
Smartphone, tablet security and management guidelines on tap from NIST

NIST emphasizes employee-owned BYOD devices as riskier than organization-issued products

By , Network World
July 11, 2012 02:09 PM ET

The National Institute of Standards and Technology (NIST) has issued a draft of updated guidelines for managing and securing mobile devices, with the emphasis on smartphones and tablets, whether they are supplied by an organization to its employees or owned by the employees themselves. The draft document views "Bring Your Own Device" (BYOD) as much riskier.


Entitled "Guidelines for Managing and Securing Mobile Devices in the Enterprise", the document is out for comment until Aug. 14, after which it could be further modified. The draft guidelines specifically are not intended to apply to cellphones or laptops. The ideas being put forward by NIST, which might eventually become approved guidelines that federal agencies would need to follow, step into the debate over how to tackle the "Bring Your Own Device" (BYOD) question, and seem to lean toward viewing BYOD devices as a heightened security risk.

"Many mobile devices, particularly those that are personally owned (bring your own device [BYOD]), are not necessarily trustworthy. Current mobile devices lack the root of trust features (e.g., TPMs) that are increasingly built into laptops and other types of hosts. There is also frequent jailbreaking and rooting of mobile devices, which means that the built-in restrictions on security, operating system use, etc. have been bypassed," write the co-authors of the NIST document, Murugiah Souppaya, computer scientist at NIST, and outside consultant Karen Scarfone, principal at Scarfone Cybersecurity. "Organizations should assume that all phones are untrusted unless the organization has properly secured them before user access and monitors them continuously while in use with enterprise applications or data."

With that as a starting point, the document's authors make it clear that traditional security measures should apply to both organization-issued devices and BYOD devices owned by employees if used for work — though they add some organizations may want to pass on the BYOD option altogether as it could represent too much risk based on the sensitivity of any data involved. They encourage organizations to develop security policies for smartphones and tablets as close to those they have for other types of devices, such as computers, as possible.

In any event, the NIST draft document says devices would require managed authentication, preferably with encryption of data, as well as adherence to NIST's FIPS-120 encryption standards. The authors encourage IT managers, who may be setting up app stores for their organization's use, to find ways to restrict which applications may be installed on smartphones and tablets, perhaps using whitelisting or blacklisting technologies, along with establishing ways to wipe devices remotely.

The document goes to some lengths to highlight what could be regarded as preferred practices in differentiating between how organization-owned devices and BYOD employee-owned devices might be allowed to connect to the organization's network.
