Securing mobile devices - whether employee or enterprise owned - has become vital for many organizations and government agencies as the devices increasingly take the place of PCs and laptops. The National Institute of Standards and Technology has issued a draft of guidance that defines the fundamental security components and capabilities needed to help mitigate risks involved in using the latest generation of mobile devices.
Andrew Regenscheid, one of the co-authors of Special Publication 800-164 (Draft): Guidelines on Hardware-Rooted Security in Mobile Devices, says many mobile devices lack a firm foundation from which to build security and trust. "These guidelines are intended to help designers of next-generation mobile phones and tablets improve security through the use of highly trustworthy components, called roots of trust, that perform vital security functions," he says.
On laptop and desktop systems, Regenscheid explains, roots of trust are implemented in a separate, tamper-proof security chip. But the power and space constraints in mobile devices have led manufacturers to pursue other approaches, such as leveraging security features built into the processors these products use.
NIST says the guidelines focus on three security capabilities to address known mobile device security challenges: device integrity, isolation and protected storage.
According to NIST, a tablet or phone supporting device integrity can provide information about its configuration and operating status that can be verified by the organization whose information is being accessed. Isolation capabilities keep personal and organizational data, components and processes separate, so that, as NIST puts it, personal applications cannot interfere with the organization's secure operations on the device. Protected storage keeps data safe by using cryptography and by restricting access to information.
To achieve the security capabilities, the guidelines recommend that each mobile device implement three security components that can be employed by the device's operating system and applications:
- Roots of trust, which combine hardware, firmware and software components to provide critical security functions with a very high degree of assurance that they will behave correctly;
- An application programming interface that allows operating systems and applications to use the security functions provided by the roots of trust; and
- A policy enforcement engine to enable the processing, maintenance and policy management of the mobile device.
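To make the device-integrity capability and the role of the roots of trust concrete, here is a small added model of the flow the draft describes: a root of trust on the device measures each boot component into a running digest and event log, signs a report over that state plus a verifier-supplied nonce, and the organization replays the log and compares it against the component hashes it expects. This is illustrative code written for this article, not code from NIST or SP 800-164; the component images, expected hashes, the device key and the use of an HMAC as a stand-in for the root of trust's signature are all constructed assumptions (a real design would use an asymmetric device key with a certified public half, so the verifier never holds the device secret).

```python
import hashlib
import hmac
import json

# Constructed device-unique key held inside the root of trust (RoT).
# Untrusted software on the device must never be able to read it; it is
# a constant here only so the example runs offline.
ROT_KEY = b"constructed-device-unique-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed boot components and the hashes the organization expects.
BOOT_COMPONENTS = {
    "bootloader": b"bootloader image v1",
    "kernel": b"kernel image v1",
    "enterprise-container": b"enterprise container image v1",
}
EXPECTED = {name: sha256_hex(blob) for name, blob in BOOT_COMPONENTS.items()}


def _extend(state: bytes, digest_hex: str) -> bytes:
    # Same extend rule on both sides: new = H(old || measurement).
    return hashlib.sha256(state + bytes.fromhex(digest_hex)).digest()


def measure_boot(components):
    """RoT for measurement: each stage extends one running digest (like a
    TPM PCR) and appends an entry to the event log. Returns (state, log)."""
    state = b"\x00" * 32
    log = []
    for name, blob in components.items():
        digest = sha256_hex(blob)
        state = _extend(state, digest)
        log.append({"component": name, "digest": digest})
    return state.hex(), log


def _report_payload(nonce: str, state_hex: str) -> bytes:
    return json.dumps({"nonce": nonce, "state": state_hex}, sort_keys=True).encode()


def create_report(components, nonce: str):
    """RoT for reporting: binds the measured state to the verifier's nonce
    so a stale report cannot be replayed. HMAC stands in for a signature."""
    state_hex, log = measure_boot(components)
    tag = hmac.new(ROT_KEY, _report_payload(nonce, state_hex), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "state": state_hex, "log": log, "tag": tag}


def verify_report(report, nonce: str, expected=EXPECTED):
    """Organization-side check of a device integrity report. Returns (ok, reason)."""
    if report["nonce"] != nonce:
        return False, "nonce mismatch (possible replay)"
    want = hmac.new(ROT_KEY, _report_payload(report["nonce"], report["state"]),
                    hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, report["tag"]):
        return False, "report not produced by the root of trust"
    # Replay the event log; it must reproduce the signed state exactly.
    state = b"\x00" * 32
    for entry in report["log"]:
        state = _extend(state, entry["digest"])
    if state.hex() != report["state"]:
        return False, "event log does not match signed state"
    # Only now is the log trustworthy enough to compare against policy.
    for entry in report["log"]:
        if expected.get(entry["component"]) != entry["digest"]:
            return False, f"unexpected {entry['component']} measurement"
    return True, "device integrity verified"


if __name__ == "__main__":
    good = create_report(BOOT_COMPONENTS, nonce="n-1")
    print(verify_report(good, "n-1"))
    modified = dict(BOOT_COMPONENTS, kernel=b"kernel image with unapproved patch")
    print(verify_report(create_report(modified, nonce="n-2"), "n-2"))
```

The order of the checks matters: the nonce and tag are verified before the log is trusted, and the log is replayed against the signed state before any entry is compared to the expected values, so an altered log entry is caught even if it happens to contain an approved hash.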
NIST is seeking comments on the draft guidance. Those with suggestions should submit them to email@example.com by Dec. 14.