Since RIM first announced BlackBerry Mobile Fusion a few months back administrators have been asking me how RIM secures work data and applications on the PlayBook. Now that Mobile Fusion has been released in its first stage we have a much better idea of what is going on along. RIM has even released a 68 page document on how the BlackBerry PlayBook is secured and segmented with OS 2.0 and Mobile Fusion. Certain media outlets have been saying that RIM is not leveraging their infrastructure but to simplify it all RIM is essentially tunneling all of your data transport using both TLS for the transport layer security while encrypting data packets with Message Keys to protect the integrity of the messages. It gets a little more complicated with Wi-Fi 802.1x on company networks and over VPN but the concepts are similar.
What is most often confused by people is what RIM means by BlackBerry Balance on the PlayBook. RIM has divided the PlayBook into three perimeters. There is the Work perimeter, Bridge perimeter, and personal perimeter. Both the Work and Bridge perimeters are fully encrypted. The Work perimeter encrypts files using XTS-AES-256 together with a security record that also includes 512-bit random salt and several attributes of the file. That security record is the encrypted using the domain key which is yet another 512-bit random key. The process is similar for BlackBerry Bridge data which is isolated into its own perimeter and encrypted with XTS-AES-256 encryption. Sadly the PlayBook does not encrypt the personal perimeter.
Where things start to get really confusing is the fact that certain apps live in multiple perimeters which is where BlackBerry Balance comes into play. For example, the new contacts, calendar, and messages apps can live both in the personal and the work perimeter if you have Mobile Fusion activated. That is where things get really sticky and you need a whole chart to explain to you how RIM combines the two while keeping them separate. For example, it provides administrators the option to remotely wipe your work contacts, calendar, and messages without touching your personal data (with a few exceptions like browser cache). They also limit what you can access from apps that are designated personal, work, or bridge.
All in all I highly recommend you check out the whole 68 page document RIM has published on the subject on how the domains are segregated. I will copy a bit of how complex it gets below but the full PDF can be found here.
PS: I know I am oversimplifying quite a bit of this but it you really were interested you would have read the 68 page document RIM put out.