
Protection for Every Enterprise: How BlackBerry Security Works (page 1)

PROTECTION FOR EVERY ENTERPRISE

Whitepaper

How BlackBerry Security Works


Why Mobile Security Matters More than Ever

Most IT experts agree: BYOD (Bring Your Own Device) is the biggest mobility trend affecting enterprises today. But with consumerization comes the co-mingling of personal and work use cases – and pure consumer devices offer no integrated protection against sensitive enterprise data leaking through personal channels.

As enterprises mobilize business processes, more and more sensitive data passes through and resides on mobile devices.

Meanwhile, risk-inherent personal use cases continue to grow, spanning:

› Social networking

› Personal email

› Untrusted personal apps

› Web browsing

› Instant Messaging, SMS/MMS, other P2P messaging

› MicroSD storage

› USB connectivity


By now, enterprises are well aware that they need a robust security strategy and mobility platform to protect their data, their business and their users.

To address these issues comprehensively, the BlackBerry® 10 platform has been built from the ground up to deliver a first-rate user experience while meeting the complex and ever-shifting demands of enterprise security. In this document, we’ll take a close look at the following features:

› BlackBerry® Balance™ (for platform-level separation of work and personal)

› BlackBerry® World™ for Work (a corporate application storefront)

› BlackBerry® Secure Connectivity

› BlackBerry 10 authentication

› The BlackBerry 10 Operating System

› Enterprise Mobility Management; IT Rules and Policy Sets

All of these features and functions are controlled and enabled through the BlackBerry® Enterprise Service 10 (BES10) platform – which IT administrators can use to manage not only BlackBerry 10 devices, but also iOS and Android™ devices (with support for Windows® Phone coming soon) for true multi-platform mobility management on a single, unified console.

How BlackBerry Balance Works

In the past, if you wanted better mobile security, you had to sacrifice the user experience, and vice versa. This paradigm comes to an end with BlackBerry Balance.

BlackBerry Balance maximizes employee productivity and user satisfaction with a seamless, elegant, and intuitive user interface. And it controls security risks through:

› Complete protection for all data leak channels and mechanisms

› A tamper-resistant architecture that protects against abuse and attack

The BlackBerry 10 platform has been built from the ground up to deliver a first-rate user experience while meeting the complex and ever-shifting demands of enterprise security.


BlackBerry Balance partitions work data from personal data using two completely separate file systems. To better understand the architecture behind BlackBerry Balance, take a look at the diagram below.

Work Space (left of the diagram): Work applications reside within the work file system.

› Work applications and work data are always protected by the work file system with AES-256 encryption.

› Only applications that reside in the work file system are able to connect through work communication channels, including BlackBerry Enterprise Service 10, enterprise Wi-Fi, enterprise VPN and Intranet browsing. If you want to allow Personal Space traffic to use work connectivity options, you have that option.

› The appropriate communication channels are automatically provisioned to protect your sensitive enterprise data.

User Interface (centre of the diagram): The key to BlackBerry Balance is its interface.

› Data originating from an enterprise resource is automatically identified as work data, and any other data is automatically identified as personal.

› Work data can’t be copied or cut/pasted into a personal data channel, and files can’t be moved from one file system to the other.

› The user interface allows some work and personal content to be displayed together for an ideal user experience, as in the case of the BlackBerry® Hub; however, an ‘abstraction layer’ prevents any data leakage between the Work Space and the Personal Space.

› The Work Space and Personal Space have separate wallpapers, so users always know at a glance which space they’re in.

Personal Space (right of the diagram): Personal applications reside within the personal file system.

› Personal applications include personal BlackBerry® apps such as BBM™ and third-party personal apps for things like email, gaming and social networking.

› Applications that reside on the personal file system have access only to personal communication channels (listed on the right hand side of the diagram), often referred to as data leak channels. Again, you have the option to enable personal apps to use work connection options if you need or want to.

Diagram: Innovative Device Data Leak Prevention

› Enterprise (work data sources): BES10, content servers, web servers, Microsoft ActiveSync. Work connectivity: BlackBerry MDS, BES, enterprise Wi-Fi, enterprise VPN, Intranet browsing.

› Work Space: work apps in the work file system (AES-256 encryption).

› BlackBerry 10 user interface: data identification and tagging; data leak controls covering data access/transfer, file transfer, cut and paste and other channels (shown as “Not Permitted” between the two spaces); unified app controls for unified apps (BlackBerry only, such as BlackBerry email and PIM).

› Personal Space: BlackBerry apps and 3rd-party apps in the personal file system.

› Personal (data leak channels): personal apps, social networking, email and webmail, web browsing, instant messaging and other P2P, SMS/MMS, USB and MicroSD, other data channels.
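The tagging and transfer rules described above, written out as an added Go example (this is illustration code, not BlackBerry’s implementation): data is tagged work or personal by its source, work data is refused entry to any personal channel, files never cross between the two file systems, and a personal app may reach a work network channel only when the single IT-policy flag allows it. The source names, the three channel kinds and the policy flag are assumptions made for the example.

```go
package main

import "fmt"

// Space identifies which side of the BlackBerry Balance partition something belongs to.
type Space int

const (
	Work Space = iota
	Personal
)

// Kind distinguishes the channel types the paper names: file systems, cut/paste and network connectivity.
type Kind int

const (
	FileSystem Kind = iota
	Clipboard
	Network
)

// Channel is a destination for data: a work or personal file system, clipboard or network channel.
type Channel struct {
	Space Space
	Kind  Kind
}

// Transfer is one attempted move of data tagged Data, by an app living in App, into Channel.
type Transfer struct {
	Data    Space
	App     Space
	Channel Channel
}

// Policy carries the one IT-policy knob the paper describes: whether personal traffic may use work connectivity.
type Policy struct {
	PersonalMayUseWorkConnectivity bool
}

// enterpriseSources are constructed example names for "enterprise resources" (assumption); data from them is work data.
var enterpriseSources = map[string]bool{
	"bes10": true, "activesync": true, "intranet": true, "content-server": true,
}

// Tag implements the paper's rule: data from an enterprise resource is work data, everything else is personal.
func Tag(source string) Space {
	if enterpriseSources[source] {
		return Work
	}
	return Personal
}

// Allowed decides whether a transfer may proceed and returns the rule that decided it.
func Allowed(t Transfer, p Policy) (bool, string) {
	// Work data may never be copied, pasted or moved into a personal channel.
	if t.Data == Work && t.Channel.Space == Personal {
		return false, "work data may not enter a personal channel"
	}
	// Files never cross between the two file systems, in either direction.
	if t.Channel.Kind == FileSystem && t.Data != t.Channel.Space {
		return false, "files do not move between the work and personal file systems"
	}
	// Only apps in the work file system use work channels, unless IT policy opens work connectivity to personal apps.
	if t.Channel.Space == Work && t.App == Personal {
		if t.Channel.Kind == Network && p.PersonalMayUseWorkConnectivity {
			return true, "personal app using work connectivity (enabled by IT policy)"
		}
		return false, "personal apps are limited to personal channels"
	}
	return true, "transfer stays within one space"
}

func main() {
	policy := Policy{PersonalMayUseWorkConnectivity: false}
	attempts := []Transfer{
		{Data: Tag("bes10"), App: Work, Channel: Channel{Personal, Clipboard}}, // paste work mail into a personal app
		{Data: Tag("twitter"), App: Personal, Channel: Channel{Work, Network}}, // personal app on enterprise Wi-Fi
		{Data: Tag("bes10"), App: Work, Channel: Channel{Work, Network}},       // work app talking to BES10
	}
	for _, a := range attempts {
		ok, why := Allowed(a, policy)
		fmt.Printf("allowed=%-5v %s\n", ok, why)
	}
}
```

The ordering of the checks matters: the "work data never leaves" rule is evaluated before the policy flag, so enabling work connectivity for personal apps widens what personal apps may reach without ever letting work data flow the other way.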


Containerization for iOS and Android: Secure Work Space

BlackBerry Balance is an industry-leading solution for the separation of work and personal on BlackBerry 10 devices. But in a multi-platform environment, you need to address the same issues on a range of devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option that delivers a higher level of control and security to iOS and Android devices, all managed through the single BlackBerry Enterprise Service 10 administration console. Managed applications are secured and separated from personal apps and data – and users can access an integrated app for email, calendar and contacts, an enterprise-level secure browser, plus secure attachment viewing and editing with Documents To Go®. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space.

Your Corporate App Storefront: BlackBerry World for Work

BlackBerry World for Work provides a simple, manageable and scalable tool for the secure deployment of enterprise applications. It installs applications into the Work Space on your users’ BlackBerry 10 devices, and these applications are secure by default. From here, BlackBerry Balance protects against any data leakage or malicious attempts to access enterprise data.

BlackBerry World for Work gives you two options when it comes to deploying your enterprise applications: mandatory pushes or optional downloads.

Mandatory Pushes

› You can set these up through the intuitive BlackBerry 10 admin console.

› These enterprise apps are automatically delivered and updated – users don’t need to do a thing.

Optional Downloads

› Populate your enterprise catalogue with helpful, trusted applications that can be optionally downloaded by your employees.

› You can even choose to whitelist applications from the publicly accessible BlackBerry World in your private BlackBerry World for Work storefront.

BlackBerry Balance protects against any data leakage or malicious attempts to access enterprise data.


The Gold Standard in Secure Connectivity

BlackBerry has, for many years, been held up as the gold standard in secure connectivity. That doesn’t change with BlackBerry 10.

Seamlessly enabling secure access to systems behind the firewall, as well as protecting work data in transit, is assured by the proven BlackBerry security model, which now extends to multiple platforms. Simple, cost-effective setup and ongoing administration are supported by the VPN-less, single outbound port 3101 connectivity model BlackBerry is renowned for – including certified end-to-end encryption. So there’s no need for third-party connectivity or security solutions.

› Outside of the enterprise, any connection to BlackBerry Enterprise Service 10 via the BlackBerry infrastructure over Wi-Fi or cellular uses AES-256, which also protects the connection to Microsoft® Exchange and any other enterprise content servers.

› The BlackBerry infrastructure-to-device leg has an additional layer of Transport Layer Security (TLS) to authenticate the BlackBerry infrastructure.

› Outside of the enterprise, the BlackBerry infrastructure can be bypassed by connecting directly to BlackBerry Enterprise Service 10 by VPN, over Wi-Fi or cellular.

› The device VPN supports IPsec and SSL.

› Inside the enterprise, the device connects directly to BlackBerry Enterprise Service 10 and the LAN over corporate Wi-Fi.

Note: For all of these options, Wi-Fi security is the industry standard Wi-Fi security noted in the legend. For additional security, end-to-end SSL is supported between BlackBerry 10 devices and the content servers.

The user’s Personal Space and personal apps can directly connect to Wi-Fi and cellular, also supporting SSL if you so choose.

› Users can also connect to their own private network VPN.

› As mentioned above, there’s also the option to allow Personal Space traffic to use work connectivity options (and this can be easily disabled by IT policy).

Diagram: BlackBerry Enterprise Service 10: Architecture

Components shown: BlackBerry devices and iOS and Android devices on the wireless network; the BlackBerry infrastructure and APNs; the external firewall and TCP proxy; the BlackBerry Router; the internal firewall; BES10 and the BES10 databases; the administrator’s computer; and additional 3rd-party apps*.

* including certificate authority, mail server, other web servers or content servers


Authentication: Flexible Options for Passwords and Certificates

BlackBerry 10 supports two options for authentication: passwords and certificates. Passwords are generally used for device authentication.

Flexible and granular password policies can be enforced on:

› The Work Space: The administrator can require a user password for access to the Work Space.

› The entire device: The administrator can also demand a password for access to the entire BlackBerry 10 device (a must-have for many high-security and regulated environments).

BlackBerry 10 also supports certificate enrollment and automatic renewal, using the industry-standard Simple Certificate Enrollment Protocol (SCEP).

› SCEP provides easy, scalable certificate enrollment and renewal.

› Authentication is generally for Wi-Fi, VPN or Intranet.

› All certificates are encrypted and protected within the BlackBerry 10 key store.

Why the BlackBerry 10 Operating System is Most Secure

The operating system is arguably the most important component of mobile device security but it’s often overlooked. Unlike security tools, controls and features or corporate sandboxes, the security of the OS is generally more opaque to the observer. Operating system source code is typically not shared, and even if it is, it’s hard to assess the security of millions of lines of code.

First and foremost, BlackBerry 10 is based on the QNX® Microkernel. So what does this mean for you? It means your enterprise gains several security benefits.

The Security Benefits of the QNX Microkernel

It contains less code (about 150,000 lines):

› This small footprint helps eliminate vulnerabilities by making security verification and testing easier and more robust.

It’s designed for resiliency:

› The Microkernel isolates processes in the user space.

› Unresponsive processes are restarted without affecting others, so that applications don’t crash the OS.

It minimizes all root processes:

› Only the most essential BlackBerry processes run as root.

› Root processes are not available to non-BlackBerry parties, which makes the OS less vulnerable to security risks.

The QNX Microkernel diagram illustrates how user processes cannot directly access other processes.

Contained and Constrained: Application and Malware Controls

The best way to protect your enterprise from mobile malware is to use an operating system that’s designed to resist it. BlackBerry 10 uses a ‘contain and constrain’ design strategy to mitigate against malware risks.

By sandboxing the user space, BlackBerry 10 can block malicious behavior:

› Processes are constrained within the user space and the Microkernel carefully supervises inter-process communication.

› Memory accessed by the user space is also authorized by the Microkernel.

› Any process that attempts to address unauthorized memory is automatically restarted or shut down.

Personal Application Controls

› Access to Personal Space resources is limited and operates on an ‘app-by-app’ and ‘need-to-have’ basis.

› The user gets the right information at the right time to make an informed decision about what permissions to grant.

Diagram: the QNX Neutrino Microkernel surrounded by user-space processes: Graphics Driver, Input Driver, File System, Network, User Application and HMI.


The following diagram illustrates the device boot process and the BlackBerry ‘chain of trust’. The secure boot process is centred on authentication to help guard against persistent OS attacks and rootkits.

Diagram: the BlackBerry chain of trust

› CPU embedded Boot ROM: holds the public EC521 key; the Boot ROM’s digital signature is verified first.

› BlackBerry 10 OS: the SHA256 of the base file system is signed with EC521; the OS is verified with the public EC521 key, and the SHA256 hash is verified to match the loaded images.

› Base file system (read-only): carries an XML manifest of loaded applications (cryptographically hashed); the base file system verifies the hashes of the loaded applications (Application 1 to Application 4) running on the BlackBerry 10 Operating System.

› BlackBerry World: software upgrades and application downloads; all downloads are verified with ECC-signed SHA-2 hashes.
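The chain of trust above, carried through as an added Go example (illustration code, not BlackBerry’s implementation): the boot-ROM public key verifies an EC-521 (P-521) signature over the SHA-256 of the base file system, the signed image carries the application manifest, and every loaded application is then checked against that manifest. Generating the key pair at run time, the sorted name/hash manifest encoding and the image contents are assumptions of the example; the paper’s XML manifest format and the boot ROM’s own signature check are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Image is a constructed stand-in for the base file system image or an application binary.
type Image struct {
	Name string
	Data []byte
}

// Manifest maps each loaded application to its expected SHA-256 (the paper's hashed manifest, simplified).
type Manifest map[string][32]byte

// NewRomKey generates a P-521 key pair. On a device the public half is fixed in the boot ROM (assumption: generated per run).
func NewRomKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
}

// SignOS signs the SHA-256 of the base file system with the EC-521 private key (ASN.1 DER signature).
func SignOS(priv *ecdsa.PrivateKey, base Image) ([]byte, error) {
	h := sha256.Sum256(base.Data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// BuildManifest records the hash of every application that will be loaded.
func BuildManifest(apps []Image) Manifest {
	m := Manifest{}
	for _, a := range apps {
		m[a.Name] = sha256.Sum256(a.Data)
	}
	return m
}

// ManifestBytes serializes the manifest deterministically (sorted by name) so the OS signature can cover it.
func ManifestBytes(m Manifest) []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []byte
	for _, n := range names {
		h := m[n]
		out = append(append(append(out, n...), 0), h[:]...)
	}
	return out
}

// VerifyBoot is the boot-ROM step: accept the OS only if its hash carries a valid EC-521 signature.
func VerifyBoot(rom *ecdsa.PublicKey, base Image, sig []byte) bool {
	h := sha256.Sum256(base.Data)
	return ecdsa.VerifyASN1(rom, h[:], sig)
}

// VerifyApps is the base-file-system step: every loaded application must match its manifest hash.
func VerifyApps(m Manifest, apps []Image) error {
	for _, a := range apps {
		want, ok := m[a.Name]
		if !ok {
			return errors.New("application not in manifest: " + a.Name)
		}
		if sha256.Sum256(a.Data) != want {
			return errors.New("hash mismatch for " + a.Name)
		}
	}
	return nil
}

// BootChain links the steps: the ROM verifies the signed OS image (which ends with the manifest),
// then the OS verifies each application against that manifest.
func BootChain(rom *ecdsa.PublicKey, base Image, sig []byte, m Manifest, apps []Image) error {
	if !VerifyBoot(rom, base, sig) {
		return errors.New("boot ROM: OS signature invalid")
	}
	mb := ManifestBytes(m)
	if len(base.Data) < len(mb) || !bytes.Equal(base.Data[len(base.Data)-len(mb):], mb) {
		return errors.New("manifest is not the one covered by the OS signature")
	}
	return VerifyApps(m, apps)
}

func main() {
	priv, _ := NewRomKey()
	apps := []Image{{"hub", []byte("hub-binary")}, {"browser", []byte("browser-binary")}}
	m := BuildManifest(apps)
	base := Image{Name: "base-fs", Data: append([]byte("base-file-system"), ManifestBytes(m)...)}
	sig, _ := SignOS(priv, base)
	fmt.Println("intact boot:", BootChain(&priv.PublicKey, base, sig, m, apps))
	apps[1].Data = []byte("browser-binary-modified")
	fmt.Println("modified app:", BootChain(&priv.PublicKey, base, sig, m, apps))
}
```

Appending the manifest to the signed base image is what links the two stages: swapping in a manifest that matches modified applications fails at the ROM stage, because it no longer matches the bytes the signature covers, and modifying an application without touching the manifest fails at the base-file-system stage.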


Below are a few examples of the security mechanisms that are integrated into the BlackBerry 10 operating system to protect against attacks and arbitrary code execution.

Protection mechanisms and what they do:

› Non-executable stack and heap: stack and heap areas of memory cannot execute machine code, protecting against buffer overflows.

› Stack cookies: buffer overflow protection to prevent arbitrary code execution.

› Robust heap implementations: a form of protection against corruption of the heap area of memory that can lead to arbitrary code execution.

› Address space layout randomization (ASLR): random allocation of a process’ address space makes arbitrary code execution more difficult.

› Compiler-level source fortification: a compiler option replaces insecure code constructs where possible.

› Guard pages: a form of protection against heap buffer overflow and arbitrary code execution.

S/MIME Support

A quick but important point: S/MIME is the most common standard for sender/receiver email encryption.

It’s a great solution for intense security for email communications outside of the enterprise. If your enterprise requires it, you’ll be happy to know that BlackBerry 10 supports S/MIME encrypted and signed emails out of the box.

IT Rules and Policy Sets

As with BlackBerry® 7 OS and earlier, BlackBerry 10 allows you to use IT policies to control and manage devices in your organization’s environment. And while BlackBerry 10 can enable the various policies required by regulated and high-security organizations, there’s no need for hundreds of granular IT controls to plug data leaks – your enterprise has automatic protection with BlackBerry Balance.


Enterprise Mobility Management

BlackBerry 10 with BlackBerry Enterprise Service 10 supports the entire spectrum and mix of enterprise mobility management needs, from basic BYOD to high security.

BlackBerry 10 support for the ActiveSync® protocol will meet the needs of companies that take a relaxed approach to device management and security – allowing them to synchronize with their email platform and enabling basic device management.

Moving up a level, we have Silver level EMM, which is part of BlackBerry Enterprise Service 10. This is for enterprises that are more sensitive to the need to secure their corporate data and require greater security/device management capabilities.

Highly regulated, government organizations and those businesses that take security very seriously require more stringent control over devices, and will need to enforce strict security policies. For these organizations, we offer Gold level EMM, which is also administered through BlackBerry Enterprise Service 10. This option gives you a whole host of policies to control virtually everything about the device.

And now, if you need or want to allow corporate-provided BlackBerry 10 devices to be deployed with both a Work Space and a Personal Space, you can do so, with administrator controls that span both spaces under Gold level EMM.

Diagram: Supporting the entire spectrum and mix of EMM needs

The diagram arranges organizations along six levels of EMM policy:

› Level 1: open policy, low management needs

› Level 2: managed devices for some end users and open for others

› Level 3: regular mobile policy for everyone

› Level 4: segmented mobile policy

› Level 5: mix of lockdown and managed devices

› Level 6: 100% lockdown

Organization types placed along the same axis: small and medium size businesses; media and other non-security-sensitive industries; large enterprise with multiple different levels of device management and security; government, central agencies; regulated industries. Examples given: SOHO and small to medium businesses with no company policy; large and medium enterprise with security sensitivity; legal and professional services, oil and gas, financial services; large enterprise with high security.

Level of EMM policy, from lowest to highest: Basic Mobility Management (ActiveSync only), Silver Level EMM, Gold Level EMM.

To find out more, and to sign up for a FREE 60 day BES10 trial, head to www.blackberry.com/business [1]

EZ Pass: Free perpetual BES10 licenses for all existing BlackBerry and other MDM licenses. Limited time offer. [2]

Learn more at blackberry.com/ezpass

[1] 60-day Free Trial Offer: Limited time offer; subject to change. Limit 1 per customer. Trial starts upon activation and is limited to 50 Silver licenses for BlackBerry devices and 50 Gold licenses with Secure Work Space for iOS and Android. Following trial, customer must purchase service to continue use of product. Not available in all countries. A trial system can be upgraded to a production system at any time by adding a production key purchased or acquired from an authorized reseller. When a system is upgraded to production, the trial licenses will no longer be available.

[2] Between now and January 31, 2015. Additional Terms and Conditions will apply.

iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc. which does not sponsor, authorize or endorse this brochure.

© 2014 BlackBerry. All rights reserved. BlackBerry®, BBM™ and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners.
