Smartphone, tablet security and management guidelines on tap from NIST

The National Institute of Standards and Technology (NIST) has issued a draft of updated guidelines for managing and securing mobile devices, with the emphasis on smartphones and tablets, whether the devices are supplied by the organization or owned by the employees themselves. The draft document treats "Bring Your Own Device" (BYOD) as considerably riskier.


Entitled "Guidelines for Managing and Securing Mobile Devices in the Enterprise", the document is out for comment until Aug. 14, after which it could be further modified. The draft guidelines specifically are not intended to apply to cellphones or laptops. The ideas being put forward by NIST, which might eventually become approved guidelines that federal agencies would need to follow, step into the debate over how to tackle the "Bring Your Own Device" (BYOD) question, and lean toward viewing BYOD devices as a heightened security risk.

"Many mobile devices, particularly those that are personally owned (bring your own device [BYOD]), are not necessarily trustworthy. Current mobile devices lack the root of trust features (e.g., TPMs) that are increasingly built into laptops and other types of hosts. There is also frequent jailbreaking and rooting of mobile devices, which means that the built-in restrictions on security, operating system use, etc. have been bypassed," write the co-authors of the NIST document, Murugiah Souppaya, computer scientist at NIST, and outside consultant Karen Scarfone, principal at Scarfone Cybersecurity. "Organizations should assume that all phones are untrusted unless the organization has properly secured them before user access and monitors them continuously while in use with enterprise applications or data."

With that as a starting point, the document's authors make it clear that traditional security measures should apply both to organization-issued devices and to employee-owned BYOD devices used for work, though they add that some organizations may want to pass on the BYOD option altogether, as it could represent too much risk given the sensitivity of the data involved. They encourage organizations to develop security policies for smartphones and tablets that are as close as possible to those they already have for other types of devices, such as computers.

In any event, the NIST draft document says managed authentication would be required on devices, along with, preferably, encryption of data and adherence to NIST encryption FIPS-120 standards. The authors encourage IT managers, who may be setting up app stores for their organization's use, to find ways to restrict which applications may be installed on smartphones and tablets, perhaps using whitelisting or blacklisting technologies, and to establish ways to wipe devices remotely.

The document goes to some lengths to highlight what could be regarded as preferred practices for differentiating how organization-owned devices and employee-owned BYOD devices are allowed to connect to the organization's network.

"An organization's mobile device security policy often limits the types of mobile devices that may be used for enterprise access; this is done for a variety of reasons, including security concerns and technology limitations," the authors write in the drafted guidelines. "For example, an organization might permit only organization-owned mobile devices to be used. Some organizations have tiered levels of access, such as allowing organization-issued mobile devices to access many resources, BYOD mobile devices running the organization's mobile device management client software to access a limited set of resources, and all other BYOD mobile devices to access only a few web-based resources, such as email. This allows an organization to limit the risk it incurs by permitting the most-controlled devices to have the most access and the least-controlled devices to have only minimal access."

The document suggests decisions about going the BYOD route and access permission should be made based on sensitivity of information. "Some work involves access to sensitive information or resources, while other work does not. Organizations may have more restrictive requirements for work involving sensitive information, such as permitting only organization-issued devices to be used. Organizations should also be concerned about the legal issues involved in remotely scrubbing sensitive information from BYOD mobile devices."

The document's authors express concern that BYOD devices allowed to access network resources could become a route for malware into the organization's data resources.

In the complex and evolving world of mobile-device management and security, the authors say that managing organization-issued and BYOD devices involves fundamental architecture choices.

"If the device is organization issued, the client application typically manages the configuration and security of the entire device. If the device is BYOD, the client application typically manages only the configuration and security of itself and its data, not the entire device. The client application and data are essentially sandboxed from the rest of the device's applications and data, both helping to protect the enterprise from a compromised device and helping to preserve the privacy of the device's owner," the NIST document states.

The document's authors also appear to favor restricting BYOD devices more fully, particularly where synchronization and backup are concerned. "Preventing an organization-issued mobile device from syncing with a personally-owned computer necessitates security controls on the mobile device that restrict what devices it can synchronize with. Preventing a personally-owned mobile device from syncing with an organization-issued computer necessitates security controls on the organization-issued computer, restricting the connection of mobile devices. Finally, preventing the use of remote backup services can possibly be achieved by blocking use of those services (e.g., not allowing the domain services to be contacted) or by configuring the mobile devices not to use such services."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
