July 11, 2012, 3:44 PM — The National Institute of Standards and Technology (NIST) has issued a draft policy on updated guidelines for managing and securing mobile devices, putting the emphasis on smartphones and tablets, whether these are supplied directly by an organization to employees or the employees own them themselves. The draft document views "Bring Your Own Device" (BYOD) as much riskier.
IN THE NEWS: Feds slash $2.7 million online loan fraud ring
Entitled "Guidelines for Managing and Securing Mobile Devices in the Enterprise",the document is out for comment until Aug. 14., after which it could be further modified. The draft guidelines specifically are not intended to apply to cellphones or laptops. The ideas being put forward by NIST, which might eventually become approved guidelines that federal agencies would need to follow, step into the debate over how to tackle the "Bring Your Own Device" (BYOD) question, and seem to lean toward viewing BYOD devices as a heightened security risk.
"Many mobile devices, particularly those that are personally owned (bring your own device [BYOD]), are not necessarily trustworthy. Current mobile devices lack the root of trust features (e.g., TPMs) that are increasingly built into laptops and other types of hosts. There is also frequent jailbreaking and rooting of mobile devices, which means that the built-in restrictions on security, operating system use, etc. have been bypassed," write the co-authors of the NIST document, Murugiah Souppaya, computer scientist at NIST and outside consultant Karen Scarfone, principle at Scarfone Cybersecurity. "Organizations should assume that all phones are untrusted unless the organization has properly secured them before user access and monitors them continuously while in use with enterprise applications or data. "
With that as a starting point, the document's authors make it clear that traditional security measures should apply to both organization-issued devices and BYOD devices owned by employees if used for work though they add some organizations may want to pass on the BYOD option altogether as it could represent too much risk based on the sensitivity of any data involved. They encourage organizations to develop security policies for smartphones and tablets as close to those they have for other types of devices, such as computers, as possible.