In this tip, we explore BlackBerry security capabilities most directly related to data protection. You'll discover how tight IT controls and protection options can be combined to safeguard your enterprise's valuable data on a BlackBerry.
For many employers, the data on a handheld is far more valuable than the device itself. According to Ponemon Institute, the average cost of a data breach has now reached $197 per compromised record. The vast majority of breaches involve laptops, but it's just a matter of time before some CEO's lost BlackBerry makes headlines. Or is it?
Under my thumb
Most BlackBerry users carry a device that is centrally configured and monitored by their employer. Although BlackBerrys have long been available to individuals, BlackBerry has until recently been marketed almost exclusively to corporations. In particular, mobile device management through the BlackBerry Enterprise Server (BES) has been a big part of BlackBerry's business appeal.
IT staff use BES to deploy IT and application policies that control how a BlackBerry operates, the programs it can run, and how it will protect data. Global policies are defined for the entire domain and refined to reflect the needs of each group. All authorized BlackBerry users are bound to an IT policy, which can be pushed to their handhelds over-the-air during "wireless enterprise" activation.
Through IT policies, employers can enforce common mobile security needs like mandating device passwords with a minimum length, complexity and update frequency; requiring inactivity timeouts; preventing user changes to read-only parameters; and permitting voice calls on locked handhelds. They can also disable riskier features like Bluetooth or IM and control whether and how data is encrypted.
Application policies go beyond those native capabilities, letting employers control custom and third-party applications installed on the device and the resources they are permitted to access. For example, an application can be permitted to reach internal and/or external domains or prohibited from using Bluetooth or GPS.
Controls like these can reduce risk. For example, BlackBerrys have flown under the radar for mobile malware by running only IT-vetted applications. This may change as consumers configure their own BlackBerrys to run non-business applications.
Digging into data
No matter who manages a BlackBerry, that device's content can be protected through a combination of hardware, software and policies. When the content-protection option is enabled, a random 256-bit AES content-protection key is used to produce a public/private key pair. The content-protection key and private key are then encrypted with a temporary key, derived from the user's password, and stored in flash memory.
As long as the BlackBerry is unlocked, data received by or typed into the device will be encrypted with the content-protection key. Once the device is locked, that content cannot be read until the user enters the correct password, allowing the content-protection key to be decrypted. Furthermore, any messages received while the device is locked are encrypted with the previously generated public key and cannot be decrypted with the private key until the user's password has been entered.
This scheme prevents someone from picking up a locked BlackBerry and viewing user data (including text typed into the BlackBerry), any data saved by the BlackBerry Web browser (including its cache), calendar entries, address book contacts, memos, tasks, and email messages (including bodies and attachments). Further options can encrypt files written to external memory and passwords saved by a Password Keeper application.
IT policies control whether or not content protection is used and the length (strength) of associated keys. Policies also control whether users can make exceptions, like viewing the address book on a locked BlackBerry. It is important to realize, however, that content protection depends on the user's password. This entire scheme can be defeated by an easy-to-guess password.
To deter password compromise, define IT policies that discourage practices like reuse and simple password incrementing. Combine those with secure data wipe after max. password attempts or device loss/theft. BlackBerry policies also let you automatically wipe a device if it isn't unlocked within a defined period or if the battery becomes too weak to receive a remote wipe command.
Going the distance
These measures protect data at rest on a BlackBerry, but what about data in transit? The BlackBerry operating system is well known for including transport encryption, but it actually supports multiple methods -- some of which affect stored data too.
Every message sent to a BlackBerry through a wireless carrier is routed through RIM's BlackBerry infrastructure. For customer privacy, each message is encrypted with 3DES or AES and keys known only to the BES and the handheld. The BES decrypts each message before relaying it to your company's messaging server (e.g., Microsoft Exchange, IBM Lotus Domino).
Some newer BlackBerrys support further over-the-air encryption options, including IPsec tunneling to a corporate VPN gateway and Wi-Fi data encryption using WPA/WPA2. All of these methods deter eavesdropping on messages in transit. But some companies require end-to-end encryption, from sender to recipient. How can a recipient know that a message was not modified or viewed on the messaging server?
BlackBerry handhelds support end-to-end encryption through optional PGP or S/MIME clients. For example, when the BES delivers an S/MIME-protected message to a BlackBerry, both BlackBerry transport encryption and S/MIME data encryption are applied. Upon receipt, the handheld removes BlackBerry transport encryption, but S/MIME data encryption remains until the recipient views the message.
In this tip, we explored BlackBerry security capabilities most directly related to data protection. We have shown how tight IT controls and protection options can be combined to keep BlackBerry data safe. To learn more about the BlackBerry security architecture, including capabilities that go well beyond data protection, visit www.blackberry.com/security. Remember: Your handheld vendor can only supply the tools to secure your mobile workforce -- it's up to you to apply them wisely.
About the author:
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in June 2008