NIST SP 800-124 Rev. 2(Draft) Guidelines for Managing the Security of Mobile Devices in the Enterprise

こんにちは、丸山満彦です。

NISTがSP 800-124 Rev. 2(Draft) Guidelines for Managing the Security of Mobile Devices in the Enterprise についてのコメントを求めていますね。。。

● NIST ITL

・2020.03.24 SP 800-124 Rev. 2(Draft) Guidelines for Managing the Security of Mobile Devices in the Enterprise

・[PDF] SP 800-124 Rev. 2 (Draft)

 

【既存文書】

・2013.06 SP 800-124 Rev. 1 Guidelines for Managing the Security of Mobile Devices in the Enterprise

 

Announcement

Today mobile devices are ubiquitous, and they are often used to access enterprise networks and systems to process sensitive data. This draft guideline assists organizations in managing and securing mobile devices against the ever-evolving threats. To address these threats, this publication describes technologies and strategies that can be used as countermeasures and mitigations. Draft SP 800-124 Rev. 2 also provides recommendations for secure deployment, use, and disposal of mobile devices throughout the mobile device life-cycle. The scope of this publication includes mobile devices, centralized device management, and endpoint protection technologies, while including both organization-provided and personally-owned (bring your own device) deployment scenarios.

Abstract

Mobile devices were initially personal consumer communication devices but they are now permanent fixtures in enterprises and are used to access modern networks and systems to process sensitive data. This publication assists organizations in managing and securing these devices by describing available technologies and strategies. Security concerns inherent to the usage of mobile devices are explored alongside mitigations and countermeasures. Recommendations are provided for deployment, use and disposal of devices throughout the mobile-device lifecycle. The scope of this publication includes mobile devices, centralized device management and endpoint protection technologies, while including both organization-provided and personally owned deployment scenarios.

 

Executive Summary

Modern mobile devices, which are essentially general-purpose computing platforms capable of performing tasks far beyond the voice and text capabilities of legacy mobile devices, are widespread within modern enterprise networks. Mobility has transformed how enterprises deliver information technology (IT) services and ensure mission impact. Targeted toward consumers for on-demand personal access to communications, information, and services, these devices are not configured by default for business use. As mobile devices perform everyday enterprise tasks, they regularly process, modify, and store sensitive data. While organizations understand that using mobile devices and mobile applications for anytime, anywhere access can increase employee productivity, enhance decision making and situational awareness, they may also consider that these devices bring unique threats to the enterprise.

While consumers and enterprise organizations have increased their adoption and use of mobile technologies, the mobile threat landscape has also shifted. This includes an increase in mobile malware and vulnerabilities that span the device (e.g., operating system, firmware, the baseband processor used to access cellular networks), mobile apps, networks, and management infrastructure. The diversity and complexity of the mobile ecosystem and the rapid pace of change offers challenges to selection, integration, and management of mobile technologies into an enterprise IT environment. To reduce risk to sensitive data and systems, federal enterprises need to institute the appropriate policies and infrastructure to manage and secure mobile devices, applications, content, and access.

Mobile devices often need additional protections as a result of their portability, small size, and common use outside of an organization’s network, which generally places them at higher exposure to threats than other endpoint devices. Laptops are excluded from the scope of this publication. Although some laptop/desktop management technologies are converging with mobile device management technologies, the security capabilities currently available for laptops are different than those available for smartphones, tablets, and other mobile device types. Further, mobile devices contain features not generally available in laptops (e.g., multiple wireless network interfaces, Global Positioning System, numerous sensors, and built-in mobile apps). Devices with minimal computing capability, such as the most basic cell phones and general Internet of Things (IoT) devices are also out of scope because they typically do not have a full fledged operating system (OS), and limited functionality and limited security options are available.

Organizations should implement the following guidelines to improve the security of their mobile devices.

 

Organizations should conduct a threat analysis for mobile devices and any information systems accessed from mobile devices.

Before designing and deploying mobile device solutions, organizations should conduct a threat assessment for managing and using mobile devices and mobile apps to access and process sensitive data. Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, quantifying the likelihood of successful attacks and their impacts, and then synthesizing this information to determine where NIST security controls need to be improved or added to mitigate the threats. General security recommendations for any IT technology are provided in NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations [1]. Specific controls for securing mobile devices are presented in an appendix of this publication.

Threat models such as NIST’s Mobile Threat Catalogue [5] and its associated NIST Interagency Report (NISTIR) 8144, Assessing Threats to Mobile Devices & Infrastructure [6] used in conjunction with a threat modeling process such as draft NIST SP 800-154, Guide to Data Centric System Threat Modeling [48] can help organizations identify security requirements and design mobile device solutions to incorporate the necessary controls to meet the security requirements. See also the Department of Homeland Security’s Congressional report, Study on Mobile Device Security [23], for additional threat information on mobile device security for federal agencies.

