Nymity News

Interview with Scott Totzke

March 2008


Interviewee: Scott Totzke, Vice President, Global Security Group, Research In Motion

 


Subject:  Privacy on the BlackBerry® Enterprise Solution

 

 

Nymity: What are the typical privacy and security concerns that organizations have when it comes to deploying a wireless solution like BlackBerry?

Totzke:  Customers tend to have three areas that they are concerned with when it comes to wireless solutions. First and foremost, they need to protect the information that is sent outside of their network. Secondly, they need to manage their deployments with the ability to apply corporate and security policies on usage. Thirdly, they need to meet various regulatory and compliance requirements.

 

Keeping an organization’s information confidential is essential, so protecting data in transit has really become entrance criteria for any enterprise-level solution. The BlackBerry Enterprise Solution, for example, uses strong encryption that has been validated by various security standards bodies, such as the Federal Information Processing Standards (FIPS) program run by the National Institute of Standards and Technology (NIST) in the US, and the Communications Security Establishment (CSE) in Canada, as well as many others.

 

What we are also finding is that, as mobile devices become more powerful and can store more information on them, there is an increased focus on securing data at rest. With the BlackBerry Enterprise Solution, there is built-in functionality to encrypt all of the user data stored on BlackBerry® smartphones. Once you turn the feature on, and it is really transparent to the user, it provides strong encryption in the background.

 

Secondly, remote, centralized management is a key feature for most organizations. When you look at your BlackBerry smartphone, you really have what many would consider the first mobile personal computer – these devices are more powerful than the computer on your desk was a decade ago and they can store thousands of pieces of information, and you carry this device around with you all the time. I might leave home without my wallet but I never forget my BlackBerry. Organizations are recognizing that they need to be able to manage all aspects of these devices, from password policies to authorizing which third-party applications can run on the handset. With the BlackBerry Enterprise Server software, there are more than 400 policies that administrators can set, giving them full control of a BlackBerry smartphone. That might sound like a lot of policies, but there is no one-size-fits-all approach to security. So BlackBerry Enterprise Server provides the flexibility required to map your security policy to your BlackBerry deployment, instead of having to make compromises for the sake of mobility.

 

The last piece that has really become important is being able to provide detailed logging capabilities for compliance reasons. Many of our customers have SOX [Sarbanes-Oxley Act] compliance requirements – this applies to all U.S. public company boards, management, and public accounting firms. In healthcare, you have to have HIPAA [Health Insurance Portability and Accountability Act] compliance or some other governance which requires that things like phone calls, email and attachments, text messages and the like, be logged so that they can be audited. Access to logs at the server means that organizations can use all of the features of their BlackBerry smartphone without having to make a binary decision about whether to disable a key feature like text messaging because they can’t properly control and audit the communications path.

 

Nymity: What security options does RIM provide for enterprise deployments?

 

Totzke: As mentioned, it starts with the end-to-end encryption of the data sent between the BlackBerry Enterprise Server and a BlackBerry smartphone and builds from there. With the 400-plus IT policies on BlackBerry Enterprise Server, there are options for controlling virtually everything. Administrators can control third-party applications; you can set permissions for what an application can access on the handset, within the enterprise network. You can define complex password policies and even disable technology that might be considered a security risk for the environment. A great example of this might be the camera. If you are in a real estate organization, being able to take pictures of a property and send them to your client is essential, so cameras would be something that would most likely be allowed. If you are in a government research facility, there will be a completely different set of threats and risks – some cameras would most likely need to be disabled. Organizations can buy the same BlackBerry smartphone and configure policies to meet their very different security needs.

 

These flexible IT policies let you map your organization's security and acceptable use policies to your BlackBerry users so you can make decisions that are right for you, but there is much more included as part of the BlackBerry Enterprise Solution. The handset has a built-in firewall to prevent unauthorized connections and filter inbound traffic. S/MIME and PGP are supported for secure messaging, and smartcards can be used to provide two-factor authentication to the smartphone.

 

As you can see, there is a lot available here to really tighten the controls on the BlackBerry platform. One of our key design considerations when looking at providing a flexible approach to security has always been preserving the intuitive BlackBerry user experience. Even in an environment with very restrictive policies set, the end user won’t see much more than having to enter a more complex password.

 

Nymity: How can the enterprise protect the data stored on a BlackBerry smartphone should the device be lost or stolen?

 

Totzke:  Since smartphones are very personal in nature, they can go everywhere your users go. This means that there is a good chance that some are going to be lost, stolen or left behind. There are a number of considerations for organizations to take when planning how to deal with these types of situations.

 

The first consideration is setting a password policy and a timeout period. Administrators can set policies for 4 character passwords or 15 character passwords that have alpha, numeric and special characters. It all depends on what they feel is appropriate for their organization. Next is a policy for locking the handset after a period of inactivity. This could be one minute to one hour depending on what policy is set. Setting these two policies at least “locks the front door” by protecting a BlackBerry smartphone from unauthorized access. If someone keys the password incorrectly too many times, all of the data on the handset will be erased. If the information is extremely sensitive, then an organization can turn on content protection so that the data is stored in encrypted form. Again, this is a policy that the administrator can set.

 

The next step is allowing IT to have some remote capabilities. The BlackBerry Enterprise Server gives IT the ability to remotely lock a device in the event that it is lost or stolen and not password-protected. If needed, they can go a step further and send a command to remotely wipe the data from the smartphone. In both cases, the handset reports back to the server that the command has been processed so administrators can confirm that the action has been taken.

 

Nymity: What retention options does RIM offer for enterprise deployments?

 

Totzke:  At the core, the BlackBerry Enterprise Solution is an extension of an existing mail server, so all of the email, tasks, notes, calendaring and contact information is already retained as part of existing policies applied to the server. And since all other transactions, including activity such as peer-to-peer messages, phone calls and text messages, can be logged at the server, enterprise customers can leverage existing data retention policies to meet their needs. An important advantage for organizations using the BlackBerry platform is that even with BlackBerry smartphone users being out of the office and not connected to the corporate network, all transactions can be wirelessly logged and synchronized back to a central server for auditing purposes.

 

Nymity: Would an organization need to prepare for access requests for data contained on a former employee’s BlackBerry device?

 

Totzke:  Since the BlackBerry Enterprise Solution is tightly integrated with your existing IBM Lotus Domino, Microsoft Exchange or Novell GroupWise server, all of the email and personal information is already stored in your corporate server. With wireless logging of other transactions, the organization always has an up-to-date record of all data that can be archived and retrieved when necessary. Even if the employee wipes his device before returning it, the data will still exist on the corporate servers, so the procedures for archiving and accessing a BlackBerry smartphone user’s data are exactly the same as accessing data from any other former employee’s account.

 

 
 

 

 
