Windows Phone 8 enterprise security versus BlackBerry 10 Balance and Samsung Knox

How good is Windows Phone 8 security? Actually, pretty good. The key features are described here [pdf]:

  • Trusted Boot prevents booting to an alternative operating system, using the UEFI secure boot standard.
  • Only signed operating system components and apps can run.
  • App sandboxing:

    No communication channels exist between apps on the phone other than through the cloud. Apps are isolated from each other and cannot access memory used or data stored by other applications, including the keyboard cache.

  • Private internal app distribution by businesses who register with Microsoft
  • Password policies set through Exchange ActiveSync (EAS)
  • Built-in device management client
  • BitLocker encryption when set by the EAS RequireDeviceEncryption policy. AES 128 encryption linked to UEFI Trusted Boot.
  • SD card data is not encrypted, but the OS only allows media files to be stored on SD cards.
  • Information Rights Management can prevent documents being edited, printed, or text copied (other than tricks like photographing the screen).
  • Remote Wipe

The security features in Windows Phone 8 are largely based on those in full Windows, since the core operating system is the same. However, devices are more secure since they are not afflicted by the legacy which makes desktop Windows hard to lock down without damaging usability.

While the above sounds good, note that in most cases a simple PIN will get you access to everything. On the other hand, unless the PIN is seen it is not all that insecure, since you can set policies that lock or wipe the phone after a few wrong attempts.
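The point about PINs and lock-or-wipe policies can be checked against the policy a device actually receives. The following is an added example, not code from Microsoft or from the original article: it audits a decoded Exchange ActiveSync policy document (EAS sends it as WBXML; the XML below is the decoded form) for the three settings discussed above. The element names are those of the EAS provisioning schema; the function names and both sample documents are constructed for illustration, and the guess estimate assumes a uniformly random numeric PIN of the minimum length.

```python
import xml.etree.ElementTree as ET

NS = {"p": "Provision"}  # XML namespace of EAS policy elements
FIELDS = ("DevicePasswordEnabled", "MinDevicePasswordLength",
          "MaxDevicePasswordFailedAttempts", "RequireDeviceEncryption")

# Constructed samples: decoded policy documents, not captured from a real server.
WEAK = """<EASProvisionDoc xmlns="Provision">
  <DevicePasswordEnabled>1</DevicePasswordEnabled>
  <MinDevicePasswordLength>4</MinDevicePasswordLength>
  <RequireDeviceEncryption>0</RequireDeviceEncryption>
</EASProvisionDoc>"""
HARDENED = """<EASProvisionDoc xmlns="Provision">
  <DevicePasswordEnabled>1</DevicePasswordEnabled>
  <MinDevicePasswordLength>4</MinDevicePasswordLength>
  <MaxDevicePasswordFailedAttempts>5</MaxDevicePasswordFailedAttempts>
  <RequireDeviceEncryption>1</RequireDeviceEncryption>
</EASProvisionDoc>"""

def read_policy(xml_text):
    """Return the audited fields as ints; absent or empty elements become None."""
    root = ET.fromstring(xml_text)
    policy = {}
    for name in FIELDS:
        el = root.find(f"p:{name}", NS)
        text = (el.text or "").strip() if el is not None else ""
        policy[name] = int(text) if text else None
    return policy

def audit(policy):
    """List the gaps that leave a PIN-only device exposed."""
    findings = []
    if policy["DevicePasswordEnabled"] != 1:
        findings.append("no device password required")
    if policy["MaxDevicePasswordFailedAttempts"] is None:
        findings.append("no wipe after failed attempts")
    if policy["RequireDeviceEncryption"] != 1:
        findings.append("device encryption not required")
    return findings

def guess_chance(policy):
    """Chance of guessing a uniformly random numeric PIN of minimum length before wipe."""
    tries = policy["MaxDevicePasswordFailedAttempts"]
    if policy["DevicePasswordEnabled"] != 1 or tries is None:
        return 1.0  # unlimited guesses: the PIN will eventually fall
    return min(1.0, tries / 10 ** (policy["MinDevicePasswordLength"] or 1))

if __name__ == "__main__":
    for doc in (WEAK, HARDENED):
        print(audit(read_policy(doc)), guess_chance(read_policy(doc)))
```

With a four-digit minimum and a wipe after five failures the estimate is 5 in 10,000; real PINs are not chosen uniformly, so treat that figure as optimistic.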

Does Microsoft therefore have a good story versus BlackBerry 10 Balance and Samsung Knox, both of which feature secure containers that isolate business apps and data from personal? The approach is different. In Windows Phone the focus is on the whole device, whereas the other two have the concept of segmentation, letting users do what they like (including installation of games and so on) in one segment, while the business gets to control the other.

Windows Phone does in fact have a somewhat similar feature aimed at children. Kids Corner lets you create a "fun" segment containing specified apps and games, sandboxed from the main operating system. While this is currently designed for children borrowing your phone, you can see how it could be adapted to create a personal/business split if Microsoft chose to do so.

For the time being though, you might worry about the potential for users to install a malicious app or game that manages to exploit a bug in Windows Phone and compromise security.

Even if the business can lock down the device so that users cannot install apps, this impairs the user experience to the extent that most users will want another phone for personal use. The attraction of the BlackBerry and Samsung approach is the way it combines user freedom with business security.

Is Microsoft doing a good job of articulating the enterprise features of Windows Phone 8? That is a hard question to answer; but my observation is that Nokia, the main Windows Phone vendor, seems to focus more on consumer features like the camera and music, or general features like maps and turn-by-turn navigation. Enterprise features are hardly mentioned on the Nokia stand here at Mobile World Congress in Barcelona, while Microsoft does not have a stand at all. On the other hand, you would think that the company’s strong partner ecosystem would be effective in communicating the presence of these features to enterprises.