 |
|
|
|
 |
   
|
|
|
Frequently Asked Questions (FAQ)
1. Is it necessary to use S/MIME or PGP to make the BlackBerry Enterprise Solution™ secure?All of the email messages sent between BlackBerry® devices and the BlackBerry Enterprise Server™ are encrypted. However, once a message goes to the mail server outside the corporate firewall, it is sent over the Internet. This is exactly what happens when you send an unencrypted message from a desktop or laptop computer. The S/MIME and PGP® solutions are designed to provide sender-to-recipient security, from the moment an email message leaves a BlackBerry device to the moment it reaches its destination. This ensures that the message cannot be read or modified anywhere along the way. 2. What are the differences between S/MIME and PGP? Which one should we invest in?S/MIME and PGP both allow you to sign and encrypt email messages to ensure confidentiality, integrity and authentication. The key difference is that they use different trust models. A trust model is a way of representing whether or not someone should be trusted, based on their relationships with other trusted entities. S/MIME uses a hierarchical “tree” trust model based on an existing Public Key Infrastructure (PKI). Root Certificate Authorities issue certificates to other Certificate Authorities (CAs) as well as to individuals. Those CAs in turn can issue their own certificates to other CAs and individuals. A person or group is trusted if and only if the Root CA is trusted. PGP uses a planar “web of trust” model. Root CAs issue PGP keys to other CAs and individuals. However, a key does not need to be traceable to a trusted Root CA in order to be trusted. For instance, a key can be trusted based on its relationship with an intermediary CA or with other individuals. Each trust model has its benefits and drawbacks. The biggest factor in deciding whether to invest in S/MIME or PGP security is your company standards (i.e. what you use on your desktop) and those of your partners and close contacts. Currently, a person using S/MIME cannot send an encrypted message to someone using PGP, and vice-versa. 3. Does my BlackBerry device need anti-virus software?Preventing malicious programs like viruses, trojans, worms and spyware (collectively referred to as “malware”) consists of two parts: detection and containment. Detection is the process of determining whether a program is malicious (i.e. malware). Effectively detecting malware is very difficult. It requires a huge frequently updated local database or a constant connection to an online database. While desktop computers can satisfy these requirements, mobile devices cannot. Mobile devices do not have enough storage space to hold a malware database, and a constant connection to the Internet cannot be guaranteed. Containment is the process of preventing a malicious program from causing damage once it has appeared. Containment is relatively easy. It simply requires controlling access to the device software and to other applications on the device. The BlackBerry Enterprise Solution focuses on containing malicious programs. The BlackBerry device software and all of the core applications are digitally signed to ensure integrity and to control access to the Application Programming Interfaces (APIs). Thus, the core BlackBerry functionality cannot be directly accessed by other applications. In addition, the BlackBerry Enterprise Server comes with 19 Application Control policies that allow the administrator to limit which applications can access internal or external domains, make network connections, access the phone, access email messages, etc. The administrator can also restrict the downloading of third-party applications and prevent them from using device ports or storing data on the device. 4. Can the security settings on the BlackBerry device be customized?Yes, the BlackBerry Enterprise Server comes with over 200 IT policies that allow administrators to customize and enforce device-side security settings. IT policies are delivered and enforced wirelessly. They are digitally signed to ensure integrity and cannot be changed or disabled by BlackBerry device users. For more information, see the BlackBerry Enterprise Server Policy Reference Guide (PDF). 5. What happens if a BlackBerry device is lost or stolen?We recommend that all users protect their BlackBerry device with a password that must be entered to unlock and use the device. This can be enabled by the user through the Security Options menu on the device or enforced with the “Password Required” IT policy on the BlackBerry Enterprise Server. The device can be set to automatically lock at specified time intervals (eg. every 30 minutes). The device can also be set to lock whenever it is holstered. If Content Protection is enabled on the device, then user data on the device is stored encrypted using AES-256. Thus, even if someone reads the user data directly from the device hardware, it is not technically feasible to decrypt the data without the device password. Users with the BlackBerry Smart Card Reader™ enjoy an extra level of protection. The device can be configured to automatically lock when the BlackBerry Smart Card Reader is outside of Bluetooth® communication range (normally around 30 feet). This feature is designed to provide proximity access control for the BlackBerry device. A lost or stolen BlackBerry device can also be remotely locked or even erased by the BlackBerry Enterprise Server administrator, provided that the Server can communicate with the device. The administrator can also remotely change the device password and delete applications from the device. 6. What if someone steals a BlackBerry device, changes the software and returns the device?Each time a BlackBerry device boots up, the Boot ROM checks the authenticity of the Java™ Virtual Machine and the Operating System. The Java Virtual Machine then checks the integrity of the BlackBerry software. If any of these checks fail, the device does not boot up. In order to successfully change the BlackBerry software, an unauthorized user would need to change the Boot ROM, which is non-trivial and requires access to the device hardware. Thus, the device software cannot be changed without access to the hardware. In addition to requiring proprietary knowledge, accessing the hardware leaves behind evidence that the device has been tampered with. 7. Why are BlackBerry messages routed through the BlackBerry Infrastructure?All email messages sent to and from BlackBerry devices are routed through the BlackBerry Infrastructure. This helps to amortize the cost of multiple redundant connections to carriers across all of the BlackBerry Enterprise Servers around the world. It also helps to simplify wireless for customers and to optimize protocols for wireless environments. Some customers are not comfortable with the idea of their email messages going through the BlackBerry Infrastructure. It is important to remember that the BlackBerry Enterprise Solution email messages sent through the BlackBerry Infrastructure are encrypted using state-of-the-art and industry-certified Triple DES or AES-256 encryption. The messages are encrypted with the customers’ own encryption keys, which are stored only in the BlackBerry Enterprise Server and the BlackBerry device. The operators of the BlackBerry Infrastructure do not have access to the encryption keys and thus cannot view the content of the messages. 8. Is BlackBerry NSA Suite B ready?Yes, all in-market BlackBerry devices are designed to support the NSA Suite B algorithms. |
||||||
