Jokes aside, some IT managers say there’s no option other than BlackBerry for security

The plight of BlackBerry has gotten so bad that heavy satire has stepped in.

In one example, a website recommends “how to upgrade your BlackBerry Smartphone to Android 4.2.”

What follows is a jailbreak that devolves into instructions to take the BlackBerry into the kitchen, fry it in a pan until crispy golden brown, then head out to buy an Android-based Samsung Galaxy S4.

Funny to some, but not so funny to IT workers, especially those who have staked their reputations on the security of BlackBerry as second to none, including when compared with the more popular Android and iOS operating systems.

“As for alternatives to BlackBerry, there aren’t any,” wrote Sandra Smith, an enterprise IT manager, in an email to Computerworld, although she didn’t identify her organization. “Due to the Snowden revelations, we now realize that if you are running Microsoft/Google/Apple, you need to protect yourself from your OS and not use your OS to protect you.”

IT managers and analysts note that the strength of BlackBerry’s security comes from the BlackBerry Enterprise Service (BES) server software that is still used by thousands of government and enterprise customers globally. The BES software runs through the BlackBerry Network Operations Center (NOC) and through 500 global carriers but is separated from popular OS ecosystems like the ones working with Android, iOS and other mobile operating systems.

“BES is smart because it’s not part of that ecosystem” of other operating systems, Smith said. “Sometimes exclusion is a plus. BlackBerry hardware and its OS will survive because of BES. We are all sitting here quietly paying as BES subscribers because we know and see the value.”

But BlackBerry faces serious problems. Poor sales of its smartphones led to a $1 billion writeoff in the third quarter and plans to lay off 4,500 workers.

The security protections afforded by BlackBerry have become paramount in some large businesses and government agencies — more important than an employee’s desire to use a gold-colored iPhone 5S at work, or a decision by the organization’s developers to stop building BlackBerry apps.

On Thursday, for instance, enterprise file sharing vendor Egnyte said it will no longer develop for the BlackBerry platform. “BlackBerry is severely challenged,” said Egnyte CEO Vineet Jain in an email to Computerworld. “The future of technology rests in mobile and apps and it is no coincidence that companies are not willing to spend time and money developing apps for the struggling BlackBerry platform.”

Even so, BlackBerry is still pitching itself as a premier security solution.

Just this week, BlackBerry announced that global auditing firm KPMG in Italy bought 3,500 new BlackBerry 10 smartphones and is migrating to BES 10, which includes mobile management that can also control iOS and Android devices in addition to BlackBerry devices.

“With BlackBerry 10 we have found the best solution in terms of usability, security, connectivity and price,” said KPMG Milan IT Lead Partner Davide Grassano in a statement. KPMG users will have access to shared files and internal resources while BlackBerry software also works to prevent the accidental leakage of business documents and attachments, he added.

On Oct. 1, BlackBerry said NATO had approved the use of BlackBerry 10 smartphones and BES 10 for classified communications in 28 countries in North America and Europe.

Also Oct. 1, BlackBerry said the National Police of Colombia is upgrading to BlackBerry smartphones and BES 10. It is one of 25,000 BES 10 test or functioning upgrades installed globally.

On Aug. 8, BlackBerry announced the U.S. Defense Information Systems Agency had authorized support for up to 30,000 Z10 and Q10 smartphones by year’s end. It also authorized use of BES 10 to operate under the most stringent security requirements used in Department of Defense networks.

BlackBerry’s record is sufficient to keep many of the most security-conscious organizations happy, but there’s debate as to whether third-party vendors that support Android and iOS can also be highly secure, at least for the security needs of 99% of organizations.

Many government agencies need assurance that smartphones and their supporting servers can pass a FIPS 140-2 certification, which refers to the Federal Information Processing Standards requirement used to accredit cryptographic modules used in both software and hardware.

Jack Gold, an analyst at J. Gold Associates, has consistently called BlackBerry the “gold standard” for security, but admits that some third party products come close, even if they aren’t exactly the same.

“If customers need the FIPS security that BlackBerry offers, there is no immediate need to replace them,” Gold said. “BlackBerry will not just disappear overnight despite what some doomsayers have predicted.”

BlackBerry’s special position at the top of the security heap comes from the fact that its network operations center (NOC) is linked to BES servers and also to the handheld hardware, Gold said. And the NOC, even under a future owner, is not going to disappear.

“I don’t expect to see the NOC or BlackBerry infrastructure just shut down, whether BlackBerry goes private or someone buys them,” Gold added. “There’s no imminent threat to shutdown and no real need to migrate off BlackBerry.”

BlackBerry has entered into a preliminary agreement with Fairfax Financial Holdings where Fairfax would pay $4.7 billion for BlackBerry and make it private. Other investors are looking at buying all or part of BlackBerry, including its two founders, Mike Lazaridis and Doug Fregin, Cerberus Capital Management, a private equity firm, and PC maker Lenovo.

Bob Egan, an analyst at Sepharim Group, advised IT managers worried about the future of BlackBerry to begin weighing alternatives. “That is not to say that enterprises should run overnight away from BlackBerry, but it does suggest that they need to proceed with far more caution and a consistent review of the [competitive] environment than…in the past,” he said.

If they haven’t already, organizations should definitely negotiate with BlackBerry for end-to-end service level agreements, which could be used if BlackBerry service or security gets disrupted, he said. Also, he said the terms of the agreement must represent the views of any BlackBerry customer’s business leaders and its IT, risk, procurement, compliance and auditing organizations.

For those IT managers who feel they “have no choice but to deploy and use BlackBerry,” Egan said they are probably more constrained by the procurement rules of the organization than by actual security needs. While FIPS 140-2 certifications are widely required before government and financial organizations can make smartphone or server acquisitions, it isn’t always clear what level of certification is required. There are four levels, with Level 4 the highest and most secure.

BlackBerry has posted listings on its website of security approvals its products have received, including a FIPS 140-2 validation certificate for BlackBerry OS version 10. But none of the site’s validations indicate what level of FIPS 140-2 BlackBerry has achieved. A BlackBerry spokeswoman said that BlackBerry has attained end-to-end FIPS 140-2 certifications for all BlackBerry 10 products.

Some organizations won’t need the highest level of FIPS 140-2 certification, Egan noted. What BlackBerry hasn’t made clear is whether its end-to-end FIPS 140-2 certification is up to Level 4 for all components of a system. Customers need to evaluate whether they need the highest level of security and also request that BlackBerry provide a certification that indicates the security level under FIPS 140-2, he said.

“There is no question that BlackBerry has a strong technical security method and history — probably the best in mobile,” Egan added. Other companies are meeting certain levels of FIPS 140-2, such as Apple with FIPS 140-2 Level 1 for its cryptographic module in iOS 6, with the same modules used in iOS 7. Samsung’s Knox approach also promises some FIPS 140-2 certification, while MobileIron, Mocana and Apperian also have some FIPS 140-2 certified modules, he said.

“For any IT manager, it’s imperative to evaluate mobile security solutions against two factors: technical risk and business risk,” Egan added.