Mobile devices typically need to support multiple security objectives: confidentiality, integrity, and availability.
To achieve these objectives, mobile devices should be secured against a variety of threats.
General security recommendations for any IT technology are provided in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations [SP800-53]. Specific recommendations for securing mobile devices are presented in this publication and are intended to supplement the controls specified in SP 800-53.
This publication provides recommendations for securing particular types of mobile devices, such as smart phones and tablets. Laptops are specifically excluded from the scope of this publication because the security controls available for laptops today are quite different than those available for smart phones, tablets, and other mobile device types.
Mobile devices with minimal computing capability, such as basic cell phones, are also out of scope because of the limited security options available and the limited threats they face. Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and personally-owned mobile devices by enterprise users.
In addition to managing the configuration and security of mobile devices, these technologies offer other features, such as providing secure access to enterprise computing resources. There are two basic approaches to centralized mobile device management: use a messaging server’s management capabilities (sometimes from the same vendor that makes a particular brand of phone), or use a product from a third party, which is designed to manage one or more brands of phone.
It is outside the scope of this publication to provide any recommendations for one approach over the other; both approaches can provide the necessary centralized management functionality.
Organizations should implement the following guidelines to improve the security of their mobile devices:
Organizations should develop system threat models for mobile devices and the resources that are accessed through the mobile devices.
Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices (for example, desktop and laptop devices only used within the organization’s facilities and on the organization’s networks). Before designing and deploying mobile device solutions, organizations should develop system threat models.
Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added.
Threat modeling helps organizations to identify security requirements and to design the mobile device solution to incorporate the controls needed to meet the security requirements.
Organizations deploying mobile devices should consider the merits of each provided security service, determine which services are needed for their environment, and then design and acquire one or more solutions that collectively provide the necessary services.
Most organizations do not need all of the possible security services provided by mobile device solutions. Categories of services to be considered include the following:
- General policy: enforcing enterprise security policies on the mobile device, such as restricting access to hardware and software, managing wireless network interfaces, and automatically monitoring and reporting when policy violations occur.
- Data communication and storage: supporting strongly encrypted data communications and data storage, and remotely wiping the device if it is lost or stolen and is at risk of having its data recovered by an untrusted party.
- User and device authentication: requiring authentication before accessing organization resources, resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices suspected of being left unlocked in an unsecured location.
- Applications: restricting which applications may be installed (through whitelisting or blacklisting), installing and updating applications, restricting the use of synchronization services, digitally signing applications, distributing the organization’s applications from a dedicated mobile application store, and limiting or preventing access to the enterprise based on the mobile device’s operating system version or mobile device management software client version.
Organizations should have a mobile device security policy.
A mobile device security policy should define which types of mobile devices are permitted to access the organization’s resources, the degree of access that various classes of mobile devices may have—for example, organization-issued devices versus personally-owned (bring your own device) devices—and how provisioning should be handled.
It should also cover how the organization's centralized mobile device management servers are administered and how policies in those servers are updated. The mobile device security policy should be documented in the system security plan. To the extent feasible and appropriate, the mobile device security policy should be consistent with and complement security policy for non-mobile systems.
Organizations should implement and test a prototype of their mobile device solution before putting the solution into production.
Aspects of the solution that should be evaluated for each type of mobile device include connectivity, protection, authentication, application functionality, solution management, logging, and performance. Another important consideration is the security of the mobile device implementation itself; at a minimum, all components should be updated with the latest patches and configured following sound security practices.
Also, use of jailbroken or rooted phones should be automatically detected when feasible. Finally, implementers should ensure that the mobile device solution does not unexpectedly “fall back” to default settings for interoperability or other reasons.
Organizations should fully secure each organization-issued mobile device before allowing a user to access it.
This ensures a basic level of trust in the device before it is exposed to threats. For any already-deployed organization-issued mobile device with an unknown security profile (e.g., unmanaged device), organizations should recover them, restore them to a known good state, and fully secure them before returning them to their users.
Organizations should regularly maintain mobile device security.
Helpful operational processes for maintenance include checking for upgrades and patches, and acquiring, testing, and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure.
Also, organizations should periodically perform assessments to confirm that their mobile device policies, processes, and procedures are being followed properly. Assessment activities may be passive, such as reviewing logs, or active, such as performing vulnerability scans and penetration testing.
The full NIST Guidelines for Managing and Securing Mobile Devices in the Enterprise can be downloaded here: