The missing layer to NIST’s mobile security advice
Last June, the National Institute of Standards and Technology (NIST) issued an update to its advice on mobile device security. The recommendations in the updated NIST report are good, sound advice; but perhaps because of the report’s focus on device security, it tends to overlook the advantages of building security into apps during development with an open enterprise mobile app platform.
Don’t misinterpret: the report, entitled Guidelines for Managing the Security of Mobile Devices in the Enterprise, offers good advice. Recommendations such as having a security policy for your enterprise, assessing the top threats, periodically reviewing how the security policy is working, and putting one or more solutions in place to mitigate threats all make perfect sense.
The report is on the mark in summarizing the key types of security threats, such as physical threats, like having a device stolen; use of untrusted networks; use of untrusted devices, such as phones that have been rooted; as well as untrusted apps users might download within a bring-your-own-device environment.
The report’s discussion of how to mitigate risks also offers good insights. For example, it discusses the use of a corporate app store to exert control over how apps get distributed and to minimize risks in BYOD scenarios, and partitioning devices with a container or “sandbox” function to hold enterprise apps and data. But the report does have one shortcoming: it doesn’t talk much about building security into apps as they are being developed.
While it is true that there are many potential security entry points during deployment (users will download untrusted apps, or use apps on untrusted Wi-Fi networks), it is important to remember that the optimal time to provide app security is when you build the app in the first place. Mobile device management (MDM) and mobile application management (MAM) solutions may have their place as part of a security strategy, but the right enterprise mobility platform can “bake in” key security mechanisms at the app level, when the app is built.
For example, an enterprise mobility platform can integrate with a variety of identity management systems to ensure that the correct user authentication is applied for each app, while making it easy for mobile app developers to accommodate both online and offline log-in scenarios. Some platforms are also able to store credentials for multiple back-end systems, which makes it possible to create a single sign-on experience for app users.
A good mobility platform addresses various other important security mechanisms, such as the ability to encrypt data in transit or at rest; the ability to manage, app by app, whether sensitive data can be downloaded to a device; and a hardened server that protects against malware and other threats. A good mobility platform also has capabilities for session management and logging, which make it possible to manage aspects such as timeouts and to support the investigation of threats.
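To make the app-level mechanisms in the two paragraphs above concrete, here is an added example of how a platform's server side might implement them; it is illustrative code written for this page, not Verivo's product code and not anything from the NIST report. It assumes a hypothetical `AppPolicy` per app (idle and absolute session timeouts, plus whether sensitive data may be cached on the device), an injected `online_verify` callback standing in for the identity management system, an offline credential cache holding a salted PBKDF2 hash so a user who has already logged in online can be re-verified when the identity provider is unreachable, and a structured audit list that an investigator can query after the fact.

```python
"""App-level session, offline-login and per-app data policy controls (hypothetical example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    """Per-app policy the platform enforces regardless of the device's MDM state (assumed)."""
    idle_timeout_s: int        # expire if no request within this window
    absolute_timeout_s: int    # expire this long after login no matter what
    allow_offline_data: bool   # may sensitive data be cached on the device?


@dataclass
class Session:
    user: str
    app: str
    created_at: float
    last_seen: float


class OfflineCredentialCache:
    """Salted PBKDF2 hashes for offline re-authentication; never stores the password itself."""

    def __init__(self, iterations: int = 100_000):
        self._entries: dict[str, tuple[bytes, bytes]] = {}
        self._iterations = iterations

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def remember(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        entry = self._entries.get(user)
        if entry is None:
            return False
        salt, expected = entry
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._derive(password, salt), expected)


class SessionManager:
    def __init__(self, policies: dict[str, AppPolicy], online_verify, clock=time.monotonic):
        self._policies = policies
        self._online_verify = online_verify   # callable(user, password) -> bool (the IdM)
        self._cache = OfflineCredentialCache()
        self._sessions: dict[str, Session] = {}
        self._clock = clock                   # injectable for deterministic tests
        self.audit: list[dict] = []           # structured log for threat investigation

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"t": self._clock(), "event": event, **fields})

    def login(self, user: str, password: str, app: str, online: bool = True):
        """Authenticate online via the IdM, or offline via the cached hash; returns a token or None."""
        if app not in self._policies:
            self._log("login_denied", user=user, app=app, reason="unknown_app")
            return None
        if online:
            ok = self._online_verify(user, password)
            if ok:
                self._cache.remember(user, password)   # enable a later offline login
        else:
            ok = self._cache.verify(user, password)
        if not ok:
            self._log("login_failed", user=user, app=app, online=online)
            return None
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, app, now, now)
        self._log("login_ok", user=user, app=app, online=online)
        return token

    def touch(self, token: str) -> bool:
        """Validate a request against the app's idle and absolute timeouts."""
        s = self._sessions.get(token)
        if s is None:
            return False
        p = self._policies[s.app]
        now = self._clock()
        idle_hit = now - s.last_seen > p.idle_timeout_s
        absolute_hit = now - s.created_at > p.absolute_timeout_s
        if idle_hit or absolute_hit:
            del self._sessions[token]
            self._log("session_expired", user=s.user, app=s.app,
                      reason="idle" if idle_hit else "absolute")
            return False
        s.last_seen = now
        return True

    def may_cache_sensitive_data(self, token: str) -> bool:
        """Per-app decision on whether sensitive data may be written to the device."""
        if not self.touch(token):
            return False
        return self._policies[self._sessions[token].app].allow_offline_data
```

The injected clock and verifier keep the logic testable without a real identity provider; in practice `online_verify` would call the enterprise IdM, and the audit list would go to a tamper-evident log store rather than memory.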
There are valuable security functions from other solutions as well. For instance, MDM solutions can be used to create secure sandboxes on devices that can be remotely “wiped” clean of enterprise content if a device gets lost or stolen. Apps deployed under an enterprise mobility platform can be an icon in this sandbox, making it possible to protect against risk on a BYOD device more selectively.
An enterprise mobility platform with good security capabilities really complements MDM by offering a finer-grained way of controlling risks. For example, you can be more selective about allowing what can be downloaded.
There is some overlap between some MDM, MAM and enterprise mobility platforms, but when it comes to security, these solutions can be complementary. In fact, there are several enterprises that use Verivo’s enterprise mobility platform in concert with MDM.
As the NIST report correctly points out, security capabilities or “services” might involve “one or more” solutions that “collectively” provide the necessary functionality. The report also discusses the notion of layers of security, which is in keeping with the idea that optimal security typically involves more than one technology. Ultimately, it may be best to look for vendors who say that partnering or integrating can ensure more effective security, rather than looking for a vendor who says it offers the whole solution.
T.L. Neff is executive vice president of global client services for Verivo Software. He can be contacted by clicking here.