NIST Updates Mobility Guidance
Draft Publication Focuses on Centralized Device Management
Deploying software that centralizes device management at the organization level is one of the better approaches to help secure mobile devices, new draft guidance from the National Institute of Standards and Technology recommends.
Centralized programs manage the configuration and security of mobile devices and provide secure access to an organization's computer network, according to the just-issued draft of NIST Special Publication 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise, which provides recommendations for selecting, implementing and using centralized management technologies for securing mobile devices.
The features that make mobile devices attractive for employees to use in the workplace often are the same ones that present security challenges, says Karen Scarfone, co-author of the NIST guidance. Mobile devices can easily be lost or stolen, and users may be tempted to download non-secure apps that might conceal malware that could be used to steal confidential data.
Because security is minimal for mobile devices, a thief can retrieve sensitive data directly from the device, or use the phone or tablet to access an organization's computer network remotely. "Mobile devices need to support multiple security objectives: confidentiality, integrity and availability, so they need to be secured against a variety of threats," Scarfone says.
The draft guidelines recommend developing system threat models for mobile devices, instituting a mobile-device security policy, implementing and testing a prototype of the mobile-device solution before putting it into production, securing each organization-issued mobile device before allowing a user to access it and maintaining mobile-device security regularly.
Originally published in October 2008 as Guidelines on Cell Phone and PDA Security, the revision has been updated for today's technology. The guidelines do not cover laptops because the security controls available for laptops are quite different than those available for smart phones and tablets. Basic cell phones are not covered because of the limited security options available and threats they face.
NIST seeks public comments on the draft guidelines that could help the guidance authors to fine-tune their final report. Comments should be sent to 800-124comments@nist.gov by Aug. 17 with the subject "SP 800-124 Comments."