BROCHURE

THERE'S GOOD SECURITY AND THEN THERE'S NATIONAL SECURITY

BlackBerry 10 and BES10
The perfect balance of protection and productivity
Contents

- BlackBerry 10 & BES10
- Corporate Networks Under Attack
- BlackBerry Security
- Protecting Data in Motion
- BES10 Security Philosophy
- BES10 Certification & Encryption
- BES10 Layers of Protection
- Tech Talk 1 & 2
- Protecting Work Data on Personal-Use-Enabled Devices
- BlackBerry Balance
- Tech Talk 3
- Enforcing Strong Access Controls
- BlackBerry 10 Device OS Security Features
- BES10's Gold level Controls and Settings
- Managing Devices
- BlackBerry Mobile Device Management in Action
- End-to-end Security
BlackBerry 10 & BES10

End-to-end mobile data security without compromising business productivity or user satisfaction

Keeping corporate data secure is a top priority for any organization. After all, a data breach can cause significant financial losses, expose executives to legal actions, damage your company's reputation and weaken or eliminate competitive business advantage.

As more employees access your corporate network through mobile devices to communicate, collaborate and share data, your infrastructure becomes increasingly vulnerable to outside attacks and harder to secure and protect. The mixing of personal and work accounts, apps and data, as well as the proliferation of employee-owned devices, increases the chance of major data leaks.

Rivaling the importance of information security, however, is business-user productivity and satisfaction. A mobilized workforce is only effective if the end-user experience is uncompromised and critical applications and productivity tools operate as efficiently from a mobile device as they do from a PC attached directly to the corporate network. An effective mobile security solution is one that imposes no limitations on end-user productivity. The BlackBerry end-to-end enterprise security solution secures data from would-be attacks and loss without requiring you to compromise productivity or user satisfaction.

IT managers must now consider a highly complex corporate network infrastructure, accessible to a growing number and diversity of devices and applications, when devising a plan to protect corporate information and maintain worker productivity.
The entryways for potential attacks, data loss and productivity compromises include:

- Employees maintaining a mix of corporate and third-party applications on the same device and exchanging information between the two domains
- The installation of threat-vulnerable containerization on mobile devices
- Employees visiting sites where they encounter malware or malicious threats
- The use of employee-owned devices to access enterprise resources and information

IT managers need a solution that helps them:

- Deliver transparent security for an optimal user experience
- Provide integrated containerization that enables simple enterprise application development and deployment
- Reduce employee misuse of devices
- Keep personal and work information separate
- Ensure that network data, both in transit and at rest, are kept secure

BlackBerry delivers a security solution that satisfies the needs of both enterprises and government agencies. The solution provides the confidentiality, integrity and authenticity to help protect your organization from data loss and theft while delivering a seamless, simple and uncompromised end-user experience.
Corporate Networks Under Attack*

- 71% of breaches targeted user devices
- 54% of breaches compromised servers
- 78% of intrusions rated as low difficulty
- 66% of breaches go undetected for six months or longer

*Verizon 2013 Data Breach Investigations Report
BlackBerry Security

A fully integrated end-to-end enterprise mobility security solution

An unavoidable consequence of the explosive expansion of mobile devices within businesses and organizations of all sizes is a proportional elevation in vulnerability to security breaches and data leakage. To protect your information from increased exposure to attacks or data loss through accidental or malicious means, IT administrators require a comprehensive security solution, but one that does not sacrifice business productivity or end-user satisfaction.

BlackBerry end-to-end security is purpose built to deliver optimal protection for work-related content, both on devices and in transit. BlackBerry security delivers fast, integrated device, application and content management and fully encrypted behind-the-firewall access to corporate data without the need for 3rd-party VPNs or add-on security. The BlackBerry network, combined with its infrastructure authentication, device management capabilities and hardened BlackBerry 10 operating system, is the ultimate end-to-end mobile security solution.

All G7 governments and 16 of the G20 governments rely on BlackBerry security¹

BlackBerry security focuses on four critical areas:

- Protecting data in motion
- Protecting work data on personal-use-enabled devices
- Enforcing strong access controls
- Managing devices

These four functions protect your data from breaches, losses or alteration as it transits the end-to-end path from your enterprise, BES10 server, the BlackBerry network and, ultimately, your employees' BlackBerry devices.
The ultimate standard for end-to-end mobile security

- Only MDM provider to obtain ATO on U.S. Defense networks
- Security certificates: more than any other mobile vendor³
- PB per month on average: moves more secure mobile data through its infrastructure than any other EMM vendor³
- AES 256
- FIPS
- Dedicated Security Team
Protecting Data in Motion

A key element of the BlackBerry solution for in-transit data security in BES10

Because many of your employees work outside the office, it's critical that you have strong security measures in place both on employees' devices and across internal network infrastructure to protect data in transit. A key element of the BlackBerry solution for in-transit data security is the BlackBerry Enterprise Service 10, BlackBerry's device and application management platform. BES10 offers built-in data encryption to help both enterprises and government agencies protect sensitive information and minimize data loss or alteration.

BES10 Overview

BlackBerry has long been the ultimate in mobile security. An integral component of the BlackBerry solution is BES10, which secures in-transit data using transport layer security over the BlackBerry infrastructure. BES10 encrypts data using AES 256-bit encryption prior to transmission, while message keys are encrypted by the device transport key. BES10 also protects and manages devices and applications within the end-to-end BlackBerry security solution.
[Figure: Secure Enterprise Connectivity. Connection paths between BlackBerry 10 devices (Work and Personal, with the "Enable Work Network For Personal Use" setting), Wi-Fi or 3G/4G, the BlackBerry Infrastructure, firewalls and VPN gateways, BlackBerry Enterprise Service 10 (BlackBerry Dispatcher, BlackBerry Mobile Data and Connection Service, Enterprise Management Web Service) and the content servers, Web servers and Microsoft ActiveSync on the private network.]

Figure legend:

- VPN: IPSec or SSL
- TLS: BlackBerry infrastructure authenticated with self certification
- AES 256: Encrypted with device transport key generated during activation
- SSL (Optional): Authenticated with server specific certificate
- SSL: Authenticated with client/server certificates generated during activation
- Wi-Fi: IEEE i with x (EAP-FAST, EAP-TLS, EAP-TTLS, PEAP and LEAP)
BES10 Security Philosophy

Confidentiality, Integrity, Authenticity

The security features found in BES10 are built upon a foundation of confidentiality, integrity and authenticity.

- Confidentiality: BES10's encryption capabilities ensure that only intended recipients can view corporate data.
- Integrity: All email sent over a secure network is strongly encrypted to keep third parties from decrypting or altering the message.
- Authenticity: BES10 provides two-way authentication upon pairing with the device, helping reduce the possibility of counterfeit devices accessing your infrastructure.
BlackBerry 10/BES10 FIPS Certification

Businesses and government agencies alike need to feel confident that their highly sensitive data, whether it's in storage or in transit, stays secure from would-be attackers. The U.S. government created and implemented the FIPS computer security standard and uses it to accredit file encryption modules. Both the BlackBerry 10 OS and BES10 software are FIPS certified, which means that your organization's data is strongly encrypted and the corresponding encryption keys are rigorously protected. BlackBerry 10 devices, controlled by BES10, are the only mobile devices to be given Authority to Operate (ATO) on Department of Defense networks.

S/MIME Messaging Encryption

BES10 gives you the option of using digital certificates to sign and encrypt email and file attachments using industry standard S/MIME encryption. When IT personnel activate a mobile device on BES10, the device can be configured to sign and encrypt messages using S/MIME whenever the employee sends emails via his or her work account. S/MIME encryption keeps messages secure by using recipients' public keys to encrypt the message and their private keys to decrypt it. Often overlooked as a security agent, S/MIME is a cost-effective productivity tool for enabling highly secure communications with business partners and contractors outside of your organization.

Encryption Options

BES10 uses a technique called tunneling to protect data in transit over a secure network. Tunneling incorporates multiple layers of encryption between devices, BES10 and the wireless resource for additional data protection. For example, when employees access the corporate Wi-Fi network, data transmissions between their device and BES10 are secured first by AES encryption and then by Wi-Fi encryption.

- Wi-Fi Encryption (IEEE ): Encrypts data transmitted between mobile devices and wireless access points set up to use Wi-Fi encryption.
- VPN Encryption: Encrypts data transmitted between mobile devices and VPN servers.
- AES Encryption: Encrypts data transmitted between mobile devices, the BlackBerry infrastructure and BES10.
- SSL/TLS Encryption: Encrypts data transmitted between mobile devices and content servers, Web servers or messaging servers that use Microsoft ActiveSync.

BES10 Layers of Protection

BES10 contains multiple layers of protection, so data stays secure both in transit and on devices.

- In-transit Data Protection: BES10 protects data transmissions using transport layer security.
- Work Data Device Protection: Work file systems and applications are kept separate from personal data and encrypted.
- Personal Data Device Protection: IT managers can create policy rules to encrypt data within the personal file system.
- Device Access Control: Work Wi-Fi and VPN profiles may be delivered remotely via BES10 to enable corporate network access.
- Device Behavior Control: IT managers can remotely lock mobile devices, enforce policies and wipe work/personal data from devices.
- Device User Information Protection: Users can delete all their information and application data from device memory.
- BlackBerry 10 OS Protection: BlackBerry 10 devices conduct integrity tests to detect kernel damage and restart processes that stop responding.
- Application Data Protection Via Sandboxing: Sandboxing separates and restricts the capabilities and permissions of applications running on the device.
- Resource Protection: Adaptive partitioning is used to allocate unused resources during typical operating conditions, to help ensure resources are available during peak conditions.
- Access Capabilities Permissions Management: The BlackBerry 10 OS evaluates each device capability request made by an application, then grants access accordingly.
- Boot ROM Code Verification: The device verifies that the boot ROM code is authentic, unmodified and has permission to run on the device.
Tech Talk 1
FIPS Certification Details

The FIPS certification was implemented by the National Institute of Standards and Technology to govern cryptography modules that involve both hardware and software components. The BlackBerry OS cryptographic kernel, which received FIPS certification for the BlackBerry 10 OS and BES10, generates the file encryption keys, the work domain key, the work master key and the system master key to provide a strong layer of security to protect data.

The FIPS certificate for BlackBerry 10 and BES10

BlackBerry Enterprise Service 10
- FIPS 140-2 Certificate no
- Consolidated Certificate no
- nist.gov/groups/stm/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0019.pdf

BlackBerry 10
- FIPS Certificate no
- Consolidated Certificate no
- groups/stm/cmvp/documents/140-1/140crt/FIPS140ConsolidatedCertList0007.pdf

Tech Talk 2
S/MIME Keys, Certificates and Encryption Algorithms

BlackBerry devices support keys and certificates for the following file format and file name extensions:

- PEM (.pem, .cer)
- DER (.der, .cer)
- PFX (.pfx, .p12)

A private key and certificate must be stored on the device for each recipient of an encrypted message. Keys and certificates can be stored simply by importing the files from a work message. To send encrypted messages, your employees must use their work accounts.

The following encryption algorithms can be used by BlackBerry devices to encrypt S/MIME-protected messages:

- AES (256-bit)
- AES (192-bit)
- AES (128-bit)
- Triple DES
- RC2
Protecting Work Data on Personal-Use-Enabled Devices

BlackBerry Balance and BES10 protect sensitive data

Protecting work data accessible over the corporate Intranet or stored on employees' devices is a critical part of any comprehensive mobile data security plan. The widespread use of employee-owned and personal-use-enabled devices in corporate environments, the Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) movements, creates major data security challenges. Without a heavy-duty security architecture in place, one designed for work and personal use, it is easy for employees to leak sensitive work data through personal use, such as webmail and browsing, social networking and media, and untrusted personal applications.

With BlackBerry Balance™, a feature of BES10, you can create a dual-persona environment on employees' mobile devices by establishing a separate, secure environment for work-related applications and associated sensitive data. This work environment leverages integrated, cryptographically partitioned file systems to protect sensitive work data, while delivering a compelling work-life user experience. BlackBerry Balance identifies and tags data and processes that originate from your company's Wi-Fi, VPN access or Intranet, and routes them to the employee's work profile on the device. Other personal data and activities, including third-party applications, public Web browsing and personal email, are contained within the personal profile.

BlackBerry Balance Overview and Features

BlackBerry Balance keeps employees' work and personal information separate and secure on BlackBerry 10 devices using specifically designated areas called Spaces. Within each of these Spaces, data, applications and network connections can be safely stored. Individual Spaces can be governed by their own rules for data storage, application permissions and network routing. Using separate Spaces for work and personal activities helps keep sensitive data secure by preventing employees from copying work data into personal email, or displaying information during video chats.

[Figure: BlackBerry Balance: Seamless Separation of Personal & Work Data]
BlackBerry Balance lets you control how devices separate, secure and protect company data and resources

Using BlackBerry Balance, you can:

- Control employee access to company data and applications on their devices
- Prevent company data from becoming compromised
- Provide employees a unified and consistent user experience with a core set of applications when accessing personal or work data
- Install and manage company applications on employees' devices remotely
- Remove company data and applications from employee-owned devices when needed without impacting personal configuration and data
- Control network connections for work and personal applications remotely

Built-in Password Protection

BES10 allows you to establish and enforce password policies quickly and easily to better protect data stored in employees' devices. IT policies can be set to require your employees to enter a password or use their corporate single sign-on using Active Directory services to gain access to Spaces containing work-related data. This keeps data at rest on employee devices safe and protected.

BlackBerry Balance in action

After eight years of employment at your company, a salesperson is leaving to take a leadership role at a startup business that will share the same competitive space as your company. Looking to jumpstart the customer acquisition process, the departing salesperson, who has access to the corporate customer relationship management (CRM) system, attempts to send your company's customer list and deal status to his personal account before leaving the company.

The soon-to-be former employee accesses the CRM application from his BlackBerry 10 device and tries to paste the list and deal information into his personal account. Because BlackBerry Balance prevents copy and paste functions between employees' work profiles and personal profiles, the employee is unable to move data into his personal email or copy files from his Work Space to his Personal Space. Your company's sales information stays safe.

In addition, BES10 allows you to wipe all corporate information from an employee-owned device after the employee has left the company, without impacting personal data.
Tech Talk 3
Work Space/Personal Space in Detail

BlackBerry Balance and BES10 provide a work environment that securely separates work and personal information on mobile devices. Devices classify data as work data or personal data based on the source of the data. For example, if data comes from a work-related source it is stored in the device's Work Space. Personal and Work Spaces can have different rules for data storage, application permissions, and network routing. The separate spaces help users to avoid activities such as accidentally copying work data into a personal application, or displaying confidential work data. IT administrators have the option of managing and securing data in a Personal Space.

[Figure: Work Space and Personal Space, each holding its own data and apps, on top of the base file system. The Work Space is encrypted; encryption of the Personal Space is optional.]
Enforcing Strong Access Controls

BlackBerry security gives you greater control over how and when mobile devices connect to your network infrastructure and access data

BlackBerry security delivers multiple access control features, such as device authentication, anti-counterfeiting manufacturing controls and device OS protection, that verify and maintain device integrity. These features help ensure only authorized devices used by authorized employees gain entry into your network, use network services and access data.

BlackBerry Hardware Root of Trust

BlackBerry takes specific steps to help ensure the integrity of its devices and prevent counterfeit devices from connecting to the BlackBerry infrastructure. Security is built into each major BlackBerry device component, making it more difficult for unauthorized users to remove or circumvent security on a BlackBerry device than on other mobile operating systems. Plus, all parts of the BlackBerry supply chain, from its manufacturing partners to the BlackBerry infrastructure and devices, are securely connected, which means trusted BlackBerry devices can be built around the world.

This secure manufacturing model helps prevent the impersonation of authentic BlackBerry devices and ensures that only authentic BlackBerry devices can connect to the BlackBerry infrastructure. Any device trying to connect to the BlackBerry infrastructure must complete the self-verification process before access is granted.

[Figure: BlackBerry 10 Operating System chain of verification.
- CPU Embedded Boot ROM: Boot ROM digital signature
- Boot ROM: Public EC 521 Key of OS Signature (verified)
- BlackBerry 10 OS: SHA256 hash of Base File System, signed with EC 521 (verified)
- Base File System (Read only): XML Manifest of loaded applications, cryptographically hashed (verified)
- Application 1, Application 2, Application 3, Application 4
- Software Upgrades and Application Downloads from BlackBerry World: all downloads verified with ECC signed SHA-2 hashes]

Authentication

Multiple forms of authentication take place within the BlackBerry system to minimize the possibility of data loss and outside attack. First, the BlackBerry infrastructure and BES10 authenticate with each other by sharing a Server Routing Protocol (SRP) authentication key before a connection takes place.

The second level of authentication takes place between BES10 and the activated BlackBerry 10 device. When the device is activated, it generates a key pair and sends the public key to BES10. The BES10 server then creates a client certificate and sends an enterprise management root certificate and client certificate back to the device. The device uses the enterprise management root certificate to authenticate the server certificate for the enterprise management Web service. BES10 and the BlackBerry 10 device use the client certificate to authenticate users, their Work Spaces and their devices.
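The chain of verification described on this page under BlackBerry Hardware Root of Trust (boot ROM, OS, base file system, application manifest) is modelled below to show why each stage has to check the next one. This is an added example, not BlackBerry code: the image layout, XML manifest format and function names are hypothetical, all data is constructed, and a pinned SHA-256 digest stands in for the EC 521 signature check because the Python standard library has no ECDSA.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(apps: dict) -> bytes:
    """XML manifest listing the SHA-256 of every loaded application (hypothetical format)."""
    root = ET.Element("manifest")
    for name in sorted(apps):
        ET.SubElement(root, "app", name=name, sha256=sha256_hex(apps[name]))
    return ET.tostring(root)


def build_device(apps: dict) -> dict:
    """Assemble a constructed device image in which each stage commits to the next."""
    base_fs = b"BASEFS\n" + build_manifest(apps)        # read-only base FS carries the manifest
    os_image = b"OS\n" + sha256_hex(base_fs).encode()   # OS carries the expected base FS hash
    return {
        "rom_pin": sha256_hex(os_image),  # stand-in for the boot ROM's OS signature check
        "os_image": os_image,
        "base_fs": base_fs,
        "apps": dict(apps),
    }


def verify_boot(device: dict) -> str:
    """Walk the chain top-down; return "ok" or the first stage that fails."""
    # Stage 1: boot ROM verifies the OS image.
    if not hmac.compare_digest(sha256_hex(device["os_image"]), device["rom_pin"]):
        return "os"
    # Stage 2: the verified OS checks the base file system against the hash it carries.
    expected_fs = device["os_image"].split(b"\n", 1)[1].decode()
    if not hmac.compare_digest(sha256_hex(device["base_fs"]), expected_fs):
        return "base_fs"
    # Stage 3: the verified base file system's manifest vouches for each application.
    manifest = ET.fromstring(device["base_fs"].split(b"\n", 1)[1])
    listed = {a.get("name"): a.get("sha256") for a in manifest.iter("app")}
    for name in sorted(device["apps"]):
        digest = sha256_hex(device["apps"][name])
        if not hmac.compare_digest(digest, listed.get(name) or ""):
            return "app:" + name
    return "ok"


def tamper_scenarios() -> dict:
    """Run the verifier over a clean image and four modified ones (all constructed)."""
    apps = {"crm": b"crm-app-v1", "mail": b"mail-app-v1"}
    results = {"clean": verify_boot(build_device(apps))}

    # An application binary is changed on its own.
    d = build_device(apps)
    d["apps"]["crm"] = b"crm-app-modified"
    results["app_modified"] = verify_boot(d)

    # The manifest is rewritten to match: the base FS hash no longer matches the OS.
    d["base_fs"] = b"BASEFS\n" + build_manifest(d["apps"])
    results["manifest_rewritten"] = verify_boot(d)

    # The OS image is rewritten as well: the root of trust rejects it.
    d["os_image"] = b"OS\n" + sha256_hex(d["base_fs"]).encode()
    results["os_rewritten"] = verify_boot(d)

    # An application that the manifest never listed is present.
    d = build_device(apps)
    d["apps"]["game"] = b"unlisted-app"
    results["unlisted_app"] = verify_boot(d)
    return results


if __name__ == "__main__":
    for scenario, outcome in tamper_scenarios().items():
        print(f"{scenario}: {outcome}")
```

Each change made lower in the chain is caught one stage higher, which is why the first check has to live in storage that cannot be rewritten.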
BlackBerry 10 Device OS Security Features

Protecting the device's OS is one of the most important functions of mobile device security. However, it's sometimes neglected by other manufacturers focused on consumer devices, since it can be challenging to verify the security vulnerabilities contained in millions of lines of source code, a common characteristic of many devices' OSs. The BlackBerry 10 OS includes security features for OS protection, including:

Microkernel Implementation
The hardened QNX microkernel used in the BlackBerry 10 OS contains approximately 150,000 lines of code. With fewer lines of code, the BlackBerry OS is less susceptible to vulnerabilities than other platforms. As a result, rigorous security verification and testing are achieved, even with a fixed amount of IT resources.

Resilient Design
To reduce risks, the microkernel contains processes associated with personal use. Any unresponsive or misbehaving process is automatically restarted or killed, respectively, without impacting other processes.

Root Process Minimization
To reduce security risks, only the most essential BlackBerry processes are run in root mode. This mode is never available to third parties.

BlackBerry World Application Stores
Once a BlackBerry 10 device is activated on BES10, it has access to two separate BlackBerry World application storefronts: BlackBerry World for personal use and BlackBerry World for Work for enterprise use. Within the Work Space, only applications approved by the BES10 administrator are permitted to be installed. Work applications can either be pushed to users based on policy, or pulled by users for optional use. Within the Personal Space, users are free to download any application available through BlackBerry World.
BES10's Gold level EMM controls and settings deliver the ultimate security solution for government and other high-security environments

For the large majority of organizations, BlackBerry Balance, available via the BES10 Silver EMM⁴ configuration, optimizes the balance between security and employee expectations for a compelling work and life end-user experience. Some highly sensitive, regulated environments, however, may not permit personal use on employee devices due to established risk management policies. For these organizations, often operating in government, financial services or healthcare sectors, for example, BlackBerry offers the BES10 Gold EMM⁵ configuration, which gives administrators the ability to disable personal use, as well as impose device, application and content controls that exceed the granularity of the BES10 Silver EMM configuration. No other mobile platform offers this unique capability.

The BES10 regulated-level device management control features enable large enterprises and government and regulated industries to manage fully locked-down devices with a set of controls unmatched in their level of granularity.
Gold level device management capabilities include:

- BlackBerry 10 Mobile Device Management (MDM) capabilities designed for secure, government and regulated environments
- Enforcement of corporate-only use and granular controls to manage use of camera, storage, Wi-Fi, Bluetooth and other device features
- Option to enable a controlled Personal Space through BlackBerry Balance while ensuring all work content is fully protected within the Work Space
- User friendly and intuitive management console to manage your devices, users, groups, apps and services, including reporting and dashboard capabilities

Sampling of Regulated-level BlackBerry 10 Device Management Controls

- Mobile Hotspot Mode and Tethering: Specify whether to allow Mobile Hotspot mode, tethering using Bluetooth technology, and tethering using a USB cable on a BlackBerry 10 device.
- Wireless Service Provider Billing: Specify whether a BlackBerry 10 device user can purchase applications from the BlackBerry World app storefront using the purchasing plan for your organization's wireless service provider.
- Maximum Password Age: Specify the maximum number of days that can elapse before a BlackBerry 10 device password expires and a BlackBerry 10 device user must set a new password.
- Wipe the Work Space without Network Connectivity: Specify the time in hours that must elapse without a BlackBerry 10 device connecting to your organization's network before wiping the entire device.
- Non-Email Accounts: Specify whether a BlackBerry 10 device user can add third-party accounts for services, such as Facebook, Twitter, LinkedIn and Evernote to the device.
- Network Access Control for Work Applications: Specify whether work applications on a BlackBerry 10 device must connect to your organization's network through BES10.
- Log Submission: Specify whether a BlackBerry 10 device can generate and send log files to the BlackBerry Technical Solution Center.
- Bluetooth: Specify whether a BlackBerry 10 device can use Bluetooth technology.
- SMS/MMS: Specify whether a BlackBerry 10 device can send SMS text messages and MMS messages.
- Camera: Specify whether a BlackBerry 10 device can use the camera.
Leaders in innovation

- Largest Research & Development staff of any EMM vendor³
- Expansion of security model to iOS and Android
- Scalability: devices per server
- BES10 servers globally
- Patents¹

(Figures in the graphic: 44K, 100K, 30K+)
Managing Devices

With BES10 you can also easily manage iOS and Android devices from a central location

A typical enterprise may contain hundreds of devices, each one a potential unauthorized entry point into your corporate servers. To help IT departments get a handle on the large number and diversity of devices attached to your network, BlackBerry has extended its security model to iOS and Android smartphones and tablets through BES10. With the ability to use BES10 to manage multiple types of devices from a single platform and management console, IT administrators are able to strike the perfect balance between corporate and end user needs.

Secure Work Space for iOS and Android

BlackBerry has also extended its ability to protect corporate data through the creation of secure computing and communications environments to iOS and Android devices. Secure Work Space is a containerization, application-wrapping and secure connectivity option for iOS and Android smartphones and tablets that is managed through the BES10 administration console. Managed applications are secured and separated from personal apps and data, providing an integrated email, calendar and contacts app, an enterprise-level secure browser and secure document viewing and editing. User authentication is required to access secure apps and work data cannot be shared outside the Secure Work Space. The trusted BlackBerry security model provides built-in secure connectivity for all enterprise apps deployed to the Secure Work Space, no VPN needed.
BlackBerry Mobile Device Management in Action

Your company has hired several new employees, each due to receive a BlackBerry 10 smartphone. The IT department quickly and easily adds a user account for each employee into BES10, using information from your company's Microsoft Active Directory. An activation password for each account is created, along with the Server Routing Protocol (SRP) ID of the BES10, and delivered to the respective employee.

The new employees type their user IDs, passwords and SRP IDs into their BlackBerry 10 devices to activate them. The smartphone's enterprise management agent establishes a secure connection through the BlackBerry infrastructure over the network to BES10. Encryption keys, based on IT department policies, are generated, Work Spaces are created and profiles and software configurations are sent to each smartphone. In just a few short steps, the incoming employees are empowered with fully functional and secure mobile devices.
Managing Devices Using Device Wipe

With BES10 and BlackBerry Balance, you can keep company data safe while leaving employee personal data intact. Using BES10, you can remotely wipe an employee's Work Space and all its content, leaving all personal data on the device in place. You can also use BES10 to create policies that delete the Work Space from the device if certain events occur or specific conditions are met. For example, you can create a policy to delete the Work Space if the number of failed password attempts exceeds the maximum number allowed. You can also wipe the device if employees exceed their allotment of permitted hours or days since the last network connection.

Device Wipe in Action

An employee has just received a job offer from a competitor. This employee works in your company's procurement department and has access to the company enterprise resource planning (ERP) system via her BlackBerry 10 device. Using the ERP system application, the employee can see the company's suppliers, vendors, parts inventory, backlogs, sales projections and more.

The employee accepts the job offer and gives a two-week notice. Her manager alerts HR and IT departments about her upcoming departure. On her last day, IT wipes the employee's work profile from her BlackBerry 10 device, which prevents her from accessing the ERP and email systems. However, all of her personal information remains intact on her device as she moves on to her next job.

Distribution and Application Security Using BlackBerry World for Work

A benefit of BlackBerry Balance is that it allows IT to create and deploy a customized business application store, called BlackBerry World for Work. With BlackBerry World for Work, you can push, install and manage business and productivity applications over the network to BlackBerry 10 device Work Spaces via BES10.

Application Sandboxing

The application sandboxing and malware controls found in BlackBerry 10 help keep company data safe and secure from potentially malicious applications. BlackBerry 10 also protects employees' personal data by allowing them to configure their devices' application controls and limit application access to their personal information.

Sandboxing separates and restricts an application's capabilities and permissions. The sandbox is a virtual container that uses device memory and part of the file system and grants access to the application at a specific time. Applications can have sandboxes in both an employee's Work Space and Personal Space, yet each remains isolated from the other.

The BlackBerry 10 OS monitors application process requests for memory outside its sandbox. If the application attempts to access memory outside its sandbox, the BlackBerry 10 OS will stop the process and reclaim the memory it uses, then restart the process without impacting other processes operating at the same time. In addition, each application is assigned its own specific group identification, which cannot be shared or reused by another application. Each application stores data in its own sandbox and the BlackBerry 10 OS prevents other applications from accessing this specific data.

Malware Controls

The BlackBerry 10 OS includes tight controls to reduce the possibility of malware attacks, including a contain-and-constrain strategy that minimizes risks. Application process requests are constrained within employees' Personal Space on the device, and the BlackBerry OS microkernel monitors inter-process communications for potential issues. The microkernel also monitors memory access by the Personal Space and authorizes its use as needed. Any application process that attempts an unauthorized memory access request is automatically restarted or shut down, protecting your company data. In the employee's Personal Space, application permissions are used to protect personal data from potential malware attacks.

Malware Protection in Action

Instead of downloading an application to the device from the prescribed channel, an employee downloads an application from the Internet to her personal computer, then moves the application, which contains malware, to the device's Personal Space. The malware scans the employee's device for names, phone numbers, credit card numbers or any other bits of identity information that can be stolen and misused. Work-related information is not impacted, as all company information remains isolated and locked down on the device's Work Space, fully protected and secure.