In this Q&A, Global Security Group Director Scott Totzke explains how the BlackBerry solution was architected to minimize security threats to mobile data and devices. Plus, Scott highlights just a few of the functions IT can use to customize settings that impact security, such as applications downloaded by users. Further resources are provided at the end of the article.
What features and tools does the BlackBerry device platform offer to protect against malware, denial-of-service attacks and similar security risks?
Security has always been one of the central pillars of the BlackBerry Enterprise Solution™. From the very beginning we decided that security must be an integral part of the architecture. As a result, there are a number of unique features in BlackBerry Enterprise Server and the BlackBerry Wireless Handheld that limit the actions an application can perform, helping protect against malicious attacks and mitigating the effects of malware.
The BlackBerry Enterprise Solution has Application Control features that restrict the privileges a third-party application has, like restricting inter-process communications and network access. System administrators can set IT policies in BlackBerry Enterprise Server to block third-party applications from being loaded on to a device. The Java™ operating system on BlackBerry devices is also designed to prevent one application from causing problems (either accidentally or maliciously) in another application. Access to sensitive APIs is controlled by “code signing” to ensure that files haven't been corrupted or tampered with, and will only allow authentic and authorized applications to run. These capabilities significantly reduce the impact that malicious applications can have on a device.
What features and tools does the BlackBerry Enterprise Server offer to protect against malware, denial-of-service attacks and similar mobile security risks? For example, could an enterprise use its BlackBerry Enterprise Server to weed out malware so that it's never sent to the device?
As mentioned, BlackBerry Enterprise Server allows an IT manager to set policies on what applications can be installed on a device and what privileges an application has. This granular control helps administrators to ensure that an application can only access information and resources that are explicitly authorized. This greatly limits any potential negative impact that an application can have on the device. Giving IT control over what applications can run and what privileges these applications have not only has security benefits, but can also help to reduce support costs since the IT department only needs to worry about tested and authorized applications being installed on a BlackBerry device.
BlackBerry Enterprise Server also sits behind the corporate firewall, polling the email system for messages to send to the BlackBerry device. A malicious email attachment sent to the enterprise has to traverse the perimeter anti-spam, anti-virus and other email security defenses that an enterprise has in place. Since the BlackBerry Enterprise Server is an extension of an existing inbox, it only accesses messages that end up in the email server (Microsoft® Exchange,. IBM® Lotus® Domino® or Novell® GroupWise®), so it benefits from those email security defenses.
Another method of attack on a device is to pass malware through an open Bluetooth® connection. With BlackBerry Enterprise Solution the Administrator can limit what Bluetooth profiles are allowed. For example, allowing only headsets or taking it a step further by either limiting the coverage area of the Bluetooth radio in a device or completely disabling Bluetooth so applications cannot access it.
Compared to other enterprise-class mobile platforms (i.e., Symbian™, Palm, Windows Mobile™), what are the security strengths of the BlackBerry Enterprise Solution?
There are four key areas that we focus on for BlackBerry Enterprise Solution security. These are:
1. Data Confidentiality
First and foremost, the BlackBerry Enterprise Solution is designed to help ensure the confidentiality of your data. Protecting email or application data transmitted between your enterprise and your BlackBerry device is essential and should be considered an entrance requirement for any enterprise mobility solution. More and more it is becoming critical to also protect the data stored on the device, so in addition to the AES-256 encryption for data stored on the device as an out-of-the-box feature.
2. Administration and Management Tools
Providing robust configuration management tools to the IT organization is another key requirement. BlackBerry provides a range of tools including application control, password management and local database encryption. This must be seamless and something that the end user can not circumvent. It is important that our customers have the tools needed to address their corporate governance policies, especially if there are legislative requirements that they must adhere to.
3. Security Standards
Supporting and conforming to Internet standards is another area that we feel is important. We aren’t inventing new standards or asking customers to change the way they operate; we support open standards such as S/MIME, PGP, TLS, SSL and PKI (glossary). Some customers may have compliance issues requiring the use of smart cards, S/MIME or PGP to address the confidentiality of the information that they send via email over the Internet; we need to have these solutions available to the BlackBerry user so that there is not a trade off between mobility and security.
4. Security Validation
The last area is providing independent assurances to our customers, or really taking a hard look at the "Trust But Verify" approach and doing whatever we can to meet the needs of our customers when it comes to external validations of our product or particular components within the solution.
BlackBerry was the first mobile device to obtain a FIPS-140 validation for the embedded encryption technology and we remain an active participant in this program with ten validations that cover both our device and server encryption modules. While the FIPS program is great for the North American market it does not address the needs of some of our international customers, so we are also working with various security certification bodies around the world including the Fraunhofer Institute in Germany and CESG in the UK. In fact, last week the BlackBerry Enterprise Solution became the first and only mobile solution to have been tested and approved by the UK government.
RIM has also taken a proactive course of action on vulnerability issues. RIM has a Security Research Team that works with the engineering and software development teams as well as external groups to analyze areas of potential attack on BlackBerry. In cases where potential vulnerabilities have been identified, we've acted quickly to determine the scope of the issue, disseminate that information to customers with possible workarounds, and to develop fixes in a timely manner. We've also developed relations with external security advisory groups such a US-CERT and Secunia.
Is the BlackBerry platform open in the sense that it's relatively easy for a third party to develop add-on security tools?
The majority of developers creating applications for BlackBerry are really focused on extending business processes out to the device. We've had more than 60,000 downloads of the BlackBerry Java Development Environment (JDE), and there are hundreds of business applications already developed. So, it is relatively easy for a third party to develop for BlackBerry. In terms of security add-ons, we've seen many products in the areas of identity management, two-factor authentication and compliance management.
What other companies are developing add-on security features for the BlackBerry platform? (I'm particularly interested in solutions for malware rather than, say, two-factor authentication.)
Some of the companies that have developed add-on security products for the BlackBerry Enterprise Solution include Credant Technologies, Entrust, PGP, RSA Security, Trust Digital and Voltage Security. For malware, enterprises should be putting in place comprehensive perimeter security solutions that filter for spam and malware. Some of the players in that space include CipherTrust, IronPort Systems, SurfControl, Symantec Corporation and Tumbleweed Communications.
Find out more:
BlackBerry and RSA SecurID - Protecting your Corporate Data from Unauthorized Access – Webcast, May 10, 2006
Security White Paper - PDF
Wireless IT Policy and IT Administration - PDF
PGP Support Package
BlackBerry Security with the S/MIME Support Package - PDF
Wireless Enterprise Activation White Paper - PDF
BlackBerry Smart Card Reader
BlackBerry Enterprise Server Documentation, Technical Advisories and White Papers
For the latest information go to: blackberry.com/security
Glossary of Terms:
Courtesy of whatis.com
S/MIME - Secure Multi-Purpose Internet Mail Extensions, a secure method of sending email
PGP – Pretty Good Privacy is a secure method of sending email over the Internet
TLS – Transport Layer Security ensures privacy between users and applications on the Internet
SSL – Secure Socket Layer is a commonly-used protocol for sending messages on the Internet
PKI – Public Key Infrastructure is a method of securing the exchange of data over an unsecure network, such as the Internet.
Back to Top