Research In Motion, the maker of the popular BlackBerry platform and devices, recently released a whitepaper titled “Choosing an Enterprise-Class Wireless Operating System: A Comparison of BlackBerry, iPhone and Windows Mobile” that lays out the various factors an enterprise should consider before selecting a wireless operating system. While this paper is obviously aimed at making BlackBerry look good among its competitors, I think that the factors to be considered (as mentioned in the whitepaper) are both relevant and appropriate. Given below is a comparison of how the BlackBerry rates among its peers (iPhone and WinMo). Also included is a brief explanation of the factors that the operating systems have been rated on.
- Authentication: Capabilities on the device to ensure that only the approved user of the device is allowed to access the functions and data on that device. Examples of such security features include: passwords, two factor authentication (e.g., tokens, smart cards), and biometrics.
- Data Vaulting: The ability of the device to safely store data, including securing data stored on any external storage (e.g., SD cards). A best-of-class device should have the ability to granularly select files and functions that need encryption (e.g., company files) and those that do not (e.g., MP3s, photos).
- Application Verification: Mechanisms on the device for verifying that an application is indeed “who and what” it claims to be. Enterprise-class mobile platforms include a method for assessing signatures of various applications that, when checked by the device, can distinguish an authentic, untampered application from one that has been modified and/or contains suspect code.
- Reliability: Pretty self-explanatory. Any enterprise-class mobile OS should exhibit the reliability end users expect from a robust mission-critical device. This means that the device should never simply decide not to work (e.g., “Blue Screen”), or require unexpected re-boots.
- Manageability and Policy Enforcement: Capabilities on the device and device platform for remote management, including individual and group settings for all aspects of the platform like set up, monitoring, uploading, display of device characteristics, asset management, lock down and kill, re-imaging to a new device, OS software upgrades, etc.
- Tamper Resistance: This refers to the capabilities built into the device platform to allow the enterprise to discover whether any device has been “hacked” to alter the base level OS. As smartphone malware becomes more prevalent, these capabilities will become mission-critical.
- Security vs. Usability: While it is important to maintain the highest level of security possible, this must be done while maintaining the usability of the apps and end user interface. Creating an environment that enables maximum usability while maintaining the integrity of the system requires a delicate balance.
- Meeting Security Validations: Many industries require that devices be validated and approved by governmental agencies to ensure that they meet stringent security testing and specifications before they can be deployed to mobile workers. While a number of devices claim to be “compatible” with security standards like FIPS 140-2 encryption, it is imperative that they have been tested and approved by a validated testing agency rather than merely offering claims of compatibility.
- Allowing Security Extensions: No one vendor can provide everything necessary for all circumstances now and in the future. Therefore, an ability to extend the security model should be provided by the vendor through an API.