Date Published: November 2015
Comments Due:
Email Questions to:
Author(s)
Joshua Franklin (NIST), Kevin Bowler (MITRE), Christopher Brown (MITRE), Neil McNab (MITRE), Matthew Steele (MITRE)
Announcement
Mobile devices allow employees to access information resources wherever they are, whenever they need. The constant Internet access available through a mobile device's cellular and Wi-Fi connections has the potential to make business practices more efficient and effective. As mobile technologies mature, employees increasingly want to use mobile devices to access corporate enterprise services, data, and other resources to perform work-related activities. Unfortunately, security controls have not kept pace with the security risks that mobile devices can pose.
If sensitive data is stored on a poorly secured mobile device that is lost or stolen, an attacker may be able to gain unauthorized access to that data. Even worse, a mobile device with remote access to sensitive organizational data could be leveraged by an attacker to gain access to not only that data, but also any other data that the user is allowed to access from that mobile device. The challenge lies in ensuring the confidentiality, integrity, and availability of the information that a mobile device accesses, stores, and processes. Despite the security risks posed by today's mobile devices, enterprises are under pressure to accept them due to several factors, such as anticipated cost savings and employees' demand for more convenience.
Solution
The NIST Cybersecurity Practice Guide, Mobile Device Security: Cloud and Hybrid Builds, demonstrates how commercially available technologies can meet your organization's needs to secure sensitive enterprise data accessed by and/or stored on employees' mobile devices.
In our lab at the National Cybersecurity Center of Excellence (NCCoE), we built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution.
We demonstrate how security can be supported throughout the mobile device lifecycle. This includes how to:
- configure a device to be trusted by the organization
- maintain adequate separation between the organization's data and the employee's personal data stored on or accessed from the mobile device
- handle the de-provisioning of a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company.
This document proposes a reference design on how to architect enterprise-class protection for mobile devices accessing an organization’s resources. The example solutions presented here can be used by any organization implementing an enterprise mobility management solution. This project contains two distinct builds: cloud and hybrid. The cloud build uses cloud-based services and solutions, while the hybrid build achieves the same functionality, but hosts at least some of the data and services within an enterprise’s own infrastructure. The example solutions and architectures presented here are based on open standards and commercially available products.
This document proposes a reference design on how to architect enterprise-class protection for mobile devices accessing an organization’s resources. The example solutions presented here can be used by any organization implementing an enterprise mobility management solution. This project contains two...
See full abstract
This document proposes a reference design on how to architect enterprise-class protection for mobile devices accessing an organization’s resources. The example solutions presented here can be used by any organization implementing an enterprise mobility management solution. This project contains two distinct builds: cloud and hybrid. The cloud build uses cloud-based services and solutions, while the hybrid build achieves the same functionality, but hosts at least some of the data and services within an enterprise’s own infrastructure. The example solutions and architectures presented here are based on open standards and commercially available products.
Hide full abstract
Keywords
mobile; mobility management; mobile security; mobile device; mobile device management
Control Families
None selected
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
