Cellrox is a startup that’s addressing BYOD issues by creating lightweight virtual personas for Android devices. I recently spoke with Omer Eiferman, their CEO, to find out more about the product.
Of course when we talk about BYOD, separating corporate and personal personas, and virtualization, we can’t help but also talk about VMware Horizon Mobile. Horizon Mobile and Cellrox have a lot in common, but there are significant differences in both their underlying technologies and usage models, which I’ll point out when appropriate.
For context, let’s step back a second and look at why Cellrox exists in the first place. The point is simple: prevent corporate data from leaking into personal apps, and protect the privacy of users’ personal apps and data. Common approaches to this problem are through virtualization and mobile application management (MAM). MAM applies security policies like passwords, VPNs, remote wiping, and encryption to individual applications. Since Apple won’t allow iOS to be virtualized, virtualization solutions are limited to Android devices, while MAM solutions are available for both platforms. And MAM is exploding right now—there are dozens of solutions on the market from vendors large and small, and it’s pretty safe to call MAM established—while neither Cellrox nor VMware Horizon Mobile is shipping yet. (For a primer on MAM and mobile device management, check out this article from Brian.)
These add up to some tough challenges for any mobile virtualization solution, but virtualization certainly has its advantages, as well. Since MAM involves protecting individual apps, the apps have to be specially built or modified to work with a management system and in order to be able to communicate with each other. With virtualization-based solutions personal apps and data live in one environment and corporate data and apps live in another, on the same device. Security policies for corporate apps are applied to the whole environment, so ordinary, unmodified apps can work in all their usual ways. (This issue is particularly sensitive for email. Third-party managed clients miss out on a lot of the integrated features afforded to built-in clients; again, this isn’t a problem when you’re simply managing the entire environment.)
Besides virtualization, there are other Android-only mobile management products on the market. For example, 3LM and Samsung SAFE are third-party mobile device management APIs that build on native Android to address a few more BYOD issues. The bottom line is that even if a solution doesn’t support iOS, we shouldn’t dismiss it.
Now that we’ve established the landscape that Android virtualization is coming into, let’s dig into the particulars of Cellrox.
About Cellrox virtual personas
Cellrox was founded in 2011, but the technology used has earlier roots in an academic research project at Columbia University known as Cells. The computer science department at Columbia has published an excellent paper describing the project.
Cellrox isn’t complete OS virtualization. Instead, virtualization is limited to the user space, creating multiple personas that share a common Linux kernel. Since the kernel is shared, all of the personas have to be similar versions of Android. With VMware Horizon Mobile, the personal environment is native, acting as a host to the virtual corporate environment, which can be any version of Android. Which way is better? You decide: Cellrox emphasizes that all the personas will have the same look and feel as the original OS; VMware emphasizes the ability to have a common corporate provisioning target.
Multi-tasking between the various personas works much the same way as multi-tasking between different Android apps. Only one persona is in the foreground at any given time, while apps running in the other personas function just like any other background app—things like music players, calls, and notifications will still work. It’s this singular focus that makes mobile virtualization take a lot less overhead than, say, running Windows on a Mac using a type 2 client hypervisor.
Cellrox has stated that phones running their product can support 5 virtual personas, and even more for tablets. Why would anybody want so many personas? A user could have a guest persona or a persona for other family members in addition to their corporate and personal personas, but the most interesting use case comes with having multiple work personas with different levels of security.
Using the personas
Remember that unlike with mobile app management, with virtualization, security policies are applied to the entire virtual environment or persona. If there’s a sensitive financial app that needs an extra-long password and a VPN, then all of the other work apps in the persona get the long password and VPN, too. Naturally this is super annoying for a user to deal with every time they want to do something less sensitive, like checking email. But since Cellrox supports several personas, sensitive apps can get a tightly locked down environment, while other work apps can get a less-restricted environment. Having to go to different personas to launch the different apps could be annoying for users, but Cellrox also allows app shortcuts from one persona to another—all the apps can appear together in one place, but tapping an icon for a more sensitive app can open it in a different virtual persona.
This ability to have apps launch into different personas in a way that is completely transparent to the user is absolutely the killer feature of Cellrox. This gives more granular control over apps, but still without having to manage (or modify) the apps themselves. For comparison, VMware Horizon Mobile only supports one guest, so that means all of the work apps get the same policies, or that if you want different policies for different apps, then you’ll need some mobile application management tools.
Cellrox provides a management console to assemble and provision personas, and IT can set policies to control the flow of data between personas. Alternatively, a persona can simply be managed using a conventional mobile device management product.
The go-to-market strategy of Cellrox is through carriers and OEMs. This is key, because the product does require heavily modifying Android, something that most users probably aren’t comfortable letting IT do. On the other hand, if IT is simply provisioning a persona that the user’s phone can already accommodate, then it will be much easier to swallow.
Like VMware, Cellrox now faces the hurdle of gathering OEM and carrier partners. (They have announced one so far.) A large support base would mean that BYOD could actually happen organically with this product. But even if Cellrox support isn’t widespread, the virtualized Android could still work well as corporate-issued devices.
For now we’ll be waiting for more partnership announcements, and in the meantime, it remains to be seen how much the Android-only limitation will hinder the adoption of virtualization-based mobile devices.