Blackberry is known for its email and security rather than a company which produces fancy mobile phones. This is one of the reasons why Blackberry is preferred as a platform when it comes to corporate users. Many organizations provide Blackberry Phones to their employees to ensure their around the clock availability and connectivity for urgent matters.

This article will look at the security of Blackberry mobile devices from an organization’s perspectives.

We will cover “Blackberry Balance Technology” and understand major features of this technology that can help organizations push corporate policies on mobile devices to protect device & corporate data.

Objective:

The objective of this article is to introduce users to the technology and touch upon the features briefly. This article is not a how-to or a hands-on guide for implementing “Blackberry Balance Technology”. For step by step instructions on how to implement, one can refer to the product manuals or contact Blackberry support.

This article explains the features of “Blackberry Balance Technology” that can be utilized to secure the data that resides on the mobile device.

Background

Mobile devices are critical as all the employees given a corporate mobile phone connects to the organization’s network, even if it only for checking emails. If the device gets compromised, it can infect the organization’s network as well.

There are multiple ways in which an organization can protect corporate mobile devices; however the focus of this article will be on “Blackberry Balance Technology“.

The core focus of this technology is at the segregation of personal and work data. This is very important for a mobile device purchased by an organization for an employee – although provided for official purposes; it can also contain personal data – e.g. pictures and videos taken by the camera, etc. If organization’s policy permits users to install third party applications like Twitter, Facebook or similar apps, these apps store local data on phone, which as well is personal data.

System Requirements:

  • For Microsoft Exchange users – One must use BlackBerry Enterprise Server for Microsoft Exchange (5.0 SP3 or later)
  • For IBM Lotus Notes/Dominos users – One must use BlackBerry Enterprise Server for IBM Lotus Domino (5.0 SP3 or later)

    OR

  • BlackBerry Enterprise Server Express (5.0 SP3 or later)
  • Over and above these, one of the following devices running BlackBerry 6 is required:
  • BlackBerry Torch 9800 Smartphone (bundle 1478 or later)
  • BlackBerry Bold 9780 Smartphone (bundle 1478 or later)
  • BlackBerry Bold 9700 Smartphone (bundle 1478 or later)
  • BlackBerry Curve 9300 Smartphone (bundle 1478 or later)
  • BlackBerry Pearl 9100 Smartphone (bundle 1478 or later)
  • BlackBerry Curve 9330 Smartphone (bundle 1830 or later)
  • BlackBerry Bold 9650 Smartphone (bundle 1830 or later)
  • BlackBerry Style 9670 Smartphone (bundle 1830 or later)

Classification of Work Data and Personal Data

Before we understand how to exactly do work and personal data segregation, we need to understand two more concepts – IT Policy & IT Policy Rules. Blackberry Enterprise server works based on IT Policy. These Policies can be used to control and manage the following:

  • Blackberry Desktop Software
  • Blackberry Devices
  • Blackberry Web Desktop Manager

IT Policy & IT Policy Rules

An IT policy consists of multiple IT Policy rules. How these rules are configured defines how above mentioned devices (including mobile devices) behave.

Now that we have an understanding of what IT Policy Rules are, we’ll understand how these rules can be helpful in achieving our objective of data segregation.

The following is a pictorial representation of how policies, rules, mobile devices, and enterprise server create an ecosystem and what comes where:


During this article we will discuss following IT Policy rules:

  • Enable Separation of Work Content IT Policy rule

    When this rule is enabled, a Blackberry device classifies the data into work and personal data. Additional rules are required to be configured, however this is the primary rule that needs to be enabled.

  • Work Domains IT Policy rule

    This rule contains a list of domain names, email addresses, etc… which a Blackberry device identifies as work data.

  • Desktop Backup IT Policy rule

    This rule specifies which mobile device database can be backed up by backed up by the Blackberry Desktop Manager

  • Is access to Corporate Data API – application control policy rule

    Blackberry mobile devices check this rule to decide which non-work related applications needs to be granted access to work data

  • Disable Forwarding of Work Content using Personal Channels IT Policy rule

    This rule controls whether a Blackberry user can forward work data via personal channels such as SMS, MMS, and BBM.

Segregation of Data

Segregation of data can be achieved using “Enable Separation of Work Content IT Policy” rule. This rule is disabled by default. Once this rule is enabled, organizations can control data transfer between work applications and personal applications and many more tasks that control work data.

The device determines whether the data is work data or personal data, based on domain information of the organization. A list of domain names, email addresses, etc… can be configured into the “Work Domains IT Policy” rule.

