CSO — Amid all the hype that preceded Research in Motion’s (RIM) unveiling of its BlackBerry 10 on Tuesday, most analysts agree on this much: the new device is the best, and most secure, the company has ever made.
However, they are not convinced that will be enough to turn around RIM’s sagging fortunes or its minuscule market share — 1.1% of the smartphone OS market.
Michael Davis, CEO of Chicago-based consultancy Savid Technologies, writing in Information Week, said the improvements to the device itself, along with the new BlackBerry Enterprise Service 10 (BES10), are “too little too late” to challenge the dominance of Apple and Android.
“We don’t think the new enterprise features — which are really the only enhancements to the device as all of the consumer enhancements are just copycat functions of iOS and Android — are going to be enough for the end user to stick with BB when facing the decision to change,” Davis wrote.
“BES10 is too little too late for most enterprises,” he wrote.
Jan Dawson, chief telecom analyst at Ovum, said in an interview with the Wall Street Journal that while he thought the launch of BlackBerry 10 would provide a short-term boost for RIM, its enterprise customer base has started to fall, “and I expect it to continue to go that way.”
“The new platform, as good as it is, is not good enough to win converts,” Dawson said.
He said while the new BlackBerry 10 means RIM is finally reaching parity with market leaders, “there’s nothing that makes it head and shoulders above iPhone or Android … It will appeal mainly to existing users.”
There is some advance praise for BES10 security features, after some well-publicized problems with flaws in previous versions, but it is tempered by the new reality of a market that RIM used to dominate.
Zach Lanier, senior research consultant at Accuvant Labs R&D team, said: “RIM has learned some lessons from the BlackBerry PlayBook (whose TabletOS effectively served as the predecessor to BB OS 10), given that it was a foray into a new operating system and platform paradigm for them.”
But a new OS could also bring new problems, he said. “For any company, introducing a slew of new bits of code — especially code that isn’t necessarily developed or maintained by RIM directly — comes the possibility of introducing new bugs.”
Davis wrote that the upgraded service is now using an AES256 encrypted tunnel for all communications between BES and the device, which is also FIPS140-2 certified. This means the government can use these anywhere, he said.
“Think of this tunnel like a VPN (virtual private network) tunnel,” he said. “This enables the enterprise to allow the browser on the BB device to route and access internal enterprise Web apps through the tunnel without the pain of having to configure a VPN profile or even provision a VPN username and password.”
A second new feature is Balance, a managed container that divides the personal and working worlds of users. “Each partition is encrypted and secure with the Work Partition being controlled remotely by a policy,” Davis wrote. “You can have personal email from Gmail on your personal side and your corporate email on the work side and not have the pesky security restrictions enforced on your personal email as you do on the work email.”
However, Balance requires the new BES10, and access is not clear. “RIM could not confirm how many BES email hosting providers are planning to upgrade to BES10 or even support BES10, so if you are not an enterprise that wants to use BB Balance you may be out of luck until the major BES hosting providers catch up,” Davis wrote.
Michael Disabato, a research vice president at Gartner for Technical Professionals Research, said that besides managing Balance, BES10 “will also be able to run the Fusion extensions, which can manage iOS and Android devices. If that is something you need, then the management is better.”
Lanier said RIM’s tradition of enterprise-friendly management features coupled with RIM’s history of things like device encryption, code signing enforcement, etc. are a good indicator that BlackBerry 10 will continue that tradition, and build upon it. “But, with new features, like running Android apps; WiFi file sharing; and even the stuff that makes Balance/Bridge work, there’s the possibility for degradation of security in some areas,” he wrote.
And despite being more secure than other devices on the market, Eric Maiwald, a research vice president at Gartner, notes that devices are purchased for business purposes. “If two devices are completely equal in user experience, apps and capabilities, then buying the more secure device is a better choice — that said from a security analyst.”
But he said that businesses look at the entire ecosystem around the device, including existing apps, development environments, developer familiarity, use cases, etc.
“John McGreavy,” the pseudonym for Information Week’s “secret CIO” advice column, wrote this week that he has “little confidence that even if its new BlackBerry device and server innovations are successful, RIM has the ability to innovate at the speed the market expects.”
“Regardless of how successful [BlackBerry 10], we have other devices in play and will have more going forward,” McGreavy wrote. “RIM says its Fusion MDM platform will manage it all, but I don’t see support of rival products making it to the top of the company’s development plan.”
In our dive into the theory behind offensive cybersecurity, Gadi Evron summarized the legal and ethical problems of fighting back against an attacker. There are also some purely tactical problems: How do you know you’re not blasting some grandmother in Akron whose PC is a zombie? Are you prepared to come under the glare of organized criminals?
I share Evron’s outlook that for most, if not all, nongovernmental entities it’s too soon to go down the path of all-out, offensive security counterattacks. Many other security professionals agree, and you can get a good summary of the academic and government research on cyber espionage, cyber deterrence and cyber offense by reading a recent post by Dave Dittrich, a member of the HoneyNet Project: “No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk (Deal With It).”
But you can do a lot more than read and hope. Here are some ways to take action now that will at least let your team start taking a more offensive security mindset.
Step 1: Do active risk analysis to know what attackers may strike at, and how.
Intelligence gathering is an arduous task for even well-funded government agencies, so it is highly unlikely that your company can achieve the level of detail required for true cyber intelligence about attackers. Further complicating intelligence gathering is that private-sector chief information security officers don’t share details of successful breaches, even though such collaboration would be critical to understanding and linking methods and attackers. But that’s another article.
For now, focus your effort on the intelligence gathering you do control: knowledge of your own systems, networks and business.
Michael A. Davis is president of External IT, a national managed IT services, cloud services, and IT security provider that focuses on unifying the business IT experience.
By Michael A. Davis
InformationWeek
December 10, 2012 08:00 AM
You can’t talk about big IT trends without running into data protection worries. For the 728 business technology pros responding to our InformationWeek 2013 Outlook Survey, which explores spending and technology priorities for the coming year, “improve information security” ranked No. 1 among 19 projects. This makes perfect sense; whether your company is fixated on big data, public cloud, BYOD or mobile app development, security plays a key role.
Yet even as mobility and cloud take off, many companies still leave data in the clear, worried about operational and performance concerns. Never mind that major compliance and regulatory frameworks either require or strongly recommend data encryption. Yes, key management remains a problem. But there are ways to use encryption without breaking your infrastructure while we wait on the ultimate solution: identity-based encryption. Here are five rules that help.
Rule 1: Stop The Bleeding
IT’s natural inclination is to standardize on a single encryption vendor, since interoperability is notoriously spotty. But if you look at the top five types of encryption used by respondents to our InformationWeek 2012 Data Encryption Survey — VPN, email, backup, file and disk, in that order — no single provider can cover all of them. That lapse is no excuse for a free-for-all, though. We see too many IT organizations letting individual project leads make decisions about what types of encryption to use, what products to buy and even how to manage these systems once they’re in place. While we do encourage flexibility, complete decentralization rarely ends well. At minimum, require that a central team approve all new encryption software buys, rules and implementations. This same group must ensure that processes, such as certificate management, are updated to include the new software project that teams want to implement. This one simple change dramatically reduces the sprawl of encryption products and processes. And don’t forget the vendor management group during this process.
Rule 2: Pick Your Battles
Don’t try to do everything within a narrow set of encryption best practices, and if you’re lacking in this area, certainly don’t try to put encryption everywhere at once. Instead, perform a risk assessment, prioritize requests and analyze the potential volume of keys and certificates to determine where to focus. The conventional approach is to pick an encryption system based on your data classification scheme and types of sensitive data, but you should also look at the ways encryption tool management can break down. Problems usually hit during key rotations and because of weak passwords or certificate expirations rather than the encryption algorithm itself being breached. Manage the weakest link.
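The triage Rule 2 describes, as an added example that is not from the original article: it ranks a key and certificate inventory by how close each item is to a management failure (certificate expiry or overdue rotation) and counts volume per encryption type. The inventory records, names, dates, rotation intervals and the 30-day warning window are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed inventory (not from the article): one record per key or certificate.
# "kind" uses the five encryption types the article lists; names and dates are made up.
INVENTORY = [
    {"name": "vpn-gw-cert", "kind": "VPN", "cert_expires": date(2013, 1, 5),
     "last_rotated": date(2012, 1, 5), "rotate_days": 365},
    {"name": "smime-ca", "kind": "email", "cert_expires": date(2014, 6, 1),
     "last_rotated": date(2011, 6, 1), "rotate_days": 730},
    {"name": "backup-master-key", "kind": "backup", "cert_expires": None,
     "last_rotated": date(2010, 3, 1), "rotate_days": 365},
    {"name": "laptop-fde-escrow", "kind": "disk", "cert_expires": date(2012, 12, 1),
     "last_rotated": date(2012, 6, 1), "rotate_days": 365},
    {"name": "fileshare-key", "kind": "file", "cert_expires": None,
     "last_rotated": date(2012, 11, 1), "rotate_days": 180},
]

def days_of_margin(item, today):
    """Days until the first failure (expiry or overdue rotation); negative means already failed."""
    margins = [(item["last_rotated"] - today).days + item["rotate_days"]]
    if item["cert_expires"] is not None:
        margins.append((item["cert_expires"] - today).days)
    return min(margins)

def triage(inventory, today, warn_days=30):
    """Return (name, margin, status) for items inside the warning window, most urgent first."""
    findings = []
    for item in inventory:
        margin = days_of_margin(item, today)
        if margin < 0:
            findings.append((item["name"], margin, "FAILED"))
        elif margin <= warn_days:
            findings.append((item["name"], margin, "DUE"))
    return sorted(findings, key=lambda f: f[1])

def volume_by_kind(inventory):
    """Count keys/certificates per encryption type to see where management load concentrates."""
    return Counter(item["kind"] for item in inventory)

if __name__ == "__main__":
    for name, margin, status in triage(INVENTORY, date(2012, 12, 10)):
        print(f"{status:6} {name:20} margin={margin:+d} days")
```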
Lambert said she couldn’t discuss future plans because the deal has not yet closed but offered that there’s “not as much [overlap] as you might think” between Zenprise’s offerings and the tools that are already in Citrix’s portfolio. “Zenprise talks a lot about MDM 2.0 and expanding into the app piece,” she said, “but they hadn’t brought that full vision to fruition yet.” She said the companies don’t share capabilities so much as a common vision — an idea that echoes what Zenprise CEO Amit Pandey wrote in a blog post that addressed the news.
Lambert couldn’t divulge how this vision might unfold. But she did say that Zenprise’s device management tools, though not headline features in the most recent MobileManager release, will be valuable. To illustrate, she said that Citrix can presently push mobile apps to devices through CloudGateway, but that the task of actually installing the app still falls to the user. Similarly, if an employee leaves the company, Citrix has the tools to shut off access to corporate content — but not to remove any business apps installed on the device. “We can revoke access but can’t actually remove them, so they just sit there until the user deletes them,” she stated. The acquisition of Zenprise’s portfolio changes all this because it allows Citrix to generate MDM user profiles that will allow apps to not only be pushed but also remotely installed or removed by IT. The deal “will bring all these little things to enhance the user experience,” she said, adding that Zenprise’s technology will contribute to a single “comprehensive product line.”
In an email, Savid Technologies CEO Mike Davis wrote that the news “further proves that MDM itself is not a worthwhile tool.” He stated it’s likely that “MDM as we know it will go away,” with the features either integrated into other products or offered for free. Indeed, many MDM products are provided by startups and boutiques — but with big companies such as Dell and IBM muscling into the BYOD space, the potential for additional acquisitions is clearly high.
Davis also wrote that enterprises want a complete package that includes not only MDM but also application management, remote network access and more. “Citrix is making that a reality for enterprises with one solution,” he asserted.
IDC analyst Stacy Crook stated in an email that she expects standalone players will continue to be part of the mobility scene — but like Davis, she said that market consolidation is likely to continue. Regarding the deal, she wrote that IDC sees it “as a positive one for Citrix and one that will help establish them as a serious player in the enterprise mobility market.” She explained that “the device management piece was a missing link” for Citrix and that Zenprise “completes this puzzle.”
Crook also sees value in the flexibility Lambert mentioned. “The reality of the mobility market is that it is extremely fast-paced and buyers are very concerned about getting locked into the wrong position,” she wrote. “By offering a platform for enterprise mobility management that gives options, Citrix can help give customers the peace of mind that, if their needs change, the platform can adjust.”
A research note written by 451 Research analysts Chris Hazelton, Chris Morales and Karin Kelley also praised the acquisition’s potential while projecting that the deal could signal a shift toward integrated, rather than MDM-specific, products. The document asserts that “Zenprise was not the largest standalone MDM player, but it was one of the better positioned,” and that the deal “should provide Citrix with key tools to address the future needs of the enterprise.”
The 451 Research note acknowledged some of the ostensible app management overlaps between Citrix’s current offerings and those in MobileManager — but it countered that the companies’ respective portfolios are “very complementary” because “where we find what looks to be overlap … the approach for each is different.”
“As MDM matures and becomes more widely available,” the research firm’s note concluded, “there will be a battle between expanding standalone MDM vendors that are evolving to meet the need of IT, and integrated players that are building and bundling to meet those same needs.”
By: YNN Staff
Some of the best IT security experts attended the 14th Annual Hackerfest Trade Show in Henrietta Tuesday.
More than 400 business leaders were there to find out about the latest in information security and technology.
The trade show at the Doubletree Hotel in Henrietta was focused on helping clients stay on top of things like computer fraud, computer security, and also storage.
For the past 14 years, Dox Electronics, a company headquartered here in Rochester that designs and implements networks, has assembled some of the best in IT security to help protect against hackers. Dox invites all of its clients here free of charge.
The show includes seminars and demonstrations for more than 20 industry-leading vendors like Cisco, IBM and Microsoft. It features internet network security, application delivery and information storage and programs.
The basic message is that hackers are outsmarting us. For anyone who uses a computer, every time a computer is turned on, there is a threat.
“Everywhere you turn there’s a different type of threat and different attackers have different wants,” said Savid Technologies CEO, Michael Davis. “Some want to steal your identity. Some want to steal money from your bank account. One of the biggest things right now is using your computer and renting it out to other people. So I’ll take control of your computer and I’ll sell it to someone for a dollar a day. And they’ll use that to take down Bank of America or another financial institution.”