The NIST National Cybersecurity Center of Excellence has drafted a framework for corporate-owned, personally enabled mobile devices that is aimed at addressing the risk these devices pose to organizations.
NIST’s National Cybersecurity Center of Excellence released draft guidance for corporate-owned personally enabled (COPE) mobile devices, designed to help organizations combat the increasing risk these devices pose to network security.
Mobile devices, whether furnished by the employer or by the employee, are crucial for information sharing across an organization’s network. While they are often vital to providing resources and necessary data access, organizations must ensure the devices are secure and that data is shared safely.
Organizations can’t handle mobile security in the same manner as traditional desktop platforms, the researchers explained. Because mobile devices typically have an always-on connection to the internet, they are exposed to network-based attacks.
Further, mobile devices face the unique threat of malicious or risky apps that can compromise any data the device is allowed to access, as well as phishing attacks designed to obtain user credentials or trick the user into installing malicious software.
For healthcare, the proposed guidance should provide much-needed assistance, given the recent Verizon report that found 25 percent of providers faced a mobile device breach last year. What’s more, those organizations were more likely to learn about the breach from a vendor or a customer than to detect the breach on their own.
The proposed NIST guidance is designed to address these unique challenges, along with helping organizations reduce the risk to individuals through privacy protections. According to the researchers, the guidance demonstrates how organizations can use a standards-based approach and commercially available technology to meet the challenge of mobile device privacy and security.
The guidance includes an outline of potential approaches, architecture, and security characteristics, as well as how-to guides. NIST built an example solution in a lab environment to test the mobile management tools organizations can use for network security, designed to be configured to protect assets and end-user privacy.
Specifically, the guide provides users with recommended protections against malicious applications and against the loss of personal and business data when a device is stolen or misplaced, along with ways to reduce the adverse effects on the organization if a device is compromised.
NIST also addressed how to reduce capital investment through modern enterprise mobility models, and how to give system administrators visibility into mobile device security events through automated identification and notification of device compromise.
The guidance also describes a modular architecture based on technology roles, using a vendor-agnostic approach. Organizations can also gain insight into how to support multiple mobile device usage scenarios with COPE devices, and how to apply standards-based technology aligned with industry best practices.
Lastly, NIST shows how to secure mobile access to organizational resources, as well as how to apply the NIST Risk Management Framework to mobility scenarios.
The guidance was drafted in collaboration with several security stakeholders, including Palo Alto Networks, Lookout, Kryptowire, and Qualcomm, among others. NIST is accepting industry comment through its platform until September 23, 2019.
Date: August 07, 2019