The success of an organization is tied directly to its employees’ ability to make smart decisions and serve its customers. Countless articles in the media speak to how mobilizing data applications improves customer service and efficiency, helps accurately track, place and monitor the status of supplies and services and report on sales and business trends. The blackberry.com site also includes white papers, case studies and ROI assessment tools to build the business case for mobile data applications.
The greatest concern IT professionals share with us is being able to meet their organization’s growing mobile data requirements while maintaining a secure network. In this IT Policy Spotlight we review the measures Research In Motion (RIM) has taken to ensure that deploying applications to BlackBerry® devices doesn’t compromise your organization’s security policies and how the IT administrator centrally manages all application and data access.
BlackBerry Enterprise Solution Application Control
Security in a mobile solution must be comprehensive, ranging from password controls to logging mechanisms to protecting devices from malware and viruses. To be most effective, the administrator must be given the tools to control a device and its applications, as well as the different elements involved in a mobile solution – and that is exactly the case with the BlackBerry® Enterprise Solution.
When it comes to the mobile applications that drive business, the BlackBerry Enterprise Solution uses IT policy controls to allow users unimpeded access to the critical applications they need to do their job, while containing malicious programs that could impact business continuity or compromise sensitive data.
With 19 Application Control IT policies, the BlackBerry® Enterprise Server allows the administrator to limit the resources and user data available to a given application. For example, restrictions can be imposed on internal or external domains, the phone, Bluetooth®, USB and user data such as email and PIM. And because administrators can specify limitations on a per application basis, they can grant elevated permissions to trusted applications.
The BlackBerry Enterprise Server provides fine grained control over all aspects of the platform, giving the administrator full control over applications, configuration and transport. The administrator can manage all options centrally and update all BlackBerry devices instantly and wirelessly.
Using IT policy rules to control third party application functionality on the BlackBerry device
BlackBerry Enterprise Server includes IT policy rules that let administrators control RIM applications on the BlackBerry device, plus rules designed to enable the control of third party applications.
Using IT policies, IT administrators can permit or prevent the installation of third party applications on the BlackBerry device. Administrators can also limit the permissions of third party applications, including:
- which resources (for example, email, phone and BlackBerry device key store) third party applications can access on the BlackBerry device
- the types of connections that a third-party application running on the BlackBerry device can establish (local connections, internal connections and external connections, for example)
- whether or not an application can access the user authenticator framework API, which permits the registration of drivers to provide two factor authentication to unlock the BlackBerry device
Virus and Firewall Protections: containing malware on the BlackBerry device
Not all applications for mobile devices are malicious. In fact, most of them aren’t—but organizations need to be confident that the solutions they deploy to their mobile users won’t put their IT infrastructure at risk. And they need to ensure they don’t expose company and customer data to unauthorized users.
The most common approach for preventing the transmission and proliferation of malware on a computer is to install virtual real-time anti-virus scanning software. This software is designed to detect and contain malware. While desktop computers can easily accommodate anti-virus software, wireless devices are constrained by memory, processing power and battery life.
Detecting malware requires a large, frequently-updated, local database or a constant connection to an online database. As a result, the device is constantly downloading new data and running processes. These tasks can have a significant impact on battery life, increase network traffic and slow other device operations. As a result, the BlackBerry solution focuses on using IT policies to proactively prevent a BlackBerry device from loading or running unauthorized code in order to protect against malware.
This proactive approach to malware protection ensures that malware that might gain access to the BlackBerry device cannot cause damage to the device, its applications, its data or to the corporate network.
See Protecting the BlackBerry Device Platform Against Malware for more information on containing malware.
Using code signing to limit access to BlackBerry device application data
While RIM doesn’t inspect or verify third-party applications that run on BlackBerry devices, it does control the use of BlackBerry device APIs—sensitive packages, classes, or methods—to prevent unauthorized applications from accessing data on the BlackBerry device. Each third party application requires authorization to run on the BlackBerry device. Unless digitally signed by the RIM signing authority system, MIDlets cannot access the memory of other applications, or the persistent data of other MIDlets.
Before a user can run a third-party application that uses the RIM controlled APIs on the BlackBerry device, the RIM signing authority system must first authorize and authenticate the application code using public key cryptography.
Third party application developers must visit http://www.blackberry.com/developers/downloads/jde/api.shtml to register with the RIM signing authority system. Doing so will allow the developer to access the controlled APIs and use the BlackBerry Signature Tool, a component of the BlackBerry® Java™ Development Environment (BlackBerry® JDE), to request, receive and verify a digital code signature from RIM.
To find out more about BlackBerry Application Control policies, access the BlackBerry Enterprise Server Policy Reference Guide, which includes all the IT Policies available with the BlackBerry Enterprise Solution.
Application control policies are only one component of maintaining a secure mobile solution. Next month, we’ll review camera and expandable media policies and the role they play in protecting your corporate data.