PROTECTION FOR EVERY ENTERPRISE: How BlackBerry Security Works (Whitepaper)
Why Mobile Security Matters More than Ever

The BYOD trend has re-shaped enterprise mobility. While its pros and cons are debated endlessly in the media, there's no denying that consumerization brings the commingling of personal and work use cases, and pure consumer devices offer no integrated protection against sensitive enterprise data leaking through personal channels. As enterprises mobilize business processes, more and more sensitive data passes through and resides on mobile devices. Meanwhile, risk-inherent personal use cases continue to grow, spanning:
- Social networking
- Personal email
- Untrusted personal apps
- Web browsing
- Instant messaging, SMS/MMS and other P2P messaging
- microSD storage
- USB connectivity
How Balance Works

By now, enterprises are well aware that they need a robust security strategy and mobility platform to protect their data, their business and their users. In the past, if you wanted better mobile security, you had to sacrifice the user experience, and vice versa. That paradigm came to an end with BlackBerry Balance. To address these issues comprehensively, the platform was built from the ground up to deliver a first-rate user experience while meeting the complex and ever-shifting demands of enterprise security. In this document, we'll take a close look at the following features:
- BlackBerry Balance (platform-level separation of work and personal)
- BlackBerry World for Work (a corporate application storefront)
- Secure connectivity
- BlackBerry 10 authentication
- The BlackBerry 10 operating system
- Enterprise Mobility Management; IT rules and policy sets

Balance maximizes employee productivity and user satisfaction with a seamless, elegant and intuitive user interface, and it controls security risks through:
- Complete protection for all data leak channels and mechanisms
- A tamper-resistant architecture that protects against abuse and attack

All of these features and functions are controlled and enabled through the BES12 platform, which IT administrators can use to manage not only BlackBerry 10 devices but also iOS, Android and Windows Phone, for true multi-platform mobility management on a single, unified console.
Balance partitions work data from personal data using two completely separate file systems. The architecture diagram (Innovative Device Data Leak Prevention) has three columns. On the left are the enterprise work data sources (BES12, content servers, web servers, Microsoft ActiveSync), which reach the Work Space over MDS/BES, enterprise Wi-Fi, enterprise VPN and intranet browsing; the Work Space holds email, PIM and work apps on the AES-256-encrypted work file system. In the centre is the BlackBerry 10 user interface, with unified apps (BlackBerry only) and unified app controls. On the right is the Personal Space: personal apps and third-party apps on the personal file system, and the personal data leak channels (personal apps, social networking, email and webmail, web browsing, instant messaging and other P2P, SMS/MMS, USB and microSD, other data channels). Data identification and tagging feed the data leak controls, which mark data access/transfer, file transfer, cut and paste and other cross-boundary operations as not permitted.

Work Space (Left)
Work applications reside within the work file system. Work applications and work data are always protected by the work file system with AES-256 encryption. Only applications that reside in the work file system are able to connect through work communication channels, including BES12, enterprise Wi-Fi, enterprise VPN and intranet browsing. If you want to allow Personal Space traffic to use work connectivity options, you have that option. The appropriate communication channels are automatically provisioned to protect your sensitive enterprise data.

User Interface (Center)
The key to Balance is its interface. Data originating from an enterprise resource is automatically identified as work data, and any other data is automatically identified as personal. Work data can't be copied or cut/pasted into a personal data channel, and files can't be moved from one file system to the other. The user interface allows some work and personal content to be displayed together for an ideal user experience, as in the case of the BlackBerry Hub; however, an abstraction layer prevents any data leakage between the Work Space and the Personal Space.
The Work Space and Personal Space have separate wallpapers, so users always know at a glance which space they're in.

Personal Space (Right)
Personal applications reside within the personal file system. These include personal apps such as BBM and third-party apps for email, gaming and social networking (available in BlackBerry 10 v10.3 through both BlackBerry World and the Amazon Appstore). Applications that reside on the personal file system have access only to the personal communication channels listed on the right-hand side of the diagram, often referred to as data leak channels. Again, you have the option to enable personal apps to use work connection options if you need or want to.
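The separation described above amounts to a small reference monitor: every piece of data is tagged with the space it originated in, and every copy, paste, file move or network connection is checked against that tag before it happens. The Go program below is an added example, not BlackBerry's code or any published Balance API; it models the rules the page states (work data never enters a personal channel, files never cross file systems, personal apps use work connectivity only when IT enables it) and fills two gaps the page leaves open, marked as assumptions in the comments: personal data is allowed into work channels, and a work app is refused personal channels. The type and function names (Space, Policy, Tag, Transfer, Connect) and the sample data are constructed for this example.

```go
package main

import "fmt"

// Space identifies which of Balance's two file systems an app, a piece of
// data or a communication channel belongs to.
type Space int

const (
	Personal Space = iota
	Work
)

func (s Space) String() string {
	if s == Work {
		return "work"
	}
	return "personal"
}

// Policy carries the one IT-controlled switch the page describes: whether
// Personal Space traffic may use work connectivity. Everything else below is
// fixed by the architecture.
type Policy struct {
	PersonalMayUseWorkConnectivity bool
}

// App is a binary installed in one of the two file systems.
type App struct {
	Name  string
	Space Space
}

// Data is tagged once, at creation, with the space it originated in.
type Data struct {
	Label  string
	Origin Space
}

// Channel is anywhere data can flow: a network path (BES12, enterprise VPN,
// personal Wi-Fi), a leak channel (SMS, USB, microSD) or one of the two file
// systems. (Assumed model; the page only names the channels.)
type Channel struct {
	Name         string
	Space        Space
	Connectivity bool // network transport, as opposed to a data channel
	FileSystem   bool // the channel is a file system, so the operation is a file move
}

// Decision is the monitor's answer plus the rule that produced it.
type Decision struct {
	Allowed bool
	Reason  string
}

func deny(f string, a ...any) Decision  { return Decision{false, fmt.Sprintf(f, a...)} }
func allow(f string, a ...any) Decision { return Decision{true, fmt.Sprintf(f, a...)} }

// Tag is the "data identification and tagging" step: whatever arrives over a
// work channel (an enterprise resource) is work data, everything else is personal.
func Tag(label string, from Channel) Data {
	return Data{Label: label, Origin: from.Space}
}

// Transfer decides whether data may be copied, pasted, saved or sent to dst.
// Work data never enters a personal channel (no write-down), and files never
// cross between the two file systems in either direction. Personal data
// entering a work channel is allowed here: the page forbids only the
// work-to-personal direction, so this is an assumption of the model.
func Transfer(d Data, dst Channel) Decision {
	switch {
	case dst.FileSystem && dst.Space != d.Origin:
		return deny("file move of %q from the %s to the %s file system is not permitted", d.Label, d.Origin, dst.Space)
	case d.Origin == Work && dst.Space == Personal:
		return deny("work data %q may not enter personal channel %q", d.Label, dst.Name)
	default:
		return allow("%s data %q -> %s channel %q", d.Origin, d.Label, dst.Space, dst.Name)
	}
}

// Connect decides whether an app may open a channel. Work-file-system apps
// reach work channels; personal apps reach personal channels, plus work
// connectivity when IT enables it. A work app asking for a personal channel is
// refused (assumption: the page says only that work apps use the work channels).
func Connect(p Policy, a App, ch Channel) Decision {
	switch {
	case a.Space == ch.Space:
		return allow("%s app %q uses %s channel %q", a.Space, a.Name, ch.Space, ch.Name)
	case a.Space == Personal && ch.Connectivity && p.PersonalMayUseWorkConnectivity:
		return allow("personal app %q uses work connectivity %q (enabled by IT policy)", a.Name, ch.Name)
	case a.Space == Personal:
		return deny("personal app %q may not use work channel %q", a.Name, ch.Name)
	default:
		return deny("work app %q is confined to work channels; %q refused", a.Name, ch.Name)
	}
}

func main() {
	// Constructed scenario: a work attachment, a personal photo, one personal app, three channels.
	bes := Channel{Name: "BES12", Space: Work, Connectivity: true}
	wifi := Channel{Name: "home Wi-Fi", Space: Personal, Connectivity: true}
	sms := Channel{Name: "SMS", Space: Personal}
	forecast := Tag("Q3-forecast.xlsx", bes) // tagged work
	photo := Tag("beach.jpg", wifi)          // tagged personal
	for _, d := range []Decision{
		Transfer(forecast, sms),
		Transfer(photo, bes),
		Connect(Policy{}, App{"Browser", Personal}, bes),
		Connect(Policy{PersonalMayUseWorkConnectivity: true}, App{"Browser", Personal}, bes),
	} {
		fmt.Printf("%-5v %s\n", d.Allowed, d.Reason)
	}
}
```

The monitor is a two-level information-flow lattice (work above personal) with a single downgrade exception controlled by policy; the point of returning a Reason with every Decision is that the denial text is what an audit log or the user prompt would carry, so the rule that fired is always visible.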
Containerization for iOS and Android: Secure Work Space

Balance is an industry-leading solution for the separation of work and personal on BlackBerry 10 devices. But in a multi-platform environment, you need to address the same issues on a range of devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option that delivers a higher level of control and security to iOS and Android devices, all managed through the single BES12 administration console. Managed applications are secured and separated from personal apps and data, and users can access an integrated app for email, calendar and contacts, an enterprise-level secure browser, plus secure attachment viewing and editing with Documents To Go. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space.

Your Corporate App Storefront: BlackBerry World for Work

BlackBerry World for Work provides a simple, manageable and scalable tool for the secure deployment of enterprise applications. It installs applications into the Work Space on your users' BlackBerry 10 devices, and these applications are secure by default: from there, Balance protects against any data leakage or malicious attempts to access enterprise data. BlackBerry World for Work gives you two options for deploying your enterprise applications: mandatory pushes or optional downloads.

Mandatory Pushes: You can set these up through the intuitive BlackBerry 10 admin console. These enterprise apps are automatically delivered and updated; users don't need to do a thing.

Optional Downloads: Populate your enterprise catalogue with helpful, trusted applications that your employees can download at their discretion. You can even whitelist applications from the publicly accessible BlackBerry World in your private BlackBerry World for Work storefront.
BES12: Architecture

The architecture diagram shows the administrator's computer and the BES12 server with its databases inside the enterprise, behind an internal firewall and a TCP proxy firewall, alongside additional third-party systems*. From there, traffic passes through a router to the BlackBerry Infrastructure and the wireless network to reach BlackBerry 10 devices; a second path, via APNs and the wireless network, reaches iOS, Android and Windows Phone 8 devices.

The Gold Standard in Secure Connectivity

BlackBerry has, for many years, been held up as the gold standard in secure connectivity. That doesn't change with BlackBerry 10. Seamlessly enabling secure access to systems behind the firewall, as well as protecting work data in transit, is assured by the proven BlackBerry security model, which extends to cover multiple platforms. Simple and cost-effective setup and ongoing administration are supported by the VPN-less connectivity model, which needs only a single outbound port (TCP 3101) from BES12 to the BlackBerry Infrastructure. BlackBerry is renowned for including certified end-to-end encryption, so there's no need for third-party connectivity or security solutions.

Outside the enterprise, any connection to BES12 via the BlackBerry Infrastructure over Wi-Fi or cellular uses AES-256, which also protects the connection to Microsoft Exchange and any other enterprise content servers. The infrastructure-to-device leg has an additional layer of Transport Layer Security (TLS) to authenticate the infrastructure. Outside the enterprise, the BlackBerry Infrastructure can also be bypassed by connecting directly to BES12 by VPN, over Wi-Fi or cellular; the device VPN supports IPsec and SSL. Inside the enterprise, the device connects directly to BES12 and the LAN over corporate Wi-Fi. Note: for all of these options, Wi-Fi security is the industry-standard Wi-Fi security noted in the diagram legend. For additional security, end-to-end SSL is supported between BlackBerry 10 devices and the content servers. The user's Personal Space and personal apps can connect directly to Wi-Fi and cellular, also supporting SSL if you so choose, and users can connect to their own private network VPN. As mentioned above, there's also the option to allow Personal Space traffic to use work connectivity options (and this can be easily disabled by IT policy).
* Including a certificate authority, mail server, other web servers or content servers.
Authentication: Flexible Options for Passwords and Certificates

BlackBerry 10 supports two options for authentication: passwords and certificates. Passwords are generally used for device authentication. Flexible and granular password policies can be enforced on:
- The Work Space: the administrator can require a user password for access to the Work Space.
- The entire device: the administrator can also demand a password for access to the entire BlackBerry 10 device (a must-have for many high-security and regulated environments).

BlackBerry 10 also supports certificate enrollment and automatic renewal using the industry-standard Simple Certificate Enrollment Protocol (SCEP), which provides easy, scalable certificate enrollment and renewal. Certificate authentication is generally used for Wi-Fi, VPN or intranet access. All certificates are encrypted and protected within the BlackBerry 10 key store.

Why the BlackBerry 10 Operating System is Most Secure

The operating system is arguably the most important component of mobile device security, but it's often overlooked. Unlike security tools, controls and features or corporate sandboxes, the security of the OS is generally more opaque to the observer. Operating system source code is typically not shared, and even if it is, it's hard to assess the security of millions of lines of code. First and foremost, BlackBerry 10 is based on the QNX Neutrino microkernel. So what does this mean for you? It means your enterprise gains several security benefits.

The Security Benefits of the QNX Microkernel
- It contains less code (about 150,000 lines): this small footprint helps eliminate vulnerabilities by making security verification and testing easier and more robust.
- It's designed for resiliency: the microkernel isolates processes in user space. Unresponsive processes are restarted without affecting others, so applications don't crash the OS.
- It minimizes root processes: only the most essential processes run as root, and root processes are not available to non-BlackBerry parties, which makes the OS less vulnerable to security risks.

The QNX microkernel diagram (user applications, HMI, input driver, graphics driver, file system and network services shown as separate user-space processes around the QNX Neutrino microkernel) illustrates how user processes cannot directly access other processes.

Contained and Constrained: Application and Malware Controls

The best way to protect your enterprise from mobile malware is to use an operating system that's designed to resist it. BlackBerry 10 uses a contain-and-constrain design strategy to mitigate malware risks. By sandboxing user space, BlackBerry 10 can block malicious behaviour:
- Processes are constrained within user space, and the microkernel carefully supervises inter-process communication.
- Memory accessed by user space is also authorized by the microkernel. Any process that attempts to address unauthorized memory is automatically restarted or shut down.

Personal Application Controls

Access to Personal Space resources is limited and operates on an app-by-app, need-to-have basis. The user gets the right information at the right time to make an informed decision about what permissions to grant.
The following diagram illustrates the device boot process and the chain of trust. The secure boot process is centred on authentication at each stage, to help guard against persistent OS attacks and rootkits. Reading the diagram from the bottom up:
- The CPU's embedded Boot ROM holds a public EC521 key (an elliptic-curve signature key on the 521-bit NIST P-521 curve) and performs OS signature verification: it checks the BlackBerry 10 OS's digital signature with that public key before handing over control.
- The BlackBerry 10 OS carries a SHA-256 digest of the read-only base file system, signed with EC521, and verifies that the SHA-256 hash matches the loaded image.
- The base file system holds an XML manifest of the loaded applications, itself cryptographically hashed, and verifies each application's hash (Application 1 through Application 4 in the diagram) before the application is loaded.
- Software upgrades and application downloads from BlackBerry World are verified with ECC-signed SHA-2 hashes.
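To make the chain concrete, here is an added example in Go that is not BlackBerry's code and does not reproduce the real Boot ROM, image format or XML manifest. It simulates the three links the diagram shows with standard-library primitives: a Boot ROM that holds only a P-521 public key and verifies an ECDSA signature (the page's "EC521") over the SHA-256 digest of the base file system; a base file system whose digest covers both the OS bytes and a manifest of application hashes; and an application loader that refuses any image whose SHA-256 does not match the manifest. The names (BaseFS, BootROM, Boot) and the sample kernel and application images are constructed for the example; the manifest is a sorted map rather than XML, and the vendor key is generated on the spot rather than held offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Digest is a SHA-256 hash, the page's "SHA256 of Base File System".
type Digest = [sha256.Size]byte

// BaseFS models the read-only base file system: OS components plus the
// manifest of applications it may load (name -> expected SHA-256).
type BaseFS struct {
	Kernel   []byte
	Manifest map[string]Digest
}

// Digest hashes the file system canonically (kernel bytes, then manifest
// entries in sorted order) so one signature covers the OS and the app list.
func (fs BaseFS) Digest() Digest {
	h := sha256.New()
	h.Write(fs.Kernel)
	names := make([]string, 0, len(fs.Manifest))
	for n := range fs.Manifest {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		d := fs.Manifest[n]
		h.Write([]byte(n))
		h.Write(d[:])
	}
	var out Digest
	copy(out[:], h.Sum(nil))
	return out
}

// BuildBaseFS is the vendor's build step: hash every application image into
// the manifest and return the file system that will be signed.
func BuildBaseFS(kernel []byte, apps map[string][]byte) BaseFS {
	m := make(map[string]Digest, len(apps))
	for name, img := range apps {
		m[name] = sha256.Sum256(img)
	}
	return BaseFS{Kernel: kernel, Manifest: m}
}

// SignBaseFS produces the EC521 signature (ECDSA over NIST P-521) that the
// Boot ROM will check. The private key stays with the vendor.
func SignBaseFS(priv *ecdsa.PrivateKey, fs BaseFS) ([]byte, error) {
	d := fs.Digest()
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// BootROM is the immutable root of trust: it holds only the public key.
type BootROM struct {
	Pub *ecdsa.PublicKey
}

// VerifyOS is the first link: refuse to boot unless the signature over the
// digest of what is actually in flash verifies under the embedded key.
func (rom BootROM) VerifyOS(fs BaseFS, sig []byte) error {
	d := fs.Digest()
	if !ecdsa.VerifyASN1(rom.Pub, d[:], sig) {
		return errors.New("boot ROM: OS signature verification failed; refusing to boot")
	}
	return nil
}

// LoadApp is the last link: the already-verified base file system checks an
// application image against the manifest before it may run.
func (fs BaseFS) LoadApp(name string, image []byte) error {
	want, ok := fs.Manifest[name]
	if !ok {
		return fmt.Errorf("%s: not in manifest", name)
	}
	if sha256.Sum256(image) != want {
		return fmt.Errorf("%s: SHA-256 mismatch, image tampered or corrupt", name)
	}
	return nil
}

// Boot runs the whole chain. A bad OS signature stops everything; a bad
// application only refuses that application and the rest still load.
func Boot(rom BootROM, fs BaseFS, sig []byte, apps map[string][]byte) (loaded []string, refused []error, err error) {
	if e := rom.VerifyOS(fs, sig); e != nil {
		return nil, nil, e
	}
	names := make([]string, 0, len(apps))
	for n := range apps {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if e := fs.LoadApp(n, apps[n]); e != nil {
			refused = append(refused, e)
			continue
		}
		loaded = append(loaded, n)
	}
	return loaded, refused, nil
}

func main() {
	// Constructed sample: a vendor key, a kernel and two application images.
	priv, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	apps := map[string][]byte{"hub": []byte("hub v1"), "browser": []byte("browser v1")}
	fs := BuildBaseFS([]byte("qnx kernel image"), apps)
	sig, _ := SignBaseFS(priv, fs)
	rom := BootROM{Pub: &priv.PublicKey}

	apps["browser"] = []byte("browser v1 + trojan") // tamper with one app after signing
	loaded, refused, err := Boot(rom, fs, sig, apps)
	fmt.Println(loaded, refused, err)
}
```

Two design points carry over to real secure boot: the Boot ROM never needs the private key, so compromising a device yields nothing that lets an attacker sign a new OS; and because the manifest is inside the signed digest, swapping an application's expected hash would invalidate the OS signature, so an attacker cannot simply edit the manifest to admit a modified binary.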
Below are a few examples of the security mechanisms integrated into the BlackBerry 10 operating system to protect against attacks and arbitrary code execution.

Protection mechanism: Description
- Non-executable stack and heap: Stack and heap areas of memory cannot execute machine code, so shellcode written there by a buffer overflow cannot run.
- Stack cookies: A canary value placed on the stack detects buffer overflows before a corrupted return address can redirect execution to arbitrary code.
- Robust heap implementations: A form of protection against heap memory corruption that can lead to arbitrary code execution.
- Address space layout randomization (ASLR): Random placement of a process's address space makes arbitrary code execution more difficult, because an attacker cannot predict where code and data reside.
- Compiler-level source fortification: A compiler option replaces insecure code constructs with checked equivalents where possible.
- Guard pages: A form of protection against heap buffer overflow and arbitrary code execution.

S/MIME Support

A quick but important point. S/MIME is the most common standard for sender/receiver email encryption. It's a great solution for strong security on email communications outside the enterprise. If your enterprise requires it, you'll be happy to know that BlackBerry 10 supports S/MIME encrypted and signed emails out of the box.

IT Rules and Policy Sets

As with BlackBerry 7 OS and earlier, BlackBerry 10 allows you to use IT policies to control and manage devices in your organization's environment. And while BlackBerry 10 can enable the various policies required by regulated and high-security organizations, there's no need for hundreds of granular IT controls to plug data leaks: your enterprise has automatic protection with Balance.
Enterprise Mobility Management

BlackBerry 10 with BES12 supports the entire spectrum and mix of enterprise mobility management needs, from basic BYOD to high security. BlackBerry 10 support for the ActiveSync protocol will meet the needs of companies that take a relaxed approach to device management and security, allowing them to synchronize with their email platform and enabling basic device management. Moving up a level, Silver level EMM, part of BES12, is for enterprises that are more sensitive to the need to secure their corporate data and require greater security and device management capabilities. Highly regulated organizations, government organizations and businesses that take security very seriously require more stringent control over devices and will need to enforce strict security policies. For these organizations, we offer Gold level EMM, also administered through BES12, which gives you a whole host of policies to control virtually everything about the device. And if you need or want the flexibility to allow corporate-provided BlackBerry 10 devices to be deployed with both a Work Space and a Personal Space, Gold level EMM gives you that flexibility and the administrator controls to span both spaces.
Supporting the entire spectrum and mix of EMM needs

Level of EMM policy:
- Level 1: Open policy, low management needs
- Level 2: Managed devices for some end users and open for others
- Level 3: Regular mobile policy for everyone
- Level 4: Segmented mobile policy
- Level 5: Mix of lockdown and managed devices
- Level 6: 100% lockdown

Basic Mobility Management (ActiveSync only) covers the open end of the scale (SOHO and small to medium businesses with no company policy); Silver Level EMM and Gold Level EMM cover the managed levels above it, with Gold at the high-security end. Example segments across the scale, from open to lockdown: small and medium-size businesses; media and other non-security-sensitive industries; large and medium enterprises with some security sensitivity; large enterprises with multiple different levels of device management and security; legal and professional services, oil and gas, financial services; large enterprises with high security; government and central agencies; regulated industries.
To find out more and to sign up for a free BES12 trial (1), head to blackberry.com/enterprise

(1) 60-day Free Trial Offer: Limited-time offer; subject to change. Limit 1 per customer. Trial starts upon activation and is limited to 50 Gold subscriptions and 50 Secure Work Space for iOS and Android subscriptions. Following the trial, the customer must purchase subscriptions to continue use of the product. Not available in all countries. Subscriptions can be purchased direct or from authorized resellers. When a system is upgraded to production, the trial subscriptions will no longer be available. This offer is void where prohibited and is subject to modification, extension or early termination at BlackBerry's sole discretion.

iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure. © 2014 BlackBerry. All rights reserved. BlackBerry, BBM and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners.