CellCast Solution for BlackBerry Smartphones
Security Overview
Revised: June 2010
www.mlearning.com
Introduction

The CellCast Solution for BlackBerry enables sales, service and other remote teams to distribute proprietary static and rich-media business content to mobile workers equipped with BlackBerry smartphones, making on-the-go training, business intelligence, and corporate and customer communication readily available to knowledge workers and improving organizational performance. The CellCast Solution mobilizes content in two ways:

- Via an over-the-air (OTA) wireless connection, using the same BlackBerry platform the enterprise already uses to distribute, manage and secure email and other mobile applications.
- Via a secure, branded web portal that provides access to mobile learning content through a standard web browser.

This document discusses the security aspects of the CellCast Solution for BlackBerry.

CellCast Leverages BlackBerry Enterprise Solution Security

The CellCast Solution mobilizes basic and rich digital media, together with the associated assessments, surveys and other mobile-friendly deliverables, in the same way BlackBerry has mobilized enterprise email: over the same secure, stable and scalable BlackBerry enterprise messaging platform. That platform protects data both in transit and at rest, and it governs the interactions between the mobile user/learner, the BlackBerry device and the enterprise applications the device reaches. RIM's BlackBerry platform encrypts data transmitted between the BlackBerry Enterprise Server and the user/learner's device with AES or Triple DES, and uses AES to protect data stored on the device. Device administrators can apply centrally managed IT policies to restrict device usage and to control which third-party applications may be installed and run. The CellCast Solution builds on this platform so that users can access rich digital media wherever and whenever they choose.
Wireless Approach Security

The over-the-air (wireless) approach to the CellCast Solution for BlackBerry pushes an enterprise's designated learning assignments (e.g., audio files, video files, courseware, interactive slide presentations and others) to an authenticated mobile user/learner's BlackBerry device via the Mobile Data System (MDS) component of the BlackBerry Enterprise Server (BES). Content is delivered through the BES and can also be encrypted automatically on the device using standard BlackBerry functionality, so that it is protected at rest and decrypted only when it is accessed. On-device encryption is governed by the BES IT policy: content protection must be enabled for the device, and media-card encryption must be enabled as well if content is stored on a microSD card. Encrypted content stored and accessed through the installed CellCast Widget for BlackBerry is decrypted automatically before presentation or playback to the mobile user/learner.
Web Portal Security

Optionally, mobile users/learners (along with managers, content authors and administrators) have access to OnPoint's CellCast Web Manager (OPWM) application, a web portal providing online access to the entire mobile content library from a standard Internet-connected desktop or laptop workstation. This wired approach to the CellCast Solution for BlackBerry pushes an enterprise's designated audio and video files to an authenticated user's BlackBerry device when the device is connected to the desktop or laptop through a USB cable. Mobile users/learners log into their organization's branded CellCast Web Manager interface over a standard SSL/TLS (HTTPS) connection and can then access all their mobile assignments, view the master content library, create and manage playlists, manage their accounts and sync content to their BlackBerry devices. All content or playlist updates a mobile user/learner makes during a web session are synched to the user's mobile device on the next access or sync.
Three Security Layers for the CellCast Solution

The security of the CellCast Solution for BlackBerry can be described in three layers:

- Data Transfer: how user data and content are transmitted and rendered.
- Application Layer: how the user interacts with the CellCast web application.
- Device Layer: how content is stored on the BlackBerry device and synced to the server.

DATA TRANSFER LAYER

Data such as authentication credentials, mobile user/learner data, mlearning content, assessment answers/responses/scores and usage data are all transmitted over standard SSL/TLS. This includes:

- Users authenticating to and accessing the CellCast web application.
- Users authenticating to the CellCast web application and syncing media content via the wired approach.
- Users creating or uploading content over a secured channel, or creating informal content (e.g., using the voice-based CellCast Call-In feature) and having that new content uploaded securely to the CellCast Solution web application.

The wireless (OTA) approach pushes content and receives usage data by interacting with the MDS component of the customer's BlackBerry Enterprise Server instance, relying on the BlackBerry platform's inherent security to push content to, and receive content and data from, the user's BlackBerry device. Between CellCast's hosted application and the organization's MDS server, the application uses web services over standard SSL/TLS to transmit content and data.

APPLICATION LAYER

The user interacts with the application layer in various ways. Application security is enforced through system-level controls and eleven (11) distinct system roles assigned to each mobile user/learner, manager/supervisor, content author or administrator. The primary application interactions are:

- Mobile users/learners log into the CellCast web application using standard SSL/TLS to authenticate and to transmit both user data and media content over encrypted channels.
- A mobile user/learner's overall access to organizational content is controlled by persons with administrative or managerial accounts, and by other system-level security features defined by integrated subsystems and platforms (e.g., Active Directory/LDAP/SAML), as well as by group, job code and location-based assignments.
- Mobile users/learners are assigned content directly by a person with administrator or manager privileges, or can proactively subscribe to view/download new content from the portion of the master content library they are authorized to view.
- Content created by mobile users/learners can be submitted to the CellCast Solution server, but all user-generated content must be approved by an administrator before it is made available for distribution.

DEVICE LAYER

Given the file sizes of even brief audio podcasts, video clips, narrated slide presentations and other interactive mobile-friendly media, OnPoint recommends pushing all delivered content directly to an encrypted microSD expansion card on each mobile learner's BlackBerry smartphone. Because the card is removable, the BES IT policy should require media-card encryption so that content on the card is unreadable outside the device. The wireless (OTA) solution relies on the inherent security capabilities of the BlackBerry platform, including file encryption and role-based access. Content that expires, or that is deleted from the mobile user/learner's account by an authorized administrator or by the user, is removed from the device on the next sync, or can be removed by a remote wipe initiated by a BES administrator through the BES; until that sync or wipe, the content remains on the device. Syncing is secured for both one-way and two-way operations: mobile users/learners receive content assigned by their managers or administrators, and can also create, tag and forward new user-generated content back to CellCast administrators for review, approval and deployment to other mobile users/learners (coming Q1 2010). Usage data describing the size, state and frequency of all static and rich-media content pushed to or received from a mobile user/learner's BlackBerry device is stored on the device and later shared with the CellCast Solution server as part of the standard sync process.
Additional Security & Encryption Features Included in the CellCast Solution

In addition to the device-level security features provided by smartphone OEMs, an array of extended (and optional) security features is available to IT/information security teams to help ensure that all content prepared and deployed to mobile learners equipped with CellCast Widgets is handled as securely as is reasonable. These optional services include:

- Widget Setup Requirements: support for various methods to streamline installation and restrict how new accounts are established on supported mobile devices.
- Content Encryption: end-to-end encryption of content stored on the centralized server, in transit, and as stored on the mobile device.
- Account Parameters: use of unique combinations of user credentials and authentication codes to restrict content access to the owner of a named account.
- Device Verification: use of device-specific information to associate a particular mobile device with a particular user.
- Time-based Access Restrictions: integration of the CellCast Solution platform with an existing timecard system (usually part of a customer's ERP or payroll system) to restrict content access to certain times of the day or week.

WIDGET SETUP RESTRICTIONS

Virtually all smartphone-based mobile learners in the CellCast environment use an installed applet, or Widget, that manages their access to learning content as well as the delivery, security and tracking of that content. For most enterprise customers, CellCast Widgets are customized to reflect the appropriate mlearning feature set as well as organization-specific parameters such as server addressing and default communication methods. Once defined and produced by OnPoint, these organization-specific CellCast Widgets can be pushed out by IT/mobile administrators to a target audience, ensuring that access to content is restricted to those on the delivery/installation schedule. On BlackBerry smartphones, CellCast Widgets can be pushed out from the BlackBerry Enterprise Server (BES) using IT-defined access restrictions/permissions and delivery policies.

CONTENT ENCRYPTION

The CellCast Solution platform provides complete end-to-end encryption of content: as stored on the centralized server, while in transit from the server over the air to the device using HTTPS over every transmission method (e.g., 3G/4G, Wi-Fi), and as stored in the file system of the mobile device itself. On-device content encryption uses the device-specific functionality provided by the device OEM, but optional CellCast-specific encryption methods (standard 128-bit) are also available. Whenever a mobile learner selects and launches an assignment, the encrypted content is decrypted automatically and opened in the appropriate content player. [Note: the time needed to decrypt and launch the selected content varies greatly with the user's device, its processor, the mobile OS and several other factors; in general, the newer the device, the faster the decryption and launch.]

ACCOUNT PARAMETERS & COMBINATIONS

Every installed CellCast Widget must be provisioned with a unique set of user-specific credentials in order to verify access to the user's CellCast account on the CellCast Server.
Most organizations use a standard combination of a unique username and password for these credentials, but other combinations can be used as needed, and the screens that display these credentials can be hidden from the user so that, where required, no one can view or change the credentials on the device. Additional available parameters include a server-generated authentication key code and a user-defined PIN code (similar to an ATM PIN).

DEVICE VERIFICATION

Select (generally newer) mobile devices can also expose device-specific information such as the user's mobile telephone number (MTN) as defined by their SIM card or a device-specific electronic serial number (ESN). Once defined for a user, these parameters can be used to verify the identity of the user's device when it attempts to sync with the CellCast Server. This ensures that users cannot move their CellCast account from device to device without re-registering the new device with the IT/InfoSec team. Because a telephone number or serial number is an identifier rather than a secret, device verification supplements the account credentials described above rather than replacing them.

TIME-BASED ACCOUNT RESTRICTIONS

Administrators and managers can also ensure that content on a mobile device can be launched only during specific hours of the day, or days of the week, based on a user-specific time schedule or timecard. When enabled, time-based account restrictions prevent a mobile learner from accessing content via the CellCast Widget, although the widget remains active/online and can still be used to sync new content, provide access details, upload test scores, etc. Because the restriction is enforced by the widget on the device, it governs when already-delivered content may be opened rather than what is delivered. This functionality is typically used by managers to restrict content access during off-hours, weekends, vacations, etc. To enable time-based restrictions, the CellCast Solution platform must be integrated with an existing timecard system (usually part of a customer's ERP or payroll system) to determine each user's restrictions based on defined business rules, and each user's content access schedule is synced down to their device weekly.

Conclusions

The CellCast Solution for BlackBerry enables enterprises to securely mobilize static and rich-media content to engage mobile learners and remote workforces. The platform takes advantage of the inherent end-to-end security capabilities of the BlackBerry platform and addresses the security triad of confidentiality, integrity and availability. CellCast has built security into all aspects of its on-device and web applications so that organizations can deliver immediate access to proprietary information to their mobile workforce with confidence. Finally, the CellCast Solution provides a wide array of optional features to ensure that all content delivery and access is properly and securely managed.

More Information

For more information on security features and options for the CellCast Solution platform, please contact the OnPoint Support Team or your authorized CellCast Reseller/Partner.
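The account parameters, device verification and time-based restrictions described in the Additional Security & Encryption Features section combine into a sync-time and launch-time authorization check. The following is an added illustrative model of those checks written for this overview; it is not OnPoint's or CellCast's code, and the function names, record layout, key-derivation settings, HMAC key and sample account are all assumptions. It shows the points a practitioner cares about: every configured factor is evaluated before a decision is returned, comparisons are constant-time, the device identifier is stored only as a keyed hash, and the schedule check handles a window that crosses midnight.

```python
"""Illustrative model (not OnPoint/CellCast code) of the sync-time factors and the
time-based content schedule described in the overview. Names, layouts and the
sample values are assumptions made for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Assumption: in a real deployment this key lives in a KMS/HSM, not in source.
DEVICE_BINDING_KEY = b"constructed-example-key-not-for-production"
PBKDF2_ITERATIONS = 100_000  # assumption; tune to the server's hardware


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    pin_hash: Optional[bytes] = None        # user-defined PIN (optional factor)
    auth_key_hash: Optional[bytes] = None   # server-generated key code (optional factor)
    device_binding: Optional[bytes] = None  # keyed hash of registered ESN/MTN; None = not enforced
    # weekday (0 = Monday) -> (start, end) window in which content may be launched.
    # Empty dict = no time-based restriction; a weekday with no entry = no access that day.
    schedule: dict = field(default_factory=dict)


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash for user-supplied secrets (password, PIN, key code)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _bind_device(device_id: str) -> bytes:
    """Keyed hash of the device identifier so a leaked account table does not
    expose phone numbers or serial numbers; normalized to tolerate case/whitespace."""
    normalized = device_id.strip().upper()
    return hmac.new(DEVICE_BINDING_KEY, normalized.encode("utf-8"), "sha256").digest()


def create_account(username, password, pin=None, issue_auth_key=False, schedule=None):
    """Create an account. Returns (account, auth_key); the key code is shown to
    the user once and only its hash is stored."""
    salt = secrets.token_bytes(16)
    account = Account(username, salt, _kdf(password, salt), schedule=schedule or {})
    if pin is not None:
        account.pin_hash = _kdf(pin, salt)
    auth_key = None
    if issue_auth_key:
        auth_key = secrets.token_hex(8)
        account.auth_key_hash = _kdf(auth_key, salt)
    return account, auth_key


def register_device(account: Account, device_id: str) -> None:
    """IT/InfoSec action: bind the account to one device's ESN or MTN."""
    account.device_binding = _bind_device(device_id)


def authenticate_sync(account, username, password, device_id, pin=None, auth_key=None):
    """Decide whether a widget sync request may proceed.

    Every configured factor is evaluated (no early return) and compared in
    constant time. Returns (allowed, reason); the reason is for the server log,
    the client should only ever see a generic failure."""
    failures = []
    if not hmac.compare_digest(username.encode("utf-8"), account.username.encode("utf-8")):
        failures.append("username")
    if not hmac.compare_digest(_kdf(password, account.salt), account.password_hash):
        failures.append("password")
    if account.pin_hash is not None and (
        pin is None or not hmac.compare_digest(_kdf(pin, account.salt), account.pin_hash)
    ):
        failures.append("pin")
    if account.auth_key_hash is not None and (
        auth_key is None
        or not hmac.compare_digest(_kdf(auth_key, account.salt), account.auth_key_hash)
    ):
        failures.append("auth_key")
    if account.device_binding is not None and not hmac.compare_digest(
        _bind_device(device_id), account.device_binding
    ):
        failures.append("device_not_registered")  # user must re-register with IT
    return (not failures, "ok" if not failures else ",".join(failures))


def content_access_allowed(account: Account, at: datetime) -> bool:
    """Widget-side check made when content is launched; syncing is unaffected.

    A window whose start is later than its end (e.g. a 22:00-06:00 night shift)
    runs past midnight, so the previous weekday's window is consulted as well."""
    if not account.schedule:
        return True
    now = at.time()
    today = account.schedule.get(at.weekday())
    if today is not None:
        start, end = today
        if start <= end and start <= now < end:
            return True
        if start > end and now >= start:  # first half of an overnight window
            return True
    previous = account.schedule.get((at.weekday() - 1) % 7)
    if previous is not None:
        start, end = previous
        if start > end and now < end:  # second half of yesterday's overnight window
            return True
    return False
```

In this model the sync decision and the launch decision are deliberately separate functions, matching the overview's statement that a learner outside their schedule can still sync, upload scores and receive new content but cannot open it. Returning the list of failed factors is useful for the server's audit log, but the widget should receive only a generic failure so that an attacker cannot learn which factor was wrong.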