05-21-2008 07:14 PM - edited 05-21-2008 07:21 PM
My CEO is concerned about the security of corporate data that resides on BlackBerry devices. Most of my corporate BlackBerry users have company-owned devices and run off of my BlackBerry Exchange Server, where I have the ability to send the wireless command "Erase data and disable BlackBerry device" in the event that the handheld is lost or stolen.
I have a couple of users who have their own private BlackBerry devices and use BlackBerry Desktop Software v 4.2 to sync their device with their workstation in the office. Can you think of a way that I can protect corporate data on these phones in the event that they are lost or stolen? Is there perhaps a third-party add-on you are aware of? I have heard that BlackBerry handheld devices are incapable of encryption, but am not positive.
05-25-2008 02:43 PM
Wow, you have been horribly misinformed. The BlackBerry devices are capable of encryption and are even secure enough for the major governments of the world.
Regarding employees that are using Desktop Manager to sync with personally owned devices. If they don't have an account on the BES server they can't sync their email, just PIM information. It is possible that they set up a forwarding rule to send all messages to a BIS enabled account. You should probably set a company wide policy that personally owned devices are not allowed. Force all BlackBerry devices to connect to the BES server where you can force security settings to protect company information.
05-26-2008 12:00 PM
I agree with d_fisher - this needs to be a company policy. We only allow personal BlackBerrys if the person is willing to accept the corporate policies being pushed to their devices. Note: If you go this route, you will also need to create a policy that allows wipes to remove policies to be used when they leave the company, otherwise the restrictions will stay in place even if the device is wiped.
As to the security and encryption, yes, the BlackBerrys use encryption, but only between the BES server (or the BIS server for public accounts) and the device. If your employees are forwarding messages from their corporate account to their BlackBerry BIS accounts, that transfer is not encrypted and could potentially be open to hacking. Our corporate policy prohibits company email from being forwarded to 3rd party services outside our control.
BTW, not only does the transfer of email happen encrypted, you can also choose to encrypt the storage of the device as well, although there is a slight performance hit. To activate this, select Options\Security Options\General Settings and enable Content Protection.
05-26-2008 02:42 PM
The BES environment offers triple DES encryption:
Triple DES is simply another mode of DES operation. It takes three 64-bit keys, for an overall key length of 192 bits. In Private Encryptor, you simply type in the entire 192-bit (24-character) key rather than entering each of the three keys individually. The Triple DES DLL then breaks the user-provided key into three subkeys, padding the keys if necessary so they are each 64 bits long. The procedure for encryption is exactly the same as regular DES, but it is repeated three times. Hence the name Triple DES. The data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key.
The BIS environment does NOT offer encryption for e-mail, internet, or PIN to PIN messaging. So be very careful with that.
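The key handling described in the last post, as an added example that is not part of the original thread and is not BlackBerry or Private Encryptor code: it splits a 24-byte key into three 64-bit subkeys and reports when the encrypt-decrypt-encrypt sequence collapses to a single DES pass. The zero-byte padding and all function names are assumptions, and the sample keys are constructed.

```python
DES_KEY_BYTES = 8                     # one 64-bit DES key
TDES_KEY_BYTES = 3 * DES_KEY_BYTES    # 192-bit (24-character) Triple DES key


def split_3des_key(key: bytes) -> tuple:
    """Split a user-provided key into three 64-bit subkeys.

    Assumption: short keys are right-padded with zero bytes. The thread only
    says subkeys are padded "if necessary", not how.
    """
    if len(key) > TDES_KEY_BYTES:
        raise ValueError("Triple DES key is at most 24 bytes (192 bits)")
    padded = key.ljust(TDES_KEY_BYTES, b"\x00")
    return padded[0:8], padded[8:16], padded[16:24]


def strip_parity(subkey: bytes) -> bytes:
    """DES uses 56 of the 64 key bits; the low bit of each byte is parity."""
    return bytes(b & 0xFE for b in subkey)


def classify_3des_key(key: bytes) -> dict:
    """Report which keying option a key gives under E(k3, D(k2, E(k1, m)))."""
    k1, k2, k3 = (strip_parity(k) for k in split_3des_key(key))
    if k1 == k2 or k2 == k3:
        # Matching neighbours cancel (decrypt undoes encrypt): one DES pass remains.
        option, bits = "single DES", 56
    elif k1 == k3:
        option, bits = "two-key 3DES", 112
    else:
        option, bits = "three-key 3DES", 168
    # key_bits is an upper bound on independent key material;
    # predictable padding bytes lower it further.
    return {"option": option, "key_bits": bits,
            "padded_bytes": max(0, TDES_KEY_BYTES - len(key))}


if __name__ == "__main__":
    samples = {                                       # constructed sample keys
        "independent": b"0123456789abcdefFEDCBA98",
        "k1 == k3": b"0123456789abcdef01234567",
        "parity twin": b"0123456710325476FEDCBA98",  # k2 differs from k1 only in parity bits
        "short key": b"secret",                       # padded to 24 bytes
    }
    for name, key in samples.items():
        print(f"{name:12} {classify_3des_key(key)}")
```

The "parity twin" and "short key" cases look like 24 bytes of key on screen but leave only one effective DES key, which is why key-entry tools should reject them rather than pad silently.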