Just trying to gather some info on Content Protection and the split between device speed/easy admin to data security.
My manger has asked me whether "anybody bothers with it" and so I am asking you lovely people!

Do you use content protection in your enterprise?

We bother with it here; and specifically recommend people don't enable it. Content Protection is great; IFF you NEED it. Generally I've seen if the data is that sensitive it isn't allowed to be on a BB.

Isn't content protection about keeping the content encrypted on the (flash) storage?

If you have the device's password, you see it decrypted anyway. If you don't have the password, the device will ultimately be wiped. So isn't content protection really about protecting against someone opening the device and physically probing the memeory chips to get at the data in them?

So we're into mitigating govt or industrial espionage level risks, right?

Negatives:
- When wiping the device, data decryption process can take up to 2 hours before the actual wipe process completes; this is compared to about 1-2 minutes without Content Protection enabled
- Slow device responsiveness for standard day-to-day tasks on the device, especially legacy (non-64MB) devices
- Caller ID (from Address Book) does not work for legacy OS's and devices (there is a non-default option (device-based or policy-based) you can change to not encrypt the Address Book

In all honesty, if you have legacy devices still deployed, don't implement it. If security wipes are part of standard troubleshooting, don't implement it. It really just boils down to those two issues versus 'peace of mind' for the Information Security personnel. I think the device usability experience should win that argument, although some will disagree.

Also, Content Protection disables a BES Admin's ability to remotely reset a forgotten password on a device from the server console, a real bummer for a forgetful remote user.

We enforce it on all devices. If you're in the banking/financial services industry it's a requirement to meet compliance regulations.

I'm assuming you also encrypt your laptop hard drives? Thumb drives? Optical media?

We use a product similar to PGP desktop to accomplish full disk encryption of laptops. All optical media is required to be encrypted and only a select few people have cd/dvd burners installed to restrict who has the ability to create a disk. all "thumb drive" type removable storage is not allowed and is enforced by using software that restricts what kind of devices are allowed to work when plugged into usb ports on the workstations. But to fully answer your question, ANY and ALL data that is put on any type of device that is going to be taken out of the organization is required to be encrypted regardless of what the device is and the rule is enforced with no exceptions at any time wether you are the CEO or the janitor you follow this rule.

Good to hear no exceptions; you can hold some of my money

We have talked about using it, but due to the drawbacks such as not being able to remotely reset the password and the long wipe times, I have been reluctant. I justify that with the fact that our users are not supposed to have confidential information in their mailbox.

We are starting to use hardware encrypted harddrives in laptops.

tduffy, that is awesome that your company is willing to enforce such high security standards - even for the CEO. That has been such a losing battle around here.

In the past they were hard battles for us also but they no longer are. When a higher up thinks they need to be an exception to our security standards I'll simply tell them that If I were to make an exception for them that the exception would be documented and that documentation like all documentation will be seen by the FDIC during the next audit and I will be sending the auditors their way for an explanation as to why they thought they didn't need to follow the same rules everyone else has to. That shuts them up really quick. Security isn't easy especially for the end users, but once they understand there there is a more secure way to accomplish what they are doing even though they might have to go a little out of their way to do it, the sun will still rise, the world will still turn and they will get what they need done.

Exactly the same situation here. We put a policy on all BlackBerries (nothing too strict) forcing passwords and time-locks, disabling 3rd party mail and apps etc. We still had to allow bluetooth thanks to Execs and their car kits. However, two people have demanded to be removed from the policy, and they are the CEO and Chairman!