Many businesses are investing heavily in increasingly commoditised mobile device management (MDM) tools that are failing to address the real issues facing organisations trying to securely utilise mobile devices, the head of BlackBerry’s security software efforts has warned as the company signed on a raft of new ANZ clients.
Based on its roots as a mobile device manufacturer, it was little surprise that establishing an MDM platform was one of the first stages in BlackBerry’s ongoing transition into becoming a security software provider. Yet ongoing conversations with businesses showed that “in at least 80 percent of situations, the use cases are similar or identical,” Sinisha Patkovic, director of the BlackBerry Security Group, told CSO Australia.
With bring your own device (BYOD) and ‘shadow IT’ practices creating new problems as users shuttle sensitive business data to and from unmanaged cloud-based file services, those use cases generally revolved around businesses desperate to rein in the unchecked sharing of confidential and potentially problematic data, such as customers’ legally protected personally identifiable information (PII).
“People bring their own devices but don’t want to lock them down,” Patkovic explained. “Businesses may say ‘that’s great’ but when they want to, say, manage a criminal investigation they need to collaborate between a police officer and a social worker. How do you share a criminal record without losing control of it?”
The desire to address this issue had driven BlackBerry’s reform-driven management to look well beyond basic MDM functionality – which is focused on individual devices – and to focus more on protection of the data itself. WatchDox, which BlackBerry acquired as part of a flurry of strategic acquisitions in recent years, has proven to be a popular answer with customers that are increasingly turning to BlackBerry for the additional value generated by its expanding security capabilities.
“We are trying to broaden our portfolio and become a strategic partner for our customers,” Patkovic explained. “Our whole skill set and competencies have been pivoting from a traditional handset and MDM vendor to a broad portfolio company that is giving companies that address what they need. And because people tend to go with the path of least resistance, we’ve had to make the security less intrusive and super easy to use.”
Consistency had been a significant strategic focus during the transformation of BlackBerry – which has introduced operational controls including defined, modular standards for its authentication and encryption components to suit customers’ local laws; heavy gating of software releases to ensure extensive testing across the entire portfolio; and the staffing of a team that sits outside the software portfolio to both monitor the security platform’s development and veto any changes that may compromise the overall functioning or experience of BlackBerry’s security tools.
WatchDox, which allows documents to be securely exchanged between users and their usage tracked even across mobile devices, has proven appealing to a growing number of customers – including newly announced wins such as the New Zealand Parliamentary Service, Australian disability services non-profit Mai-Wel Group, and 10 regional UK police forces.
They and other organisations are working to embrace a broader, more secure mobile environment in line with the findings of the recent Telsyte Australian Enterprise Mobility Market Study 2017, which surveyed 257 CIOs and other IT decision-makers and noted that around 34 percent of businesses have staff that regularly work offsite.
Many of those admit they can’t control bring your own app (BYOA) activities that are seeing the likes of cloud-based email, file storage and group calendaring tools commonly used within business environments. Security practitioners, in turn, are desperately working to eliminate the security gaps between cloud storage environments that are causing angst amongst executives and technical managers alike: Telsyte found that 86 percent of enterprise respondents are still concerned about the security of enterprise mobility – but that less than 20 percent are “mature” around their mobility strategies.
“I’ve talked with over 100 CxOs in the last 12 months about their key business challenges,” said Asia-Pacific senior vice president Paul Crighton. “Almost without exception, in every meeting they have talked about securing their critical IP – their documents, and their content.”
Fully 62 percent of Telsyte respondents were concerned about employees storing sensitive information on cloud storage services, Crighton noted: “They say it’s OK when employees are internal, but once those documents leave the company they really don’t know where it goes. There literally hasn’t been an executive that I’ve met that had an answer to that problem.”
Lifecycle tracking of electronic documents was proving appealing not only for tracking sensitive intellectual property but also because it is fundamental to many core business processes. One organisation, for example, sends confidential updates to 3000 employees every day and needs to be able to track who has read them from a health and safety perspective.
Positioning BlackBerry’s integrated offerings as a secure platform, combining device and content management, “is a true collaboration piece that also ticks the boxes with regard to the security requirements,” Crighton said. “It’s protecting what keeps the organisation in business, and reducing the workflow while having all the measures in place to make their security officers very happy.”
The diversity of mobile devices had proven tricky as each platform has its own security idiosyncrasies. BlackBerry had worked hard to abstract its security software from its devices, recognising that labyrinthine certification processes often mean that mobile devices are submitted for approval for government use – as per the Australian Signals Directorate’s Evaluated Products List – but may not receive that certification until after that particular device and operating system version have already been superseded.
“The lifecycle of any one device is so short,” Patkovic said, “that you can be caught in flux with two forces that go in different directions. Customers want to make sure their whole stack is properly secured so that the device can sustain itself and be resilient towards other attacks. We’ve focused on providing that hardware independence and still offering the end-to-end security.”