NIST's revised guidance sharpens the focus of the original publication, released in 2008, excluding laptops and low-end cell phones, and covering both enterprise-issued devices and BYOD.
The National Institute of Standards and Technology is revising its guidance for securely managing mobile devices, addressing developments in mobile technology since publication of the original guidelines in 2008.
The draft of Special Publication 800-124, Revision 1, "Guidelines for Managing and Securing Mobile Devices in the Enterprise" provides recommendations for selecting, implementing and using centralized management technologies for mobile devices, for both organization-provided and personally-owned (bring your own device, or BYOD) devices.
Changes in the mobile landscape in the last four years are reflected in the title of the publication. The original document is titled “Guidelines on Cell Phone and PDA Security.” Today, the scope of mobile computing has broadened and it has penetrated more deeply into the enterprise. The draft revision sharpens the focus of the guidance, excluding laptops and low-end cell phones.
“Laptops are out of the scope of this publication, because the security controls available for laptops today are quite different than those available for smart phones, tablets and other mobile device types,” the publication states. “Mobile devices with minimal computing capability, such as basic cell phones, are also out of scope because of the limited security options available and the limited threats they face.”
The first challenge addressed in the guidance is deciding just what a mobile device is. “Features are constantly changing, so it is difficult to define the term,” the publication says.
Features characterizing devices in the scope of the guidelines include a small form factor, at least one wireless network interface for Internet access, built-in data storage with the ability to synchronize local data with a remote source, an operating system that is not as full-featured as that for a PC and the availability of third-party applications.
Assuring the confidentiality, integrity and availability of data on a mobile device, as well as the security of the enterprise it connects to, requires the same level of security required for PCs, as well as additional protection for threats specific to wireless devices that often are not operating within the enterprise.
The revised SP 800-124 contains specific recommendations for securing mobile devices, which are intended to supplement security controls specified in NIST’s SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," which provides general security recommendations for any IT technology.
Centralized management of mobile devices, both organization-issued and BYOD, is an evolving area. In addition to managing the configuration and security of the devices, centralized management also offers features such as secure access to enterprise computing resources. This management can be done through the features of the messaging server for a particular type of device or through a third-party product designed to manage several brands of phones.
Basic guidelines for securely managing devices include:
- Develop system threat models for mobile devices and for the resources that are accessed through them. Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices. Threat modeling helps organizations to identify security requirements and to design the mobile device solution to incorporate the controls needed to meet the security requirements.
- Create a mobile device security policy, defining which types of devices are permitted, the degree of access different devices may have, and how provisioning should be handled.
- Implement and test a prototype of the mobile device solution before putting the solution into production.
- Fully secure each organization-issued mobile device before allowing a user to access it. This ensures a basic level of trust in the device before it is exposed to threats.
- Regularly maintain mobile device security. This includes checking for upgrades and patches; ensuring that each mobile infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure.
Because most organizations do not need all of the possible security services offered by security tools, they can pick from among the features that include policy enforcement, encryption, user and device authentication, and application white and blacklisting.
Comments on the draft publication should be sent by Aug. 17 to firstname.lastname@example.org, with "SP 800-124 Comments" in the subject line.