Smartphone, tablet security and management guidelines on tap from NIST
- 11 July, 2012 18:32
The National Institute of Standards and Technology (NIST) has issued a draft policy on updated guidelines for managing and securing mobile devices, putting the emphasis on smartphones and tablets, whether these are supplied by an organization to its employees or owned by the employees themselves. The draft document views "Bring Your Own Device" (BYOD) as much riskier.
Entitled "Guidelines for Managing and Securing Mobile Devices in the Enterprise", the document is out for comment until Aug. 14, after which it could be further modified. The draft guidelines specifically are not intended to apply to cellphones or laptops. The ideas being put forward by NIST, which might eventually become approved guidelines that federal agencies would need to follow, step into the debate over how to tackle the "Bring Your Own Device" (BYOD) question, and seem to lean toward viewing BYOD devices as a heightened security risk.
"Many mobile devices, particularly those that are personally owned (bring your own device [BYOD]), are not necessarily trustworthy. Current mobile devices lack the root of trust features (e.g., TPMs) that are increasingly built into laptops and other types of hosts. There is also frequent jailbreaking and rooting of mobile devices, which means that the built-in restrictions on security, operating system use, etc. have been bypassed," write the co-authors of the NIST document, Murugiah Souppaya, computer scientist at NIST, and outside consultant Karen Scarfone, principal at Scarfone Cybersecurity. "Organizations should assume that all phones are untrusted unless the organization has properly secured them before user access and monitors them continuously while in use with enterprise applications or data."
With that as a starting point, the document's authors make it clear that traditional security measures should apply both to organization-issued devices and to employee-owned BYOD devices used for work, though they add that some organizations may want to pass on the BYOD option altogether, as it could represent too much risk given the sensitivity of the data involved. They encourage organizations to develop security policies for smartphones and tablets that are as close as possible to those they have for other types of devices, such as computers.
In any event, the NIST draft document says devices would need managed authentication, preferably along with encryption of data that adheres to NIST's FIPS-120 encryption standards. The authors encourage IT managers, who may be setting up app stores for their organization's use, to find ways to restrict what applications may be installed on smartphones and tablets, perhaps using whitelisting or blacklisting technologies, along with establishing ways to wipe devices remotely.
The document goes to some lengths to highlight what could be regarded as preferred practices in differentiating between how organization-owned devices and BYOD employee-owned devices might be allowed to connect to the organization's network.
"An organization's mobile device security policy often limits the types of mobile devices that may be used for enterprise access; this is done for a variety of reasons, including security concerns and technology limitations," the authors write in the drafted guidelines. "For example, an organization might permit only organization-owned mobile devices to be used. Some organizations have tiered levels of access, such as allowing organization-issued mobile devices to access many resources, BYOD mobile devices running the organization's mobile device management client software to access a limited set of resources, and all other BYOD mobile devices to access only a few web-based resources, such as email. This allows an organization to limit the risk it incurs by permitting the most-controlled devices to have the most access and the least-controlled devices to have only minimal access."
The document suggests decisions about going the BYOD route and access permission should be made based on sensitivity of information. "Some work involves access to sensitive information or resources, while other work does not. Organizations may have more restrictive requirements for work involving sensitive information, such as permitting only organization-issued devices to be used. Organizations should also be concerned about the legal issues involved in remotely scrubbing sensitive information from BYOD mobile devices."
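The tiered-access model quoted above, combined with the draft's "assume untrusted unless secured and continuously monitored" stance, can be expressed as a small policy-decision routine. The code below is an added illustration, not part of the NIST draft or this article; the tier names, the resource catalogue, the 24-hour check-in window and the device posture fields are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Access tiers as described in the draft: organization-issued devices get many
# resources, BYOD devices running the MDM client get a limited set, all other
# BYOD devices get only a few web-based resources such as email.
TIER_NONE, TIER_WEB_ONLY, TIER_LIMITED, TIER_FULL = "none", "web-only", "limited", "full"
TIER_RANK = {TIER_NONE: 0, TIER_WEB_ONLY: 1, TIER_LIMITED: 2, TIER_FULL: 3}

# Constructed resource catalogue (assumption): name -> (minimum tier, sensitive?)
# Sensitive resources follow the draft's stricter rule: organization-issued only.
RESOURCES = {
    "webmail": (TIER_WEB_ONLY, False),
    "intranet-wiki": (TIER_LIMITED, False),
    "hr-records": (TIER_FULL, True),
}

@dataclass
class Device:
    org_issued: bool
    mdm_enrolled: bool
    jailbroken: bool        # as reported by the MDM client; False if it cannot report
    last_checkin: datetime  # last posture report, used for "monitors continuously"

def device_tier(dev: Device, now: datetime, max_stale: timedelta = timedelta(hours=24)) -> str:
    """Map device ownership and posture to an access tier; untrusted by default."""
    if dev.jailbroken:  # built-in restrictions bypassed: treat as untrusted
        return TIER_NONE
    fresh = dev.mdm_enrolled and (now - dev.last_checkin) <= max_stale
    if dev.org_issued:
        # Managed device, but only while it is actually reporting in
        return TIER_FULL if fresh else TIER_NONE
    return TIER_LIMITED if fresh else TIER_WEB_ONLY

def can_access(dev: Device, resource: str, now: datetime) -> bool:
    required_tier, sensitive = RESOURCES[resource]
    if sensitive and not dev.org_issued:
        return False
    return TIER_RANK[device_tier(dev, now)] >= TIER_RANK[required_tier]

def example_decisions(now: datetime = datetime(2012, 7, 11, tzinfo=timezone.utc)) -> dict:
    """Constructed sample devices run through the policy; returns resource -> allowed."""
    h = lambda n: now - timedelta(hours=n)
    fleet = {
        "org-issued": Device(True, True, False, h(1)),
        "byod-with-mdm": Device(False, True, False, h(2)),
        "byod-unmanaged": Device(False, False, False, h(720)),
        "org-issued-stale": Device(True, True, False, h(72)),
        "byod-jailbroken": Device(False, True, True, h(0)),
    }
    return {name: {r: can_access(d, r, now) for r in RESOURCES} for name, d in fleet.items()}

if __name__ == "__main__":
    for name, decisions in example_decisions().items():
        print(f"{name:18} {decisions}")
```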
The document's authors express concern that BYOD devices allowed to access network resources could be a source for malware into the organization's data resources.
In the complex and evolving world of mobile-device management and security choices for managing organization-issued and BYOD devices, the authors say there will be fundamental architecture choices to be considered.
"If the device is organization issued, the client application typically manages the configuration and security of the entire device. If the device is BYOD, the client application typically manages only the configuration and security of itself and its data, not the entire device. The client application and data are essentially sandboxed from the rest of the device's applications and data, both helping to protect the enterprise from a compromised device and helping to preserve the privacy of the device's owner," the NIST document states.
The document's authors also appear to favor restricting BYOD devices more fully. "Preventing an organization-issued mobile device from syncing with a personally-owned computer necessitates security controls on the mobile device that restrict what devices it can synchronize with. Preventing a personally-owned mobile device from syncing with an organization-issued computer necessitates security controls on the organization-issued computer, restricting the connection of mobile devices. Finally, preventing the use of remote backup services can possibly be achieved by blocking use of those services (e.g., not allowing the domain services to be contacted) or by configuring the mobile devices not to use such services."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.