with titles, org structures can be deduced, etc.) So, keeping business contacts completely away from personal ones, or contacts addressible by Facebook [1].
Having stuff completely separate minimizes the chance of "leakage". I can sort of do this with Android, but on the iPhone, there is no app like RoadSync or Touchdown to keep the Exchange stuff separate.
Reason 3: Legal/tax reasons. Having stuff separate also makes the legal eagles happy.
Of course, hypervisors are not perfect, but what they provide is separation that is useful in a legal sense (separate filesystems, separate CPU usage, separate RAM images.) It is easier to explain complete separation/isolation to a jury who hates your guts than to explain how unlikely it would be for a root exploit that would allow user "a" in a multi-user system to access user "b"'s stuff, from happening.
So, even though keeping work stuff in a single app is a working solution, the best from both a technical and legal viewpoint would be a level 1 hypervisor.
[1]: If I remember right, there was a bug in the FB app that might alter contacts about a year ago, and that would not be good with work stuff.