Organizations should employ Enterprise Mobility Management, Mobile Threat Defense, and other applicable enterprise mobile security technologies.

The reliance on mobile devices to access and process enterprise information requires a comprehensive solution for mitigating threats to the organization’s information and systems from use of mobile devices. Enterprise Mobility Management (EMM) systems are a suite of products used to deploy, configure and actively manage mobile devices in an enterprise environment. They are central to an enterprise mobile security solution and can be used to control the use of both organization-issued and personally-owned mobile devices by enterprise users. In addition to managing the configuration of mobile devices, these technologies offer other features, such as controlling access to enterprise computing resources. By integrating EMM with enterprise backend services such as authentication, an organization can enable more granular management of mobile device access to mission-critical enterprise resources. System administrators can set policy-based configurations for mobile devices to constrain access to sensitive resources, depending on mobile device conditions (e.g., device connecting from a public WiFi network, jailbroken or rooted device, user-managed device running a corporate application). EMM systems should be integrated with Mobile Threat Defense (MTD) systems to protect the mobile endpoint. MTD systems can detect the presence of malicious apps or operating system (OS) software, known vulnerabilities in software or configurations, and connections to blacklisted websites/servers or networks. The integration of MTD with EMM enables administrators or defense systems to remediate detected vulnerabilities or quarantine applications or devices.

EMM systems can also be extended to provide Mobile Application Vetting (MAV) capabilities using tools that perform enterprise-level security analysis of managed apps and their libraries prior to deployment and throughout the lifecycle of the apps. Vulnerabilities or malicious code discovered prior to deployment can be referred to the developer, or the app may be disallowed for use on the organization’s devices or within the enterprise mobile appstore. If vulnerabilities or malicious code are discovered after an app has been deployed or updated, the administrator is informed and offered the option to deploy various EMM remediation actions.

Organizations should leverage the Enterprise Mobile Device Deployment Lifecycle where applicable.

Organizations may wish to consider a number of key steps in the deployment process of the Enterprise Mobile Device Deployment Lifecycle before putting mobile devices in the hands of users or allowing users to access enterprise resources via a mobile device. The lifecycle contains guidance on selecting a deployment model (e.g., enterprise use only, organization-managed with personal use allowed, or bring your own device), device and EMM selection, conducting a risk assessment, and device and EMM configurations. Each step of the lifecycle discusses numerous security considerations -such as ensuring an accurate inventory of devices, selecting devices supported by the vendor for OS and app updates and patches, securely configuring devices, selecting an EMM and applying security policies to the device, verifying configuration each time the user attempts to access the network, and integrating EMM into existing identification, authentication and remote access infrastructure.

Organizations should implement and test a pilot of their mobile device solution before putting the solution into production.

Any new mobile device solution should be tested before use. This includes in a laboratory or test environment and subsequently with a small group of users. Aspects of the solution that should be evaluated for each type of mobile device include connectivity, protection, authentication, application functionality, solution management, logging and performance. The enterprise should carefully consider whether the proposed solution meets the predetermined functional and technical requirements, alongside helping to meet stated policy and security objectives.

Organizations should fully secure each organization-issued mobile device before allowing a user to access the organization’s systems or information.

For newly deployed mobile devices, organizations should enroll and configure the device in an EMM solution. Baseline profiles are available in industry, but the precise profile to be deployed should be tailored based on an organization’s needs and risk assessment. Commercial programs are available to simplify device enrollment and enforce security and configuration policies prior to provisioning; in-house programs can be leveraged to accomplish this task as well. This ensures a basic level of trust in the device before first use. For already-deployed, organization issued mobile devices with an unknown security profile (e.g., unmanaged device), organizations should fully secure them to a known good state (for example, through deployment and use of EMM technologies using the latest mobile OS). Supplemental security controls, such as MTD, MAV, and Data Loss Prevention (DLP) technologies, should be deployed per results of mobile device risk assessment.

Organizations should keep mobile operating systems and apps updated.

As with any technology, vulnerabilities in mobile devices or OSs are discovered quite oftenparticularly with broadly deployed devices or OSs. Attackers seeking to gain access to sensitive personal or business information will exploit vulnerabilities in the mobile OS, device firmware, or app. OS and firmware vendors produce security updates to fix the vulnerabilities, and app developers often produce mobile app patches and updates to fix known vulnerabilities. Organizations can use EMM and mobile app management solutions to maintain an inventory of their mobile devices, OSs, and deployed apps, enabling them to identify vulnerable mobile devices. Organizations may have a vulnerability management system in place that allows them to continuously check for these patches and updates and immediately apply them to the mobile devices within their enterprise

Organizations should regularly maintain mobile device security.

