Last week I was asked to review the Samsung Safe offering, which is being rolled out to make Samsung's Android phones more acceptable to the enterprise. Safe reminds me a lot of what vendors from Netscape to Sony did to address what they thought were enterprise needs and often showcased without actually speaking to their own IT organisations.
The issue comes down to the general tendency for technology companies to be run by engineers with no IT experience and therefore no real clue about what a business IT organisation - including their own - actually does.
IT, when done right, is largely transparent. As a result, it's often taken for granted. This makes it hard to build products for IT without engaging IT and hiring people with significant IT experience to work on the effort.
BlackBerry - Keeping IT in mind from the beginning
BlackBerry started with businesses as its primary customers. Then known as Research in Motion, the company initially brought the two-way pager into the mainstream - and, unlike today's typical smartphones and tablets, these actually entered the market as executive tools, not consumer products. From the very start, the company had to learn what IT needed and how to protect top executives. These were lessons hard learned.
Look at BlackBerry security efforts, then, and you see that they start and end with targeted IT needs. BlackBerry ties its systems into IT policy, assuring that IT can easily get the devices to conform. This is critical; IT doesn't have the time to manage everything that's currently on the table, and BlackBerry is designed to assure compliance without significantly increasing IT overhead.
One of the most talked-about problems since the introduction of the smartphone is separating personal and corporate information. This is because IT doesn't want to deal with personal apps and files, and users don't want IT seeing their personal stuff.
BlackBerry separates the environments on its devices, giving the user his own space and letting IT manage and secure the business information under its control. This is unique in the market - and it was driven by IT demands for this feature.
When developing its unique tablet, the BlackBerry PlayBook, the company tied it to its overall security framework and sandboxed the apps so they can't do hostile things. Looking at the overall nature of email and application attacks, BlackBerry created permissions and monitoring components that directly address the damage these attacks can cause, even though the BlackBerry platform is generally less likely to be attacked than one of the consumer platforms.
Samsung - Start with an insecure platform, then bolt on security
Samsung, in contrast, created Safe. The company started with Android, the only platform actively being blocked by IT organisations due to security concerns. I was at an event last year where McAfee showcased that an Android phone can be remotely attacked, put into a loop, overheat and catastrophically fail.
Meanwhile, Kaspersky recently discovered spy software that turns on the microphone of Android devices, recording what's being said in the room. Finally, SophosLabs documented five classes of hostile Android apps. Some, once installed, automatically install additional apps, send identity information to the attacker, or hijack social networking accounts.
So Samsung started with a platform that, by any reasonable measure, provides inadequate security for personal use, let alone business use. Ideally, to fix the problem, the company should have done what Amazon did with the Kindle and forked the code, creating a unique and more secure version of Android that wouldn't be as vulnerable.
Instead, Samsung went with mobile device management (MDM) - which, in the case of a vulnerable platform, only makes IT more responsible for adverse results but doesn't address the core security problems. The company implemented encryption, which can protect the files unless a user's identity is stolen, which unfortunately is the purpose of much Android malware. Samsung also installed a VPN, which actually makes a compromised device more dangerous, because VPNs tunnel through the perimeter security of a business, potentially granting even greater access to the attacker. Finally, the company made email connectivity improvements, which also give an attacker greater access via a compromised phone.
All in all, this showcases that Samsung, a broad-based manufacturing company, understands neither IT needs nor the actual vulnerabilities that IT needs to address. For a period last year, Samsung phones were less secure than other Android phones.
One of these things is not like the other
Generally, when a company is new to IT, it takes an existing product and patches it to look IT-like. Then, upon learning that that approach sucks, it goes back and creates a product from scratch that's designed specifically to meet its compliance and security needs.
Android, as it is, is too insecure to patch this way. Samsung may eventually realise that BlackBerry and even Apple are closer to the mark; both companies control their own platform in order to provide an acceptable business solution. In the end, when you compare BlackBerry to Samsung, you can see that BlackBerry is an enterprise vendor. Samsung, not so much.