Businesses are continuously looking for cost-effective and faster ways to deliver critical functions to their mobile workforce, and one of the biggest barriers to successful adoption has been security considerations. Banking, insurance, investment, retail and healthcare businesses cannot afford to deploy mobility solutions that could compromise their critical data.
The first step towards making a solution secure is to choose a device that exhibits a high level of inherent security. This article explores how BlackBerry, iPhone and Windows Mobile devices score on some of the key criteria for selecting a device for enterprise use.
Different components make a device platform safe and secure for business use. The most important among them is authentication. A robust IT policy prevents unauthorized persons from accessing enterprise data. BlackBerry (BB) allows the IT department, through the BlackBerry Enterprise Server (BES) tools, to set a policy that requires the user to log in to the device with a strong password. The iPhone requires a connection to a PC running iTunes for its initial activation with the carrier, and iTunes creates a complete image, including all of the data on the device, which poses a potential security threat. Windows Mobile does provide password locking of the device and supports a number of third-party applications that add two-factor authentication (e.g., biometric readers, card readers).
Data storage on the device and on an external SD card is a key requirement for a mobile workforce that needs to access business-critical information offline. BB provides the ability to encrypt all data on the device, including data stored on SD cards, giving full protection to critical data. The iPhone does not provide a data encryption mechanism on the device, either for selected files or for the entire data store, so if an unauthorized user gets past the password, all data is exposed to that user. Windows Mobile provides the ability to encrypt peripheral SD cards, although the main memory of the device is not encrypted.
An enterprise-grade mobile platform should include a method for verifying application signatures so that the device, when it checks a signature, can distinguish an authentic, non-tampered application from one that has been modified. BB provides an inherent mechanism for verifying the signature of each installed application to ensure the application has not been tampered with. Further, IT may enforce policies to allow or disallow individual applications from running on the device.
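The two checks described above, signature verification followed by an IT allow/deny policy, as an added example that is not BlackBerry's or any vendor's code: a package signed with the trusted key runs, a modified or transplanted package fails verification, and a validly signed package that IT has disallowed is still blocked. The Ed25519 key, the package format and the application IDs are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// AppPackage: an application as the device sees it (constructed format, not a real one).
type AppPackage struct {
	ID        string
	Binary    []byte
	Signature []byte
}

// Policy is the IT-managed configuration pushed to the device: trusted signing key plus denied app IDs.
type Policy struct {
	TrustedKey ed25519.PublicKey
	Denied     map[string]bool
}

var ErrBadSignature = errors.New("signature invalid: package unsigned or modified")
var ErrDenied = errors.New("application disallowed by IT policy")

// NewSigningKey derives a fixed demo key pair (constructed; a real signing key is generated randomly).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("demo enterprise signing key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// signedMessage binds the app ID to its contents so a signature cannot be moved to another package.
func signedMessage(id string, binary []byte) []byte {
	return append(append([]byte(id), 0), binary...)
}

// SignPackage is the vendor build step: sign ID plus binary with the private key.
func SignPackage(priv ed25519.PrivateKey, id string, bin []byte) AppPackage {
	return AppPackage{ID: id, Binary: bin, Signature: ed25519.Sign(priv, signedMessage(id, bin))}
}

// MayRun is the device's pre-launch check: signature (integrity and origin) first, then IT policy.
func MayRun(p Policy, pkg AppPackage) error {
	if !ed25519.Verify(p.TrustedKey, signedMessage(pkg.ID, pkg.Binary), pkg.Signature) {
		return ErrBadSignature
	}
	if p.Denied[pkg.ID] {
		return ErrDenied
	}
	return nil
}
```

Because the signature covers the application ID as well as the binary, re-labelling a genuinely signed package under a different ID fails verification just as an edited binary does.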
For the iPhone, applications require a digital certificate issued by Apple, and to obtain the certificate the company must register with Apple. A Distribution Provisioning Profile must then be created and loaded onto each device with end-user intervention. There is no direct over-the-air (OTA) mechanism for a corporation to deliver the application. Loading applications onto the iPhone requires either uploading the application to Apple’s App Store for delivery, or connecting each device to a PC and “side loading” the application through iTunes. This process requires users to initiate any downloads to the device from their PC, or requires that IT retrieve each iPhone and “side load” through a master PC under IT control. However, a “jailbreak” program available on the Internet bypasses the iPhone’s security and allows unsigned applications to run on the device, and thus represents a significant threat to the security of the device.
Windows Mobile has limited ability to verify individual applications. It does allow the “signing” of executables and the setting of specific policies to limit which applications can run on a device. Windows Mobile does provide OTA downloading of applications through third-party applications, and IT departments can deploy applications on their own, without user intervention.
A device that cannot be remotely managed adds significantly to the TCO (total cost of ownership) and support burden of the organization deploying it. Businesses evaluating devices should examine whether the device OS offers hooks to manage all aspects of the platform, such as device setup, monitoring, uploading, display of device characteristics, asset management, lock-down and software upgrades. If such capability is not inherently available within the OS, it is highly unlikely that any security and/or management tools will be able to competently manage all aspects of remote management. BB has been designed to be managed by a set of policies that can be easily created and deployed through the standard BES. Policies are delivered OTA directly to the device and configured automatically, with no user knowledge or intervention required. Data about each device, such as its memory use, battery condition and overall health, is available for analysis. The iPhone and Windows Mobile have to rely on third-party management applications for remote management capabilities. Windows Mobile 6.0 does make some log files and other device health data available to the IT administrator.
Many industries require that devices be validated and approved by government agencies to ensure that they meet stringent security testing and specifications before they can be deployed to mobile workers. BB has attained numerous validations and certifications for its devices, has the ability to select the most common encryption algorithms (e.g., AES, 3DES) to protect the data on the device, and provides a complete remote device wipe capability as well. Windows Mobile 6 devices do provide encryption capability for a variety of common standards (3DES, AES, etc.) and do provide remote device wipe through ActiveSync.
While each platform has strengths and shortcomings, the most secure platform for business use is the BB platform. Windows Mobile has continued to improve over time, and with third-party applications one can enhance its security measures and consider the platform for mobility deployment.