Tuesday, 8 April 2014

BlackBerry Balance

What is BlackBerry Balance?

According to BlackBerry, BlackBerry Balance is "designed to separate and secure work and personal information on BlackBerry devices so users can stay connected to the important people and things in their life. Whether users are using their own device or one provided to them, BlackBerry Balance technology helps give them peace of mind that their privacy is respected while their sensitive work information is protected.”

How BlackBerry 10 devices protect work data

BlackBerry 10 devices encrypt data stored in the work file system using XTS-AES-256.
A device randomly generates an encryption key to encrypt the contents of a file. The file encryption keys are protected by a hierarchical system of encryption keys as follows:
  • The device encrypts the file encryption key with the work domain key and stores the encrypted file encryption key as a metadata attribute of the file
  • The work domain key is a randomly generated key that is stored in the file system metadata and is encrypted using the work master key
  • The work master key is also randomly generated. The work master key is stored in NVRAM on the device and is encrypted with the system master key
  • The system master key is stored in the replay protected memory block on the device
  • The replay protected memory block is encrypted with a key that is embedded in the processor when the processor is manufactured.


The file encryption keys, the work domain key, the work master key, and the system master key are generated using the BlackBerry OS Cryptographic Kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS.

How BlackBerry 10 devices protect personal data

BlackBerry 10 devices allow the encryption of personal files on devices.
You can use the Personal Space Data Encryption IT policy rule to turn on encryption for the personal space of devices. If the Personal Space Data Encryption rule is set to Yes, files stored in the personal space of the device are encrypted. If this rule is set to No, users can choose to encrypt files in the personal space using the Device Encryption option in the Security and Privacy settings on the device.
If encryption is turned on for the personal space of the device, the device encrypts files stored in the personal file system using XTS-AES-256. A device randomly generates an encryption key to encrypt the contents of a file. The file encryption keys are protected by a hierarchical system of encryption keys, as follows:
  • The device encrypts the file encryption key with the personal domain key and stores the encrypted file encryption key as a metadata attribute of the file
  • The personal domain key is a randomly generated key that is stored in the file system metadata and is encrypted using the personal master key
  • The personal master key is also randomly generated. The personal master key is stored in NVRAM on the device and is encrypted with the system master key
  • The system master key is stored in the replay protected memory block on the device
  • The replay protected memory block is encrypted with a key that is embedded in the processor when the processor is manufactured

If you set the Personal Space Data Encryption IT policy rule to Yes, you should also set the Apply Work Space Password to Full Device IT policy rule to Yes so that the work space password applies to the entire device. If you set the Personal Space Data Encryption IT policy rule to No and the user chooses to turn on encryption for the personal space, the device prompts the user to type a new password if the device does not already have a password.

Devices can also encrypt all files stored on media cards that are inserted in devices (only personal data can be saved to media cards). You can set the Media Card Encryption IT policy rule to Yes to require that a device automatically encrypt all files stored on media cards using a device key.

The file encryption keys, the personal domain key, the personal master key, and the system master key are generated using the BlackBerry OS Cryptographic Kernel, which received FIPS 140-2 certification for the BlackBerry 10 OS.
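The two key hierarchies above (work space and personal space) are the same construction hung off one system master key, and they are easier to reason about when the chain is walked in code. The following Go program is an added example, not code from this page or from BlackBerry: it generates the hierarchy, wraps a per-file key under the domain key, the domain key under the space master key, that under the system master key, and that under a processor-embedded key, then reads a file by unwrapping the chain in order. Assumptions are stated in the comments: AES-256-GCM from Go's standard library stands in for XTS-AES-256 (the page does not say which mode wraps the keys themselves), random bytes stand in for hardware-held keys, and the type names (Device, Space, File) are the example's own. The wipe routine shows a consequence of the hierarchy, that destroying one space's keys strands every file in that space while the other space stays readable; it is not a description of how BlackBerry 10 implements its wipe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n) // stands in for the device RNG; every key in the hierarchy is random
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM. BlackBerry 10 uses XTS-AES-256 for file contents; GCM is a standard-library stand-in
// that also authenticates, so unwrapping with a wrong key is detected rather than yielding garbage.
func aead(kek []byte) cipher.AEAD {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err) // every key in this example is 32 bytes, so this is a programming error
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrap encrypts a key or file contents under kek, with the random nonce prefixed to the ciphertext.
func wrap(kek, payload []byte) []byte {
	gcm := aead(kek)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, payload, nil)
}

// unwrap reverses wrap; it fails on a wrong key, a tampered blob, or a destroyed (nil) blob.
func unwrap(kek, blob []byte) ([]byte, error) {
	gcm := aead(kek)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("wrapped key missing or too short")
}

// unwrapChain unwraps each link with the key recovered from the previous one; one broken link fails the chain.
func unwrapChain(key []byte, links ...[]byte) (_ []byte, err error) {
	for _, link := range links {
		if key, err = unwrap(key, link); err != nil {
			return nil, err
		}
	}
	return key, nil
}

type File struct{ Ciphertext, WrappedFileKey []byte } // file key wrapped with the domain key, a metadata attribute
type Space struct {
	WrappedDomainKey []byte // file-system metadata, wrapped with the space master key
	WrappedMasterKey []byte // NVRAM, wrapped with the system master key
}
type Device struct {
	ProcessorKey           []byte // embedded in the processor at manufacture
	WrappedSystemMasterKey []byte // replay protected memory block contents
	Work, Personal         Space
}

func NewDevice() *Device {
	processor, systemMaster := randomBytes(32), randomBytes(32)
	newSpace := func() Space { // both spaces hang off the same system master key
		master := randomBytes(32)
		return Space{WrappedDomainKey: wrap(master, randomBytes(32)), WrappedMasterKey: wrap(systemMaster, master)}
	}
	return &Device{processor, wrap(processor, systemMaster), newSpace(), newSpace()}
}

// StoreFile encrypts plaintext under a fresh per-file key and wraps that key with the space's domain key.
func (d *Device) StoreFile(s *Space, plaintext []byte) (File, error) {
	domain, err := unwrapChain(d.ProcessorKey, d.WrappedSystemMasterKey, s.WrappedMasterKey, s.WrappedDomainKey)
	if err != nil {
		return File{}, err
	}
	fileKey := randomBytes(32)
	return File{wrap(fileKey, plaintext), wrap(domain, fileKey)}, nil
}

// ReadFile walks processor key -> system master -> space master -> domain key -> file key -> contents.
func (d *Device) ReadFile(s *Space, f File) ([]byte, error) {
	return unwrapChain(d.ProcessorKey, d.WrappedSystemMasterKey, s.WrappedMasterKey, s.WrappedDomainKey, f.WrappedFileKey, f.Ciphertext)
}

// WipeSpace destroys one space's wrapped keys, so its files become unrecoverable while the other space is
// untouched: an illustration of what the hierarchy permits, not of how BlackBerry 10 implements its wipe.
func (d *Device) WipeSpace(s *Space) { s.WrappedDomainKey, s.WrappedMasterKey = nil, nil }
func main() {
	dev := NewDevice()
	work, _ := dev.StoreFile(&dev.Work, []byte("constructed work file"))
	personal, _ := dev.StoreFile(&dev.Personal, []byte("constructed personal file"))
	dev.WipeSpace(&dev.Work)
	_, werr := dev.ReadFile(&dev.Work, work)
	p, _ := dev.ReadFile(&dev.Personal, personal)
	fmt.Printf("after work-space wipe: work file -> %v; personal file -> %q\n", werr, p)
}
```

Two properties fall out of the structure rather than from any special-case code: a file wrapped in one space cannot be opened with the other space's keys, because the chain diverges at the space master key, and corrupting any single link (the processor key, the RPMB contents, the NVRAM master key) fails every read below it.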

Based on experience from the BDS trial using a Z10, here is an overview of the BlackBerry Balance feature:

1. BlackBerry Balance can separate work data from personal data.
Work data includes:
- Corporate email, along with its document attachments that have been downloaded to the device
Personal data includes:
- Personal public email
- Contacts, Calendar, Memo, and Tasks
- Media Gallery
- BBM and personal messages

2. With the BlackBerry Balance feature, access to work data can be protected with a password that can be set by the BDS administrator or by the user.

3. With the BlackBerry Balance feature, the wipe process is divided into 3 types:
- Corporate Account: deletes the corporate email account
- Work Account: deletes only the data in the work data
- All Device Data: deletes all data on the device (factory reset)