Learning from BlackBerry Outages

Currently in the midst of another BlackBerry outage, I'm reminded of a conversation I had a few years ago.

Fresh into a new position serving in the role of CISO at a company that only allowed mobile email on Research in Motion (RIM) BlackBerry phones, I was wandering around the expo at RSA Conference 2008 and came across the RIM booth. Not knowing much about the RIM network but having my doubts, I stopped to get a little education from the folks at the booth. I walked away with more knowledge than I had and my doubts reinforced.

The BlackBerry network operates as a closed network, basically meaning that you need to have a pass to use it. That pass comes with the purchase of a BlackBerry device. Once you receive your pass, you may use your mobile phone provider's network to carry your access to the RIM network to support secure messaging.

It's the "secure" messaging that appeals most to companies and government agencies. It provides all of the infrastructure to create a heavily protected channel for all messaging traffic so organizations don't need to build it themselves. Since only RIM devices are allowed to connect to that infrastructure, RIM can tightly control how the devices use the network and optimize the network for them.

But that "security" comes at a cost. The RIM network represents what security practitioners call a "single point of failure." When it goes down, so too do all of the mobile messaging capabilities of its users. And, unlike other technology areas that allow organizations to build redundancy, when BlackBerry messaging goes down, there's no backup solution to reduce the impact on mobile users. Organizations and individuals are fully dependent on RIM's ability to remain operational. Essentially, in terms of the typical security Confidentiality-Integrity-Availability (CIA) triad, organizations gain C and I at the expense of A. It's an example of short-sighted decision-making.

Organizations can gain greater control over mobile messaging without subjecting themselves to this single point of failure condition. Tools already exist that provide secure electronic mail that organizations can manage for themselves. Also, cloud-based email solutions represent easy and protected mobile messaging solutions. For them to achieve balance between security and functional needs, organizations should carefully examine their options before getting stuck in a situation like that which many of them are in today with RIM and BlackBerry. If they don't have the knowledge to do it alone, then they should get help before they simply accept everything that the vendor has to say about its solution.
