NIST gives agencies tips to secure mobile devices

Wednesday - 7/18/2012, 6:29am EDT

Tom Karygiannis, computer scientist, NIST


By Keith BieryGolick
Special to Federal News Radio

The mobile revolution is putting agencies under a new kind of cyber pressure. With employees pressing to bring their own devices, or to use smartphones and tablet computers more and more, the cyber risks from these devices continue to grow.

To combat potential problems, the National Institute of Standards and Technology (NIST), in its new draft Guidelines for Managing and Securing Mobile Devices in the Enterprise, advised agencies to test a prototype of any mobile device solution before putting it in the hands of employees, and to centralize device management.

"To put things into perspective, think of what your agencies did when your users were using their laptops or taking their laptops home and telecommuting," said NIST Computer Scientist Tom Karygiannis in an interview on In Depth with Francis Rose. "If you compare the capabilities that you have with a cellphone, with a mobile phone or a smartphone today, they probably are, in computing power, a lot more powerful than the laptops of just a few years ago."

Mobile devices can store confidential data just as laptops can, but the biggest difference between the two, he said, is that mobile devices have a greater chance of being lost or stolen.

"On a laptop you may have biometrics, for example. This is a lot harder to do on a handheld or mobile device," Karygiannis said.

NIST recommended running a pilot test — something that is often overlooked — on security software to help lessen some of this risk.

"Right now there's a lot of hype about the productivity gains, the cost-savings and so on with these mobile devices, but some of these don't actually play out when you actually try to use the devices in your enterprise," Karygiannis said. "You don't just open the device out of the box and start using it."

In an era of overwhelming budget concerns, the allure of letting employees bring their own devices to work can be strong, but Karygiannis said agencies should proceed with caution.

"The two main arguments for bring your own device are the cost-savings and possibly the productivity gains," he said. "I would recommend people to do a really good analysis to see if that's the case. Sometimes they cite the cost-savings of having the employee buy the device, but there's a lot of work to do to support the services you want by adding security, help desk, training, incident response. All these things would add to the cost."

As far as productivity gains go, Karygiannis said those are notoriously difficult to measure.

"There are some cases, where maybe you're doing data acquisition in the field, really nice examples of how there are huge productivity gains," he said. "And then in other cases you might want to ask yourself is the technology this device is replacing … am I really doing that much more and at what cost? Is it worth the extra risk, if there is extra risk?"

In the report, NIST provided six guidelines to help agencies secure their mobile devices:

  • Organizations should develop system threat models for mobile devices and the resources accessed through those devices.
  • Organizations deploying mobile devices should consider the merits of each provided security service, determine which services are needed for their environment and then design and acquire one or more solutions that collectively provide the necessary services.
  • Organizations should have a mobile device security policy.
  • Organizations should implement and test a prototype of their mobile device solution before putting the solution into production.
  • Organizations should fully secure each organization-issued mobile device before allowing a user to access it.
  • Organizations should regularly maintain mobile device security.

Keith BieryGolick is an intern at Federal News Radio
