In its “Guidelines for Managing and Securing Mobile Devices in the Enterprise,” the NIST presented its first enterprise mobile security and management best practices, covering smart phones, tablets and other devices, but excluding laptops. The report was authored by Murugiah Souppaya, of the NIST Computer Science Division, and Karen Scarfone, of Scarfone Cybersecurity, a federal information security consultancy.
Scarfone and Souppaya write that the “nature” of mobile devices “places them at higher exposure to threats than other client devices,” due to a lack of physical security controls, use of untrusted devices and networks, applications created by unknown third parties, interaction with many different systems, and the use of untrusted content, particularly location services like those used by social media or browsers. Because of these particular threats, the authors recommend the development of system threat models for the devices and resources they access. This modeling entails identification of enterprise interests and feasible threats, vulnerabilities and controls connected to resources, and then quantifying the likelihood and impact of attacks to determine the need for upgraded or added device controls.
Some of this may seem obvious, but NIST expressed the importance of the threat models to fill out the two approaches at the start of centralized mobile device management: those offered as part of the device’s messaging service and a third-party offering that may work across different device brands. NIST noted that both avenues “can” provide adequate mobile security and did not recommend one path over the other. However, they both have their limitations. The report concluded that security controls provided with a device “often lack the rigor” of those from a centralized enterprise mobile management application. On the other side, installation and upgrades of third-party mobile security applications can involve “significantly more effort,” as well as manual involvement. In addition, if the device is BYOD, then third-party applications generally only cover the configuration and security of itself and its data, not the device.
NIST drafts are generally revised prior to being promoted by the federal standards group. To access a PDF of the draft, click here.