NIST Guidelines for Mobile DevicesNIST Guidelines for Mobile Devices

By

Jul 13th


This week, NIST (National Institute of Standards and Technology) has release the guidelines for managing and securing of mobile devices in the enterprise (Guidelines for Managing and Securing Mobile Devices in the Enterprise – SP 800-124 Revision 1). The purpose of this publication is to provide recommendation to help organizations centrally manage and secure their mobile devices against various threats.

This document is intended for technical staffs such as security engineers and those who are responsible in planning, implementing and maintaining the security of the mobile devices.

It covers the type of mobile devices that are applicable such as smart phone and tablets. Basic cell phones and laptops are out of scope as their threat level and security control options are different.

It also talks about the different high-level threats and vulnerabilities related to these devices, as they are generally higher risk exposure that other client devices such as desktop and laptop. These threats are,

• Lack of physical security controls

• Use of untrusted mobile devices

• Use of untrusted networks

• Use of applications created by unknown parties

• Interaction with other systems

• Use of untrusted content

• Use of location services

The next section of the document provides an overview of the current state of the MDM (Mobile Device Management) technologies, which mainly comprise of the components, the architectures and the capabilities. For components, it talks about the type of MDM solution between the solution from same vendor of the mobile device and using third party product that can manage one or more types of mobile devices.

The architectures deal with the different consideration and the use of other enterprise services based on business requirement. As for the capabilities of the MDM, it should provide the following security services,

General policy that can enforce enterprise security policies on the mobile device.

Data communication and storage that provide strong data encryption during communication and on storage. It should also have the ability to remotely wipr the device.

User and device authentication, which includes account and device lockout and remotely locking of the device.

Application. It should be able to restrict the installing and removal of applications. Prevent access to enterprise resources based on devices OS (Operating System) version and status (rooted or jailbroken).

Lastly, it talks about the security for the life cycle of the enterprise mobile device solution, which covers from policy down to operations. This life cycle consist of 5 main phases.

Phase 1: Initiation. This phase include identifying needs for mobile devices, creating a high-level strategy for implementing mobile device solutions, developing a mobile device security policy, and specifying business and functional requirements for the solution.

Phase 2: Development. In this phase, it covers technical characteristics of the mobile device solution and related components. These include the type of authentication methods, cryptographic mechanisms and the type of mobile device clients to be used.

Phase 3: Implementation. This phase involve equipment configuration to meet operational and security requirements. Ensuring the integration with other security controls such as security event logging and authentication servers.

Phase 4: Operations and Maintenance. This phase will cover security related tasks that should be performed on an on-going basis such as log review and attack detection.

Phase 5: Disposal. This phase will cover the tasks for retiring of components and the mobile device solutions, including preserving of information to meet legal requirements, sanitizing and disposing of equipment properly.

Leave a Reply

 
© 2006-2019 Security magazine.