Call for smartphone vendors to simplify security

Wednesday, 28 July, 2010

At a recent roundtable in Sydney, Scott Totzke, Security VP for Research In Motion (RIM), discussed the need for smartphone vendors to simplify security to improve usability for end users; the need to build security in from the start of the production cycle to maximise the efficiency of mobile devices; and how trust is essential for the future development of mobility. The following are some of the highlights:

The call to simplify security

"The real struggle that … (the) security industry faces is how do you come up with a focus on security that is simpler than what we have today? … A lot of the research and focus that my team has right now is on how do we improve the usability of security so we can make it easier for the end user to make a very complicated decision in really a split second rather than getting kind of the more Pavlovian response that people are accustomed to today where they get a prompt that says, 'Do you want to do this?' and they say, 'Okay', and you just get conditioned to click okay all the time."

Building in security from the beginning

"We (RIM) look at security in a very holistic manner. When you're dealing with this, a (true) mobile ecosystem … you have to build security in from the forefront.

"(Think of) … the desktop space as a … lush tropical rainforest. It's full of resources, more power, more CPU, anything that you need to manage security … The mobile context is completely different. You've only got so many resources. You only have so much CPU, so much battery life, so much computing power, so much network capacity. It's really an exercise in managing scarcity.

"If you spend all the time managing security by adding on products, antivirus, intrusion protection or any kind of software to manage your configuration, you end up with a device where security is the thirsty elephant around the watering hole. Your mobile solution is spending all of its time managing security and not giving the user the ability to be productive and leverage your investment in mobility. So we really think that the approach has to be built in from every step of the process in order to be effective."

"I think that RIM takes the issue of … efficiency more seriously than anyone else in the wireless industry. Next … to security … the efficiency aspect has been one of the hallmarks of the company for its BlackBerry smartphone.

"… because we … don't have to set up a network connection every time you want to send and receive a packet, it's really easy on a congested network to still get your email through on a BlackBerry or still get a PIM or BlackBerry message through."

The need for a foundation of trust

"(I believe that) we have to make sure our platforms meet certain security standards if we're going to be able to trust them … as the industry evolves. If I don't have a foundation of trust (in my platform), if I've built my castle in the sand then … I don't think you can build a (true mobile) ecosystem around that.

"The important question for the customer is this: Is your information protected when it's outside your control?

"We’ve gone through independent … testing and certification to prove to our customers that their data is protected every step of the way once it's outside their network. We aggregate 500 different carriers in 170 different countries through a single connection that's authenticated for our users. So as an IT administrator you have a connection mutually authenticated to the BlackBerry service that says I am connecting to RIM to enable the delivery of email and data to mobile devices.

"If I'm an IT administrator and I've got 10,000 devices, I only have one outbound connection to manage, you know, 10,000 devices maybe with 100 different carriers in 50 different countries versus those all creating inbound connections into my network. So it kind of simplifies the security management at least from a connection standpoint from an IP perspective.

"We also look at transparency through validation. We spend a lot of time working with different independent bodies to certify the security of the product. As a customer you can go look at the FIPS (Fully Interactive Partition Splitter) program run by National Institute of Standards and Technology or the Common Criteria program or other independent body that certifies the product to say, yes, it does meet certain international security standards … We also have the outer box control which (means) when you buy a BlackBerry you get the malware control, you get the management, you get the audit controls, (you get) everything you need to make sure you've got a compliant solution right out of the box."

BES - RIM’s secret weapon

"(I believe) that … the biggest differentiator for the RIM (solution) is the amount of manageability you get out of the box. (The BES platform offers) more than 500 IT policies, which gives our customers the ability to control every aspect of the platform. That flexibility is really important because there's no one size fits all when it comes to security. We have small business customers, we've got individual customers, we've got large government customers.

"The BlackBerry approach has been around containment; give the administrator the controls to say what is allowed and not allowed. Create a white list of approved applications, a white list of approved APIs. The containment problem is actually somewhat easier than the detective problem because you're going from a base of what is allowed rather than trying to just allow everything and detect what's bad."

All content Copyright © 2024 Westwick-Farrow Pty Ltd