The National Institute of Standards and Technology has just released the draft of recommendations for addressing mobile device security. Among other points, the draft document recommends implementing centralized management technologies for both organization-issued and personally-owned mobile devices.
The update is considered timely and important due to the dramatic increase in smartphone and tablet penetration over the last two years, the variety of mobile devices and the pressure from employees to use their own devices.
The draft document, Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP800-124), focuses primarily on smartphones and tablets, excluding laptops and basic cellphones. It is open to comments until Friday, Aug. 17.
Mobile devices are inherently less secure than laptops or desktops. Among other weaknesses, they are easily and frequently lost or stolen, their built-in data protection schemes are weaker than those of computers, they constantly access unprotected networks external to the organization, and the easy downloading of apps from any number of sources makes them vulnerable to hidden malware.
Despite such weaknesses, SP800-124 states that mobile devices must typically support the multiple security objectives of confidentiality, integrity and availability.
To address these inherent vulnerabilities and ensure that mobile security objectives are met, SP800-124’s authors, Murugiah Souppaya, with NIST’s Computer Security Division, and Karen Scarfone, a NIST guest researcher, recommend implementing centralized management technologies for both organization-issued and personally-owned mobile devices.
Two types of centralized security exist: using a messaging server’s management capabilities or using a product from a third party that is designed for multiple phone brands. In the first case, the technology may be provided by the phone manufacturer or vendor.
Both versions of the technology not only manage the configuration and security of the devices, but they also offer other features such as providing secure access to enterprise computing resources.
“One example [of centralized management] is that if a device is lost, you can do a remote wipe,” said Tom Karygiannis, a NIST senior researcher in mobile security. “These technologies can push down policies to phones, such as preventing them from going to certain websites. Centralized management can also turn off cameras or block audio recordings.”
According to Karygiannis, many government agencies have launched mobile security pilots in the past 12 months. “Each agency has a different need,” he said. “They are figuring out their business cases. Some just want video-conferencing, whereas others want network connectivity. The more network capabilities that are needed and the more sensitive the data, the more security is needed.”
SP800-124 recommends that agencies start pilots by developing threat models for mobile devices as well as for the network, data and other resources they use.
Once they’ve done this, they should “consider the merits of each provided security service, determine which services are needed for their environment, and then design and acquire one or more solutions that collectively provide the necessary services.”
Next comes the development of a mobile device security policy, followed by testing a prototype of the agency’s chosen security solution before it’s adopted. Every mobile device should be secured before users can operate it, and, of course, security must be constantly updated to address ever-evolving threats.
Karygiannis estimates that most agencies would take around three to six months to evaluate a mobile security solution, depending upon their specific needs. Then another three to six months might be needed for procurement, training, and phasing in the solution.
“Scale and complexity will affect that process,” he said.
The new recommendations represent updates to NIST’s general information system security recommendations published in 2009, in a document entitled Recommended Security Controls for Federal Information Systems and Organizations (SP800-53). Comments should be sent to firstname.lastname@example.org with the subject “SP 800-124 Comments.”