PROTECTION FOR EVERY ENTERPRISE. How BlackBerry Security Works. Whitepaper


Why Mobile Security Matters More than Ever

The BYOD trend has re-shaped enterprise mobility. While its pros and cons are debated endlessly in the media, there's no denying the fact that with consumerization comes the commingling of personal and work use cases, and pure consumer devices offer no integrated protection against sensitive enterprise data leaking through personal channels. As enterprises mobilize business processes, more and more sensitive data passes through and resides on mobile devices. Meanwhile, risk-inherent personal use cases continue to grow, spanning:

- Social networking
- Personal email
- Untrusted personal apps
- Web browsing
- Instant messaging, SMS/MMS and other P2P messaging
- MicroSD storage
- USB connectivity

How BlackBerry Balance Works

By now, enterprises are well aware that they need a robust security strategy and mobility platform to protect their data, their business and their users. In the past, if you wanted better mobile security, you had to sacrifice the user experience, and vice versa. This paradigm came to an end with BlackBerry Balance. To address these issues comprehensively, the BlackBerry platform was built from the ground up to deliver a first-rate user experience while meeting the complex and ever-shifting demands of enterprise security. In this document, we'll take a close look at the following features:

- BlackBerry Balance (for platform-level separation of work and personal)
- BlackBerry World for Work (a corporate application storefront)
- Secure connectivity
- BlackBerry 10 authentication
- The BlackBerry 10 operating system
- Enterprise Mobility Management; IT rules and policy sets

BlackBerry Balance maximizes employee productivity and user satisfaction with a seamless, elegant and intuitive user interface. And it controls security risks through:

- Complete protection for all data leak channels and mechanisms
- A tamper-resistant architecture that protects against abuse and attack

All of these features and functions are controlled and enabled through the BES12 platform, which IT administrators can use to manage not only BlackBerry 10 devices but also iOS, Android and Windows Phone devices, for true multi-platform mobility management on a single, unified console.

BlackBerry Balance partitions work data from personal data using two completely separate file systems. To better understand the architecture behind BlackBerry Balance, take a look at the diagram below.

[Diagram: Innovative Device Data Leak Prevention. Left, enterprise work data sources (BES12, content servers, web servers, Microsoft ActiveSync) reached over MDS, BES, enterprise Wi-Fi, enterprise VPN and intranet browsing, feeding the Work Space (email, PIM, work apps) on the work file system (AES-256 encryption). Center, the BlackBerry 10 user interface with unified apps (BlackBerry only) and unified app controls, data identification and tagging, and data leak controls (data access/transfer, file transfer, cut and paste, other) marked "not permitted" between the two spaces. Right, the Personal Space (apps, third-party apps) on the personal file system and its personal data leak channels: personal apps, social networking, email and webmail, web browsing, instant messaging and other P2P, SMS/MMS, USB and MicroSD, other data channels.]

Work Space (left)

Work applications reside within the work file system. Work applications and work data are always protected by the work file system with AES-256 encryption. Only applications that reside in the work file system are able to connect through work communication channels, including BES12, enterprise Wi-Fi, enterprise VPN and intranet browsing. If you want to allow Personal Space traffic to use work connectivity options, you have that option. The appropriate communication channels are automatically provisioned to protect your sensitive enterprise data.

User Interface (center)

The key to BlackBerry Balance is its interface. Data originating from an enterprise resource is automatically identified as work data, and any other data is automatically identified as personal. Work data can't be copied or cut/pasted into a personal data channel, and files can't be moved from one file system to the other. The user interface allows some work and personal content to be displayed together for an ideal user experience, as in the case of the BlackBerry Hub; however, an abstraction layer prevents any data leakage between the Work Space and the Personal Space. The Work Space and Personal Space have separate wallpapers, so users always know at a glance which space they're in.

Personal Space (right)

Personal applications reside within the personal file system. Personal applications include BlackBerry personal apps such as BBM and third-party personal apps for things like email, gaming and social networking (accessible in BlackBerry 10 v10.3 through both BlackBerry World and the Amazon Appstore). Applications that reside on the personal file system have access only to personal communication channels (listed on the right-hand side of the diagram), often referred to as data leak channels. Again, you have the option to enable personal apps to use work connection options if you need or want to.

Containerization for iOS and Android: Secure Work Space

BlackBerry Balance is an industry-leading solution for the separation of work and personal on BlackBerry 10 devices. But in a multi-platform environment, you need to address the same issues on a range of devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option that delivers a higher level of control and security to iOS and Android devices, all managed through the single BES12 administration console. Managed applications are secured and separated from personal apps and data, and users can access an integrated app for email, calendar and contacts, an enterprise-level secure browser, plus secure attachment viewing and editing with Documents To Go. User authentication is required to access secure apps, and work data cannot be shared outside the Secure Work Space.

Your Corporate App Storefront: BlackBerry World for Work

BlackBerry World for Work provides a simple, manageable and scalable tool for the secure deployment of enterprise applications. It installs applications into the Work Space on your users' BlackBerry 10 devices, and these applications are secure by default. From here, BlackBerry Balance protects against any data leakage or malicious attempts to access enterprise data. BlackBerry World for Work gives you two options when it comes to deploying your enterprise applications: mandatory pushes or optional downloads.

- Mandatory pushes: You can set these up through the intuitive BlackBerry 10 admin console. These enterprise apps are automatically delivered and updated; users don't need to do a thing.
- Optional downloads: Populate your enterprise catalogue with helpful, trusted applications that can be optionally downloaded by your employees. You can even choose to whitelist applications from the publicly accessible BlackBerry World in your private BlackBerry World for Work storefront.

BES12: Architecture

[Diagram: BES12 architecture. Inside the enterprise: the administrator's computer, BES12 and the BES12 databases behind the internal firewall, a TCP proxy, the external firewall, and additional third-party apps*. Outside the enterprise: router, BlackBerry Infrastructure, wireless network, BlackBerry devices, APNs, and iOS, Android and Windows Phone 8 devices.]

The Gold Standard in Secure Connectivity

BlackBerry has, for many years, been held up as the gold standard in secure connectivity. That doesn't change with BlackBerry 10. Seamlessly enabling secure access to systems behind the firewall, as well as protecting work data in transit, is assured by the proven BlackBerry security model, which extends to cover multiple platforms. Simple and cost-effective setup and ongoing administration is supported by the VPN-less, single outbound port 3101 connectivity model BlackBerry is renowned for, including certified end-to-end encryption. So there's no need for third-party connectivity or security solutions.

- Outside the enterprise, any connection to BES12 via the BlackBerry Infrastructure over Wi-Fi or cellular uses AES-256, which also protects the connection to Microsoft Exchange and any other enterprise content servers. The infrastructure-to-device leg has an additional layer of Transport Layer Security (TLS) to authenticate the infrastructure.
- Outside the enterprise, the BlackBerry Infrastructure can be bypassed by connecting directly to BES12 by VPN, over Wi-Fi or cellular. The device VPN supports IPsec and SSL.
- Inside the enterprise, the device connects directly to BES12 and the LAN over corporate Wi-Fi.

Note: For all of these options, Wi-Fi security is the industry-standard Wi-Fi security noted in the legend.

For additional security, end-to-end SSL is supported between BlackBerry 10 devices and the content servers. The user's Personal Space and personal apps can connect directly to Wi-Fi and cellular, also supporting SSL if you so choose. Users can also connect to their own private network VPN. As mentioned above, there's also the option to allow Personal Space traffic to use work connectivity options (and this can be easily disabled by IT policy).

* Including certificate authority, mail server, other web servers or content servers.

Authentication: Flexible Options for Passwords and Certificates

BlackBerry 10 supports two options for authentication: passwords and certificates. Passwords are generally used for device authentication. Flexible and granular password policies can be enforced on:

- The Work Space: The administrator can require a user password for access to the Work Space.
- The entire device: The administrator can also demand a password for access to the entire BlackBerry 10 device (a must-have for many high-security and regulated environments).

BlackBerry 10 also supports certificate enrollment and automatic renewal, using the industry-standard Simple Certificate Enrollment Protocol (SCEP). SCEP provides easy, scalable certificate enrollment and renewal. Certificate authentication is generally used for Wi-Fi, VPN or intranet access. All certificates are encrypted and protected within the BlackBerry 10 key store.

Why the BlackBerry 10 Operating System Is Most Secure

The operating system is arguably the most important component of mobile device security, but it's often overlooked. Unlike security tools, controls and features or corporate sandboxes, the security of the OS is generally more opaque to the observer. Operating system source code is typically not shared, and even if it is, it's hard to assess the security of millions of lines of code. First and foremost, BlackBerry 10 is based on the QNX Microkernel. So what does this mean for you? It means your enterprise gains several security benefits.

The Security Benefits of the QNX Microkernel

- It contains less code (about 150,000 lines): This small footprint helps eliminate vulnerabilities by making security verification and testing easier and more robust.
- It's designed for resiliency: The Microkernel isolates processes in the user space. Unresponsive processes are restarted without affecting others, so that applications don't crash the OS.
- It minimizes all root processes: Only the most essential processes run as root. Root processes are not available to non-BlackBerry parties, which makes the OS less vulnerable to security risks.

[Diagram: QNX Neutrino Microkernel, with the input driver, file system, graphics driver, network stack and user application/HMI each running as a separate user-space process around the microkernel.] The diagram illustrates how user processes cannot directly access other processes.

Contained and Constrained: Application and Malware Controls

The best way to protect your enterprise from mobile malware is to use an operating system that's designed to resist it. BlackBerry 10 uses a contain-and-constrain design strategy to mitigate malware risks. By sandboxing the user space, BlackBerry 10 can block malicious behavior: processes are constrained within the user space, and the Microkernel carefully supervises inter-process communication. Memory accessed by the user space is also authorized by the Microkernel. Any process that attempts to address unauthorized memory is automatically restarted or shut down.

Personal Application Controls

Access to Personal Space resources is limited and operates on an app-by-app and need-to-have basis. The user gets the right information at the right time to make an informed decision about what permissions to grant.

The following diagram illustrates the device boot process and the chain of trust. The secure process is centered on authentication to help guard against persistent OS attacks and rootkits.

[Diagram: BlackBerry 10 chain of trust. The CPU's embedded boot ROM is the root: its digital signature is verified first, and it holds the public EC521 key used to verify the OS signature. The BlackBerry 10 OS carries a SHA256 of the base file system signed with EC521, which the boot ROM verifies with that public key. The read-only base file system holds a cryptographically hashed XML manifest of loaded applications and verifies that the SHA256 hash of each loaded application image (Application 1 to Application 4) matches the manifest. Software upgrades and application downloads are all verified with ECC-signed SHA-2 hashes.]
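The chain described above, as an added example written for this page (not BlackBerry code): a boot-ROM-style verifier in Go using ECDSA over P-521 (the EC521 of the diagram) and SHA-256, where the signed digest covers the base file system and its application manifest, and each loaded application is then checked against that manifest. The vendor key, image bytes and application names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Manifest maps an application name to the SHA-256 of its loaded image.
type Manifest map[string][32]byte
// OSImage is what the boot ROM receives: the read-only base file system, the
// manifest it carries, and an ECDSA P-521 signature over the SHA-256 of both.
type OSImage struct {
	BaseFS   []byte
	Manifest Manifest
	Sig      []byte
}
// NewVendorKey makes the P-521 signing key; only its public half is in the boot ROM.
func NewVendorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
}

// signedDigest hashes the base file system and the sorted manifest entries, so the signature pins the app hashes too.
func signedDigest(baseFS []byte, m Manifest) []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	h.Write(baseFS)
	for _, n := range names {
		sum := m[n]
		h.Write(append([]byte(n), sum[:]...))
	}
	return h.Sum(nil)
}

// BuildImage plays the vendor: hash every application into the manifest, then sign.
func BuildImage(priv *ecdsa.PrivateKey, baseFS []byte, apps map[string][]byte) (OSImage, error) {
	m := Manifest{}
	for n, img := range apps {
		m[n] = sha256.Sum256(img)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(baseFS, m))
	if err != nil {
		return OSImage{}, err
	}
	return OSImage{BaseFS: baseFS, Manifest: m, Sig: sig}, nil
}

// VerifyBoot replays the chain: the boot ROM checks the OS signature, then the base file system checks each app hash.
func VerifyBoot(bootROMKey *ecdsa.PublicKey, img OSImage, apps map[string][]byte) error {
	if !ecdsa.VerifyASN1(bootROMKey, signedDigest(img.BaseFS, img.Manifest), img.Sig) {
		return fmt.Errorf("boot ROM: OS signature invalid, refusing to boot")
	}
	for n, image := range apps {
		want, ok := img.Manifest[n]
		if !ok {
			return fmt.Errorf("base fs: %q is not in the signed manifest", n)
		}
		if sha256.Sum256(image) != want {
			return fmt.Errorf("base fs: %q hash mismatch, not loaded", n)
		}
	}
	return nil
}
```

Any change to the base file system, the manifest or an application image, or a signature from a key other than the one in the boot ROM, makes VerifyBoot return an error and the boot stops.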

Below are a few examples of the security mechanisms that are integrated into the BlackBerry 10 operating system to protect against attacks and arbitrary code execution.

Protection mechanism: Description

- Non-executable stack and heap: Stack and heap areas of memory cannot execute machine code, protecting against buffer overflows.
- Stack cookies: Buffer overflow protection to prevent arbitrary code execution.
- Robust heap implementations: A form of protection against heap memory corruption that can lead to arbitrary code execution.
- Address space layout randomization (ASLR): Random allocation of a process's address space makes arbitrary code execution more difficult.
- Compiler-level source fortification: A compiler option that replaces insecure code constructs where possible.
- Guard pages: A form of protection against heap buffer overflow and arbitrary code execution.

S/MIME Support

A quick but important point. S/MIME is the most common standard for sender/receiver email encryption. It's a great solution for intense security for email communications outside of the enterprise. If your enterprise requires it, you'll be happy to know that BlackBerry 10 supports S/MIME encrypted and signed emails out of the box.

IT Rules and Policy Sets

As with BlackBerry 7 OS and earlier, BlackBerry 10 allows you to use IT policies to control and manage devices in your organization's environment. And while BlackBerry 10 can enable the various policies required by regulated and high-security organizations, there's no need for hundreds of granular IT controls to plug data leaks: your enterprise has automatic protection with BlackBerry Balance.

Enterprise Mobility Management

BlackBerry 10 with BES12 supports the entire spectrum and mix of enterprise mobility management needs, from basic BYOD to high security. BlackBerry 10 support for the ActiveSync protocol will meet the needs of companies that take a relaxed approach to device management and security, allowing them to synchronize with their email platform and enabling basic device management. Moving up a level, we have Silver level EMM, which is part of BES12. This is for enterprises that are more sensitive to the need to secure their corporate data and require greater security and device management capabilities. Highly regulated government organizations and those businesses that take security very seriously require more stringent control over devices, and will need to enforce strict security policies. For these organizations, we offer Gold level EMM, which is also administered through BES12. This option gives you a whole host of policies to control virtually everything about the device. And, if you need or want the flexibility to allow corporate-provided BlackBerry 10 devices to be deployed with both a Work Space and a Personal Space, you have the flexibility to do so, and the administrator controls to span both spaces with Gold level EMM.

Supporting the entire spectrum and mix of EMM needs

Level of EMM policy:

- Level 1: Open policy, low management needs
- Level 2: Managed devices for some end users and open for others
- Level 3: Regular mobile policy for everyone
- Level 4: Segmented mobile policy
- Level 5: Mix of lockdown and managed devices
- Level 6: 100% lockdown

The EMM tier rises with the level: Basic Mobility Management (ActiveSync only) at the low end, then Silver level EMM, then Gold level EMM at the high end.

Typical organizations, from the lowest level to the highest: SOHO and small to medium businesses with no company policy; small and medium-size businesses; media and other non-security-sensitive industries; large and medium enterprises with security sensitivity; large enterprises with multiple different levels of device management and security; legal and professional services, oil and gas, financial services; large high-security enterprises; government and central agencies; regulated industries.

To find out more and to sign up for a free BES12 trial, head to blackberry.com/enterprise (1)

(1) 60-day Free Trial Offer: Limited time offer; subject to change. Limit 1 per customer. Trial starts upon activation and is limited to 50 Gold subscriptions and 50 Secure Work Space for iOS and Android subscriptions. Following the trial, the customer must purchase subscriptions to continue use of the product. Not available in all countries. Subscriptions can be purchased direct or from authorized resellers. When a system is upgraded to production, the trial subscriptions will no longer be available. This offer is void where prohibited and is subject to modification, extension or early termination at BlackBerry's sole discretion.

iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS is used under license by Apple Inc. Apple Inc. does not sponsor, authorize or endorse this brochure. Android is a trademark of Google Inc., which does not sponsor, authorize or endorse this brochure. 2014 BlackBerry. All rights reserved. BlackBerry, BBM and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other trademarks are the property of their respective owners.