The surge of BYOD and mobile devices in general has unleashed havoc in mobile security in the enterprise. IT security managers have been attempting to deal with the fast influx of devices, but most are reeling from the overload of OSes, security issues, vulnerabilities and technologies aimed at securing such devices. In response to this, the National Institute of Standards and Technology (NIST) has provided an informative publication to assist IT organizations in securing mobile devices throughout their life cycles.
The Guidelines for Managing the Security of Mobile Devices in the Enterprise breaks down the issues surrounding mobile device security into manageable segments, including:
- Defining Mobile Device Characteristics
- Technologies for Mobile Device Management
- Security for the Enterprise Mobile Device Solution Life Cycle
Each section contains further detail to guide IT security teams in developing their own mobile device security management plan. According to NIST, organizations may not need to use all of the services covered, but the services to be considered should include:
- Creating and enforcing a general policy
- Encrypted data communications and storage
- User and device authentication
- Restricting app stores, apps and permissions for those apps
Further security considerations are also discussed at length. NIST warns that mobile devices must be secured against a wide variety of threats. Also, because such devices lack physical security controls, organizations should include plans to lessen the danger of data loss should a mobile device be acquired by a malicious third party. NIST explains:
The mitigation strategy for this is layered. One layer involves requiring authentication before gaining access to the mobile device or the organization’s resources accessible through the device… More robust forms of authentication, such as token-based authentication, network-based device authentication, and domain authentication, can be used instead of or in addition to the built-in device authentication capabilities. A second mitigation layer involves protecting sensitive data—either encrypting the mobile device’s storage so that sensitive data cannot be recovered from it by unauthorized parties, or not storing sensitive data on mobile devices.
NIST then details further strategies to help organizations mitigate data loss in such cases. It also lays out a five-phase life cycle model to assist IT security teams in deciding when to recommend a given mobile device solution to users. It identifies which tasks should be performed in each phase, from initiation through disposal, for both BYOD and organization-provided mobile devices. This information should help any IT organization get a solid start on securing mobile devices in the enterprise.