• Control access by limiting file types accessed by
• Only authorized processes can operate on memory
segments, CPU and other resources
• Protect information integrity by ensuring
authentication of system users
• Prevent unauthorized access
• Prevent unknown destruction of data
• Prevent accidental introduction of inconsistency
Most IT experts agree: BYOD (Bring Your Own Device) is the biggest trend
affecting enterprises today.
As business processes, more and more sensitive data passes through and
resides on mobile devices.
Meanwhile, risk-inherent personal use cases continue to grow, spanning:
› Social networking
› Personal email
› Untrusted personal apps
› Web browsing
› Instant Messaging, SMS/MMS, other P2P messaging
Why Security Matters More than Ever
To address these issues comprehensively, the BlackBerry® platform
has been built from the ground up to deliver a first-rate user
experience. I'll take a close look at the following features:
› BlackBerry® Balance™ (for platform level separation of work and
› BlackBerry® World™ for Work (a corporate application storefront)
› BlackBerry® Secure Connectivity
› BlackBerry 10 authentication
All of these features and functions are controlled and enabled through the BlackBerry® Enterprise Service 10 (BES10) platform – which IT administrators can use to manage not only BlackBerry 10 devices, but also iOS and Android™ devices (with support for Windows® Phone coming soon), for true multi-platform mobility management on a single, unified console.
In the past, if you wanted better mobile security, you had to sacrifice the user experience, and vice versa. This interface/model comes to an end with BlackBerry
This controls security risks through:
› Complete protection for all data leak channels and
› A tamper-resistant architecture that protects against
abuse and attack
Work Space (Left) Work applications reside within the work file
› Work applications and work data are always protected by the
work file system with ‘AES-256 encryption’.
› Only applications that reside in the work file system are able
to connect through work communication channels, including
BlackBerry Enterprise Service 10, enterprise Wi-Fi, enterprise
VPN, and Intranet browsing. If you want to allow Personal
Space traffic to use work connectivity options, you have that
› The appropriate communication channels are automatically
provisioned to protect your sensitive enterprise data.
User Interface (Center) The key to BlackBerry Balance is its interface.
› Data originating from an enterprise resource is automatically identified as
work data, and any other data is automatically identified as personal.
› Work data can’t be copied or cut/pasted into a personal data channel, and
files can’t be moved from one file system to the other.
› The user interface allows some work and personal content to be displayed
together for an ideal user experience, as in the case of the BlackBerry® Hub;
however, an ‘abstraction layer’ prevents any data leakage between the Work
Space and the Personal Space.
› The Work Space and Personal Space have separate wallpapers, so users
always know at a glance which space they’re in.
Personal Space (Right) Personal applications reside within the
personal file system.
› Personal applications include personal BlackBerry® apps such
as BBM™ and third-party personal apps for things like email,
gaming and social networking.
› Applications that reside on the personal file system have
access only to personal communication channels (listed on the
right hand side of the diagram), often referred to as data leak
channels. Again, you have the option to enable personal apps
to use work connection options if you need or want to.
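The Balance rules above amount to a small label-based (mandatory access control) policy: data inherits the label of its origin, a work-labelled item may never flow into a personal channel (clipboard, file system or network), and a personal item may use a work channel only when IT has enabled that option. The following is an added example that models those rules; it is not BlackBerry code, and the host names, channel names and class names (`Space`, `DataItem`, `Channel`, `SeparationPolicy`) are constructed for illustration.

```python
"""Label-based work/personal separation (added example, not BlackBerry code).

Models the Balance rules described above: a data item carries the label
of its origin (enterprise resource -> work, anything else -> personal);
work data is never allowed into a personal channel; personal data may use
a work channel only when the IT policy flag permits it.
"""
from dataclasses import dataclass
from enum import Enum


class Space(Enum):
    WORK = "work"
    PERSONAL = "personal"


@dataclass(frozen=True)
class DataItem:
    content: str
    origin: str    # host the data came from
    space: Space   # label derived from the origin, never chosen by the app


@dataclass(frozen=True)
class Channel:
    name: str      # a clipboard, a file system, or a network path
    space: Space


# Constructed list of enterprise resources; in a real deployment this comes from IT policy.
ENTERPRISE_HOSTS = frozenset({"mail.corp.example", "intranet.corp.example"})


def classify(content: str, origin: str) -> DataItem:
    """Data from an enterprise resource is work data; everything else is personal."""
    space = Space.WORK if origin in ENTERPRISE_HOSTS else Space.PERSONAL
    return DataItem(content, origin, space)


class SeparationPolicy:
    def __init__(self, personal_may_use_work_channels: bool = False):
        # IT-controlled switch: "allow Personal Space traffic to use work
        # connectivity options". Default deny.
        self.personal_may_use_work_channels = personal_may_use_work_channels

    def allows(self, item: DataItem, dest: Channel) -> bool:
        if item.space is dest.space:
            return True                     # flows within one space are fine
        if item.space is Space.WORK:
            return False                    # work data never crosses into a personal channel
        return self.personal_may_use_work_channels   # personal -> work only if IT enabled it


def run_scenarios(policy: SeparationPolicy) -> dict:
    """Evaluate a few constructed cut/paste and connectivity requests against the policy."""
    work_doc = classify("Q3 forecast.xlsx", "mail.corp.example")
    selfie = classify("beach.jpg", "photos.social.example")
    work_fs = Channel("work file system", Space.WORK)
    ent_wifi = Channel("enterprise Wi-Fi", Space.WORK)
    personal_clip = Channel("personal clipboard", Space.PERSONAL)
    personal_im = Channel("personal IM", Space.PERSONAL)
    return {
        "work doc -> work file system": policy.allows(work_doc, work_fs),
        "work doc -> personal clipboard": policy.allows(work_doc, personal_clip),
        "selfie -> personal IM": policy.allows(selfie, personal_im),
        "selfie -> enterprise Wi-Fi": policy.allows(selfie, ent_wifi),
    }


if __name__ == "__main__":
    for label, pol in [("strict", SeparationPolicy()),
                       ("personal may use work channels", SeparationPolicy(True))]:
        print(label)
        for request, allowed in run_scenarios(pol).items():
            print(f"  {request}: {'allow' if allowed else 'deny'}")
```

The two design points worth keeping from the model are that the label is assigned from the origin of the data rather than requested by the application, and that the only relaxation is the one IT can grant (personal traffic onto work channels); there is no switch that lets work data out.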
BlackBerry Enterprise Service 10 (BES10): Architecture
The Gold Standard in Secure Connectivity
BlackBerry has, for many years, been held up as the gold
standard in secure connectivity. That doesn’t change with
Seamlessly enabling secure access to systems behind the
firewall, as well as protecting work data in transit, is assured by
the proven BlackBerry security model, which now extends to
multi-platform. Simple and cost-effective setup and ongoing
admin is supported by the VPN-less, single outbound port
3101 connectivity model BlackBerry is renowned for –
including certified end-to-end encryption. So there’s no need
for third party connectivity or security solutions.
› Outside of the enterprise, any connection to BlackBerry Enterprise
Service 10 via the BlackBerry infrastructure over Wi-Fi or cellular
uses AES-256, which also protects the connection to Microsoft®
Exchange and any other enterprise content servers.
› The BlackBerry infrastructure-to-device leg has an additional layer
of Transport Layer Security (TLS) to authenticate the BlackBerry
› Outside of the enterprise, the BlackBerry infrastructure can be
bypassed by connecting directly to BlackBerry Enterprise Service
10 by VPN, over Wi-Fi or cellular.
› The device VPN supports IPsec and SSL.
› Inside the enterprise, the device connects directly to BlackBerry
Enterprise Service 10 and the LAN over corporate Wi-Fi
Note: For all of these options, Wi-Fi security is the industry standard
Wi-Fi security noted in the legend. For additional security, end-to-
end SSL is supported between BlackBerry 10 devices and the content
The user’s Personal Space and personal apps can directly connect to
Wi-Fi and cellular, also supporting SSL if you so choose.
› Users can also connect to their own private network VPN.
› As mentioned above, there’s also the option to allow Personal Space
traffic to use work connectivity options (and this can be easily
disabled by IT policy).
Why the BlackBerry 10 Operating System is Most Secure
The operating system is the most important component of mobile device security but it’s often
overlooked. Unlike security tools, controls and features or corporate sandboxes, the security of the OS is
generally more opaque to the observer. Operating system source code is typically not shared, and even
if it is, it’s hard to assess the security of millions of lines of code.
First and foremost, BlackBerry 10 is based on the QNX® Microkernel. So what does this mean for you? It
means your enterprise gains several security benefits.
The Security Benefits of the QNX Microkernel
It contains less code (about 150,000 lines):
› This small footprint helps eliminate vulnerabilities by making security verification and testing easier and
It’s designed for resiliency:
› The Microkernel isolates processes in the user space.
› Unresponsive processes are restarted without affecting others, so that applications don’t crash the OS.
It minimizes all root processes:
› Only the most essential BlackBerry processes run as root.
› Root processes are not available to non-BlackBerry parties, which makes the OS less vulnerable to security risks.
Authentication: Flexible Options for Passwords and Certificates
BlackBerry 10 supports two options for authentication: passwords and certificates. Passwords
are generally used for device authentication.
Flexible and granular password policies can be enforced on:
› The Work Space: The administrator can require a user password for access to the Work
› The entire device: The administrator can also demand a password for access to the entire
BlackBerry 10 device (a must-have for many high-security and regulated environments).
BlackBerry 10 also supports certificate enrollment and automatic renewal, using the industry-
standard Simple Certificate Enrollment Protocol (SCEP).
› SCEP provides easy, scalable certificate enrollment and renewal.
› Authentication is generally for Wi-Fi, VPN or Intranet.
› All certificates are encrypted and protected within the BlackBerry 10 key store.
The QNX Microkernel diagram above illustrates how user
processes cannot directly access other processes.
Contained and Constrained: Application and Malware Controls
The best way to protect your enterprise from mobile malware
is to use an operating system that’s designed to resist it.
BlackBerry 10 uses a ‘contain and constrain’ design strategy to
mitigate against malware risks.
By sandboxing the user space, BlackBerry 10 can block
› Processes are constrained within the user space and the
Microkernel carefully supervises inter-process communication.
› Memory accessed by the user space is also authorized by the
› Any process that attempts to address unauthorized memory is
automatically restarted or shut down.
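The resiliency claims in the QNX Microkernel section (unresponsive processes restarted without affecting others) and the sandboxing bullets above (a process that addresses unauthorized memory is restarted or shut down) both rest on one mechanism: each process has its own address space, so a memory-protection violation ends only that process, and a supervisor sees nothing but an exit status and can restart it. The following added example shows that pattern in user space; it is not QNX or BlackBerry code. The three worker programs are constructed one-liners run in fresh interpreters, and the names `Outcome`, `run_worker`, `supervise` and `killed_by_segv` are hypothetical. It assumes a POSIX system where a signal-terminated child reports a negative return code.

```python
"""Supervising isolated worker processes (added example, not QNX/BlackBerry code).

Each worker runs as a separate OS process. A worker that touches memory it
has no right to is killed by the kernel with SIGSEGV; one that stops
responding is killed on timeout. The supervisor records the outcome,
restarts the worker within a budget, and is itself never affected.
"""
import signal
import subprocess
import sys
from dataclasses import dataclass, field

# Constructed worker programs; each runs in a fresh interpreter with its own address space.
FAULTY_WORKER = "import ctypes; ctypes.string_at(0)"  # dereferences address 0 -> SIGSEGV
HUNG_WORKER = "import time; time.sleep(60)"            # never finishes on its own
HEALTHY_WORKER = "print('work done')"                  # exits normally


@dataclass
class Outcome:
    restarts: int = 0
    faults: list = field(default_factory=list)  # signal numbers the kernel killed the worker with
    hangs: int = 0
    completed: bool = False


def run_worker(code: str, timeout: float):
    """Run one worker. Returns ('ok', exit_code), ('signal', signo) or ('hang', None)."""
    try:
        proc = subprocess.run([sys.executable, "-c", code], timeout=timeout,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return ("hang", None)  # subprocess.run has already killed the unresponsive child
    if proc.returncode < 0:
        return ("signal", -proc.returncode)  # negative code: terminated by a signal
    return ("ok", proc.returncode)


def supervise(code: str, max_restarts: int, timeout: float = 10.0) -> Outcome:
    """Keep a worker running until it completes or the restart budget is spent.

    A fault inside the worker never propagates here: the address-space
    boundary means the supervisor only ever observes an exit status.
    """
    out = Outcome()
    while True:
        kind, value = run_worker(code, timeout)
        if kind == "ok":
            out.completed = value == 0
            return out
        if kind == "signal":
            out.faults.append(value)
        else:
            out.hangs += 1
        if out.restarts >= max_restarts:
            return out  # give up on this worker; the supervisor itself is still alive
        out.restarts += 1


def killed_by_segv(outcome: Outcome) -> bool:
    """True when every recorded fault was a memory-protection violation."""
    return bool(outcome.faults) and all(s == signal.SIGSEGV for s in outcome.faults)


if __name__ == "__main__":
    for name, code in [("faulty", FAULTY_WORKER), ("hung", HUNG_WORKER), ("healthy", HEALTHY_WORKER)]:
        print(name, supervise(code, max_restarts=2, timeout=0.5))
```

Running it shows the faulty worker dying with SIGSEGV on every attempt and being restarted twice before the supervisor gives up, the hung worker being killed on each timeout, and the healthy worker completing on the first run, with the supervising process unaffected throughout. The restart budget is the part a real system has to get right: without one, a deterministic fault becomes a restart loop.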
Personal Application Controls
› Access to Personal Space resources is limited and operates on
an ‘app-by-app’ and ‘need-to-have’ basis.
› The user gets the right information at the right time to make
an informed decision about what permissions to grant.
*Human Machine Interface (HMI)
The following diagram illustrates the device feeding process and the BlackBerry ‘chain of trust’. The secure process is centered on authentication to help guard against persistent OS attacks and rootkits.
Below are a few examples of the security mechanisms that are integrated into the BlackBerry 10
operating system to protect against attacks and arbitrary code execution.