Companies urged to ensure BlackBerry security

Companies are being warned to make sure they correctly configure their BlackBerry devices, or risk weakening their IT security.

Internet security consultancy NTA Monitor said recent testing showed that organisations are still failing to ensure the smartphone devices are locked down.

It said the BlackBerry architecture can be insecure if no firewalls are used to separate the BlackBerry Enterprise Server (BES) router component from the central BES server on the internal network. If the BES is compromised and there is no separation of the BES router, it can lead to the whole network becoming insecure, the company claimed.

Roy Hills, technical director at NTA, said in a statement: "A hacker could potentially use this back channel to move around inside an organisation undetected."

Hills said the ideal scenario for BlackBerry security is to create a "demilitarised zone" to separate the router component from the BES. He explained: "If the BES router gets compromised, the demilitarised zone will ensure that there is no direct access to the local area network."

But Scott Totzke, vice president of global security at RIM, said that, while this demilitarised zone may work for some BlackBerry customers, it is just one approach to securing the devices. He stressed that there is no "one-size-fits-all answer" to security.

Totzke told ZDNet.co.uk sister site silicon.com: "We actually have customers who look at information security in an even stricter sense, [who] say no component should exist without a firewall and actually distribute [BlackBerry devices] amongst multiple servers with multiple firewalls. The good news is the documentation support for that is readily available on our website.

"At the same time, we have other customers who look at the risks and say: 'If I just control access to third-party applications, I can have maybe a more simplified network infrastructure behind the firewall.' There's not going to be a one-size-fits-all answer here. But it's that flexibility that allows [BlackBerry devices] to exist within whatever the existing IT framework is for securing network systems and services that's built into the platform."

Totzke said the BlackBerry platform includes more than 400 configurable security policies, giving customers the ability to mitigate their own level of risk. He said: "Having something that is flexible and adaptable and can be modified to suit the needs of your customer is really important."

Totzke added: "One of the biggest things that we've learned over the years with our solution is that you have to balance security and usability: if you make a product that's way too secure, you're likely going to compromise usability, so we always look at how we can balance that."

NTA Monitor also recommends BlackBerry admins turn off Bluetooth altogether. But Totzke said this is again down to the discretion of individual customers, adding that the BlackBerry platform allows users to enable parts of Bluetooth and disable others, which may be the most appropriate response.

Totzke added: "If you look at probably our largest and most paranoid customer in North America, the US Department of Defense, they publish about a 125-page configuration guide for BlackBerry… That's the extreme, but that's not going to be for everybody."