
WHITE PAPER

Smart Containerization
A unique technology that manages security, performance, compliance
and support characteristics of any device, application, content or email
while preserving the quality of the mobile user experience

Nagi Prabhu
James Rendell
2 | CONTAINERIZATION ca.com

Introduction: what is “Containerization”?


con·tain·er·i·za·tion [kuh n-tey-ner-uh-zey-shuh n]

noun Transportation.
a method of shipping freight in relatively uniform, sealed, movable containers whose contents do not have to be unloaded at
each point of transfer.

Containerization as a technique was invented in the 20th century in ocean shipping to make transporting of freight simple, fast,
secure and efficient. In this technique freight is segregated by its type, placed in uniform size containers and transported using
various transportation methods. Though they are of uniform size, each container is treated differently based on what content it
holds. For example, some containers may be refrigerated while others may require humidity control, etc. A container may leave
a factory by truck and be transferred to a railroad car, then to a ship, and, finally, to a barge. Each transfer of un-containerized
cargo exposes it to theft, loses efficiency and substantially adds to the cost of transportation.

These principles have been adopted in enterprise mobility to keep enterprise data segregated on a mobile device. The principle
is that all enterprise data can be placed inside a “container,” keeping it separate from the users’ own data. By doing so,
enterprises can allow the employees to use their device, applications and data in a manner they please, but applying security
policies on the container so that the data inside it can remain protected.

Various mobility vendors have attempted to implement this seemingly simple technique differently and with varying degrees of
success but in the end, none has been completely accepted. Some of these different technologies are outlined below.

A. Using a Single On-Device Application


In this implementation, a single, proprietary, specialized application is required to access all the enterprise applications, with
fundamental common mobile PIM (Personal Information Management) applications such as email, calendar, contacts, etc.
being duplicated in proprietary form within the container app. These “parallel” apps require the end user to learn new, non–native user
interfaces for the basic mobile functions of messaging, email and web browsing, with the result that this form of containerized
solution is widely disliked by end users.

All applications, regardless of the type or sensitivity of the data that they access, are placed inside the container application.
The mobile device’s built-in applications or other third-party applications cannot access the container or the contents inside the
container. Such a specialized container approach is marketed as a security solution, on the premise that enterprise data is
separated out from personal data on board the device, enabling the enterprise to remove the container, and therefore all the
data inside it, as required.

Comparing this to the shipping analogy, this approach is like creating a single gigantic container and placing all cargo types
inside it regardless of whether the freight requires any special handling, is perishable, requires refrigeration and so on. A single
container approach quickly becomes unmanageable due to its size, is extremely inconvenient to load and unload, and is unable
to support the different types of handling required by different freight types. As a result in the real world we do not see freight
shipped this way and similarly in the enterprise mobility space, the approach does not enable enterprise data and apps to be
managed in a flexible and granular way.

B. Using Remote Access


Several software vendors have specialized in remote desktop access technology to provide a solution where the data and
applications are run on a desktop or server computer in the data center and access is provided to the computer over the network
by streaming the native PC user interface to the mobile screen. By simply drawing the desktop or server user interface on the
mobile device, all of the advantages and power of the mobile device’s native user interface are lost and the quality of the
experience of the end user becomes entirely dependent on a very high quality network connection remaining available while the
remote application is in use. From a security standpoint, the premise is that by keeping the data and applications running only
inside the data center and by not transferring the data on the mobile device, there is no chance of data loss or theft.

To extend our shipping container analogy, this solution would be akin to putting the cargo in containers and providing a webcam
feed to view the contents of the container and a remote control robot arm to access the cargo. This solution provides no value
as no cargo is physically being moved to the destination where it needs to be consumed.

C. Using Dual Personas


Certain device manufacturers attempted to implement containerization through a technology known as “dual persona.” In this
method apps, email and content are secured by creating a container in the form of a duplicate environment on the phone. Users
are forced to keep all their personal apps, emails and data in one environment while enterprises use the second environment to
keep their apps and data. No interaction is allowed between the two environments. Enterprises can destroy the second
environment thereby destroying all the data and apps they would have placed on the device.

With regard to our shipping analogy, this solution is equivalent to dividing the ship into two halves with a thick, impenetrable
partition. The cargo is divided across the two sides with the partition preventing any movement of cargo between the two
halves. While the separation seems beneficial, if the job at hand requires cargo from both sides, then one will have to shuttle
back and forth between the two halves to complete the job.

D. Using Virtualization
Virtualization vendors create a container in the form of a “phone within a phone.” Inside the operating system that is present in
the mobile device another virtual device is created to host the enterprise application and data. By removing the virtual device,
one can easily remove the enterprise app and data. The assumption was that virtualization could be applied to all devices and
operating systems, however it turns out that this technique is incompatible with the majority of devices, such as most Android
implementations and Apple’s iOS, where the “low level hacks” needed to implement virtualization are prevented by the device
manufacturer.

The virtualization approach can be compared to placing one ship inside a larger ship. Besides the inconvenience of moving between
the two ships to perform any job, this would be extremely space inefficient. The ship hosted inside would consume the precious
cargo space of the main ship. Hardly any ships are built to host another ship inside themselves and most ships would not have
enough surplus engine power to drive the mass of an additional ship. This analogy is true for mobile devices: almost none are
adapted for virtualization and the resource consumption impact of having a “phone within a phone” is too great for most devices.

Although each of the techniques of containerization seems like a straightforward proposition on the surface, none of the
techniques above provide a holistic mobility management solution for the enterprise. In addition to the points above, the
existing containerization techniques suffer from a variety of other inherent drawbacks:

It’s all about the user: Existing containerization solutions are built only to address security challenges, completely missing the
opportunity to solve other problems such as performance management, application support and user experience management.
A strategic, future-proof approach to mobility management ensures that the users not only access apps and data securely, but
also enjoy a great experience while doing so. Market research indicates an increasing trend of individual users owning 2 or 3
devices simultaneously. Thus scaling user experience becomes even more critical when mobile applications are rolled out to
millions of devices across multiple platforms.

Not granular: Placing all of the data in a single container leads to all data being treated the same way. Thus, there is only one
security policy: the policy applied to, and enforced by, the container. Because the enterprise deals with many different types of
data, each with distinct management and security requirements, the “one size fits all” policy approach is too inflexible for
enterprise-wide use.

Not multi–channel: Current containerization solutions that operate only on mobile devices such as iOS and Android are
typically not multi–channel in nature. In a “Never, Never Land” enterprise where only mobile devices were allowed, this may not
have been an issue. But increasingly, mobile devices are just one of multiple device types that are used to access enterprise
applications and data. Because they operate in a “mobile silo,” these solutions require the enterprise to find additional, separate
security solutions for the other device types like laptops, desktop PCs, smart meters, IP cameras, etc. in use in the enterprise.

Not borderless: In today’s always on, always connected world characterized by pervasive mobile device use, the ability to
control the usage of data outside and inside the enterprise is of prime importance because outside the enterprise is precisely
where confidential data is exposed to the greatest risk. In short, security solutions have to be borderless.

Thus, despite the fact that these first generation containerization solutions are marketed as security tools, their effectiveness for
enterprise mobility management is severely lacking.

CA Smart Containerization™
CA Management Cloud for Mobility is powered by “Smart Containerization” technology from CA Technologies. Smart Containerization
associates a policy describing security, performance and support requirements with individual content, emails, apps or devices.
Thus, a single file, mail, app, or a device, is protected within a Smart Container, which enforces policies appropriate to the type
of content being managed. For example:

• A mobile app may have a policy controlling where (e.g. a geographic location or Wi-Fi network) it can execute.
• A single email may have an encryption policy applied to it based on its content, or the email may have a policy that prevents
it being forwarded outside the enterprise.
• A document may have a policy preventing it from being stored locally on the device.
• An application may have a policy that collects and reports the performance characteristics of the device or itself.

Smart Containerization solves the critical issues in first generation containerization solutions outlined below:

• Smart Containerization delivers high end-user acceptance by preserving a native device user experience. Applying a single
treatment to all the data and/or apps makes the container very intrusive when it comes to the user experience on the device.
The Smart Container is transparent and leaves the user experience of the device in its native form.
• Smart Containerization technology is multi–channel in nature, covering PCs and laptops as well as mobile devices.
• Smart Containerization is inherently borderless because policies can flow with data, content, apps and devices as they move.

This chart shows how the containerization techniques described above stack up against these criteria.

[Chart: bubble chart plotting Granularity (vertical axis) against Manageability (horizontal axis) for Smart Containerization,
Secure Container, Dual Persona, Virtualization and Remote Access. Size of the bubble indicates diversity of the things the
container can manage.]

• Smart Containerization provides the granular control that enterprises require because content, emails, apps or devices can be
“self–defending” and describe their own security and support requirements to the container.
• A Smart Container enables all IT management domains an enterprise would like to perform on the mobile device, data and
applications—be it performance, security, support, user experience management, etc.

To relate Smart Containerization back to our shipping container analogy, Smart Containerization is equivalent to creating
multiple containers each optimized for different cargos, which enables one to match cargo transportation requirements to the
specific containers with appropriate attributes, e.g. ice cream and meat can be put in the same container since they both require
freezing, whereas vegetables may require a temperature controlled container but not one that freezes cargo since that might
destroy the vegetables, and so on.

Smart Containers would offer many benefits over and above simple protection of the contents:

• They would provide adaptive environmental controls such as humidity, light intensity and temperature based on the
containers’ contents.
• Smart Containers can optimize their energy consumption based on circumstances such as the ambient temperature or the
time of day.
• Smart Containers are aware of who is allowed to access the content inside, making it easy for authorized people to enter the
containers while blocking others from entering the container.

Adaptive, Smart Containers make it easy for the transporter to simply place the content in the container and let the container
take care of the contents from that point forward.

The following sections describe how the products within the CA Management Cloud for Mobility implement and enforce their
particular policy responsibilities powered by Smart Containerization.

Devices: CA Mobile Device Management (CA MDM)


CA MDM manages the inventory and configuration of a variety of mobile devices, as well as Windows PCs, and provides for
remote management of these devices in a secure, scalable manner. Smart Containerization for CA MDM begins with the device
hardware and software stack and works through to centralized, granular policy control and configuration of a multitude of
device features (camera, network access, GPS control, etc.).

Mobile device platform features: An interesting development in the mobile space is that the
mobile device manufacturers are increasingly taking responsibility for the security, integrity and
robustness of the platform they provide. In just the same way as we expect automobiles to
provide built-in safety and security features, so the mobile device manufacturers are responding to consumer expectations that
mobile devices will also provide appropriate security features.

Notable amongst these are Apple’s security features in iOS 7, and the Samsung For Enterprise (SAFE) and KNOX security
capabilities for Samsung Android devices.

CA MDM’s support for Apple’s iOS 7 security features and Samsung’s Android security extensions enable Smart Containerization
protection to be applied to these devices—providing a firm foundation on which to deploy additional security capabilities to
control the use of apps, content and email. Typical features provided by these platforms, which can be centrally controlled via
CA MDM include:

Managed Open-In: On iOS 7, CA MDM can centrally control the list of apps allowed to open content of a given type, regardless
of whether additional apps are available to the user. For example, if an enterprise has a specific PDF reader that is an enterprise
standard, that PDF reader can be defined as the only reader app that can open PDFs attached to emails, downloaded via Safari,
etc. This enables the iOS 7 device to “Smart Containerize” selected data to specific apps on the device.

Per App VPN functionality enables an app to be “Smart Containerized” to a given network on both iOS 7 and Samsung Android.
For example a corporate application can be configured to automatically start and only function if a specified VPN connection is
available, thereby preventing a sensitive enterprise app from making unfettered use of the internet.

Advanced app controls on Samsung Android allow CA MDM to centrally control app installation and removal, as well as to
blacklist and whitelist apps and centrally wipe an app’s data.

Email provisioning controls allow for centralized email account configuration and removal.

Device feature controls allow central administration of individual hardware components such as Bluetooth, WiFi and camera
as well as storage encryption.

Enterprise Single Sign On enables the mobile device to integrate with a Microsoft Active Directory or other Kerberos-based
authentication environment.

Secure web browsing capabilities allow for URL blacklisting and whitelisting as well as centralized control of browser privacy
options and enforcement of an HTTP proxy for secure internet browsing from the mobile device.

CA MDM can control the distribution of apps to mobile devices via an Enterprise App Store. When used in conjunction with CA Mobile
Application Management, CA MDM can distribute Smart Containerized enterprise apps to mobile devices.

CA MDM also supports many other device platforms including Windows Phone 8, BlackBerry and all other generic Android-based
devices (Android 2.2 and above).

Smart Containerization via CA MDM allows an enterprise to apply robust, granular, security policies regardless of the type of device in use.

Apps: CA Mobile Application Management (CA MAM)


CA MAM enables advanced, granular control over the use of
apps on the mobile device and the availability of specific
device features to each mobile app. In essence, each app is
“wrapped” with a Smart Container that applies granular policy
control to the app.

The diagram to the right illustrates how Smart Containerization is applied selectively to two apps on a mobile device:

• The CA Corporate Escalation app has a policy attached to it that specifies it can only be executed when the device is
located at CA Islandia Headquarters or CA Ditton Park EMEA Headquarters and that camera access is allowed, however
Copy/Paste from the app will be prevented.
• The CA Business Intelligence app, which is an analytics and reporting app, has a policy attached to it that specifies that it
can only be executed on a weekday, is allowed to access the internet and to have data Copy/Pasted.

CA MAM’s Smart Containerization policies allow apps to be controlled in many granular ways:

Identity: The specific users or groups that are allowed to execute an app or are prohibited from executing it.

Apps: The specific app or apps the policy relates to.

Geofencing: An app can be configured to only execute when the device is in a certain location or can be prevented from
executing when the device is in a certain location.

Time Fencing: The time windows when an app may, or may not, be executed.

Network: An app can be explicitly “locked” to a specific WiFi network segment, e.g. an app can only be used when on a
corporate WiFi network.

Selective wipe: Where access to an app is forbidden, there are additional options to lock access to the app and to permanently,
but selectively, wipe any data stored on the device by the app.

Features: An app can be enabled or disabled for access to many device features, e.g. Copy/Paste, GPS, Camera, Contacts, etc.

Smart Containerization via app wrapping through CA MAM is an ideal complement to device security features. Where the
device in use does not provide specific platform security features, CA MAM adds a much-needed layer of control. Where the
device does provide built-in security features, CA MAM adds security controls to the app that are not provided through the
device’s own, built-in security functions.
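The policy dimensions above (identity, geofence, time fence, network lock, feature controls and selective wipe on denial) can be modelled as a small evaluator that a wrapped app consults before it runs. The following is an added example written for this paper, not CA MAM’s own code or schema: the `AppPolicy` fields, the geofence names, the `DeviceContext` shape and the two sample policies (built from the Corporate Escalation and Business Intelligence descriptions above) are all assumptions. Anything a policy does not grant is treated as denied, and a denial carries the policy’s wipe decision with it.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed policy model (not CA MAM's real schema). Each wrapped app carries
# one AppPolicy; empty sets mean "no constraint on this dimension".
@dataclass(frozen=True)
class DeviceContext:
    user: str
    groups: frozenset
    location: Optional[str]    # named geofence the device is inside, or None
    wifi_ssid: Optional[str]   # SSID currently joined, or None
    now: datetime

@dataclass
class AppPolicy:
    app: str
    allowed_groups: frozenset = frozenset()      # identity: empty = any user
    denied_users: frozenset = frozenset()        # identity: explicit prohibition
    allowed_locations: frozenset = frozenset()   # geofence: empty = anywhere
    denied_locations: frozenset = frozenset()    # geofence: never run here
    allowed_weekdays: frozenset = frozenset()    # time fence: 0=Mon..6=Sun
    allowed_hours: Optional[tuple] = None        # time fence: (start, end) hour
    required_ssids: frozenset = frozenset()      # network lock: empty = any
    features: dict = field(default_factory=dict) # e.g. {"camera": True}
    wipe_on_deny: bool = False                   # selective wipe of app data

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    features: dict               # feature -> enabled; absent = disabled
    wipe_app_data: bool = False

def evaluate(policy: AppPolicy, ctx: DeviceContext) -> Decision:
    """Default-deny evaluation; the first failing dimension explains the denial."""
    def deny(reason):
        return Decision(False, reason, {}, wipe_app_data=policy.wipe_on_deny)
    if ctx.user in policy.denied_users:
        return deny("identity: user explicitly prohibited")
    if policy.allowed_groups and not (ctx.groups & policy.allowed_groups):
        return deny("identity: user not in an allowed group")
    if ctx.location in policy.denied_locations:
        return deny(f"geofence: {ctx.location} is a denied location")
    if policy.allowed_locations and ctx.location not in policy.allowed_locations:
        return deny("geofence: device is outside every allowed location")
    if policy.allowed_weekdays and ctx.now.weekday() not in policy.allowed_weekdays:
        return deny("time fence: not an allowed day")
    if policy.allowed_hours is not None:
        start, end = policy.allowed_hours
        if not (start <= ctx.now.hour < end):
            return deny("time fence: outside allowed hours")
    if policy.required_ssids and ctx.wifi_ssid not in policy.required_ssids:
        return deny("network: app is locked to a corporate WiFi network")
    # Feature controls: only features the policy explicitly grants are on.
    granted = {name: bool(on) for name, on in policy.features.items()}
    return Decision(True, "all policy checks passed", granted)

# Sample policies transcribed from the two apps described in the text (assumed encoding).
CORPORATE_ESCALATION = AppPolicy(
    app="CA Corporate Escalation",
    allowed_locations=frozenset({"CA Islandia HQ", "CA Ditton Park EMEA HQ"}),
    features={"camera": True, "copy_paste": False},
    wipe_on_deny=True,
)
BUSINESS_INTELLIGENCE = AppPolicy(
    app="CA Business Intelligence",
    allowed_weekdays=frozenset(range(5)),   # Monday..Friday
    features={"internet": True, "copy_paste": True},
)

# Constructed contexts: the same user at the Islandia geofence on a Tuesday
# morning, and in a coffee shop (no known geofence) on a Saturday afternoon.
CTX_HQ_TUESDAY = DeviceContext("jdoe", frozenset({"support"}), "CA Islandia HQ",
                               "CA-CORP", datetime(2014, 9, 16, 10, 30))
CTX_CAFE_SATURDAY = DeviceContext("jdoe", frozenset({"support"}), None,
                                  "CafeFreeWifi", datetime(2014, 9, 20, 14, 0))

if __name__ == "__main__":
    for policy in (CORPORATE_ESCALATION, BUSINESS_INTELLIGENCE):
        for ctx in (CTX_HQ_TUESDAY, CTX_CAFE_SATURDAY):
            d = evaluate(policy, ctx)
            print(f"{policy.app:26} {ctx.now:%a %H:%M} allow={d.allow} "
                  f"wipe={d.wipe_app_data} features={d.features} ({d.reason})")
```

The evaluator reports why an app was blocked, which is what a support desk needs when a user says “the app will not open”, and the wipe flag is returned rather than acted on so the calling code can log the event before destroying local data.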

Content: CA Mobile Content Management (CA MCM)


CA MCM provides a platform to enable secure collaboration where content is shared between users with mobile, as well as
non-mobile, devices.

CA MCM applies Smart Containerization protection to data on the mobile device to ensure that only authorized users can view
content and to prevent abuse of sensitive content by preventing local copying and copy/pasting of content.

The content owner can control who should have access to content. Authorized content users have the ability to comment
on content in real-time. Content updates are instantaneously available to authorized users as content is updated.

CA MCM manages the back-end connections to multiple data stores and repositories, such as cloud-based file sharing
services, enterprise content management systems such as SharePoint and commonly-used SaaS applications such as
Salesforce.com.

Smart Containerization solves a traditional problem where different back-end repositories—email, file share, web download,
etc.—each have to be individually secured. In that legacy environment, the security attributes were defined according to the
channel (email, file share permissions, web application permissions, etc.) and these may not be consistent between channels
or appropriate for the content. Smart Containerization through CA Mobile Content Management makes the back-end
repositories abstract to the user and applies security policy directly to the specific item of content, rather than inferring the
policy based on the repository it was stored in.

Although CA MCM provides an easier way for users to securely share and collaborate on sensitive content than simply emailing it
around, email of course still has a vital role to play in the enterprise. The secure management of content via the CA MCM
platform is therefore complemented by CA Mobile Email Management, a platform to enable sensitive emails to be protected.

Email: CA Mobile Email Management (CA MEM)


As noted in the introduction, Smart Containerization can apply to
a single email, as well as a single app or single document.
CA MEM applies policy-based public key encryption to emails
that have been identified as containing sensitive data. Many of
the emails that users exchange are not actually sensitive. Often
an email simply contains non-sensitive, trivial or publicly
available information and applying protection to such emails is a
waste of resources and inconvenient for the user. For example, in
the simplistic containerization model a user has to open up a
special email client to access their corporate email only to find a
new email message discussing a team social event!

In contrast CA MEM encrypts only the sensitive emails. The encryption is based on the recipients’ public key and the
recipient must authenticate using the corresponding private key in order to decrypt their email.

Smart Containerization through CA MEM solves the critical issues with simplistic containerization in various ways:

Native client experience: As noted in the introduction, end users are highly resistant to security solutions that require
them to use a separate, proprietary client that duplicates basic mobile device functions. CA Mobile Email Management
integrates with the mobile device’s native email client, which provides a far more satisfactory user experience.

Cross platform: CA MEM integrates with webmail and Outlook email clients, providing email Smart Containerization
functionality on any device available to the user for email access. If the device is internet enabled, CA MEM can support it.

Borderless: CA MEM can encrypt emails for users who are not yet enrolled, generating a public/private key pair and retaining
the keys in escrow, along with the encrypted email, until the user enrolls. Additionally the solution works seamlessly inside and
outside the enterprise: external users are equally able to enroll on the system to manage sensitive email content as enterprise
users are. The ability to apply protection policies to the email itself, without requiring the user to be an internal enterprise user
in order for the security policy to be applied, is a key benefit of Smart Containerization.

Multi-Factor Authentication: Because the recipient must hold the corresponding private key to decrypt, as illustrated above,
the mobile device becomes an authentication factor in its own right. This ensures robust proof of identity when accessing
sensitive email content.
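The email flow described in this section (encrypt only mail classified as sensitive, wrap it to the recipient’s public key, and for a recipient who has not yet enrolled generate a key pair and hold it in escrow together with the message until enrollment) is shown below as an added example for this paper. It is not CA MEM’s code: the keyword classifier, the `EmailGateway` class, the hybrid RSA-OAEP/AES-GCM envelope format and the sample addresses are all assumptions, and it uses the `cryptography` package rather than whatever CA MEM uses internally.

```python
import os
import re
from dataclasses import dataclass, field
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed stand-in for "identified as containing sensitive data": a real
# deployment would use DLP rules; here a few keyword/format patterns suffice.
SENSITIVE_PATTERNS = [re.compile(p, re.I) for p in
                      (r"\bconfidential\b", r"\bsalary\b", r"\b\d{3}-\d{2}-\d{4}\b")]

def is_sensitive(subject: str, body: str) -> bool:
    text = f"{subject}\n{body}"
    return any(p.search(text) for p in SENSITIVE_PATTERNS)

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_key_pair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

@dataclass
class Envelope:
    recipient: str
    wrapped_key: bytes   # AES-256 key encrypted to the recipient's RSA public key
    nonce: bytes
    ciphertext: bytes    # AES-GCM over the body; subject bound as associated data
    subject: str

@dataclass
class EmailGateway:
    # user -> private key already delivered to the user's device (assumed model)
    enrolled: dict = field(default_factory=dict)
    # user -> (private key, queued envelopes) held until the user enrolls
    escrow: dict = field(default_factory=dict)

    def _public_key_for(self, user: str):
        if user in self.enrolled:
            return self.enrolled[user].public_key()
        # Borderless: unknown or external recipient -> generate a pair and escrow it
        if user not in self.escrow:
            self.escrow[user] = (new_key_pair(), [])
        return self.escrow[user][0].public_key()

    def send(self, recipient: str, subject: str, body: str):
        """Non-sensitive mail passes through unchanged; sensitive mail is enveloped."""
        if not is_sensitive(subject, body):
            return body
        content_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        ciphertext = AESGCM(content_key).encrypt(nonce, body.encode(), subject.encode())
        wrapped = self._public_key_for(recipient).encrypt(content_key, OAEP)
        env = Envelope(recipient, wrapped, nonce, ciphertext, subject)
        if recipient in self.escrow:
            self.escrow[recipient][1].append(env)   # retained until enrollment
        return env

    def enroll(self, user: str) -> list:
        """Release the escrowed private key and any queued envelopes to the user."""
        if user in self.enrolled:
            return []
        private_key, queued = self.escrow.pop(user, (new_key_pair(), []))
        self.enrolled[user] = private_key
        return queued

def open_envelope(private_key, env: Envelope):
    """Decrypt with the recipient's private key; None if the envelope was altered."""
    try:
        content_key = private_key.decrypt(env.wrapped_key, OAEP)
        return AESGCM(content_key).decrypt(env.nonce, env.ciphertext,
                                           env.subject.encode()).decode()
    except (InvalidTag, ValueError):
        return None

if __name__ == "__main__":
    gw = EmailGateway()
    print(gw.send("alice@example.com", "Team social", "Pizza on Friday?"))
    env = gw.send("bob@partner.example", "Confidential: Q3 numbers", "Revenue is down 4%.")
    print("escrowed for bob:", len(gw.escrow["bob@partner.example"][1]))
    queued = gw.enroll("bob@partner.example")
    print(open_envelope(gw.enrolled["bob@partner.example"], queued[0]))
```

Binding the subject line as AES-GCM associated data means a message whose subject is altered in transit no longer decrypts, which is the check a recipient wants before trusting a “sensitive” mail. While a key pair sits in escrow, whoever controls the escrow store can read the queued messages, so that store needs at least the protection the mail itself gets.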


Summary
Containerization emerged as a simple approach to securing corporate data on the mobile device. However, its simplicity also
came with a number of critical weaknesses: it is not granular enough for today’s enterprise requirements, nor robust enough
to resist emerging advanced threats. In addition, being limited in scope to managing data only on mobile devices within the
enterprise meant the solution was too restrictive for today’s enterprises’ strategic requirements. Couple these enterprise
issues with the fact that end users hate the way these containerization technologies force them to abandon the mobile
device’s native user experience, and it is easy to see why enterprises are anxious for a replacement technology to emerge.

Smart Containerization by CA Technologies is unique in delivering the best user interface experience that
end users insist on and provides advanced security features such as support for the latest platform
security features, complete management benefits beyond security and robust multi-factor authentication,
as well as being truly borderless and multi-channel—supporting mobile, as well as non-mobile, devices.

For further information about Smart Containerization by CA Technologies, please contact your CA account team and
visit ca.com/mobility.

Connect with CA Technologies at ca.com

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables
them to seize the opportunities of the application economy. Software is at the heart of every business,
in every industry. From planning to development to management and security, CA is working with
companies worldwide to change the way we live, transact and communicate – across mobile, private
and public cloud, distributed and mainframe environments. Learn more at ca.com.

Copyright © 2014 CA. All rights reserved. This document is for your informational purposes only, and does not form any type of warranty about the products or offerings
described herein. CS200-70516_0914
