It’s a long way from understanding the need for a standards-based security control to implementing it. For example, some bright auditor tells you that you should “limit or prevent access to enterprise services based on whether the mobile device has been rooted or jailbroken.” That makes sense, but how do you do it?
How do you find the right product for the job? Moreover, how do you select a group of security products to address what may be a long list of controls that you should adopt? How do you know they will work together? Once you’ve selected the products, which might not come from the same vendors, how do you configure them? And in very concrete terms, how do you set them up?
The Mobile Device Security Practice Guide
Wouldn’t it be nice if there were a guide that told you how to do it? Well, now it looks like there is. The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is developing a series of cybersecurity practice guides that “facilitate the adoption of standards-based approaches to cybersecurity.” They’ve just released one on mobile device security, called “Mobile Device Security: Cloud and Hybrid Builds.”
I’ve never seen anything quite like it. First, it categorizes the risks in using mobile devices and matches them to controls in major standards including ISO 27002, NIST’s Cybersecurity Framework, the canonical NIST SP 800-53 rev4, and the Council on Cyber Security’s Critical Security Controls for Effective Cyber Defense.
Next, it matches the controls to available security products: Microsoft Intune (Enterprise Mobility Management), Office 365 Mobile Device Management, Office 365 Enterprise E3, Active Directory Federation Services (ADFS), System Center 2012 R2 Configuration Manager (SCCM), and Lookout Mobile Threat Protection (MTP).
Managers in Microsoft shops should be happy about this. The NCCoE, however, says it picked the products because combining them could provide an effective example. Their use is “not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products or materials are necessarily the best available for the purpose.” Nevertheless…
Which Feature for Which Control?
The Guide then maps the security characteristics to functions in the selected technologies, so that you know what each technology will do to control risks in an area, such as compliance checks, auditing and logging, asset management, root and jailbreak detection, device encryption, remote wipe, and many more.
Since the authors built and tested the security system, the guide includes a discussion of its effect on the user’s experience and the system administrator’s experience. It also evaluates how well the system implemented specific standard controls.
Finally, the guide includes how-to guides that get down to showing screenshots of every box you must check and every policy you must address to create the system. It has three guides of this nature, one to build a cloud-based solution for mobile device security, one to build an on-prem solution, and one about mobile device configuration for iOS, Android, and Windows Phone 8.1. It also includes instructions on email setup.
By the end of the day, you’ve gone from standards to controls to actual, widely available technologies to implement those controls. The authors offer some qualifications and caveats, of course, and the work is ongoing to improve the system, but all in all, it’s a brilliant document. Check it out.
For more information about the NCCoE and its projects, go here. The mobile device and similar projects are in a project section called “Building Blocks.”