Security considerations remain the single biggest limitation to the more aggressive roll-out of mobile devices in many organisations. It is crucial that companies base device selection on the platform's inherent security capabilities, in particular the security embedded within the device Operating System (OS).

Deployment of mobile or wireless access within organisations is growing at an accelerating rate. This has been achieved through a number of factors, including attractive pricing and faster, less costly and more reliable wireless networks, both in the UK and globally, which are continually being deployed over wider areas. Add to this the now abundant range of business functions and applications and it is easy to understand the take-up.

However, for the more alert organisation there is uncertainty, or an inherent fear, of data loss and leakage, specifically in those sectors with regulatory compliance or enhanced security requirements (e.g., financial, insurance, investment, legal and public sector). Such organisations cannot afford to deploy anything that could compromise the security of their data or records, or prevent them from meeting regulatory compliance. Mobile devices are easily misplaced or stolen; this represents a risk that, while real, can be managed with proper planning and foresight. The first and most important decision a company can make in ensuring a safer mobile working environment for both end user and business is to select a device that exhibits high levels of inherent security. As in life, not all devices were created equal, so it is imperative that companies evaluate devices on their intrinsic platform security capability, particularly the security embedded within the device Operating System (OS).

There are a number of important components that make an OS secure and safe for business use. This article will explore the key components necessary in selecting, deploying and managing a mobile operating system (OS) so that enterprise use of the device will not compromise the integrity of the company's security efforts and put it at risk of costly legal or governmental action. The article will compare these attributes on three operating systems: BlackBerry OS from Research In Motion (RIM), the iPhone OS from Apple and the Windows Mobile OS from Microsoft.

Authentication: users should not be able to work on any device without adequate levels of authentication to prove that they are the owner of the device. Passwords and two-factor authentication are being deployed currently, with biometrics being added in the near future. Any device that cannot force user authentication through enforced IT policies should not be considered a security-ready, business-class device. BlackBerry OS allows the company IT department, through the use of the BlackBerry Enterprise Server (BES), to set a robust policy making it mandatory that the user logs into the device with a strong password; furthermore, BlackBerry allows token-based two-factor authentication and secure peripheral devices (e.g., a card reader) to be added. The user does not have the ability to change or bypass this policy once it has been set by the IT department. The policy is also extremely granular (e.g. by user, group or entire company), which ensures that different users can have unique policies specifically addressing their needs or indeed their job role. The iPhone provides a log-in password that allows locking of the device, and the characteristics of the password can be set by the IT department by deploying a policy to the device. However, it is possible for the user to override this IT policy if they choose, which rather defeats the object. Certain policies can be enforced if ActiveSync is used for Exchange connectivity.

All iPhones require connection to a PC running iTunes for initial activation on the network, and when connected to iTunes the iPhone creates a complete backup of the device on that PC. The data on the device could therefore be accessible from the PC, which poses a potential security threat. It is also worth noting that many of the enforced policies require that the company is running Exchange 2003 or 2007 with ActiveSync. Windows Mobile, via ActiveSync and Exchange, can also enforce password locking in a strong manner, and once set, users are not able to bypass it. However, full policy setting requires the use of Microsoft System Center Mobile Device Manager (MSCMDM), a product that must be purchased separately and is not integrated into other Microsoft products.

Reliability: any enterprise-class mobile OS should display the reliability end users expect from a robust business device. This means that the device should never simply decide not to work, or require unexpected re-boots. In a business-specification device any irregularity with the OS (e.g. crashes or freezing) causes more than just inconvenience: it causes lost work, lower productivity and raised support costs, not to mention end-user frustration, something that is often overlooked. Any device or OS being considered within an organisation needs to be examined for its ability to withstand the organisation's working model.

BlackBerry consistently delivers a high level of stability and an almost complete absence of freezing or crashing; as a result, few users report problems with lost work and devices rarely require a re-boot, the upshot being a very limited support cost. Similarly, the iPhone's OS has had very few unexpected interruptions and works well for most users. Windows Mobile, much like its PC OS counterpart, is well known for OS crashes; whilst newer versions are improving on this reputation, users still report annoying application crashes and frequent loss of data, with most crashes requiring a device re-boot.

Tamper resistance: it is critical to know immediately if a device's OS has been hacked or whether attempts have been made to alter the base-level OS. Although malware is not yet prevalent on smartphones, it will be, and many hackers view this as an attractive new sector to attack. The more resistant the OS, the less likely malware can infect the platform; this reduces the risk to the device and the spread of infection within the business. Operating systems that allow applications deep into the core of the OS represent a higher risk than ones that run applications at a higher level. BlackBerry is extremely difficult to hack: the OS must boot in a known state with a known signature before the device will initiate, meaning the OS itself is checked before each boot. All third-party applications run in a Java virtual machine, meaning that hacking into the base OS of the device is extremely difficult, if not impossible. The iPhone is difficult to access on the device; however, there have been a number of successful attacks against the Safari browser that compromised the device. Applications run in administrator mode, meaning that should the device be compromised by an infection, the malware has almost unlimited access to the whole OS.

There have been recent examples of malware emerging for Macs, and as the iPhone OS shares a similar core code base with Apple Mac OS X, it is expected that attacks on the iPhone OS will increase. It is fair to say that this OS has some maturing to do before it can be classed as robust and secure; organisations should also be cautious, as the popularity of the device will undoubtedly increase its attractiveness as a target. Windows Mobile has always displayed a hacking friendliness in the past, as many of its core functions are exposed, and there are currently a number of third-party applications for anti-virus and malware protection. With increasing malware attacks in the PC world, it is likely that the volume and frequency of attacks on Windows Mobile will also increase.

Security vs. usability: pretty much any OS can be totally locked down, preventing any interaction with the OS. However, whilst it is key to maintain security levels, it must be done in an environment that enables maximum usability. Companies considering highly secure devices should test-drive the security in conjunction with the usability of the system, and check whether the end users find the OS easy to use, navigate and customise for personal preference. It is fair to say that one size does not fit all and the level of security must be balanced against user needs; however, the final choice should always be weighted towards security rather than usability should a trade-off be required.

BlackBerry provides an extensive number of policies, all controlled from the BES, and these can be deployed over the air (OTA). The BES is the central control point for all features and policies and no user can override them, ensuring full IT control. This mode of security is transparent to the end user, as it is fully integrated within the OS and requires no knowledge or intervention on the part of the user; and, as with the authentication component, it is all very granular, meaning different levels can be applied depending on employee and/or job function. Whilst the iPhone does have some capability for device management and policy setting, the number and type of policies are very limited.

The profiles have to be delivered to the iPhone either via users surfing to a secure web page or by installing the profile delivered in an email message; this user intervention places a burden on the user and carries an obvious risk of non-compliance. Also, the iPhone allows users to reconfigure any device through menu screens, thus overriding IT settings, which is a very insecure way of configuring a device. Windows Mobile devices can be managed through the deployment of MSCMDM, which provides many of the management functions available within Exchange, for example device encryption, device wipe, etc. As MSCMDM is not integrated into standard system management tools and may require several standalone servers, there is an additional cost, support burden and impact to the solution.

Meeting security validations: many industries require that a device be validated and approved by governmental agencies to ensure it meets security testing and specification before deployment. Whilst many devices 'claim' to be compatible with certain security standards, it is absolutely crucial that they have been approved and validated and are not just simply compatible; this applies not just to current standards but to the constantly evolving requirements placed on security by industry and government agencies. The key starting point is the OS: no device can meet these strict security guidelines unless the OS is capable of achieving the stringent approval process. The clear leader in this section is BlackBerry, having applied for and attained a wealth of certificates and validations for its devices and operating system, including FIPS 140-2, NATO Restricted classification, UK CAPS Restricted classification and Common Criteria EAL 2+ certification. In addition, BlackBerry provides the functionality to select the most common encryption algorithms (e.g. AES, 3DES) to protect data on the device, and provides complete remote device wipe. Apple has not declared any intention to seek regulatory certification or validation of the iPhone; furthermore, key features such as remote device wipe require an ActiveSync and Exchange 2003/2007 deployment at the company, and Apple also recommends having the device plugged into a mains charger when wiping. No on-board data encryption is available for the iPhone; therefore it is fair to say that, with these handicaps, the likelihood of the iPhone achieving any of the security validation requirements in the near future is extremely slim. Windows Mobile 6 devices provide encryption for common standards such as 3DES and AES and also provide a remote device wipe through ActiveSync when used with MSCMDM and Exchange. Whilst Microsoft is pursuing FIPS validation for its devices, it is yet to be broadly recognised by other validation bodies.

In summary, it is fair to say that wireless mobile devices pose a security challenge for organisations with a highly mobile workforce, but this risk can be carefully managed by selecting an enterprise-class platform with an OS that includes the key features to secure the device and its data. Based on the comparison detailed above, I summarise that the most secure platform for business use is the BlackBerry platform. Windows Mobile continues to improve and has implemented some significant enhancements in its recent version, but it is still not of the calibre of BlackBerry; it may, however, be a viable option for companies able or willing to work with third-party add-ons to avoid its shortcomings. The iPhone has serious difficulties when it comes to business-class security, and at this stage in its evolution I would not recommend the iPhone for any organisation concerned about protecting the security and integrity of its mobile data, and especially not for any organisation that must adhere to strict industry regulation.

Companies should remain alert and ensure they balance user wants and needs for a device against the necessary requirements to protect company confidential information, through the deployment of platforms designed for security and their corresponding technologies behind the firewall. Failure to do so may produce serious problems, resulting in fines, regulatory non-compliance, legal challenges and ultimately a loss in revenue.
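The authentication section above makes two requirements of a business-class device: the password policy is set centrally and the user cannot weaken it, and the policy is granular by company, group and user. The following Python is an added illustration of that policy model, not code from the article or from any of the vendors it compares. The field names (minimum length, digit and symbol requirements, failed-attempt limit), the "lower layers may only tighten" rule and all sample values are this example's own assumptions.

```python
"""Layered device-password policy with central enforcement.

Added example (not from the article or any vendor). IT sets a company
baseline, tightens it per group and per user, and the device accepts a
policy change only if nothing in it is weaker than what IT pushed.
All field names and sample values are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int            # stricter = larger
    require_digit: bool        # stricter = True
    require_symbol: bool       # stricter = True
    max_failed_attempts: int   # stricter = smaller (fewer tries before lock)


def tighten(base: Policy, override: Policy) -> Policy:
    """Merge two layers so the result is never weaker than `base` in any field."""
    return Policy(
        min_length=max(base.min_length, override.min_length),
        require_digit=base.require_digit or override.require_digit,
        require_symbol=base.require_symbol or override.require_symbol,
        max_failed_attempts=min(base.max_failed_attempts,
                                override.max_failed_attempts),
    )


def effective_policy(company: Policy, group: Policy = None,
                     user: Policy = None) -> Policy:
    """Resolve company -> group -> user; each layer can only add strictness."""
    policy = company
    for layer in (group, user):
        if layer is not None:
            policy = tighten(policy, layer)
    return policy


def password_violations(password: str, policy: Policy) -> list:
    """Return the list of rules a candidate password breaks (empty = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not re.search(r"\d", password):
        problems.append("no digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


class ManagedDevice:
    """A device that holds an IT-pushed policy and refuses to relax it."""

    def __init__(self, pushed_policy: Policy):
        self.policy = pushed_policy
        self.password = None
        self.failed = 0
        self.locked = False

    def request_policy_change(self, requested: Policy) -> bool:
        # Accept only if the request is at least as strict in every field;
        # a request that relaxes anything comes back altered by tighten().
        merged = tighten(self.policy, requested)
        if merged != requested:
            return False
        self.policy = merged
        return True

    def set_password(self, candidate: str) -> bool:
        if password_violations(candidate, self.policy):
            return False
        self.password = candidate
        return True

    def unlock(self, attempt: str) -> bool:
        if self.locked or self.password is None:
            return False
        if attempt == self.password:
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.policy.max_failed_attempts:
            self.locked = True   # device is now unusable until IT intervenes
        return False


# Constructed sample policies: company baseline, a stricter finance group,
# and a user-side attempt to relax the rules.
COMPANY = Policy(min_length=6, require_digit=True, require_symbol=False,
                 max_failed_attempts=10)
FINANCE = Policy(min_length=8, require_digit=True, require_symbol=True,
                 max_failed_attempts=5)
USER_WANTS_WEAKER = Policy(min_length=4, require_digit=False,
                           require_symbol=False, max_failed_attempts=10)


def demo() -> dict:
    """Run the scenario and return the observable outcomes."""
    device = ManagedDevice(effective_policy(COMPANY, FINANCE))
    return {
        "effective_min_length": device.policy.min_length,
        "weaken_accepted": device.request_policy_change(USER_WANTS_WEAKER),
        "weak_pw_accepted": device.set_password("abc123"),
        "strong_pw_accepted": device.set_password("Ledger-2024!"),
    }
```

The key line is the comparison in `request_policy_change`: because `tighten` always keeps the stricter value from the pushed policy, any request that tries to relax a field comes back different from what was asked for and is rejected as a whole, which is the behaviour the article credits to the BES-managed BlackBerry and finds missing on the iPhone.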
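The tamper-resistance section above describes an OS that "must boot in a known state with a known signature before the device will initiate", i.e. the OS image is checked before each boot. The Python below is an added example of that idea and is not code from the article or from any vendor. A real device verifies a vendor public-key signature over the trusted manifest; because the standard library has no asymmetric signing, this example stands in an HMAC with a device-held key, which is an assumption of the example. All image contents, names and keys are constructed.

```python
"""Boot-time integrity check of OS images against an authenticated manifest.

Added example (not from the article or any vendor). A minimal trusted
loader first authenticates the manifest of expected digests, then refuses
to boot if any image is altered, unlisted or missing. The HMAC stands in
for a vendor signature; every key, name and image below is constructed.
"""
import hashlib
import hmac
import json

# Assumption: the loader holds a key that only the vendor can sign with.
DEVICE_KEY = b"constructed-device-verification-key"


def build_manifest(images: dict) -> dict:
    """Map each image name to its SHA-256 digest (done at the 'factory')."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in images.items()}


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Authenticate the manifest; canonical JSON so the MAC is reproducible."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def verify_boot(images: dict, manifest: dict, manifest_sig: bytes,
                key: bytes) -> tuple:
    """Return (ok, reason). The loader continues to the OS only when ok is True."""
    # 1. The manifest itself must be authentic, or its digests prove nothing.
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_sig):
        return False, "manifest signature invalid"
    # 2. Every image present must be listed and match its recorded digest.
    for name, data in images.items():
        expected = manifest.get(name)
        if expected is None:
            return False, f"{name}: not in manifest"
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, f"{name}: digest mismatch"
    # 3. Nothing listed may have been removed (e.g. a security component).
    missing = sorted(set(manifest) - set(images))
    if missing:
        return False, f"missing images: {missing}"
    return True, "ok"


# Constructed known-good images, signed once and stored in protected storage.
KNOWN_GOOD = {
    "kernel": b"constructed kernel image v1",
    "radio": b"constructed radio firmware v1",
    "policy-agent": b"constructed IT policy enforcement component",
}
MANIFEST = build_manifest(KNOWN_GOOD)
MANIFEST_SIG = sign_manifest(MANIFEST, DEVICE_KEY)


def boot_with(images: dict, manifest: dict = MANIFEST,
              manifest_sig: bytes = MANIFEST_SIG) -> tuple:
    """Convenience wrapper: attempt to boot the given image set."""
    return verify_boot(images, manifest, manifest_sig, DEVICE_KEY)


def tampered_scenarios() -> dict:
    """Exercise the loader against several constructed alterations."""
    altered_kernel = dict(KNOWN_GOOD, kernel=b"constructed kernel image v1 + patch")
    extra_image = dict(KNOWN_GOOD, **{"unlisted.bin": b"constructed unknown code"})
    agent_removed = {k: v for k, v in KNOWN_GOOD.items() if k != "policy-agent"}
    # Attacker rewrites the manifest to match the altered kernel but cannot
    # produce a valid signature without DEVICE_KEY.
    forged_manifest = build_manifest(altered_kernel)
    return {
        "pristine": boot_with(KNOWN_GOOD),
        "altered_kernel": boot_with(altered_kernel),
        "extra_image": boot_with(extra_image),
        "agent_removed": boot_with(agent_removed),
        "forged_manifest": boot_with(altered_kernel, forged_manifest, MANIFEST_SIG),
    }
```

The ordering of the checks matters: the manifest is authenticated before any digest is trusted, every present image must be accounted for so that unlisted code cannot ride along, and a listed image that is simply absent also fails, because removing a security component is as much a tamper as modifying one.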