NIST makes ‘major’ changes to mobile device security guidelines
That the National Institute of Standards and Technology released its revised mobile device security guidelines during a time of increased telework is purely coincidental — but also fortuitous.
The guidelines hadn’t been updated since 2013, and much has changed across the enterprise mobile device landscape in those seven years, Gema Howell, IT security engineer at NIST, told FedScoop.
Howell and her fellow authors began the revision process at the end of 2018, keeping the draft document’s structure largely the same: mobile device characteristics, threats, security tools, and deployment lifecycle.
“This is really focused on device-side threats, considerations and things you can do on the device,” Howell said. “What we want folks to be aware of are the many changes in the industry and the solutions available to them to help secure their mobile devices that are being used during this telework time to access their enterprise resources.”
The authors made “major” changes to the threat landscape section, mapping high-level threats to NIST’s Mobile Threat Catalogue while also addressing privacy implications, Howell said.
Mobile applications are increasingly problematic because they can give adversaries attack vectors to sensitive information, and the risk grows with the number of apps on a device, she added.
The authors also addressed how mobile authentication is no longer simply a four-digit personal identification number but can involve biometrics that users might not even be aware exist.
More nuances to device deployment
The guidelines also include a more detailed outline of the mobile device deployment lifecycle:
• Identifying mobile requirements, which now involves choosing a use case.
• Reviewing inventory.
• Picking a deployment model — enterprise use only or bring-your-own-device.
• Selecting Android, iOS or both.
• Determining the needed security tools.
“The previous document focused a lot on one particular technology that was available back then, which was a mobile device management solution (MDMS),” Howell said. “Today we have a lot more options.”
MDMS may be referred to as “enterprise mobility management solutions” now. And there is also the mobile application vetting service, which monitors apps for risky behavior, and mobile threat defense, which informs the user of device-, app- or network-based threats.
NIST also added a second step to the mobile device deployment lifecycle: performing a risk assessment.
The draft document is open to public comment through June 26, 2020, after which NIST will review feedback and update the guidelines before releasing either a second or final version.
Initial feedback has largely been positive with requests for minor edits and the inclusion of related topics like how mobile devices connect to zero-trust networks, Howell said.
“So far, with the feedback that we’ve received, it seems it will go final,” she said. “But it’s hard to tell because we’re still in the beginning stages of the public comment period.”