1. the_sleuth's Avatar
    RIM’s PlayBook approved for use by U.S. government officials

    Matt Hartley Jul 21, 2011 – 2:56 PM ET | Last Updated: Jul 21, 2011 3:29 PM ET

    Barack Obama is already one of the world’s most famous BlackBerry users, but is the President of the United States on the verge of becoming the world’s most famous BlackBerry PlayBook user, too?

    On Thursday, Research In Motion Ltd. announced its BlackBerry PlayBook tablet has received “FIPS 140-2 certification” from the U.S. government, making it the first tablet approved for use by employees of U.S. federal government agencies.

    RIM received the Federal Information Processing Standard (FIPS) from the National Institute of Standards and Technology, which is required under the Federal Information Security Act of 2002.

    For RIM, the stamp of approval from the U.S. government represents a key victory for the BlackBerry maker and could pave the way for the PlayBook to become commonplace in the upper echelons of power in Washington, similar to how the Waterloo, Ont.-based company’s BlackBerry smartphones became standard issue on Capitol Hill.

    Since launching earlier this year, RIM’s first tablet has struggled in the consumer market to keep pace with Apple Inc.’s iPad, which currently commands 61.3% of the market, compared to about 3.3% for the PlayBook, according to data from market research firm Strategy Analytics.

    Of course, it was RIM’s commitment to security which helped the BlackBerry smartphone become the mobile device of choice for government agencies around the world, including the U.S. government and U.S. Federal Bureau of Investigation.

    Although RIM’s decision not to include a native email client on the BlackBerry PlayBook was seen by many critics as an oversight – users can access their email by wirelessly connecting their PlayBook to their BlackBerry smartphone — RIM officials have maintained that by ensuring no email data is stored on the PlayBook itself, the device is more secure for government IT departments.

    “RIM is pleased to announce that the BlackBerry PlayBook is the first tablet approved under FIPS for use within the U.S. federal government,” Scott Totzke, senior vice president of BlackBerry security at RIM, said in a statement.

    “This certification demonstrates our continued commitment to meeting the needs of security-conscious organizations and enables the U.S. federal government to buy with confidence knowing that the PlayBook meets their computing policy requirements for protecting sensitive information.”

    RIM’s PlayBook approved for use by U.S. government officials | FP Tech Desk | Financial Post

    Obama probably has an Android App Player certified gold. Power has its privileges.
    MobileMadness002 and gord888 like this.
    07-21-11 08:56 PM
  2. Dapper37's Avatar
    Can't be discussed enough
    07-21-11 09:33 PM
  3. MobileMadness002's Avatar
    This is awesome for RIM to say the least.
    07-21-11 10:20 PM
  4. qbnkelt's Avatar
    And so the reasoning to leave native mail out becomes evident.
    This IS HUGE for RIM.

    Posted from my CrackBerry at wapforums.crackberry.com
    07-21-11 10:24 PM
  5. ZMc1834's Avatar
    This should jolt some life back into RIM and the Playbook after the tough reviews as of late because since it is the only one that has been approved, they get to have a "monopoly like" presence in the government at least for now.
    07-22-11 06:21 AM
  6. DonnyVantage's Avatar
    Can't believe this did not even get a mention on seeking alpha. I hate wall st.
    07-22-11 06:52 AM
  7. eds817's Avatar
    This is very good and bad.

    It's been my belief that the reason RIM has lost market share is due to their not paying attention to the consumer market. They owned the enterprise market for so many years and lost sight of the fact that individual consumers and small businesses without an enterprise server are using smartphones.

    I hope they don't dedicate all resources for the PlayBook to making it an enterprise device. They know they'll never catch up to the iPad but please don't throw in the towel on us little people.
    07-22-11 06:53 AM
  8. brucep1's Avatar
    BGR is also reporting this. What happened to their bias?
    07-22-11 07:10 AM
  9. Branta's Avatar
    And so the reasoning to leave native mail out becomes evident.
    This IS HUGE for RIM.
    The picture is emerging slowly. It makes sense, an isolated device with uncontrolled native access to external data would be unlikely to comply with requirements. With a link to an existing smartphone the constraints on the phone are automatically inherited by the tablet. We could speculate that a cellular version will be able to interact directly with BES type controls and provide the necessary constraints for secure operation.
    _StephenBB81 likes this.
    07-23-11 07:39 AM
  10. qbnkelt's Avatar
    The picture is emerging slowly. It makes sense, an isolated device with uncontrolled native access to external data would be unlikely to comply with requirements. With a link to an existing smartphone the constraints on the phone are automatically inherited by the tablet. We could speculate that a cellular version will be able to interact directly with BES type controls and provide the necessary constraints for secure operation.
    YES!!!!!!!!!!!!!!!!

    Jesusmaryandjoseph, THANK YOU for that!!!!
    07-23-11 08:32 AM
  11. lnichols's Avatar
    The crypto module will also allow data to be stored locally on the Playbook, and use WiFi. It is not constrained to just the Bridge. A FIPS toolkit made by Certicom for building C apps for QNX Neutrino OS was FIPS approved just after the Playbook was. Just read the Security policy this morning. An app using this toolkit could encrypt sensitive data (like PIM and e-mails) for locally storing on the device and if the device is lost, you can't get it unless you get the device itself to decrypt it. I see passwords and 10 attempt or wipe functionality coming to the Playbook soon, as well as a native PIM and e-mail on WiFi model! I'm hoping for a big surprise in the next update!
    07-23-11 09:45 AM
  12. Branta's Avatar
    Expanding my last...

    Nobody has actually defined "native email" but there are two possible routes for current Playbooks.

    1. A totally standalone mail client with SMTP/POP3/IMAP functionality, directly accessing a remote mail server over a WiFi link, and using configuration held locally on the device. The computer equivalent could be something like Outlook, or (perish the thought) Outlook Express. This kind of uncontrolled access seems to be totally incompatible and unacceptable for 140-2 certification as a secure tablet.

    2. The kind of server driven push operation used by existing BlackBerry devices, either BIS or BES hosted - or a variation of these schemes.

    This would need some kind of unique identity similar to the existing device PIN for operation, and a hosting account at the server. BES should be able to handle it without problems and the costs would fall on the BES operator, but it would cause severe pain for networks hosting BIS servers to support a non-cellular device providing zero revenue stream. It follows that consumer grade (BIS) support for native email by this route will not be supported until cellular tablets are released. Equally, it follows that acceptance on a certified secure device under a BES scheme would be contingent on adequate control and safe storage of data - which might still mean zeroizing when the device is not connected to the BES by a secure channel.
    _StephenBB81 likes this.
    07-23-11 09:48 AM
  13. lnichols's Avatar
    Expanding my last...

    Nobody has actually defined "native email" but there are two possible routes for current Playbooks.

    1. A totally standalone mail client with SMTP/POP3/IMAP functionality, directly accessing a remote mail server over a WiFi link, and using configuration held locally on the device. The computer equivalent could be something like Outlook, or (perish the thought) Outlook Express. This kind of uncontrolled access seems to be totally incompatible and unacceptable for 140-2 certification as a secure tablet.

    2. The kind of server driven push operation used by existing BlackBerry devices, either BIS or BES hosted - or a variation of these schemes.

    This would need some kind of unique identity similar to the existing device PIN for operation, and a hosting account at the server. BES should be able to handle it without problems and the costs would fall on the BES operator, but it would cause severe pain for networks hosting BIS servers to support a non-cellular device providing zero revenue stream. It follows that consumer grade (BIS) support for native email by this route will not be supported until cellular tablets are released. Equally, it follows that acceptance on a certified secure device under a BES scheme would be contingent on adequate control and safe storage of data - which might still mean zeroizing when the device is not connected to the BES by a secure channel.
    I think they'll push for the BES solution since they make a decent revenue from it. To truly say that a solution is FIPS compliant, the device on both sides of the public network (handheld and gateway) needs to be FIPS approved. RIM has this now with the Playbook and the BES. They have the option going to a FIPS approved IPSEC gateway from Cisco, Juniper, Avaya, etc, with their VPN options in the Playbook (even though I have yet to get them to work playing with them, starting to wonder if they are disabled because I never see the requests come into my VPN gateway), but I'm sure they will try to push the BES solution and provide some value add (enforce security policies, remote wipe, etc.) Also nothing says that native e-mail client on device that supports IMAP/POP/EAS can't use the BES simply as a VPN gateway into the corporate and communicate directly with the mail server on the corporate network. This would also get around the one PIN per account issue for PIM and e-mail, but not for BBM.
    07-23-11 10:28 AM
  14. southlander's Avatar
    The picture is emerging slowly. It makes sense, an isolated device with uncontrolled native access to external data would be unlikely to comply with requirements. With a link to an existing smartphone the constraints on the phone are automatically inherited by the tablet. We could speculate that a cellular version will be able to interact directly with BES type controls and provide the necessary constraints for secure operation.
    Right. RIM takes the "Deny All" approach. That is usually the most secure approach.

    Posted from my CrackBerry at wapforums.crackberry.com
    07-23-11 10:54 AM
  15. Branta's Avatar
    Right. RIM takes the "Deny All" approach. That is usually the most secure approach.
    Security is not about "Denial". The primary concepts are Control, Traceability, Accountability, Data integrity, Data authentication and non-repudiation.
    07-23-11 06:10 PM
  16. Branta's Avatar
    I think they'll push for the BES solution since they make a decent revenue from it. To truly say that a solution is FIPS compliant, the device on both sides of the public network (handheld and gateway) needs to be FIPS approved. RIM has this now with the Playbook and the BES. They have the option going to a FIPS approved IPSEC gateway from Cisco, Juniper, Avaya, etc, with their VPN options in the Playbook (even though I have yet to get them to work playing with them, starting to wonder if they are disabled because I never see the requests come into my VPN gateway), but I'm sure they will try to push the BES solution and provide some value add (enforce security policies, remote wipe, etc.) Also nothing says that native e-mail client on device that supports IMAP/POP/EAS can't use the BES simply as a VPN gateway into the corporate and communicate directly with the mail server on the corporate network. This would also get around the one PIN per account issue for PIM and e-mail, but not for BBM.
    Until a robust system exists to control and enforce it can't be considered to be a viable secure system, VPN as such is only one potential part of the equation. The common RFC mail protocols don't support device identification and traceability could be considered "lost" when the option to work with multiple unidentified devices is added. Retaining the PIN schema maintains that identification of recipient device(s) even if support for multiple PIN is added.
    07-23-11 06:44 PM
  17. Laura Knotek's Avatar
    Right. RIM takes the "Deny All" approach. That is usually the most secure approach.

    Posted from my CrackBerry at wapforums.crackberry.com
    Security is not about "Denial". The primary concepts are Control, Traceability, Accountability, Data integrity, Data authentication and non-repudiation.
    Implicit (or Explicit) Deny falls under Access Control, but it is not the only thing involved in access control.
    Last edited by lak611; 07-23-11 at 06:53 PM.
    07-23-11 06:49 PM
  18. lnichols's Avatar
    Until a robust system exists to control and enforce it can't be considered to be a viable secure system, VPN as such is only one potential part of the equation. The common RFC mail protocols don't support device identification and traceability could be considered "lost" when the option to work with multiple unidentified devices is added. Retaining the PIN schema maintains that identification of recipient device(s) even if support for multiple PIN is added.
    Username and password is all that is required after approval, trust me!
    07-23-11 08:40 PM
  19. qbnkelt's Avatar
    Adding Cisco authentication and following the same hardening and imaging guidelines as our government issued laptops.
    07-24-11 06:03 AM
  20. i7guy's Avatar
    Maybe this will shut up but my tablet has a googleplex number of apps. j/k. Good news for RIM, let's hope they can parlay this certification into better software, better integration, etc.
    07-24-11 08:47 AM