NIST revamps mobile device security guidelines for smartphone era

The Guidelines for Managing the Security of Mobile Devices in the Enterprise is meant to help federal agencies and other organizations struggling with the dilemma of mobile insecurity. Mobile devices, such as smartphones and tablets, typically need to support multiple security objectives: confidentiality, integrity and availability. To achieve these objectives, mobile devices should be secured against a variety of threats. That's tougher and tougher to do in a world where employees are looking to bring their own device (BYOD) to work and often download personal apps to work devices.

According to NIST, typical risks include a smartphone or tablet being lost or stolen, potentially giving an unauthorized individual access to the agency's network and its sensitive information, or an employee unknowingly infecting their agency's network by downloading an application that contains malware.

“Employees want to be connected to work through mobile devices for flexibility and efficiency, and managers can appreciate that,” NIST said in its statement releasing the guidelines. “However, the technology that delivers these advantages also provides challenges to an agency's security team because these devices can be more vulnerable.”

Originally issued in 2008 as Guidelines on Cell Phone and PDA Security, the best practices have been extensively updated and reflect comments received on a draft version issued a year ago. The revised guidelines recommend using centralized device management at the organization level to secure both agency-issued and individually owned devices used for government business.

“Centralized programs manage the configuration and security of mobile devices and provide secure access to an organization's computer networks,” explained NIST. “Many agencies currently use this type of system to manage the smartphones they issue to staff. The new NIST guidelines offer recommendations for selecting, implementing and using centralized management technologies for securing mobile devices.”

Other key recommendations include instituting a mobile device security policy, implementing and testing a prototype of the mobile device solution before putting it into production, securing each organization-issued mobile device before allowing a user to access it and maintaining mobile device security.
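The centralized management described above comes down to a policy engine: the management server holds an inventory of enrolled devices and decides, per device, whether it meets the baseline before it is allowed onto the network. The following is an added illustration of that decision, not code from NIST, the guidelines or any MDM product. The baseline (minimum OS versions, the blocked-app list), the inventory record fields and the sample devices are all assumptions constructed for the example; it covers the two risks the article names (a lost or stolen device, and a malicious downloaded app) plus the usual configuration checks a management server enforces.

```python
"""Baseline compliance decision for devices held in a central management
(MDM) inventory. Added illustration only: the record fields, the baseline
values and the sample devices below are assumptions, not NIST's or any
vendor's API."""
from dataclasses import dataclass, field

# Assumed baseline: lowest acceptable OS version per platform.
MIN_OS = {"ios": (6, 1), "android": (4, 2)}
# Constructed blocklist of application identifiers known to be malicious.
BLOCKED_APPS = {"com.example.malware"}


@dataclass
class Device:
    """One inventory record as a management server might hold it (assumed shape)."""
    device_id: str
    platform: str
    os_version: str
    encrypted: bool        # device storage encryption enabled
    passcode_set: bool     # screen-lock passcode configured
    compromised: bool      # jailbroken / rooted, as reported by the agent
    reported_lost: bool    # user or help desk flagged the device lost or stolen
    apps: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'6.1.3' -> (6, 1, 3); non-numeric components are dropped so that
    an odd build string still compares rather than raising."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def evaluate(device: Device) -> list:
    """Return the list of baseline violations for a device (empty = compliant)."""
    findings = []
    if device.reported_lost:
        findings.append("reported lost or stolen")
    if device.compromised:
        findings.append("jailbroken/rooted")
    if not device.passcode_set:
        findings.append("no passcode")
    if not device.encrypted:
        findings.append("storage not encrypted")
    minimum = MIN_OS.get(device.platform)
    if minimum is None:
        findings.append("unsupported platform: " + device.platform)
    elif parse_version(device.os_version) < minimum:
        findings.append("OS %s below baseline" % device.os_version)
    bad = sorted(set(device.apps) & BLOCKED_APPS)
    if bad:
        findings.append("blocked apps installed: " + ", ".join(bad))
    return findings


def access_decision(device: Device) -> tuple:
    """Map findings to an action: 'block' when the device can no longer be
    trusted at all (lost/stolen or compromised), 'quarantine' for fixable
    configuration gaps, 'allow' when the baseline is met."""
    findings = evaluate(device)
    if device.reported_lost or device.compromised:
        return "block", findings
    if findings:
        return "quarantine", findings
    return "allow", findings


def triage(inventory: list) -> dict:
    """Decision per device id for a whole inventory pull."""
    return {d.device_id: access_decision(d)[0] for d in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("A1", "ios", "6.1.3", True, True, False, False, ["com.example.mail"]),
    Device("B2", "android", "4.1.2", True, True, False, False, ["com.example.malware"]),
    Device("C3", "ios", "6.1", True, True, False, True, []),
    Device("D4", "android", "4.3", True, False, True, False, []),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        action, findings = access_decision(dev)
        print(dev.device_id, action, "; ".join(findings) or "compliant")
```

The split between "block" and "quarantine" is the design point: a lost or rooted device cannot be brought back into compliance by the user, so network access is cut immediately, whereas an old OS or a missing passcode is something the management server can push a fix for while holding the device off sensitive resources.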

The government is continuing to make strides in the enablement of mobile devices despite the well-publicized growth in mobile malware. In May, the US Department of Defense approved the use of Samsung’s hardened, secure version of Android in smartphones used by the military, along with BlackBerry 10 devices.

BlackBerry phones were previously the only allowed devices for the armed services, thanks to BlackBerry’s server-based security, so the Android approval could vastly widen choice for service members.
