NIST SPECIAL PUBLICATION 1800-21B
Mobile Device Security
Corporate-Owned Personally-Enabled (COPE)
Volume B: Approach, Architecture, and Security Characteristics
Joshua M. Franklin*, Gema Howell, Kaitlin Boeckl, Naomi Lefkovitz, Ellen Nadeau (Applied Cybersecurity Division, Information Technology Laboratory)
Dr. Behnam Shariati (University of Maryland, Baltimore County, Department of Computer Science and Electrical Engineering, Baltimore, Maryland)
Jason G. Ajmo, Christopher J. Brown, Spike E. Dog, Frank Javar, Michael Peck, Kenneth F. Sandlin (The MITRE Corporation, McLean, Virginia)
*Former employee; all work for this publication was done while at employer.
July 2019
DRAFT
This publication is available free of charge from
DISCLAIMER
Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.
National Institute of Standards and Technology Special Publication 1800-21B
Natl. Inst. Stand. Technol. Spec. Publ. 1800-21B, 148 pages (July 2019), CODEN: NSPUE2
FEEDBACK
You can improve this guide by contributing feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us. Comments on this publication may be submitted to: mobile-nccoe@.
Public comment period: July 22, 2019 through September 23, 2019.
All comments are subject to release under the Freedom of Information Act.
National Cybersecurity Center of Excellence National Institute of Standards and Technology
100 Bureau Drive Mailstop 2002
Gaithersburg, MD 20899 Email: nccoe@
NIST SP 1800-21B: Mobile Device Security: Corporate-Owned Personally-Enabled
NATIONAL CYBERSECURITY CENTER OF EXCELLENCE
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners--from Fortune 50 market leaders to smaller companies specializing in information technology security--the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to re-create the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Maryland.
To learn more about the NCCoE, visit . To learn more about NIST, visit .
NIST CYBERSECURITY PRACTICE GUIDES
NIST Cybersecurity Practice Guides (Special Publication 1800 series) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices, and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.
The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.
ABSTRACT
Mobile devices provide access to workplace data and resources that are vital for organizations to accomplish their mission while providing employees the flexibility to perform their daily activities. Securing these devices is essential to the continuity of business operations.
While mobile devices can increase organizations' efficiency and employee productivity, they can also leave sensitive data vulnerable. Addressing such vulnerabilities requires mobile device management tools to help secure access to the network and resources. These tools are different from those required to secure the typical computer workstation.
To address the challenge of securing mobile devices while managing risks, the NCCoE at NIST built a reference architecture to show how various mobile security technologies can be integrated within an enterprise's network.
This NIST Cybersecurity Practice Guide demonstrates how organizations can use standards-based, commercially available products to help meet their mobile device security and privacy needs.
KEYWORDS
Bring your own device; BYOD; corporate-owned personally-enabled; COPE; mobile device management; mobile device security; on-premise.
ACKNOWLEDGMENTS
We are grateful to the following individuals for their generous contributions of expertise and time.
Name                  Organization
Donna Dodson          NIST
Vincent Sritapan      Department of Homeland Security, Science and Technology Directorate
Jason Frazell         Appthority (acquired by Symantec)
Joe Midtlyng          Appthority (acquired by Symantec)
Chris Gogoel          Kryptowire
Tom Karygiannis       Kryptowire
Tim LeMaster          Lookout
Victoria Mosby        Lookout
Michael Carr          MobileIron
Walter Holda          MobileIron
Farhan Saifudin       MobileIron
Jeff Lamoureaux       Palo Alto Networks
Sean Morgan           Palo Alto Networks
Kabir Kasargod        Qualcomm
Viji Raveendran       Qualcomm
Lura Danley           The MITRE Corporation
Eileen Durkin         The MITRE Corporation
Sallie Edwards        The MITRE Corporation
Marisa Harriston      The MITRE Corporation
Nick Merlino          The MITRE Corporation
Doug Northrip         The MITRE Corporation
Titilayo Ogunyale     The MITRE Corporation
Oksana Slivina        The MITRE Corporation
Tracy Teter           The MITRE Corporation
Paul Ward             The MITRE Corporation
The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:
Technology Partner/Collaborator    Build Involvement
Appthority                         Appthority Cloud Service, Mobile Threat Intelligence
Kryptowire                         Kryptowire Cloud Service, Application Vetting
Lookout                            Lookout Cloud Service/Lookout Agent Version 5.10.0.142 (iOS), 5.9.0.420 (Android), Mobile Threat Defense
MobileIron                         MobileIron Core Version 9.7.0.1, MobileIron Agent Version 11.0.1A (iOS), 10.2.1.1.3R (Android), Enterprise Mobility Management
Palo Alto Networks                 Palo Alto Networks PA-220
Qualcomm                           Qualcomm Trusted Execution Environment (version is device dependent)
Contents
1.2.1 Standards and Guidance ........................................................................ 3
3.2.1 Orvilia Development ............................................................................ 9
3.3.1 Systems Engineering ........................................................................... 11
3.4.1 Risk Assessment of the Fictional Organization Orvilia Development ............. 13
3.4.2 Development of Threat Event Descriptions ..................................................... 14
3.4.3 Identification of Vulnerabilities and Predisposing Conditions ............................ 22
3.4.4 Summary of Risk Assessment Findings ........................................................... 22
3.4.5 Privacy Risk Assessment ....................................................................... 24
3.5.1 Current Architecture ........................................................................... 26
3.5.2 Preliminary Security Goals ..................................................................... 28
3.6.1 Architecture Components ....................................................................... 29
4.1.1 Enterprise Integration ......................................................................... 36
4.1.2 Mobile Component Integration ................................................................... 37
5.2.1 Threat Event 1--Unauthorized Access to Sensitive Information via a Malicious or Privacy-Intrusive Application ..... 44
5.2.2 Threat Event 2--Theft of Credentials Through an SMS or Email Phishing Campaign ..... 44
5.2.3 Threat Event 3--Malicious Applications Installed via URLs in SMS or Email Messages ..... 45
5.2.4 Threat Event 4--Confidentiality and Integrity Loss due to Exploitation of Known Vulnerability in the OS or Firmware ..... 46
5.2.5 Threat Event 5--Violation of Privacy via Misuse of Device Sensors ..... 46
5.2.6 Threat Event 6--Compromise of the Integrity of the Device or Its Network Communications via Installation of Malicious EMM/MDM, Network, VPN Profiles, or Certificates ..... 47
5.2.7 Threat Event 7--Loss of Confidentiality of Sensitive Information via Eavesdropping on Unencrypted Device Communications ..... 48
5.2.8 Threat Event 8--Compromise of Device Integrity via Observed, Inferred, or Brute-Forced Device Unlock Code ..... 49
5.2.9 Threat Event 9--Unauthorized Access to Backend Services via Authentication or Credential Storage Vulnerabilities in Internally Developed Applications ..... 50
5.2.10 Threat Event 10--Unauthorized Access of Enterprise Resources from an Unmanaged and Potentially Compromised Device ..... 50
5.2.11 Threat Event 11--Loss of Organizational Data due to a Lost or Stolen Device ..... 50
5.2.12 Threat Event 12--Loss of Confidentiality of Organizational Data due to Its Unauthorized Storage in Non-Organizationally Managed Services ..... 51
5.3.1 Cybersecurity Framework and NICE Framework Work Roles Mappings ..... 53
5.3.2 Threat Event Scenarios and Findings ..... 53
5.3.3 Data Action Scenarios and Findings ..... 55