Monday, July 20, 2009

Securing our Blackberries

New Massachusetts Data Protection regulations require us to secure mobile devices.

At BIDMC, we have nearly 1000 Blackberries and hundreds of iPhones. The Blackberry has well-developed enterprise control features, so we're starting our mobile security effort with them.

In the interest of sharing our experience with the IT community, you'll find our proposed policies here. It's a work in progress and we're still fine-tuning our approach. To better understand the impact on users, several IT staff, including me, will be testing these new settings.

There is an amazing array of settings for securing Blackberries - you'll find the complete configuration guide here.

It's clear that organizations are finding the balance between security and ease of use challenging. Here are a few posts describing others' experiences:

Timeout issues

Password Policy issues

I'll let you know how our IT pilot goes and publish our final policies/settings as we roll out to our users.

9 comments:

Bernz said...

Policies are good. They are a basis. But enforcing those policies still needs to happen.

Both the iPhone and Blackberries have server-based packages for deployment and control of the devices so you can enforce these policies. This assumes that these devices are owned by your business and not by individuals.

If the devices are owned by individuals, you can enforce by using the various VPN settings so anyone who connects with these devices to the VPN is immediately checked for settings. If settings do not match up to the corporate standard, devices are rejected.

I think your policies are spot-on, though: Encrypt the air, encrypt the device, make sure you authenticate and authorize.

Mike Quinto said...

Thank you for sharing this. We have had a challenge with end-user-purchased devices and control. I feel like I am stuck between a rock and a hard place.

We don't provide the device. They are all end-user provided. Control of those devices seems overbearing and unfair.

However, we just ran into a situation where there was an urgent message not delivered to a device due to end user folder settings. Of course IT was to 'blame'. My only option is to now control any device on our BES as if it were provided by the organization.

Thanks for the policy jump start.

Mike

Ran said...

First for full disclosure - I work at Onset Technology - a provider of compliance and security solutions for Blackberry and other smartphones.

As smartphones begin to make inroads into the enterprise, smartphone security is rapidly becoming a top concern for IT. Smartphone security threats come from a variety of vectors, including e-mail, webmail, Instant Messaging, SMS, Multimedia Messaging Service, Bluetooth, and file downloads from the Web via Wi-Fi and cellular data networks.

Onset Technology has developed a smartphone compliance solution to allow organizations to easily extend regulatory compliance to all of their smartphones. Onset’s solution is a client-server solution, delivering a comprehensive suite of features to exert maximum supervision and control. With Onset Technology customers can easily meet HIPAA and other compliance regulations for electronic communication.

Onset offers the following independent packages (i.e. users may license any combination of packages according to their specific needs):
- Archive – A secure and robust message archiving solution that allows for capturing all incoming and outgoing messages (text, SMS, MMS, IM, PIN, etc.), encapsulated in an e-mail format.
- Enforce - Pre-emptive review and approval of outbound messages (lexicon based and RegEx)
- Control - Complete control over smartphone interfaces (BT, Camera, USB, etc.)
- Encrypt - Selective and policy based encryption of data in transit and data at rest

Anonymous said...

What a fascinating article. I'm looking for a marketing expert to help with a project, could you help? Please come visit my site Fresno Business Directory when you get time.

Fritz said...

John,

Thanks for the info and the policy list. Can you share with us what your policies are with regards to SMS/MMS/webmail/personal email on the BB and iPhone? Are you allowing users to use these communication methods? I am an IT director working at a European financial institution that uses mostly BBs and some Symbian-based smartphones. Our US compliance officers requested that unless we can archive, control and monitor these types of communication methods the same as we do for email, we need to set the policies so that the users can ONLY use email. This brings a lot of push back from the business divisions that are used to working with each other and with the clients using any type of communication. Did you find a way to control, secure and monitor communications other than email?
Sorry for the poor English.

Medical Quack said...

Very timely information on the Blackberries as I will be doing an interview this week about healthcare applications with one of their VPs. Myself I have pretty much been a Windows Mobile user so this will be good information for me to share and learn.

It's been a while since I worked with and connected through their server to Exchange, but I remember the licensing used to be a big-ticket item with the number required for each device. I don't know if it has changed, but I will inquire there too.

Ran said...

Shaul,

See my comment above on what Onset is able to do. However, we do not support iPhones at the moment. Only Blackberry and Windows Mobile devices (6.1 and above).

Ran

Unknown said...

Thank you for sharing! People will hate this one (although there is something for everyone to hate when you lock down a BB).

Periodic Challenge Time = 60 min. This means that even if you are active on the device you will get password challenged after 60 minutes. This makes sense if your BB is stolen, because someone could continue to receive your e-mail as long as they kept the device active. But the chance of somebody getting to this point with a 5 min inactivity timeout seems to me to be nearly impossible. If an attacker is this sophisticated and determined to get at your e-mail, they would not go through the physical hassle of stealing your BB; it would be easier to just own your Exchange account.
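The comment above contrasts two timers: an inactivity timeout, which only fires once the device sits idle, and a periodic challenge, which fires a fixed interval after the last unlock whether or not the device is being used. The following is an added example, not part of the original post or any BES policy tooling; it assumes a deliberately simplified model of those two timers (hypothetical, not the actual BES implementation) and computes the exposure window, i.e. how long a device stays unlocked after it leaves the owner's hands, for a given pattern of screen touches.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class LockPolicy:
    """Simplified model (assumption, not BES's real state machine) of two lock timers.

    inactivity_timeout_s: device locks once it has been idle this long.
    periodic_challenge_s: device demands the password this long after the last
        unlock regardless of activity; None means the setting is disabled.
    """
    inactivity_timeout_s: int
    periodic_challenge_s: Optional[int] = None


def first_lock_time(policy: LockPolicy, unlock_at: int,
                    touches: Sequence[int]) -> int:
    """Return the time (seconds) at which the device first locks.

    `touches` are timestamps of user interaction after `unlock_at`. A touch only
    counts if it arrives before the device has already locked.
    """
    last_touch = unlock_at
    for t in sorted(touches):
        if (policy.periodic_challenge_s is not None
                and t >= unlock_at + policy.periodic_challenge_s):
            break  # periodic challenge already fired; later touches are irrelevant
        if t - last_touch > policy.inactivity_timeout_s:
            break  # device went idle and locked before this touch
        last_touch = t
    idle_lock = last_touch + policy.inactivity_timeout_s
    if policy.periodic_challenge_s is None:
        return idle_lock
    return min(idle_lock, unlock_at + policy.periodic_challenge_s)


def exposure_window(policy: LockPolicy, unlock_at: int,
                    touches: Sequence[int]) -> int:
    """Seconds the device stays usable after `unlock_at` under `policy`."""
    return first_lock_time(policy, unlock_at, touches) - unlock_at


# Constructed scenario: phone is unlocked at t=0 and then stolen; the thief
# keeps nudging the screen every 4 minutes for two hours to defeat the
# 5-minute inactivity lock.
THIEF_TOUCHES = list(range(240, 7200, 240))

# Constructed scenario: legitimate owner uses the phone for 5 minutes, then
# puts it down and forgets about it.
OWNER_TOUCHES = [100, 200, 300]

IDLE_ONLY = LockPolicy(inactivity_timeout_s=300)
IDLE_PLUS_CHALLENGE = LockPolicy(inactivity_timeout_s=300, periodic_challenge_s=3600)


def compare_policies() -> dict:
    """Exposure windows (seconds) for both scenarios under both policies."""
    return {
        "thief_idle_only": exposure_window(IDLE_ONLY, 0, THIEF_TOUCHES),
        "thief_with_challenge": exposure_window(IDLE_PLUS_CHALLENGE, 0, THIEF_TOUCHES),
        "owner_idle_only": exposure_window(IDLE_ONLY, 0, OWNER_TOUCHES),
        "owner_with_challenge": exposure_window(IDLE_PLUS_CHALLENGE, 0, OWNER_TOUCHES),
    }


if __name__ == "__main__":
    for name, seconds in compare_policies().items():
        print(f"{name}: unlocked for {seconds // 60} minutes")
```

Under the idle-only policy the active thief keeps the device open for the entire simulated two hours (and beyond), while the periodic challenge caps the window at 60 minutes; for the owner who simply puts the phone down, both policies lock it 5 minutes after the last touch, so the challenge costs nothing in that case. Whether an hour-long cap is worth the interruption for active users is exactly the trade-off the commenter is weighing.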