Organizations should perform periodic assessments to confirm that their mobile device policies, processes and procedures are being followed. Assessment activities may be passive, such as reviewing device and management infrastructure (e.g., EMM) logs, or active, such as performing vulnerability scans or penetration testing of the mobile management infrastructure. Operational processes to maintain device security include checking for upgrades and patches and acquiring, testing and deploying them; ensuring each mobile device infrastructure component has its clock synced to a common time source; verifying that device and infrastructure audit logs are collected and sent to the enterprise’s security logging system; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration or policy changes to mobile devices. Additional maintenance processes include keeping an active inventory of each mobile device, its user and its apps; revoking access to or deleting installed apps that have subsequently been assessed as too risky to use; and scrubbing sensitive data from mobile devices before reissuing them to new users.

 

Table of Contents

Executive Summary

1. Introduction
1.1 Purpose
1.2 Scope
1.3 Audience
1.4 Document Structure
1.5 Document Conventions

2. Overview of Mobile Devices
2.1 Mobile Device Definition
2.2 Mobile Device Characteristics
2.3 Mobile Device Components
2.4 Mobile Communication Mechanisms

3. Threats to the Mobile Enterprise
3.1 Threats to Enterprise Use of Mobile Devices
 3.1.1 Exploitation of Underlying Vulnerabilities in Devices
 3.1.2 Device Loss and Theft
 3.1.3 Accessing Enterprise Resources via a Misconfigured Device
 3.1.4 Credential Theft via Phishing
 3.1.5 Installation of Unauthorized Certificates
 3.1.6 Use of Untrusted Mobile Devices
 3.1.7 Wireless Eavesdropping
 3.1.8 Mobile Malware
 3.1.9 Information Loss Due to Insecure Lockscreen Configuration
 3.1.10 User Privacy Violations
 3.1.11 Data Loss via Synchronization
 3.1.12 Shadow IT Usage
3.2 Threats to Device Management Systems
 3.2.1 Exploitation of Vulnerabilities within the Underlying EMM Platform
 3.2.2 EMM Administrator Credential Theft
 3.2.3 Insider Threat
 3.2.4 Installation of Malicious Developer & EMM Profiles

4. Overview of Mobile Security Technologies
4.1 Device-Side Management & Security Technologies
 4.1.1 Hardware-Backed Processing & Storage
 4.1.2 Data Isolation Mechanisms
 4.1.3 Platform Management APIs
 4.1.4 VPN Support
 4.1.5 Authentication Mechanisms
4.2 Enterprise Mobile Security Technologies
 4.2.1 Enterprise Mobility Management
 4.2.2 Mobile Application Management
 4.2.3 Mobile Threat Defense
 4.2.4 Mobile App Vetting
 4.2.5 Virtual Mobile Infrastructure
 4.2.6 Application Wrapping
 4.2.7 Secure Containers
4.3 Recommended Mitigations and Countermeasures
 4.3.1 EMM Technologies
 4.3.2 Cybersecurity Recommended Practices
 4.3.3 Remote/Secure Wipe
 4.3.4 Security-Focused Device Selection
 4.3.5 Use of a VPN
 4.3.6 Rapid Adoption of Software Updates
 4.3.7 OS & Application Isolation
 4.3.8 Application Vetting
 4.3.9 Mobile Threat Defense
 4.3.10 User Education
 4.3.11 Mobile Device Security Policies
 4.3.12 Notification and Revocation of Enterprise Access
 4.3.13 Additional Authentication for System Administrators

5. Enterprise Mobile Device Deployment Lifecycle
5.1 Identify Mobile Requirements
 5.1.1 Explore Mobile Use Cases
 5.1.2 Survey Current Inventory
 5.1.3 Choose Deployment Model
 5.1.4 Select Devices
 5.1.5 Determine EMM Capabilities
5.2 Perform Risk Assessment
5.3 Implement Enterprise Mobility Strategy
 5.3.1 Select & Install Mobile Technology
 5.3.2 Integration of EMM into the Enterprise Service Infrastructure
 5.3.3 Set Policy, Device Configuration and Provision
 5.3.4 Verification Testing
 5.3.5 Deployment Testing
5.4 Operate & Maintain
 5.4.1 Auditing
 5.4.2 Device Usage
5.5 Dispose of and/or Reuse Device

References
Appendix A. Acronyms and Abbreviations
Appendix B. Supporting NIST SP 800-53 Security Controls