NIST SP 1800-4: Mobile Device Security

The National Institute of Standards and Technology (NIST) has released its Security Publication (SP) 1800-4, that includes security guidelines for mobile device security in cloud and hybrid environments.

The latest SP 1800-4 document titled “Mobile Device Security: Cloud and Hybrid Builds,” provides security recommendations for better securing mobile computing.

An abstract of the Mobile Device Security standard document from the NIST website:

“This document proposes a reference design on how to architect enterprise-class protection for mobile devices accessing corporate resources. The example solutions presented here can be used by any organization implementing an enterprise mobility management solution. This project contains two distinct builds: cloud and hybrid. The cloud build makes use of cloud-based services and solutions, while the hybrid build achieves the same functionality, but hosts at least some of the data and services within an enterprise’s own infrastructure. The example solutions and architectures presented here are based upon open standards and commercially available products.”

Mobile devices have enabled employees to do their jobs more productively and effectively, but comes with inherent risks such as personally owned or bring your own device (BYOD). Mobile devices must properly secure data stored on mobile devices, such as sensitive email, contacts, and calendar information.

“This gap in protection mechanisms means that data stored on or accessed from mobile devices is at increased risk of being breached,” NIST stated.

The latest NIST standard SP 1800-4 provides guidelines and commercially available solutions that your organization could consider in better protecting your mobile devices from cyber threats.

To help readers better navigate the document, NIST SP 1800-4 has also been broken out the document into sections:

  • NIST SP 1800-4A: Executive Summary
  • NIST SP 1800-4B: Approach, Architecture, and Security Characteristics
  • NIST SP 1800-4C: How-To Guides — instructions for building the example solution.

SP 1800-4B includes some good guidance on mapping to controls such as:

  • Data protection (e.g., encryption, secure containers, remote wipe, selective wipe, protected communications and protected execution environments).
  • Data isolation (e.g., virtualization, sandboxing, memory isolation, device resource management, and tagging).
  • Data integrity (e.g., boot validation, app whitelisting/blacklisting, and policy integrity verification).
  • Monitoring (e.g., inventory of mobile device hardware/software/firmware, compliance checks, root/jailbreak detection, auditing/logging and geofencing).
  • Identity and Authorization (e.g., local and remote user authentication, roles for device/user authorization, device provisioning, credential/token storage).
  • Privacy (e.g., informed consent of user, minimize data monitoring, and custom privacy statement).

Each of the controls are mapped to security standards to include the Cybersecurity Framework, NIST SP 800-53 r4, IEC/ISO 27002 and CAG 20.