Problem solve Get help with specific problems with your technologies, process and projects.

Create a BlackBerry security policy based on BES or BES Express

Mobile security expert Lisa Phifer outlines the many ways security solution providers can secure their customers’ BlackBerry devices.

Despite competitive pressures from Apple Inc.’s iOS4 and Google Inc.’s Android, Research In Motion Ltd.’s (RIM) BlackBerry continues to be popular among security-conscious enterprises and small-to-medium businesses (SMBs).

Solution providers can tap into this interest by helping customers safeguard corporate and employee-owned BlackBerry smartphones. In this article, we’ll explore key aspects of managing and securing BlackBerry devices and non-BlackBerry smartphones using a policy that emphasizes multi-platform device management software from RIM.

BlackBerry security for enterprises
Security solution providers have long enjoyed revenue opportunities driven by RIM's success in the enterprise; most notably, value-added resale, systems integration, consulting and hosting services related to BlackBerry Enterprise Server (BES).

The BlackBerry operating system includes a robust collection of native security capabilities that employers or individuals can use to secure smartphones, including:

  • Passwords to lock phones on-demand after inactivity or when holstered, backed by policies that auto-wipe ("memory scrub") the phones after repeated password failure or low battery.
  • Content protection to encrypt data (e.g., messages, contacts, calendars, memos, tasks) with Advanced Encryption Standard (AES), preventing access by anyone without the phone's password.
  • Native transport protection that encrypts messages sent and received between a BlackBerry phone and an enterprise or carrier-operated messaging gateway.
Today a BlackBerry security policy that can be managed through BES will be far richer than policies natively supported by Android or even Apple iOS4 devices

Traditionally, enterprise administrators have provisioned BlackBerry IT and application policies on employer-issued smartphones using BES, which is a BlackBerry mobile device manager and messaging gateway commonly deployed at the corporate network edge. For example, administrators could define IT policies to require complex passwords, enable content protection, or block risky connections, using BES to maintain installed policies and remotely wipe lost BlackBerry smartphones.

Over time, RIM added new policy options to BES to facilitate employer control over employee-purchased smartphones used for business. For example, BES 5.0 added policies to disable application downloads from the BlackBerry App World or to specify permitted applications. With BlackBerry 6.0, a BlackBerry Balance package adds the ability for IT to segregate work and personal content, remotely delete work content without losing personal content, and prevent work content from being forwarded over personal channels (e.g., destinations reached through the BlackBerry Internet Service).

Today, a BlackBerry security policy that can be managed through BES will be far richer than policies natively supported by Android or even Apple iOS4 devices. For this reason, employers in sensitive or regulated industries (e.g., financial, healthcare) may continue to standardize on BlackBerry phones, at least for high-risk workers. Security solutions providers should thus continue to search for new revenue opportunities in this traditional BlackBerry "sweet spot." For example:

  • Consultants can help enterprises map regulatory requirements onto BES policies and commands, such as Federal Information Processing Standard (FIPS)-compliant cryptographic modules and memory scrub or complementing password locks with smart card authentication.
  • Systems integrators can not only design BES installations, but can also run post-deployment penetration tests to find and mitigate vulnerabilities, especially where BES has been integrated with back-office enterprise and unified communication servers (e.g., BlackBerry Mobile Voice System).
  • Value-added resellers can deliver "high-security" bundles that appeal to security-sensitive enterprises. For example, offering Secure/Multipurpose Internet Mail Extensions (S/MIME) or a Pretty Good Privacy (PGP) Support Package to financial services customers that must prove message authenticity and integrity.

BlackBerry security for SMBs
With RIM's expansion into both SMB and consumer markets, enterprise opportunities are just the tip of the iceberg for security solution providers that specialize in BlackBerry devices.

BlackBerry Hosted Service partners can reap incremental revenue by offering services that target SMBs that lack the IT infrastructure or expertise to deploy their own BES. For example, AppRiver LLC, Apptix and USA.NET Inc. sell hosted mail services for BlackBerry with security features like antispam and antivirus filtering. Hosted service providers can differentiate themselves by addressing new security needs (e.g., eDiscovery) and improving existing security services (e.g., reputation-based filtering).

However, RIM recently lowered the bar by releasing BlackBerry Enterprise Server Express: free software that can be installed on an SMB's Microsoft Exchange or IBM Lotus Domino server to synchronize mail with up to 75 BlackBerry phones. BES Express supports just 75 policies, a fraction of the 550+ policies supported by BES.

BES Express could put a dent in the basic BlackBerry Hosted Services market. However, SMBs who try to deploy BES Express may still find firewall integration and policy development daunting. Enter systems integrators, who can use BES Express to offer inexpensive entry-level packages to SMB customers seeking to avoid recurring BlackBerry Hosted Service fees.

Furthermore, as BlackBerry devices become more popular, employers face a tough choice: Either let those workers secure their own phones with BlackBerry Desktop Manager and BlackBerry Internet Service, or take on the IT burden of using BES or BES Express to centrally manage and secure those phones. For enterprises with in-house resources and BlackBerry expertise, the answer is clear. But smaller businesses may need BlackBerry-savvy consultants to educate them about the security features and policies supported by each approach, best practices for securing employee-owned devices (e.g., BlackBerry Balance segregation), security options for individuals (e.g., BlackBerry Protect backup) and residual risks (e.g., unencrypted text messages).

Integrated security management for non-BlackBerry smartphones
Recent market competition has forced RIM to move beyond BlackBerry phones. After the iPhone upset the smartphone market, RIM released several touchscreen BlackBerry phones. Alas, those new BlackBerry devices did little to curb consumer enthusiasm for Apple iPhones, and now Android smartphones. Employers desperately searching for some way to secure these non-BlackBerry devices have started to deploy multi-platform mobile device managers (e.g., AirWatch LLC or BoxTone). Earlier in 2011, RIM launched a counter-attack by acquiring mobile device management (MDM) vendor Ubitexx.

Once this acquisition is sorted out, security solutions providers specializing in BlackBerry will have a new arrow in their quiver. Consultants and systems integrators can look forward to helping BES customers understand what Ubitexx brings to the table and how Ubitexx's ubi-Suite MDM will interact and collaborate with BES (or BES Express) to deliver a complete view of their entire mobile workforce. VARs and hosted service providers may want to expand their portfolios to include ubi-Suite, offering one-stop shopping to meet all mobile device management and security needs.

These are just a few of the many possible revenue opportunities open to security solution providers that specialize in BlackBerry. Given recent changes in the mobile device landscape, solution providers may not want to limit their focus to BlackBerry. However, security solution providers should definitely include BlackBerry in their repertoires and take advantage of the rich security features of BES.

About the author:
Lisa Phifer is President of Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year network industry veteran, Lisa has been involved in mobile wireless security since 1996. She is a technical editor for Information Security Magazine, site expert for, and frequent contributor to many other TechTarget websites.

Dig Deeper on Managed network security services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.