BlackBerry's Storm in the enterprise

IT managers like that it can be centrally managed

Since the BlackBerry Storm's release in November, Scott Slater, technology architect at The Bank of New York Mellon, has been putting it through its paces. He's got some advice for you: Test, rinse, repeat.

The Storm, which is currently carried only by Verizon Wireless in the U.S., allows IT managers to offer their users an ultracool touch-screen alternative to the Apple iPhone and Google Android that can be centrally managed and locked down or erased if lost or stolen, Slater says. KACE has recently begun selling an appliance that centrally manages iPhones, but the Storm is the only one that is managed via already existing software -- the BlackBerry Enterprise Server (BES), in this case. However, that doesn't mean the Storm is an automatic win for the corporate world. The Storm's focus on consumer-like features such as Web browsing and social networking raises a red flag.

"In the past, messaging has been the primary use for the BlackBerry, so we've primarily focused on securing e-mail. The Storm's touch screen makes the browser, multimedia playback and enterprise social networking applications just as attractive because they are easy to use with tactile response," Slater says, and that means IT managers need to pay attention to mobile security in those areas as well.

Steven Ferguson, senior network engineer at the Technical College System of Georgia in Atlanta, is also evaluating the Storm for his users and agrees. "The traditional BlackBerry has always had somewhat limited browser function, but now media content of all types is readily available on the device. In fact, it features support for a removable card that will be able to store up to 32GB of data. While that makes it a great competitor to the iPhone, it also makes it a challenge for IT because we have to know what is being accessed and stored on the device," he says.

Although the BlackBerry devices have not been specifically targeted, Ferguson worries that the Storm's Web 2.0 capabilities and removable memory could be seen as entryways for hackers. "Recent worms have been spread through removable media, and other malware has been spread through media download locations. Therefore, we have to make sure the devices are secure and business applications remain stable," he says.

But neither Slater nor Ferguson says the Storm's consumer-ish enhancements are a deterrent. In fact, Slater has already begun to roll the devices out to some of the company's global users and sees great potential for them, such as enabling employees to receive corporate video communications on their mobile device. And Ferguson says he'll adopt the Storm when it is offered by his primary carrier, AT&T.

Rather than fighting the CrackBerry contingent, IT managers should thoroughly test-drive the Storm, map its capabilities to their acceptable use policies and compliance mandates, and then apply sophisticated network- and device-level controls.

Policy police

Before IT teams can begin to manage the Storm on a technical basis, however, they must first dust off their acceptable use policies and make sure they've addressed the organization's tolerance level for mobile access to social networking, Web sites, multimedia and corporate assets, according to Phil Hochmuth, an analyst at Yankee Group Research Inc.

"You might already have regulations that ban you from allowing users to access those types of applications on the desktop, but you have to make sure those policies are being extended to mobile devices," he says.

For instance, although Slater's first instinct as a technology pro in the highly regulated financial services field was to ban enterprise social networking tools, he admits that's not practical because they improve his users' productivity and collaboration. Instead, he's spent time updating the acceptable use policy and making sure all applications accessed on the Storm are as secure as BlackBerry e-mail, he says.

For his part, Ferguson reminds employees about the Technical College System's acceptable use policy and its relation to BlackBerry applications. For example, college employees can use IT-installed applications, but they are not allowed to download their own. "We caution them about their usage and explain that anything they do is logged, no different than their desktop," he says.

Purchase central

While the Storm might seem to be a consumer-driven device, Ferguson says he appreciates its ability to be centrally managed. Using the BES, he can wirelessly configure and deploy the Storm as well as synchronize it to multiple enterprise applications. He can also apply security policies to the device via the BES integration with Microsoft's Active Directory. However, to take full advantage of this benefit, organizations should purchase and provision the devices via the IT group, rather than allowing individuals to bring them in-house.

"Because the Technical College System is a government agency, we have to account for what's done on the device and make sure we're following the state's IT policies. Therefore, we need to manage it from the start," he says. With that level of control, he can ensure that device configuration, deployment, licensing, updating, patching and security are all managed through the BES.

Companies can also develop standard configurations for the Storm to block users from ad hoc downloads through the Storm's "Application Center" feature as well as prevent other unsanctioned configuration changes.

Craig Mathias, principal at Farpoint Group, a wireless and mobile advisory firm in Ashland, Mass., says allowing users to buy and configure their own devices "quickly gets intolerable" because it's impossible to make sure that the device firmware, operating system, applications and security are compliant and up to date. Also, he says, most users won't feel comfortable allowing employers to monitor content on it and wipe it clean if it is lost or stolen.

Memory mayhem

Another game-changer on the Storm is its support for a large, removable data store. Slater says he'll only allow his employees to use the device's expandable memory if it's encrypted.

"This is something we addressed with previous BlackBerry models, but the size of the Storm's media card support makes it even more critical. We have to safeguard the confidentiality, integrity and authenticity of corporate data that's stored there," he says.

David Heit, director of enterprise software product management at Research In Motion Ltd., says the Storm features multiple ways to ensure the security of data on the microSD card, including encryption. "You can also map the card to the device and/or the user so that if it is removed, it can't be read," he says.

Companies that want to use the expandable memory to allow users to carry sensitive corporate assets, such as pricing books, on the device can not only encrypt the card, but also make it read-only. "If someone tried to write to the card, they would need the correct password," Heit says.

Heit recommends that users in legal, health care, financial and other heavily regulated industries take a careful look at their data protection requirements and apply the appropriate policies to the Storm.

An extra layer

In addition to the policy-enforcement tools already provided in the BES, some companies are choosing to add another layer of security, such as device-level antivirus or mobile Web gateway servers, to ensure that users aren't visiting sites loaded with malware or leaking data off their devices.

To keep his network from being exposed to threats, Ferguson has deployed Purewire's Web Security Service, a gateway that connects to the BES so that he can monitor, filter and log his users' mobile browsing.

"We have a very succinct requirement from the state to block all pornography and gambling on the Internet. This means on handhelds, too," he says.

Therefore, he routes all Web traffic from the BlackBerries through the Purewire proxy server to ensure they aren't looking at inappropriate content or accessing malware-laden sites. "We can show government agency leaders we're logging what's happening on these devices. We also use the Purewire SaaS to prove we're enforcing our acceptable use policies even through social networking and other Web 2.0 tools," he says.

In addition, he can use the logs to see what sites users are attempting to download applications from and add those to his URL blacklist. He adds that using a service is simpler than having to deploy and manage antivirus software on each device.

If companies address these key areas, Hochmuth says the Storm holds tremendous potential for the enterprise. "For IT organizations that have users who want the coolness factor of the iPhone but had trouble with enterprise integration, the Storm is a good alternative," he says.

Gittlen is a freelance technology writer in the greater Boston area and can be reached at

Copyright © 2009 IDG Communications, Inc.
