QNX in BlackBerry 10 will make BYOD a reality for IT
2nd Oct 2012 | 09:28
The QNX security advantage in BlackBerry 10
In an exclusive interview with TechRadar Business Centre, Sebastien Marineau-Mes, Senior Vice President of BlackBerry OS, explains why RIM's next-generation OS, BlackBerry 10, will be the answer to an IT manager's prayers and sharply reduce the security risks of a bring your own device policy.
When BlackBerry 10 arrives next year it will be based on QNX, the microkernel operating system that already runs core Internet routers, medical devices and nuclear power station control systems; that pedigree promises a mobile OS that's more secure than most.
The most obvious example is the BlackBerry Balance feature which creates two separate partitions, one for personal use and a second for work information, both encrypted separately. You switch between them with a gesture.
The personal partition will be on every BlackBerry; the work partition is created when you use a BlackBerry to sign in to a work email account that's managed by BlackBerry Enterprise Server (BES). An administrator can set policies to control the work partition using BES: controlling which apps you can install from the separate enterprise App World store, dictating password strength, or wiping the work partition remotely if you lose the device or leave the company. But they can't control your personal partition, delete your personal files or track how you use your BlackBerry.
Balance is controlled by the OS and configured by IT
And it's all done by the operating system, rather than by the apps. "Applications don't know what partition they're running in," explained Sebastien Marineau-Mes, Senior Vice President of BlackBerry OS and previously Vice President of Engineering at QNX before its acquisition by RIM. "So as an IT department I can choose which partition the application will run in. When it runs in the corporate partition it's secure, the data is firewalled and so on, but we don't need application developers to make any changes. It's something that is controlled by the OS and configured by IT, instead of the model you see on Android and iOS where they have enterprise applications that are running in these containers."
That gives your IT team control without being intrusive or fragmenting the user experience: instead of separate mailboxes for personal and work messages, everything appears in one unified inbox, from BBM and text messages to social network updates to alarms to email from your company and personal accounts. "We've been able to combine them and yet under the covers completely firewall them," claims Marineau-Mes. "The key things that you use, as an end user you really want it all to show up."
Stop work messages disturbing your home life
You can lock the work partition when you don't want to see work messages (overnight and at the weekend, say). But just because you can see both sets of emails at once doesn't mean they're stored in the same place. "When you're viewing email we actually run a different viewer that is in a specific partition. So when you're viewing personal email you have one viewer, when you're viewing corporate email you have a different viewer that's a different, firewalled process. There is some info that goes into the unified inbox like the title of the email and who it's from - that's the part that the unified inbox pulls in from both partitions - but everything else is run in completely different processes."
That means work email can be managed and deleted without affecting your personal messages, and it offers an extra level of protection. "With HTML email you don't want to be vulnerable to certain types of attacks when you receive email because it's running in the same partition as your corporate data and they can somehow pull it out. You can only go so far in securing WebKit or any HTML engine. It's really a race with the vulnerabilities that are discovered and closed, so really the best solution is to just say it's completely firewalled. Even if you're able to find a flaw in the HTML engine and the viewer, you can't compromise the other side of the firewall."
QNX allows two partitions and two networks
"With BlackBerry Balance we leveraged QNX's partitioned architecture to secure data, to secure applications and even secure the network connection," explains Marineau-Mes.
BlackBerry 10 lets you set rules for which network connections different apps use. "So you can say if it's a consumer application it goes on Wi-Fi, if it's a corporate application you force it over the VPN to the business network as opposed to going over consumer Wi-Fi, and that's something the IT pro can set. You can set rules like: the preferred connection when I'm at work is my work Wi-Fi; if I'm outside, I VPN in; if I'm not able to VPN in I can use the built-in BlackBerry VPN through a relay."
This means you can make sure users are on a secure connection for business information without irritating them by slowing down everything else they do online; something even Windows is bad at, Marineau-Mes points out. "With most laptops the way you're configured, when you VPN into the business network all your traffic goes through it. Suddenly your personal browsing gets really slow because it all has to go through the business network. What we've done is really split those two worlds so you can get personal, direct speed and corporate goes through the work network. They can do filtering and whatever other monitoring they need to do and you can be doing whatever you're doing online without the company knowing. The company doesn't need to know that, it doesn't want to know that, and it consumes resources."
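The per-partition routing described above (IT assigns the partition, work traffic prefers work Wi-Fi, then VPN, then the BlackBerry relay, and personal traffic always goes direct) is easy to model as a small policy engine. The following is an added illustration written for this page, not BlackBerry or QNX code: the partition names, the path preference order, the fail-closed rule for work apps that have no corporate path available, and the app identifiers and network states are all constructed assumptions.

```python
"""Model of split-tunnel network selection per partition.

Added example, not BlackBerry/QNX code. The path preference order, the
fail-closed behaviour and all identifiers below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

PERSONAL = "personal"
WORK = "work"

# Corporate paths in the order IT prefers them (assumed from the interview:
# work Wi-Fi first, then a VPN to the business network, then the relay tunnel).
WORK_PATH_PREFERENCE = ("work_wifi", "vpn", "bb_relay")
CORPORATE_PATHS = frozenset(WORK_PATH_PREFERENCE)


@dataclass(frozen=True)
class NetworkState:
    """What the handset can currently see (constructed, not a real API)."""
    links: frozenset                 # local links that are up, e.g. {"consumer_wifi"}
    vpn_reachable: bool = False      # can a VPN to the business network come up now
    relay_reachable: bool = False    # can the BlackBerry relay tunnel be reached now


def assign_partition(app_id: str, it_policy: Dict[str, str]) -> str:
    """IT decides the partition; the app is never consulted.

    Assumption: anything IT has not explicitly placed in WORK is personal.
    """
    return it_policy.get(app_id, PERSONAL)


def select_path(partition: str, net: NetworkState) -> Optional[str]:
    """Pick the network path for one partition, or None if nothing acceptable is up."""
    if partition == PERSONAL:
        # Personal traffic goes direct over any local link and is never
        # steered into a corporate path, so the company never sees it.
        return "direct" if net.links else None
    if partition == WORK:
        # A corporate path needs some local link underneath it; without a link
        # neither the VPN nor the relay can be reached.
        available = {
            "work_wifi": "work_wifi" in net.links,
            "vpn": bool(net.links) and net.vpn_reachable,
            "bb_relay": bool(net.links) and net.relay_reachable,
        }
        for path in WORK_PATH_PREFERENCE:
            if available[path]:
                return path
        # Assumption: fail closed rather than silently fall back to consumer Wi-Fi.
        return None
    raise ValueError(f"unknown partition {partition!r}")


def route_apps(apps: Iterable[str], it_policy: Dict[str, str],
               net: NetworkState) -> Dict[str, Optional[str]]:
    """Route every app according to the partition IT assigned it."""
    return {app: select_path(assign_partition(app, it_policy), net) for app in apps}


def split_tunnel_holds(routes: Dict[str, Optional[str]], it_policy: Dict[str, str]) -> bool:
    """Invariant check: personal apps never ride a corporate path, work apps never go direct."""
    for app, path in routes.items():
        partition = assign_partition(app, it_policy)
        if partition == PERSONAL and path in CORPORATE_PATHS:
            return False
        if partition == WORK and path == "direct":
            return False
    return True


# Constructed sample policy and network states.
IT_POLICY = {"com.example.crm": WORK, "com.example.expenses": WORK}
APPS = ["com.example.crm", "com.example.expenses", "com.example.game"]

AT_OFFICE = NetworkState(links=frozenset({"work_wifi"}), vpn_reachable=True, relay_reachable=True)
AT_CAFE = NetworkState(links=frozenset({"consumer_wifi"}), vpn_reachable=True, relay_reachable=True)
CAFE_VPN_BLOCKED = NetworkState(links=frozenset({"consumer_wifi"}), vpn_reachable=False, relay_reachable=True)
AIRPLANE_MODE = NetworkState(links=frozenset())

if __name__ == "__main__":
    for name, net in [("office", AT_OFFICE), ("cafe", AT_CAFE),
                      ("cafe, VPN blocked", CAFE_VPN_BLOCKED), ("airplane", AIRPLANE_MODE)]:
        routes = route_apps(APPS, IT_POLICY, net)
        status = "ok" if split_tunnel_holds(routes, IT_POLICY) else "VIOLATION"
        print(f"{name}: {routes} [{status}]")
```

The point of `split_tunnel_holds` is the property the interview is really promising: the two worlds are kept apart by the OS regardless of what the app asks for, and a work app that cannot reach any corporate path gets no connection at all rather than quietly leaking onto consumer Wi-Fi.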
Still BlackBerry mail
BlackBerry 10 uses Microsoft's Exchange ActiveSync (EAS) to receive and send email, and if you use services like Gmail and Hotmail it connects to them directly rather than going through the BlackBerry Internet Service the way a BlackBerry does today. For work email, though, it runs EAS over the same secure, encrypted push connection to BES that current BlackBerrys use. "We made a conscious decision to use BlackBerry protocols as a tunnel into the enterprise, effectively an always-on VPN, and then have EAS on top of it instead of reusing the proprietary BES protocol," he explains, because there are three big advantages:
Replaces the need for VPN and improves battery life
It's more secure: "you have a secure connection to our Network Operations Centre and then to the device." It's easier to configure: "Setting up VPNs is actually complex and they're hard to deploy." And it uses much less battery power to get that security. "Traditional VPNs are designed for laptops and they're very chatty. They may send "keep alive" every minute or two which will really kill battery on a phone." On competing handsets he says that a VPN connection significantly reduces battery life; "or you take the VPN up and down and you go from push to basically a pull mode every 15 minutes to check email so you lose the always connected push."
BlackBerry 10 uses the same protocols that have been giving BlackBerry handsets multi-day battery life for many years by compressing data, turning off the radio as quickly as possible and leaving the BlackBerry server to handle more of the background communications. Like the two partitions, it should mean that BlackBerry 10 will have the security a business wants without irritating users by being slow, being frustrating to use or running out of battery too quickly.
For more on RIM's latest OS read our BB10 Hands On review