NIST’s 6 Steps Approach To Secure Enterprise Mobile Devices

The National Institute of Standards and Technology (NIST) has recently published security guidelines for managing mobile devices, titled “Guidelines for Managing the Security of Mobile Devices in the Enterprise”. This newly released guide is a revision of its initial publication on managing mobile device security, which appeared in 2008. In a news statement, NIST pointed out that the revised guidance has been designed to address the needs of a fast-evolving mobile device landscape.

NIST’s initial guidance was published at a time when the mobile device landscape was less complex: Apple’s iPhone was just making its appearance, and there was no sign of the iPad. No wonder the name of that guidance, Special Publication 800-124: Guidelines on Cell Phone and PDA Security, became outdated.

Here is how NIST’s current guidance has evolved to address today’s more complex mobile device security management needs.

While the original version dedicated some 1½ pages to defining PDAs (personal digital assistants), the revised version does not even mention them. Basic cell phones were not covered in the original guidance because of their minimal computing capability and limited security options. That guidance also pointed out that cell phones faced limited threats, which is no longer true today.

The new guidance sets out to explain the security concerns inherent in mobile device use and the ways devices can be kept protected throughout their life cycles. Users will learn about the various technology options for managing security on their mobile devices.

The guidance covers enterprise-issued devices as well as the bring-your-own device trend.

NIST’s new guidance offers enterprises a step-by-step tutorial on managing mobile devices securely.

According to the guidance, the first step for an organization should be to work out a sound mobile device security policy, clearly defining:

  1. Which types of the organization’s resources may be accessed via mobile devices
  2. Which types of mobile devices – for example, organization-issued devices vs. BYOD – are permitted to access the organization’s resources
  3. The degree of access that various classes of mobile devices may have
  4. How provisioning should be handled

The second step, according to the guidance, involves developing system threat models for mobile devices and for the resources that are accessed through the devices. Since these devices are typically exposed to higher risks than other types of devices, such as laptops and desktops, they need additional layers of protection.

In the third step, organizations need to consider the merits of each available security service, determine which services are needed for their environment, and then design and acquire one or more solutions that collectively provide the necessary services. Organizations should consider security services in the areas of general policy; data communication and storage; user and device authentication; and applications.

The fourth step requires organizations to implement and test a mobile device solution before putting it into production. Before deploying a solution, organizations should evaluate certain aspects of it, including connectivity, protection, authentication, application functionality, solution management, logging and performance.

The fifth, and one of the most vital, steps involves securing each organization-issued mobile device before allowing a user to access it. This ensures a basic level of trust in the device before it is exposed to threats. Users then need to maintain mobile device security regularly: checking for upgrades and patches and acquiring, testing and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices.

The sixth and final step requires organizations to perform periodic assessments to confirm that their mobile device policies, processes and procedures are being followed properly. Passive assessment activities include reviewing logs, while active assessments may include vulnerability scans and penetration testing.
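The checks that steps 1, 5 and 6 describe (is the device class permitted, is it patched, is its clock in sync with the common time source, has its configuration drifted from the hardened baseline, and how does the fleet look in a periodic assessment) can be expressed as a small compliance script run over exported device inventory records. The following is an added example written for this article, not code from NIST or from any mobile device management product; the baseline values, the `DeviceRecord` fields and the three sample devices are all constructed for illustration, and a real deployment would read the records from its MDM export instead.

```python
"""Baseline compliance check for a mobile device inventory (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed baseline: what the mobile device policy (step 1) and the
# per-device hardening (step 5) require. The values are hypothetical.
BASELINE = {
    "allowed_device_classes": {"org-issued", "byod"},
    "min_os_patch_level": "2013-05-01",          # ISO date; compares lexically
    "required_settings": {"device_encryption": True,
                          "screen_lock": True,
                          "remote_wipe": True},
    "max_clock_drift_s": 60,                     # tolerance against the common time source
}


@dataclass
class DeviceRecord:
    device_id: str
    device_class: str
    os_patch_level: str            # ISO date of the installed patch level
    settings: Dict[str, bool]      # security settings reported by the device
    reported_clock: datetime       # device's own clock at check-in
    collected_at: datetime         # server time (common time source) at check-in


def check_device(rec: DeviceRecord, baseline: dict = BASELINE) -> List[str]:
    """Return a list of documented anomalies; an empty list means compliant."""
    findings = []
    if rec.device_class not in baseline["allowed_device_classes"]:
        findings.append(f"device class '{rec.device_class}' is not permitted by policy")
    if rec.os_patch_level < baseline["min_os_patch_level"]:
        findings.append(f"patch level {rec.os_patch_level} is older than "
                        f"required {baseline['min_os_patch_level']}")
    # Any deviation from the required settings is an unauthorized configuration change.
    for key, expected in baseline["required_settings"].items():
        actual = rec.settings.get(key)
        if actual != expected:
            findings.append(f"unauthorized configuration: {key}={actual!r}, expected {expected!r}")
    drift = abs((rec.reported_clock - rec.collected_at).total_seconds())
    if drift > baseline["max_clock_drift_s"]:
        findings.append(f"clock drift of {drift:.0f}s exceeds {baseline['max_clock_drift_s']}s")
    return findings


def assess_fleet(records: List[DeviceRecord], baseline: dict = BASELINE) -> dict:
    """Periodic (passive) assessment: summarize which devices follow the policy."""
    report = {"compliant": [], "noncompliant": {}}
    for rec in records:
        findings = check_device(rec, baseline)
        if findings:
            report["noncompliant"][rec.device_id] = findings
        else:
            report["compliant"].append(rec.device_id)
    return report


# Constructed sample inventory, as an MDM export might provide it.
_T0 = datetime(2013, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    DeviceRecord("dev-001", "org-issued", "2013-06-01",
                 {"device_encryption": True, "screen_lock": True, "remote_wipe": True},
                 _T0 + timedelta(seconds=5), _T0),
    DeviceRecord("dev-002", "org-issued", "2013-03-15",      # stale patch level
                 {"device_encryption": False, "screen_lock": True, "remote_wipe": True},
                 _T0, _T0),                                  # encryption switched off
    DeviceRecord("dev-003", "byod", "2013-06-01",
                 {"device_encryption": True, "screen_lock": True, "remote_wipe": True},
                 _T0 - timedelta(seconds=300), _T0),         # clock five minutes behind
]

if __name__ == "__main__":
    for dev_id, findings in assess_fleet(SAMPLE_DEVICES)["noncompliant"].items():
        for f in findings:
            print(f"{dev_id}: {f}")
```

Each finding is a plain string so it can be written straight into the assessment log the sixth step asks for; comparing reported device time against the server's collection time is what makes the clock-synchronization requirement checkable without trusting the device's own clock.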