INDUSTRY INTERVIEW: Research In Motion (RIM)


Scott Totzke
Director, Global Security Group
Research In Motion (RIM)

Scott Totzke and his team manage RIM’s relationships with government agencies around the world and focus on independent security validations and product security. The Global Security Group is responsible for ensuring that RIM continues to provide products and services that meet the strict security requirements demanded by government and other security conscious organizations.

Q: BlackBerry is widely deployed among users at the Department of Defense and other government agencies. What has been the biggest reason for your success within this customer base?

A: BlackBerry has been generally successful because it provides a simple, easy to use, end-to-end solution with a strong security model. Security has always been one of the pillars of the BlackBerry Enterprise Solution, and it’s something that we decided from the very beginning would have to be an integral part of the architecture. A BlackBerry device, or any mobile device for that matter, operates on a bit of an island in what is potentially a very hostile environment. Since most of our customers consider wireless access to information as mission critical, including those in the DoD, we needed to make sure that we built mechanisms into the BlackBerry solution to protect the operating environment and ensure that communications between the device and the BlackBerry Enterprise Server are secure and authenticated connections; it’s a critical requirement, and something the administrator doesn’t have to worry about.

Q: When you talk about security, what are the areas that you focus on, and what do you see as the big concerns for government and DoD users?

A: There are four key areas that we focus on for BlackBerry security:

1. Data Confidentiality: First and foremost, the BlackBerry solution is designed to ensure the confidentiality of your data. Protecting e-mail or application data transmitted wirelessly between the enterprise and a BlackBerry device is different than protecting data transmitted over a wired connection between a laptop and the enterprise. The level of encryption must be very strong, so BlackBerry provides AES-256 encryption for data that is transmitted wirelessly. It is also becoming essential to protect any data stored on the handheld, so BlackBerry also provides AES-256 encryption for data stored on the handheld. The encryption is provided as an out-of-the-box feature. For an administrator, it means that they don’t have to search for a third-party encryption mechanism and have to worry about how that integrates with wireless devices.

2. IT Policy: Providing robust configuration management tools to the IT group is another key requirement. Administrators need to manage everything from what applications are allowed to run on a device, to what permissions that application has, to password management, to local database encryption. Managing all the various policies on a granular level must be seamless, easy to implement and something that the end user cannot circumvent. It is critical that our customers have the tools needed to address their corporate governance and meet compliance requirements. The BlackBerry Enterprise Server is very strong on managing and applying IT policies.

3. Standards-Based: Supporting Internet standards is another area that we feel is critical. We aren’t inventing new standards or asking customers to change the way they operate; we support industry standards such as S/MIME, AES, PGP, TLS, SSL and PKI. Some customers, including DoD, have compliance issues requiring the use of S/MIME and smart cards to address the confidentiality of the information that they send via e-mail; we need to have these solutions available to the BlackBerry user so that there is no trade-off made between mobility and security.

4. Independently Verified: The last area is providing independent assurances to our customers. We really take a hard look at the “trust but verify” approach. As a result, we work with a number of security organizations around the world to obtain external validations of our products or particular components within the solution. For example, BlackBerry was the first mobile device to obtain a FIPS-140 validation for its embedded encryption technology, and we remain an active participant in that program with multiple validations covering both our handheld and server encryption modules.

Q: The push is on to deploy PKI security technology on all of DoD’s desktops, servers, laptops and mobile devices. How has RIM responded to this need?

A: Efficiently mobilizing the PKI environment to meet the needs of users on the go is perhaps one of the greatest challenges for wireless vendors. You need to support standards developed for desktop environments such as the Common Access Card, S/MIME, OCSP, LDAP and CRLs in a user-friendly manner, while operating within a highly constrained environment. Ensuring that DoD customers can work with BlackBerry and still maintain the PKI paradigm that exists at the desktop is something that we have invested in heavily over the last six years.

To further illustrate this, we developed the BlackBerry Smart Card Reader, which builds on the security, flexibility and mobility already inherent in the trusted BlackBerry solution. The BlackBerry Smart Card Reader gives mobile personnel the ability to meet operational requirements for two-factor authentication and the signing and encrypting of e-mail messages, without compromising the form factor of the device or its ease of use.
