The National Institute of Standards and Technology (NIST) has issued a draft of updated guidelines for managing and securing mobile devices, with the emphasis on smartphones and tablets, whether the organisation issues them to employees or the employees own them outright. The draft treats "Bring Your Own Device" (BYOD) as the considerably riskier case.
Entitled "Guidelines for Managing and Securing Mobile Devices in the Enterprise", the document is open for comment until Aug. 14, after which it could be further modified. The draft guidelines are specifically not intended to apply to cellphones or laptops. The ideas NIST is putting forward, which could eventually become approved guidelines that federal agencies would need to follow, step into the debate over how to handle BYOD and lean toward treating employee-owned devices as a heightened security risk.
"Many mobile devices, particularly those that are personally owned (bring your own device [BYOD]), are not necessarily trustworthy. Current mobile devices lack the root of trust features (e.g., TPMs) that are increasingly built into laptops and other types of hosts. There is also frequent jailbreaking and rooting of mobile devices, which means that the built-in restrictions on security, operating system use, etc. have been bypassed," write the co-authors of the NIST document, Murugiah Souppaya, computer scientist at NIST, and outside consultant Karen Scarfone, principal at Scarfone Cybersecurity. "Organisations should assume that all phones are untrusted unless the organisation has properly secured them before user access and monitors them continuously while in use with enterprise applications or data."
With that as a starting point, the authors make clear that traditional security controls should apply both to organisation-issued devices and to employee-owned BYOD devices used for work, though they add that some organisations may want to forgo BYOD altogether if the sensitivity of the data involved makes the risk too high. They encourage organisations to develop security policies for smartphones and tablets that are as close as possible to those they already have for other hosts, such as desktop and laptop computers.
In any event, the draft says devices should require authentication before use, should preferably encrypt stored data, and should use cryptography that meets the FIPS 140 validation requirements for cryptographic modules. The authors encourage IT managers, who may be setting up app stores for their organisation's use, to find ways to restrict which applications may be installed on smartphones and tablets, perhaps through application whitelisting or blacklisting, and to establish a way to wipe devices remotely.
The document goes to some lengths to set out what could be regarded as preferred practice for differentiating how organisation-owned devices and employee-owned BYOD devices are allowed to connect to the organisation's network.
"An organisation's mobile device security policy often limits the types of mobile devices that may be used for enterprise access; this is done for a variety of reasons, including security concerns and technology limitations," the authors write in the drafted guidelines.
"For example, an organisation might permit only organisation-owned mobile devices to be used. Some organisations have tiered levels of access, such as allowing organisation-issued mobile devices to access many resources, BYOD mobile devices running the organisation's mobile device management client software to access a limited set of resources, and all other BYOD mobile devices to access only a few web-based resources, such as email. This allows an organisation to limit the risk it incurs by permitting the most-controlled devices to have the most access and the least-controlled devices to have only minimal access."
The document suggests that decisions about going the BYOD route, and about what access to permit, should be based on the sensitivity of the information involved. "Some work involves access to sensitive information or resources, while other work does not. Organizations may have more restrictive requirements for work involving sensitive information, such as permitting only organization-issued devices to be used. Organizations should also be concerned about the legal issues involved in remotely scrubbing sensitive information from BYOD mobile devices."
The authors also express concern that BYOD devices granted access to network resources could become a vector for malware into the organisation's systems.
Amid the complex and evolving set of mobile-device management and security choices for organisation-issued and BYOD devices, the authors say there are fundamental architecture decisions to consider.
"If the device is organization issued, the client application typically manages the configuration and security of the entire device. If the device is BYOD, the client application typically manages only the configuration and security of itself and its data, not the entire device. The client application and data are essentially sandboxed from the rest of the device's applications and data, both helping to protect the enterprise from a compromised device and helping to preserve the privacy of the device's owner," the NIST document states.
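The tiered-access scheme quoted above, the app whitelisting/blacklisting the draft encourages, and the whole-device versus sandboxed-client split described in this paragraph fit together naturally as a single policy decision. The following is an added example, not code from the NIST document or any MDM product: a small policy-decision function that maps what an MDM client reports about a device to an access tier. The tier names, resource names, posture fields, bundle identifiers and sample device reports are all constructed for illustration. Org-owned devices are held to a full application allowlist because the organisation manages the whole device; enrolled BYOD devices are checked only against a denylist, since the organisation manages just its own sandboxed client and should not police the owner's personal apps; unenrolled BYOD devices report nothing verifiable and get only the minimal web-based tier.

```python
"""Posture-based tiered access for mobile devices (illustrative example)."""
from dataclasses import dataclass
from typing import Optional

# Most-controlled devices get the most access, least-controlled the least.
TIERS = {
    "full":    {"web-email", "intranet", "file-shares", "sensitive-db"},
    "limited": {"web-email", "intranet"},
    "minimal": {"web-email"},
    "none":    set(),
}

# Hypothetical bundle identifiers, constructed for this example.
APP_ALLOWLIST = {"com.example.mail", "com.example.vpn", "com.example.docs"}
APP_DENYLIST = {"com.example.cloudbackup", "com.example.rootkit"}


@dataclass
class DevicePosture:
    """What the MDM client reports about a device.

    An unenrolled device has no client, so its posture fields stay None:
    nothing about it can be verified."""
    device_id: str
    org_owned: bool
    mdm_enrolled: bool
    jailbroken: Optional[bool] = None
    passcode_set: Optional[bool] = None
    storage_encrypted: Optional[bool] = None
    installed_apps: frozenset = frozenset()


def posture_failures(p: DevicePosture) -> list:
    """Reasons an enrolled device fails policy; empty list means compliant.

    A field the client did not report (None) fails closed."""
    failures = []
    if p.jailbroken:
        failures.append("jailbroken or rooted")
    if not p.passcode_set:
        failures.append("no device passcode")
    if not p.storage_encrypted:
        failures.append("storage not encrypted")
    banned = p.installed_apps & APP_DENYLIST
    if banned:
        failures.append("denylisted apps: " + ", ".join(sorted(banned)))
    if p.org_owned:
        # Whole-device management: every installed app must be allowlisted.
        unknown = p.installed_apps - APP_ALLOWLIST
        if unknown:
            failures.append("non-allowlisted apps: " + ", ".join(sorted(unknown)))
    return failures


def access_tier(p: DevicePosture) -> str:
    """Map a device report to one of the TIERS keys."""
    if not p.mdm_enrolled:
        # No client, no verifiable posture. An org-owned device that is not
        # enrolled is a policy violation; a personal one gets web email only.
        return "none" if p.org_owned else "minimal"
    if posture_failures(p):
        return "none"  # quarantine until remediated (or remotely wiped)
    return "full" if p.org_owned else "limited"


def authorize(p: DevicePosture, resource: str) -> bool:
    """Policy enforcement point: may this device reach this resource?"""
    return resource in TIERS[access_tier(p)]


# Constructed sample reports, one per case the policy distinguishes.
SAMPLE_DEVICES = [
    DevicePosture("corp-001", org_owned=True, mdm_enrolled=True, jailbroken=False,
                  passcode_set=True, storage_encrypted=True,
                  installed_apps=frozenset({"com.example.mail", "com.example.vpn"})),
    DevicePosture("corp-002", org_owned=True, mdm_enrolled=True, jailbroken=False,
                  passcode_set=True, storage_encrypted=True,
                  installed_apps=frozenset({"com.example.mail", "com.example.cloudbackup"})),
    DevicePosture("byod-001", org_owned=False, mdm_enrolled=True, jailbroken=False,
                  passcode_set=True, storage_encrypted=True,
                  installed_apps=frozenset({"com.example.mail", "com.games.solitaire"})),
    DevicePosture("byod-002", org_owned=False, mdm_enrolled=True, jailbroken=True,
                  passcode_set=True, storage_encrypted=True),
    DevicePosture("byod-003", org_owned=False, mdm_enrolled=False),
]


def evaluate_all(devices=SAMPLE_DEVICES) -> dict:
    """Tier decision for every device, keyed by device id."""
    return {d.device_id: access_tier(d) for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        detail = posture_failures(d) if d.mdm_enrolled else "(unenrolled, nothing reported)"
        print(f"{d.device_id}: {access_tier(d)} {detail}")
```

Running it shows the personal game on byod-001 does not cost that device its limited tier, while the same denylisted backup app on corp-002 drops that fully managed device to no access; the jailbroken byod-002 is refused regardless of its other settings, matching the draft's position that a rooted device is untrusted. In a real deployment the posture report would come from the MDM server's device inventory and `authorize` would sit in the VPN gateway or reverse proxy, but the decision logic is the same.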
The authors also address how enterprise data can leak through synchronization with other computers and through remote backup services, and what controls that implies on each side of the connection. "Preventing an organisation-issued mobile device from syncing with a personally-owned computer necessitates security controls on the mobile device that restrict what devices it can synchronize with. Preventing a personally-owned mobile device from syncing with an organisation-issued computer necessitates security controls on the organisation-issued computer, restricting the connection of mobile devices. Finally, preventing the use of remote backup services can possibly be achieved by blocking use of those services (e.g., not allowing the domain services to be contacted) or by configuring the mobile devices not to use such services."