Separating Work and Personal: How BlackBerry Balance Works at the Platform Level
Whitepaper
Why Balance matters in enterprise mobility

As more and more business processes go mobile, IT faces an ever-increasing number of security challenges. Users now have access to a multitude of personal communication channels, such as social networking sites, untrusted personal applications, webmail, web browsing, and instant messaging. Without the proper structures in place, data-transfer mechanisms such as P2P file sharing, USB connectivity, media card swapping, Bluetooth and NFC data transfer can all pose a threat to the enterprise.

In the past, better mobile security meant sacrificing the user experience, and vice versa. This paradigm comes to an end with BlackBerry Balance. Balance maximizes employee productivity and user satisfaction with a seamless, elegant, and intuitive user interface. Balance is built right into every BlackBerry 10 device and is available automatically when a device is enrolled with BlackBerry Enterprise Service 10 (BES10). Visit blackberry.com/business for details.
How Data Leak Protection is built in

Balance partitions work data from personal data using two completely separate file systems.

[Diagram: BlackBerry Balance architecture with built-in Data Leak Protection. Left, ENTERPRISE (work data sources): BES10, content servers, web servers and Microsoft ActiveSync, reached over MDS, BES, enterprise Wi-Fi, enterprise VPN and intranet browsing, feeding the Work Space (email, PIM, work apps) on the work file system (AES-256 encryption). Center, BlackBerry 10 user interface: unified apps (BlackBerry only) under unified app controls, data identification and tagging, and data leak controls over data access/transfer, file transfer, cut and paste and other operations (not permitted). Right, PERSONAL (data leak channels): personal apps, social networking, email and webmail, web browsing, instant messaging and other P2P, SMS/MMS, USB and micro SD, and other data channels, reaching the Personal Space (apps, third-party apps) on the personal file system.]

Work Space (Left)

Work applications reside within the work file system. Work applications and work data are always protected by the work file system with AES-256 encryption. Only applications that reside in the work file system are able to connect through work communication channels, including BlackBerry Enterprise Service 10, enterprise Wi-Fi, enterprise VPN, and intranet browsing. If you want to allow Personal Space traffic to use these work connectivity options, you have that option. The appropriate communication channels are automatically provisioned to protect your sensitive enterprise data.

User Interface (Center)

The key to Balance is its interface. Data originating from an enterprise resource is automatically identified as work data, and any other data is automatically identified as personal. Work data can't be copied or cut/pasted into a personal data channel, and files can't be moved from one file system to the other. The user interface allows some work and personal content to be displayed together for an ideal user experience, as in the case of the BlackBerry Hub; however, an abstraction layer prevents any data leakage between the Work Space and the Personal Space.
The Work Space and Personal Space have separate wallpapers, so users always know at a glance which space they're in.

Personal Space (Right)

Personal applications reside within the personal file system. Personal applications include personal apps such as BBM and third-party personal apps for things like email, gaming and social networking. Applications that reside on the personal file system have access only to personal communication channels (listed on the right-hand side of the diagram), often referred to as data leak channels. Again, you have the option to enable personal apps to use work connection options if you need or want to.
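The tagging and leak-control rules described in the two sections above, expressed as a small Python model. This is an added example, not part of the whitepaper and not BlackBerry's own code: the names Space, Item, ItPolicy, SpaceFileSystem, AppInstance and the origin and channel lists are constructed for the example. It keeps the rules the paper states (work data is tagged by enterprise origin, files never cross file systems, work content is never pasted into a personal channel, personal apps reach work channels and work contacts only when IT allows it, dual apps are two independent instances); one direction the paper does not mention, pasting personal content into a work app, is allowed here and marked as an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum


class Space(Enum):
    WORK = "work"
    PERSONAL = "personal"


# Constructed lists modelled on the architecture diagram: enterprise sources tag
# data as work; the "data leak channels" are where work data must never exit.
WORK_ORIGINS = {"bes10", "activesync", "enterprise-vpn", "intranet"}
WORK_CHANNELS = {"bes10", "enterprise-wifi", "enterprise-vpn", "intranet"}
LEAK_CHANNELS = {"usb", "microsd", "bluetooth", "nfc", "sms", "webmail", "p2p"}


@dataclass(frozen=True)
class Item:
    """A unit of data carrying the space it was tagged into when it was created."""
    name: str
    content: str
    space: Space
    kind: str = "file"  # "file", "clipboard" or "contact"


def tag(name, content, origin, kind="file"):
    """Identification and tagging: enterprise-originated data is work, anything else is personal."""
    space = Space.WORK if origin in WORK_ORIGINS else Space.PERSONAL
    return Item(name, content, space, kind)


@dataclass
class ItPolicy:
    """Server-side (BES10) switches that relax the default isolation; both default to closed."""
    personal_apps_can_read_work_contacts: bool = False
    personal_traffic_on_work_connectivity: bool = False


class DlpViolation(Exception):
    pass


@dataclass
class SpaceFileSystem:
    """One of the two separate file systems (the work one is AES-256 encrypted at rest)."""
    space: Space
    files: dict = field(default_factory=dict)

    def store(self, item):
        # Files never move between file systems, in either direction.
        if item.space is not self.space:
            raise DlpViolation(f"{item.space.value} file cannot be placed in the {self.space.value} file system")
        self.files[item.name] = item


@dataclass
class AppInstance:
    """An app running in one space; a dual app is two such instances, one per space."""
    name: str
    space: Space
    policy: ItPolicy

    def read(self, item):
        if item.space is self.space:
            return item.content
        # The one controlled exception the paper names: IT may let personal apps see work contacts.
        if (self.space is Space.PERSONAL and item.kind == "contact"
                and self.policy.personal_apps_can_read_work_contacts):
            return item.content
        raise DlpViolation(f"{self.name}[{self.space.value}] may not read {item.space.value} data")

    def paste(self, clip):
        """Cut/paste control: work clipboard content never enters a personal app.
        Assumption: personal-to-work pastes are allowed, since the paper only forbids the other direction."""
        if clip.space is Space.WORK and self.space is Space.PERSONAL:
            raise DlpViolation("work data cannot be pasted into a personal channel")
        return clip.content

    def send(self, item, channel):
        """Channel control: work channels serve work apps unless IT opens them; leak channels never carry work data."""
        if item.space is not self.space:
            raise DlpViolation("an app can only transmit data from its own space")
        if channel in WORK_CHANNELS:
            if self.space is Space.PERSONAL and not self.policy.personal_traffic_on_work_connectivity:
                raise DlpViolation(f"personal app {self.name} may not use work channel {channel}")
            return True
        if channel in LEAK_CHANNELS:
            if self.space is Space.WORK:
                raise DlpViolation(f"work data cannot exit through data leak channel {channel}")
            return True
        raise ValueError(f"unknown channel {channel}")


def attempt(action, *args):
    """Run an action and report whether the DLP layer permitted it (True) or blocked it (False)."""
    try:
        action(*args)
        return True
    except DlpViolation:
        return False


if __name__ == "__main__":
    policy = ItPolicy()
    forecast = tag("q3-forecast.xlsx", "revenue figures", "activesync")  # constructed sample
    work_dtg = AppInstance("Documents To Go", Space.WORK, policy)
    personal_dtg = AppInstance("Documents To Go", Space.PERSONAL, policy)
    print("work instance reads work file:", attempt(work_dtg.read, forecast))
    print("personal instance reads work file:", attempt(personal_dtg.read, forecast))
    print("work file over USB:", attempt(work_dtg.send, forecast, "usb"))
```

The policy object is shared by reference between app instances, so flipping a switch on it models an IT policy push from BES10 taking effect on every app at once.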
Double duty: How Balance handles crossover apps

[Diagram: how apps map onto the Work Space and Personal Space. WORK APPS: BlackBerry World for Work, Enterprise App 1 to Enterprise App 5. UNIFIED APPS: Hub, Calendar, Contacts, Remember, Universal Search. PERSONAL APPS: BlackBerry World, Social Media Apps, BBM, BBM Video Chat, Camera. DUAL APPS, shown once on each side: File Manager, Documents To Go, Browser, Music, Video and Pictures. Also shown: Phone, Mobile Voice System, Other IM and P2P, Others, Compass, Calculator, Android Runtime.]

Some apps serve both purposes. Balance has the answer.

Work applications

Work apps are isolated to the Work Space only. BlackBerry World for Work operates in the Work Space, where users can see a list of applications that are approved by the enterprise, and can download them within the Work Space.

Unified applications

Native apps provide unified views into both Work and Personal Space content. This creates the unified user experience. For example, the calendar application will show content from both spaces (such as a work meeting and a dentist appointment), but the content is still segregated on the device, with built-in data leak protection (DLP).

Dual applications

Some apps operate in both the Work and Personal Spaces (Documents To Go, for example). These dual-purpose apps run as simultaneous instances, segregated by the BlackBerry 10 platform. They are isolated, independent, and unaware of one another, so there's no mixing of data between the two.

Personal applications

Personal apps do not have access to work content, except under highly controlled situations. For example, some enterprises may allow personal applications like the phone, SMS or BBM to access work contacts. IT can lock out that access at a server level if appropriate. Any additional apps that a user installs are downloaded from the public BlackBerry World, and the user has full control over the applications that are installed into their Personal Space.
Protecting data in motion

The personal and work sides of the device actually operate separate routing tables, so we can segregate the data in transit, as well as data at rest.

[Diagram: data-in-motion architecture. Inside the enterprise, the administrator's computer, BES10 and its databases, and additional third-party apps* sit behind the internal firewall; BES10 connects out through a TCP proxy and the enterprise firewall to the BlackBerry Infrastructure, APNs and the wireless network, reaching BlackBerry devices as well as iOS and Android devices.]

* including certificate authority, mail server, other web servers or content servers

The proven BlackBerry security model, which now extends to multiple platforms, seamlessly enables secure access to systems behind the firewall and protects work data in transit. Simple and cost-effective setup and ongoing administration is supported by the VPN-less, single outbound port 3101 connectivity model BlackBerry is renowned for, including certified end-to-end encryption. So there's no need for third-party connectivity or security solutions.

Outside of the enterprise, any connection to BlackBerry Enterprise Service 10 via the BlackBerry Infrastructure over Wi-Fi or cellular uses AES-256, which also protects the connection to Microsoft Exchange and any other enterprise content servers. The infrastructure-to-device leg has an additional layer of Transport Layer Security (TLS) to authenticate the infrastructure. Outside of the enterprise, the BlackBerry Infrastructure can be bypassed by connecting directly to BlackBerry Enterprise Service 10 by VPN, over Wi-Fi or cellular. The device VPN supports IPsec and SSL. Inside the enterprise, the device connects directly to BlackBerry Enterprise Service 10 and the LAN over corporate Wi-Fi.

Note: For all of these options, Wi-Fi security is the industry standard. For additional security, end-to-end SSL is supported between BlackBerry 10 devices and the content servers. The user's Personal Space and personal apps can directly connect to Wi-Fi and cellular, also supporting SSL if you so choose. Users can also connect to their own private network VPN.
As mentioned above, there's also the option to allow Personal Space traffic to use work connectivity options (and this can be easily disabled by IT policy).
Policies and controls: Enterprise Mobility Management (EMM)

The innovative BlackBerry 10 container-managed security design greatly simplifies the setup and management of IT controls. This serves to reduce the number of IT settings and controls required, without compromising on the benefit those controls provided in previous BlackBerry Enterprise Server environments. Below, find out more about the 3 levels of EMM control available with BlackBerry 10.

[Table: level of EMM policy.
Level 1: Open policy, low management needs
Level 2: Managed devices for some end-users and open for others
Level 3: Regular mobile policy for everyone
Level 4: Segmented mobile policy
Level 5: Mix of lockdown and managed devices
Level 6: 100% lockdown
Basic Mobility Management (ActiveSync only) covers SOHO and small to medium businesses with no company policy; Silver level EMM and Gold level EMM cover the higher levels. Example organizations named across the levels: small and medium size businesses; media and other non-security-sensitive industries; large and medium enterprises with security sensitivity; large enterprises with multiple different levels of device management and security; legal and professional services, oil and gas, financial services; large enterprises with high security; government and central agencies; regulated industries.]

Enterprise Mobility Management

BlackBerry 10 with BlackBerry Enterprise Service 10 supports the entire spectrum and mix of enterprise mobility management needs, from basic BYOD to high security. BlackBerry 10 support for the ActiveSync protocol will meet the needs of companies that take a relaxed approach to device management and security, allowing them to synchronize with their email platform and enabling basic device management. Moving up a level, we have the Silver level EMM [1] option, which is part of BlackBerry Enterprise Service 10. This is for enterprises that are more sensitive to the need to secure their corporate data and require greater security/device management capabilities.
Highly regulated, government organizations and those businesses that take security very seriously require more stringent control over devices, and will need to enforce strict security policies. For these organizations, we offer Gold level EMM [2], which is also administered through BlackBerry Enterprise Service 10. This option gives you a whole host of policies to control virtually everything about the device. And now, if you need or want the flexibility to allow corporate-provided BlackBerry 10 devices to be deployed with both a Work Space and Personal Space, you have the flexibility to do so, and the administrator controls to span both spaces with Gold level EMM.
What's included with BlackBerry Enterprise Service 10 and Silver level EMM licenses

- A single intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities
- Full Mobile Device Management (MDM) for BlackBerry 10 smartphones, iOS and Android devices
- BlackBerry Balance technology, providing a secure Work Space and Personal Space on BlackBerry 10 devices
- BlackBerry World for Work: a fully integrated corporate app storefront
- Ability to manage instances of BlackBerry Enterprise Server 5.0.3 and above through the BlackBerry Enterprise Service 10 management console
Ready to try BlackBerry Enterprise Service 10?

Run a free trial for 60 days with no impact on your existing setup. [3] Head to blackberry.com/business

EZ Pass: Free perpetual BES10 licenses for all existing BlackBerry and other MDM licenses. Limited time offer. [4] Learn more at blackberry.com/ezpass

[1] Silver level EMM provides the management and control feature set for BlackBerry 10, iOS and Android devices previously known as EMM Corporate.
[2] Gold level EMM provides the management and control feature set for BlackBerry 10 devices previously known as EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android. Gold level EMM is available with BES10 v10.1 and later.
[3] 60-day Free Trial Offer: Limited time offer; subject to change. Limit 1 per customer. Trial starts upon activation and is limited to 50 Silver licenses for devices and 50 Gold licenses with Secure Work Space for iOS and Android. Following the trial, the customer must purchase service to continue use of the product. Not available in all countries. A trial system can be upgraded to a production system at any time by adding a production key purchased or acquired from an authorized reseller. When a system is upgraded to production, the trial licenses will no longer be available.
[4] Between now and January 31, 2015. Additional Terms and Conditions will apply.

Screen images simulated. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure. © 2014 BlackBerry. All rights reserved. BlackBerry, BBM and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world.