Once the policy is enabled:

  • Blackberry Enterprise Server will not synchronize personal data
  • Applications can determine whether they can access personal data, work data or both based on the configuration
  • Work related applications like Email applications (and similar other) can delete data from the device.

Specific rules can further be implemented for third party applications as well as to configure whether work data can be accessed by these applications. These applications can be developed by RIM or any other vendor or individual developers (e.g. game developers). Unless the policy permits, these third party applications will not be able to access work data.

Corporate Data that can be protected

The following work data can be controlled using the “Enable Separation of Work Content IT policy” rule:

  1. Work Emails and attachments
  2. Calendar entries for outlook/lotus dominos
  3. Work Email Addresses/Contacts, Tasks, Memos, etc…
  4. Files downloaded from corporate network
  5. Work Application generated files which are stored on memory cards (in case where they are used to extend device’s memory)

Once data is classified as work data, it cannot be reclassified as personal data, hence defining the policy should be done with due care.

The following are some of the examples of personal data:

  • Non-corporate Email addresses/Contacts which do not match the domain name(s) specified in the policy.
  • Phone data (call logs get deleted upon deleting work data)
  • Browser Cache, Media Files, Passwords, SMS, instant messages (unless it is a corporate chat application developed for blackberry), etc…

Actions that can be performed after Data Classification is completed

The following are some of the things that can be controlled by setting the “Enable Separation of Work Data IT policy” rule:

  • Copying and pasting of work data

    Copy pasting work data into personal applications can be allowed or restricted based on organization’s expectations.

    Applicable Rule: “Enable Separation of Work Content IT Policy rule”

  • Forwarding work data

Forwarding work data using SMS, MMS,etc… can be controlled.

Applicable Rule:“Disable Forwarding of Work Content using Personal Channels IT Policy rule”

  • Transferring of work data to personal application

    If a user tries to transfer work data to personal applications such as twitter, the same can be restricted/allowed based on the policy configurations.

    Applicable Rule: “Is Access to Corporate Data API application control Policy rule”

  • Deleting work data from the device

When an employee quits the company, in order to protect data, organizations can even wipe the work data from the mobile device. This way critical corporate data like emails, attachments, call logs, contacts, etc… can be removed permanently from the device while leaving the personal data of the employee intact.

These kinds of policies make more sense where an organization supports BYOD (Bring Your Own Device) Policy and allows an employee to configure their device to download corporate emails. The device is still the employee’s asset and hence it cannot be collected back from the employee when he quits the organization.

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

However, in such a situation, if work data can be wiped out from the device, it can help organizations in protecting their data.

This can be achieved using “Blackberry Administrative service”. Once configured, organizations can remotely wipe the data using option – “Delete only organization data”

Detailed information on configuration is out of this articles scope.

  • Control Blackberry Mobile Device’s Browser

    The internet is full of rogue sites and visiting a rogue site can lead to downloading of malicious software on user’s mobile device.

    To protect against these risks, organizations can control the Blackberry’s internal Browser and ensure that it only connects to the internet via Blackberry Enterprise Server – which is controlled by the organization.

Applicable rules: “Allow other Browser services IT Policy rule”

Additionally, the following are some more rules that can be explored. These rules can control the Blackberry browser further:

“Allow IBS Browser IT Policy rule”, “Allow Hotspot Browser IT Policy rule” and”Enable WAP Config IT Policy rule”.

  • Backing up of work data

    Organizations can even restrict users from backing up the work data if required.

    Applicable rule:“Desktop Backup IT Policy rule”

    This rule is not enabled by default, however if required, it can be configured.

Blackberry Balance Technology is very powerful and effective as itcan help organizations protect corporate data. The types of rules that are packed into the technology makes it useful for organizations to implement a Bring Your Own Device (BYOD) policy if required – that can not only improve employee satisfaction, but also saves money – as new corporate devices don’t need to be purchased if any employee already has blackberry device.

References:

http://docs.blackberry.com/en/admin/deliverables/27987/Corporate_Data_1388491_11.jsp

http://docs.blackberry.com/en/admin/deliverables/25767/Using_IT_policy_to_manage_BESolution_security_810036_11.jsp

http://docs.blackberry.com/en/admin/deliverables/45873/BlackBerry_Enterprise_Server_Express-Policy_Reference_Guide-1325787534383-5.0.4-en.pdf

http://docs.blackberry.com/en/admin/deliverables/27987/Personal_Devices_policy_group_1337524_11.jsp

http://docs.blackberry.com/en/admin/deliverables/4222/Desktop_Backup_204186_11.jsp