NIST Cybersecurity Practice Guide SP 1800-4, Mobile Device Security: Cloud and Hybrid Builds, is now final.
If sensitive data is stored on a poorly secured mobile device that is lost or stolen, an attacker may be able to gain unauthorized access to that data.
Even worse, a mobile device with remote access to sensitive organizational data could be leveraged by an attacker to gain access to that data, and any other data that user is allowed to access from that mobile device.
The challenge lies in ensuring the confidentiality, integrity, and availability of the information that a mobile device accesses, stores, and processes.
Despite the security risks posed by today’s mobile devices, enterprises are under pressure to employ them for several business reasons, including anticipated cost savings and employees’ need to work in remote locations.
And the rapid pace at which mobile technologies evolve requires regular reevaluation of a mobility program to ensure it is accomplishing its security, privacy, and workplace functionality goals.
Built-in mobile protections may not be enough to fully mitigate the security challenges associated with mobile information systems.
Usability, privacy, and regulatory requirements each influence which mobile security technologies and security controls are going to be well-suited to meet the needs of an organization’s mobility program.
The goal of the Mobile Device Security for Enterprises (MDSE) project is to help organizations across business sectors develop a series of clear and repeatable reference mobile architectures that any organization can adapt and adopt to ease design, accelerate deployment, and build in security for their mobility program from the outset.
This project will result in two separate Practice Guides to demonstrate different management technologies, each detailing how commercially available technologies can be used to manage and secure mobile devices while supporting a variety of usage scenarios:
Scenario 1, in which an organization wants to grant secure access while preserving privacy for end users or other organizations that own data on the device
Scenario 2, in which strong data confidentiality is implemented using certified and validated technologies
What’s the guide about?
The National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) Cybersecurity Practice Guide “Mobile Device Security: Cloud & Hybrid Builds” demonstrates how commercially available technologies can meet your organization’s needs to help secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices.
In the lab at the NCCoE, part of NIST, security engineers built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution.
Additionally, we demonstrated how security can be supported throughout the mobile device lifecycle, including how to:
Configure a device to be trusted by the organization
Maintain adequate separation between the organization’s data and the employee’s personal data stored on or accessed from the mobile device
Handle the de-provisioning of a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company)