This tip is a part of the SearchSecurityChannel.com resource guide, Securing mobile devices: A resource guide for...
The BlackBerry PlayBook, first shipped in April 2011, is a product portfolio expansion that will have an immediate impact on BlackBerry security solution providers.
Based on the QNX operating system acquired by Research In Motion Ltd. (RIM) from Hartman International, this "business grade" tablet is RIM's response to Apple Inc.'s consumer-focused iPad. RIM designed the PlayBook to appeal to businesses that already standardize on BlackBerry phones and want to offer workers a compatible tablet. But the PlayBook is not a stand-alone 3G tablet. Rather, in its current form, it is an easy-to-use display for Web surfing and interacting with BlackBerry apps.
Building a bridge for BlackBerry PlayBook security
Early adopters will find they can use the PlayBook in two ways:
1. BlackBerry phone subscribers can use the PlayBook to conduct both work and personal activities on the tablet's high-resolution 7-inch LCD (1024 x 600 pixel) display. For example, the PlayBook delivers a richer email experience than a 3.2-inch (480 x 360 pixel) BlackBerry Torch. However, the PlayBook does not have its own POP/IMAP email client. Instead, users must pair their PlayBook with their BlackBerry, using Bluetooth as a secure bridge to reach the phone's mailbox and 3G wireless network.
2. Individuals without BlackBerry phones can still buy PlayBooks for personal use, such as browsing the Internet over Wi-Fi, checking personal webmail, and using HTML5 or Adobe AIR Web apps from Adobe Systems Inc. Several hundred PlayBook Web apps are now available, including friendly front-ends for sites such as Facebook and Twitter. To rapidly grow this list, RIM is developing application players (sandboxed emulators) to let PlayBooks run Java and Android apps. As with all PlayBook software, third-party Java and Android application developers are encouraged by RIM to offer apps tweaked for the PlayBook, which (upon approval by RIM) will be distributed by BlackBerry App World.
The file system used by work apps to temporarily cache work data is encrypted with AES-256 and a BlackBerry Bridge work key. That key is stored on the BlackBerry phone and only shared between the two devices when actively bridged via Bluetooth.
To reduce the personal security risks of tablet theft or loss, BlackBerry PlayBook users may configure a tablet password and an inactivity timeout. However, unlike BlackBerry phones, PlayBooks do not encrypt persistently stored data. Instead, strict run-time separation is maintained between personal apps and work apps running on a PlayBook. Work data (e.g., mail messages, calendar entries) is never stored on the PlayBook itself. The file system used by work apps to temporarily cache work data is encrypted with AES-256 and a BlackBerry Bridge work key. That key is stored on the BlackBerry phone and only shared between the two devices when actively bridged via Bluetooth.
This compartmentalization reduces risk of work data loss or theft, while diminishing the need for employers to manage or secure the tablet itself. Employers using BlackBerry Enterprise Server (BES) 4.0 or later can configure IT policies on BlackBerry phones to enable or disable PlayBook bridging, but have no other control over PlayBook tablets, their settings, or access to any personal data stored on them.
Understanding RIM's tablet play
This BlackBerry-centric security model is behind RIM's decision to release the PlayBook without a native email client (at least initially). Unfortunately, it also limits the tablet's appeal to non-BlackBerry customers. As a Wi-Fi client, the PlayBook can obtain 3G/4G Internet access through portable hotspots found on other vendor smartphones. The PlayBook can also be used to reach webmail, including TLS-protected corporate webmail. However, unless a PlayBook connects to a BES-activated BlackBerry, all apps are considered personal and their data is not encrypted. This exposure, combined with the lack of support for alternative approaches like Remote Desktop Protocol (RDP) from Microsoft, could be a deal-stopper for non-BlackBerry enterprises.
But RIM has bigger long-range plans for the PlayBook. In an interview, spokesperson David Heit, revealed RIM’s plans to add modes that turn the PlayBook into a true corporate endpoint. First, a VPN mode will be used to enable secure remote access to enterprise Web portals, delivering virtualized views of corporate data. Eventually, a managed device mode may be offered so enterprises can safely install sensitive business applications (and resident data) on the tablet. At that point, the PlayBook will need to be managed and secured in the same manner as BlackBerry phones, which is by using a future incarnation of BES, although RIM has not yet announced any such plans.
New opportunities for solution providers
VARs can start earning additional revenue now by selling the PlayBook to BlackBerry customers and educating them about the security implications of BlackBerry Bridge connections. To this end, VARs may provide "cheat sheets" on BlackBerry PlayBook security topics, such as preparing a BES and the BlackBerry fleet to be PlayBook-ready, and how to securely pair a tablet with a BES-activated BlackBerry.
Consultants can help existing BlackBerry customers understand the PlayBook security model, including:
- How PlayBooks are activated and paired via Bluetooth.
- How Bridge keys are established.
- How a paired PlayBook gains access to a corporate WLAN.
- How PlayBook work and personal data separation is maintained.
- How tablet OS integrity is verified.
- How PlayBook software is installed using BlackBerry Desktop and/or BlackBerry App World.
- How to decommission a lost or stolen PlayBook.
Consultants can also help non-BES customers develop security best practices for employee-liable PlayBooks, such as how to set passwords, configure WLAN credentials, use PlayBook Private Browsing and pair PlayBooks with personal Wi-Fi hotspots or non-BES-managed BlackBerry phones. Workers who buy BlackBerry phones may opt for PlayBooks, and employers must understand the business implications, even if they don't use BES to enforce policies.
Finally, BlackBerry Hosted Service partners that sell BES to SMBs may consider offering PlayBook support as an a la carte option. Although BES can’t fully manage PlayBooks today, customers that want to secure work data must enable BlackBerry-PlayBook Bridge connections in BES and may also want to report on related activities. Partners can begin working with customers on these tasks now, with an eye toward expanding PlayBook support as the PlayBook evolves in the future.
If the PlayBook enjoys market success, many other opportunities may arise for security solution providers. VARs may develop AIR, Java or Android apps to deliver value-added security services for PlayBooks. When VPN mode is realized, systems integrators may assemble PlayBook bundles, paired with secure enterprise portals, to deliver safe access to unmanaged PlayBooks. But such opportunities are still a way off. For now, providers should focus on securing PlayBook Bridge-connected tablets for BES customers.
About the author:
Lisa Phifer is President of Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year network industry veteran, Lisa has been involved in mobile wireless security since 1996. She is a technical editor for Information Security Magazine, site expert for SearchNetworking, and frequent contributor to many other TechTarget websites.