Blackberry OS

Protection and Security in Blackberry OS

Upload: sundeep-roxx

Post on 15-Jul-2015


Category: Engineering


TRANSCRIPT

Page 1: Blackberry OS

Protection and Security in Blackberry OS

Page 2: Blackberry OS

Protection

• Control access by limiting file types accessed by different users

• Only authorized processes can operate on memory segments, CPU and other resources

Page 3: Blackberry OS

Security

• Protect information integrity by ensuring authentication of system users

• Prevent unauthorized access

• Prevent unknown destruction of data

• Prevent accidental introduction of inconsistency

Page 4: Blackberry OS

Why Security Matters More than Ever

Most IT experts agree: BYOD (Bring Your Own Device) is the biggest trend affecting enterprises today. As business processes go mobile, more and more sensitive data passes through and resides on mobile devices. Meanwhile, risk-inherent personal use cases continue to grow, spanning:

› Social networking
› Personal email
› Untrusted personal apps
› Web browsing
› Instant Messaging, SMS/MMS, other P2P messaging

Page 5: Blackberry OS

To address these issues comprehensively, the BlackBerry® platform has been built from the ground up to deliver a first-rate user experience. The following slides take a close look at these features:

› BlackBerry® Balance™ (for platform-level separation of work and personal)
› BlackBerry® World™ for Work (a corporate application storefront)
› BlackBerry® Secure Connectivity
› BlackBerry 10 authentication

Page 6: Blackberry OS

All of these features and functions are controlled and enabled through the BlackBerry® Enterprise Service 10 (BES10) platform, which IT administrators can use to manage not only BlackBerry 10 devices but also iOS and Android™ devices (with support for Windows® Phone coming soon), for true multi-platform mobility management on a single, unified console.

Page 7: Blackberry OS

BlackBerry® Balance™

In the past, if you wanted better mobile security, you had to sacrifice the user experience, and vice versa. That trade-off comes to an end with BlackBerry Balance, which controls security risks through:

› Complete protection for all data leak channels and mechanisms
› A tamper-resistant architecture that protects against abuse and attack

Page 8: Blackberry OS

Innovative Device Data Leak Prevention

Page 9: Blackberry OS

Work Space (Left)

Work applications reside within the work file system.

› Work applications and work data are always protected by the work file system with ‘AES-256 encryption’.
› Only applications that reside in the work file system are able to connect through work communication channels, including BlackBerry Enterprise Service 10, enterprise Wi-Fi, enterprise VPN, and Intranet browsing. If you want to allow Personal Space traffic to use work connectivity options, you have that option.
› The appropriate communication channels are automatically provisioned to protect your sensitive enterprise data.

Page 10: Blackberry OS

User Interface (Center)

The key to BlackBerry Balance is its interface.

› Data originating from an enterprise resource is automatically identified as work data, and any other data is automatically identified as personal.
› Work data can’t be copied or cut/pasted into a personal data channel, and files can’t be moved from one file system to the other.
› The user interface allows some work and personal content to be displayed together for an ideal user experience, as in the case of the BlackBerry® Hub; however, an ‘abstraction layer’ prevents any data leakage between the Work Space and the Personal Space.
› The Work Space and Personal Space have separate wallpapers, so users always know at a glance which space they’re in.

Page 11: Blackberry OS

Personal Space (Right)

Personal applications reside within the personal file system.

› Personal applications include personal BlackBerry® apps such as BBM™ and third-party personal apps for things like email, gaming and social networking.
› Applications that reside on the personal file system have access only to personal communication channels (listed on the right hand side of the diagram), often referred to as data leak channels. Again, you have the option to enable personal apps to use work connection options if you need or want to.
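The separation rules on the three Balance slides above (apps confined to their own file system's channels, data labelled by origin, no work-to-personal paste, no cross-file-system file moves, and the IT policy switch that lets personal traffic use work connectivity) can be written down as a small reference-monitor model. This is an added, constructed example, not BlackBerry code and not how the platform implements the checks; the class and method names are invented, and the treatment of work apps on personal channels is an assumption the slides do not state.

```python
from dataclasses import dataclass, field
from enum import Enum


class Space(Enum):
    WORK = "work"
    PERSONAL = "personal"


@dataclass(frozen=True)
class App:
    name: str
    space: Space          # the file system the app was installed into


@dataclass(frozen=True)
class Channel:
    name: str
    space: Space          # WORK: BES10, enterprise Wi-Fi/VPN, intranet browsing


@dataclass
class BalancePolicy:
    """Toy model of the Balance rules on these slides (constructed example)."""
    personal_may_use_work_connectivity: bool = False   # the IT policy switch
    denials: list = field(default_factory=list)        # audit trail of blocked actions

    def _deny(self, why: str) -> bool:
        self.denials.append(why)
        return False

    def may_connect(self, app: App, channel: Channel) -> bool:
        # An app may always use the channels of its own space.
        if app.space is channel.space:
            return True
        # Personal apps reach work channels only when IT has enabled the option.
        if app.space is Space.PERSONAL and self.personal_may_use_work_connectivity:
            return True
        # Assumption: work apps stay on work channels (the slides only state
        # the personal-app rule); everything else is blocked and logged.
        return self._deny(f"connect {app.name} -> {channel.name}")

    def may_paste(self, origin: Space, dest: Space) -> bool:
        # Data carries the label of where it came from; work data never lands
        # in a personal data channel. Personal -> work is not restricted here.
        if origin is Space.WORK and dest is Space.PERSONAL:
            return self._deny("paste work -> personal")
        return True

    def may_move_file(self, origin: Space, dest: Space) -> bool:
        # Files never cross from one file system to the other, in either direction.
        if origin is not dest:
            return self._deny(f"move file {origin.value} -> {dest.value}")
        return True
```

The `denials` list is the detection hook: a real implementation would surface these events to the administrator rather than silently failing.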

Page 12: Blackberry OS

BlackBerry Enterprise Service 10 (BES10): Architecture

Page 13: Blackberry OS

The Gold Standard in Secure Connectivity

BlackBerry has, for many years, been held up as the gold standard in secure connectivity. That doesn’t change with BlackBerry 10. Seamlessly enabling secure access to systems behind the firewall, as well as protecting work data in transit, is assured by the proven BlackBerry security model, which now extends to multi-platform. Simple and cost-effective setup and ongoing admin is supported by the VPN-less, single outbound port 3101 connectivity model BlackBerry is renowned for, including certified end-to-end encryption. So there’s no need for third-party connectivity or security solutions.

Page 14: Blackberry OS

› Outside of the enterprise, any connection to BlackBerry Enterprise Service 10 via the BlackBerry infrastructure over Wi-Fi or cellular uses AES-256, which also protects the connection to Microsoft® Exchange and any other enterprise content servers.
› The BlackBerry infrastructure-to-device leg has an additional layer of Transport Layer Security (TLS) to authenticate the BlackBerry infrastructure.
› Outside of the enterprise, the BlackBerry infrastructure can be bypassed by connecting directly to BlackBerry Enterprise Service 10 by VPN, over Wi-Fi or cellular.
› The device VPN supports IPsec and SSL.
› Inside the enterprise, the device connects directly to BlackBerry Enterprise Service 10 and the LAN over corporate Wi-Fi.

Page 15: Blackberry OS

Note: For all of these options, Wi-Fi security is the industry-standard Wi-Fi security noted in the legend. For additional security, end-to-end SSL is supported between BlackBerry 10 devices and the content servers. The user’s Personal Space and personal apps can directly connect to Wi-Fi and cellular, also supporting SSL if you so choose.

› Users can also connect to their own private network VPN.
› As mentioned above, there’s also the option to allow Personal Space traffic to use work connectivity options (and this can be easily disabled by IT policy).

Page 16: Blackberry OS

Why the BlackBerry 10 Operating System is Most Secure

The operating system is the most important component of mobile device security, but it’s often overlooked. Unlike security tools, controls and features or corporate sandboxes, the security of the OS is generally more opaque to the observer. Operating system source code is typically not shared, and even if it is, it’s hard to assess the security of millions of lines of code.

First and foremost, BlackBerry 10 is based on the QNX® Microkernel. So what does this mean for you? It means your enterprise gains several security benefits.

The Security Benefits of the QNX Microkernel

It contains less code (about 150,000 lines):
› This small footprint helps eliminate vulnerabilities by making security verification and testing easier and more robust.

It’s designed for resiliency:
› The Microkernel isolates processes in the user space.
› Unresponsive processes are restarted without affecting others, so that applications don’t crash the OS.

It minimizes all root processes:
› Only the most essential BlackBerry processes run as root.
› Root processes are not available to non-BlackBerry parties, which makes the OS less vulnerable to security risks.

Page 17: Blackberry OS

Authentication: Flexible Options for Passwords and Certificates

BlackBerry 10 supports two options for authentication: passwords and certificates. Passwords are generally used for device authentication. Flexible and granular password policies can be enforced on:

› The Work Space: The administrator can require a user password for access to the Work Space.
› The entire device: The administrator can also demand a password for access to the entire BlackBerry 10 device (a must-have for many high-security and regulated environments).

BlackBerry 10 also supports certificate enrollment and automatic renewal, using the industry-standard Simple Certificate Enrollment Protocol (SCEP).

› SCEP provides easy, scalable certificate enrollment and renewal.
› Authentication is generally for Wi-Fi, VPN or Intranet.
› All certificates are encrypted and protected within the BlackBerry 10 key store.

Page 18: Blackberry OS

The QNX Microkernel diagram above illustrates how user processes cannot directly access other processes.

Contained and Constrained: Application and Malware Controls

The best way to protect your enterprise from mobile malware is to use an operating system that’s designed to resist it. BlackBerry 10 uses a ‘contain and constrain’ design strategy to mitigate against malware risks. By sandboxing the user space, BlackBerry 10 can block malicious behavior:

› Processes are constrained within the user space and the Microkernel carefully supervises inter-process communication.
› Memory accessed by the user space is also authorized by the Microkernel.
› Any process that attempts to address unauthorized memory is automatically restarted or shut down.

Personal Application Controls

› Access to Personal Space resources is limited and operates on an ‘app-by-app’ and ‘need-to-have’ basis.
› The user gets the right information at the right time to make an informed decision about what permissions to grant.

*Human Machine Interface (HMI)

Page 19: Blackberry OS

The following diagram illustrates the device boot process and the BlackBerry ‘chain of trust’. The secure process is centered on authentication to help guard against persistent OS attacks and rootkits.

Page 20: Blackberry OS

Below are a few examples of the security mechanisms that are integrated into the BlackBerry 10 operating system to protect against attacks and arbitrary code execution.

Page 21: Blackberry OS

THANK YOU