When NIST issued in 2008 its initial guidance on managing mobile device security, the Apple iPhone was just a year old and the introduction of the iPad was 15 months off. Even the guidance name, Special Publication 800-124: Guidelines on Cell Phone and PDA Security, sounds ancient to today's ears.
How times change. The National Institute of Standards and Technology on June 24 published its first revision of SP 800-124, renaming it Guidelines for Managing the Security of Mobile Devices in the Enterprise.
In the original publication, PDAs - personal digital assistants - had their own 1½-page definition. The revision doesn't even mention them. Unlike the original guidance, the revision also doesn't cover basic cell phones, because of their minimal computing capability and limited security options. Besides, the guidance says, cell phones face limited threats today.
NIST says the revised guidance provides recommendations for selecting, implementing and using centralized management technologies, explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The guidance covers enterprise-issued devices as well as the bring-your-own device trend.
The revised publication offers six major steps enterprises need to take to manage mobile devices in a secure environment. According to the guidance, organizations should:
- Have a mobile device security policy that defines which types of the organization's resources may be accessed via mobile devices, which types of mobile devices - for example, organization-issued devices vs. BYOD - are permitted to access the organization's resources, the degree of access that various classes of mobile devices may have and how provisioning should be handled.
- Develop system threat models for mobile devices and the resources that are accessed through the devices. These devices often need additional protection because of their higher exposure to threats than other client devices, such as desktops and laptops.
- Consider the merits of each provided security service, determine which services are needed for their environment and then design and acquire one or more solutions that collectively provide the necessary services. Categories of services to be considered include general policy, data communication and storage, and user and device authentication and applications.
- Implement and test a mobile device solution before putting it into production. Aspects of the solution that should be evaluated for each type of mobile device include connectivity, protection, authentication, application functionality, solution management, logging and performance.
- Fully secure each organization-issued mobile device before allowing a user to access it. This ensures a basic level of trust in the device before it is exposed to threats.
- Regularly maintain mobile device security, including checking for upgrades and patches and acquiring, testing and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices.
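The list above names the checks in prose only. The following added example (not code from NIST or from any MDM product) shows what the first and sixth steps look like as a repeatable assessment: a device inventory is compared against a policy that states which device classes may reach which resources, a configuration baseline each device must keep, and a clock-skew tolerance against the common time source. The policy values, field names and device records are constructed for illustration.

```python
"""Added example: assessing a constructed mobile-device inventory against a
hypothetical policy, in the spirit of the SP 800-124 Rev. 1 steps summarized
above (permitted device classes and resource access; detection of unauthorized
configuration changes; clock synchronisation). Not NIST's code; every policy
value, field name and device record below is constructed."""
from dataclasses import dataclass

# Hypothetical policy: resource tiers each device class may access, the
# baseline settings every managed device must keep, and allowed clock skew.
POLICY = {
    "allowed_classes": {
        "org-issued": {"email", "intranet", "finance"},
        "byod": {"email"},
    },
    "baseline": {
        "passcode_required": True,
        "storage_encrypted": True,
        "os_patch_level_min": 20130601,  # constructed YYYYMMDD patch level
    },
    "max_clock_skew_s": 300,
}


@dataclass
class Device:
    device_id: str
    device_class: str        # e.g. "org-issued" or "byod"
    config: dict             # settings as reported by the (hypothetical) MDM
    clock_offset_s: int      # seconds off the common time source
    resources_requested: set  # resources the device is provisioned for


def access_violations(dev, policy=POLICY):
    """Step 1: flag device classes and resource requests the policy forbids."""
    allowed = policy["allowed_classes"].get(dev.device_class)
    if allowed is None:
        return [f"{dev.device_id}: device class '{dev.device_class}' not permitted"]
    return [f"{dev.device_id}: '{r}' not permitted for {dev.device_class}"
            for r in sorted(dev.resources_requested - allowed)]


def config_drift(dev, policy=POLICY):
    """Step 6: flag baseline settings the device no longer satisfies,
    missing patches, and clocks drifted beyond the allowed skew."""
    base = policy["baseline"]
    findings = []
    for key in ("passcode_required", "storage_encrypted"):
        actual = dev.config.get(key)  # None if the MDM did not report it
        if actual != base[key]:
            findings.append(f"{dev.device_id}: {key} is {actual!r}, "
                            f"baseline requires {base[key]!r}")
    patch = dev.config.get("os_patch_level", 0)
    if patch < base["os_patch_level_min"]:
        findings.append(f"{dev.device_id}: os_patch_level {patch} below "
                        f"minimum {base['os_patch_level_min']}")
    if abs(dev.clock_offset_s) > policy["max_clock_skew_s"]:
        findings.append(f"{dev.device_id}: clock off by {dev.clock_offset_s}s, "
                        f"limit {policy['max_clock_skew_s']}s")
    return findings


def assess(devices, policy=POLICY):
    """Return {device_id: [findings]} for every device with at least one issue."""
    report = {}
    for dev in devices:
        issues = access_violations(dev, policy) + config_drift(dev, policy)
        if issues:
            report[dev.device_id] = issues
    return report


# Constructed sample inventory (not real devices).
COMPLIANT = {"passcode_required": True, "storage_encrypted": True,
             "os_patch_level": 20130615}
SAMPLE_DEVICES = [
    Device("D-001", "org-issued", dict(COMPLIANT), 12, {"email", "intranet"}),
    Device("D-002", "byod", dict(COMPLIANT), 4, {"email", "finance"}),
    Device("D-003", "org-issued",
           {"passcode_required": False, "storage_encrypted": True,
            "os_patch_level": 20120101}, 900, {"email"}),
    Device("D-004", "contractor", dict(COMPLIANT), 0, {"email"}),
]

if __name__ == "__main__":
    for dev_id, issues in assess(SAMPLE_DEVICES).items():
        for line in issues:
            print(line)
```

Run against the constructed inventory, D-001 is clean, D-002 is a BYOD device provisioned for a resource its class may not reach, D-003 has drifted from the baseline in three ways (passcode disabled, stale patch level, clock skew), and D-004 belongs to a class the policy never admits. The point of keeping `assess` a pure function over inventory records is that the same check can be scheduled as part of the periodic assessment the guidance recommends and its output kept as the documented record of anomalies.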
The revised guidance also recommends that organizations periodically perform assessments to confirm that their mobile device policies, processes and procedures are being properly followed. Assessment activities may be passive, such as reviewing logs, or active, such as performing vulnerability scans and penetration testing.