NIST Cybersecurity Practice Guide SP 1800-4, Mobile Device Security: Cloud and Hybrid Builds, is now final.
If sensitive data is stored on a poorly secured mobile device that is lost or stolen, an attacker may be able to gain unauthorized access to that data.
Even worse, a mobile device with remote access to sensitive organizational data could be leveraged by an attacker to reach not only that data but any other data the device's user is allowed to access from it.
The challenge lies in ensuring the confidentiality, integrity, and availability of the information that a mobile device accesses, stores, and processes.
Despite the security risks posed by today’s mobile devices, enterprises are under pressure to employ them for several business reasons, including anticipated cost savings and employees’ need to work in remote locations.
The rapid pace at which mobile technologies evolve also requires regular reevaluation of a mobility program to ensure it is still meeting its security, privacy, and workplace functionality goals.
Built-in mobile protections may not be enough to fully mitigate the security challenges associated with mobile information systems.
Usability, privacy, and regulatory requirements each influence which mobile security technologies and security controls are going to be well-suited to meet the needs of an organization’s mobility program.
The goal of the Mobile Device Security for Enterprises (MDSE) project is to help organizations across business sectors develop a series of clear and repeatable reference mobile architectures that any organization can adapt and adopt to ease design, accelerate deployment, and build in security for their mobility program from the outset.
This project will result in two separate Practice Guides to demonstrate different management technologies, each detailing how commercially available technologies can be used to manage and secure mobile devices while supporting a variety of usage scenarios:
- Scenario 1, in which an organization wants to grant secure access while preserving privacy for end users or other organizations that own data on the device
- Scenario 2, in which strong data confidentiality is implemented using certified and validated technologies
What’s the guide about?
The National Institute of Standards and Technology's (NIST's) National Cybersecurity Center of Excellence (NCCoE) Cybersecurity Practice Guide "Mobile Device Security: Cloud and Hybrid Builds" demonstrates how commercially available technologies can help an organization secure sensitive enterprise data that is accessed by and/or stored on employees' mobile devices.
In the lab at the NCCoE, part of NIST, security engineers built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution.
Additionally, we demonstrated how security can be supported throughout the mobile device lifecycle, including:
- Configure a device to be trusted by the organization
- Maintain adequate separation between the organization's data and the employee's personal data stored on or accessed from the mobile device
- Handle the de-provisioning of a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company)
These technologies enable users to work inside and outside the corporate network with a security enhanced architecture while minimizing the impact on the user experience.
Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators).
The following respondents with relevant capabilities or product components (identified as "Technology Partners/Collaborators" herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution: Intel, Lookout, Microsoft, and Symantec.
Current Status
NIST SP 1800-4 was originally published as a draft in 2015 and has now been released in its final version, incorporating the public comments received on that draft. Note that the example solution it describes was built with products that were architected and installed in 2015. To provide updated guidance, the NCCoE is developing two new mobile device security practice guides.
NCCoE NIST Cybersecurity Practice Guide, Mobile Device Security: Cloud and Hybrid Builds was released on February 21, 2019.
For ease of use, the guide is available to download or read in volumes:
- SP 1800-4a: Executive Summary (PDF) (web page)
- SP 1800-4b: Approach, Architecture, and Security Characteristics (PDF) (web page)
- SP 1800-4c: How-To Guides (PDF) (web page)