
MaaS360 by Fiberlink

NIST releases enterprise mobile device management policy guidelines


One challenge for enterprise mobility is developing a robust mobile device security plan that is flexible and addresses all of the needs of the mobile enterprise. The National Institute of Standards and Technology (NIST) recently drafted a publication that outlines guidelines for managing and securing mobile devices in the enterprise.

The report identifies several categories of security for organizations to consider as they develop mobile device management (MDM) policies, including:

• General policy: Includes hardware and software access control and network monitoring solutions
• Data communication and storage: Includes encryption and remote wiping
• User and device authentication: Prevents unauthorized devices from accessing organizational resources and may include other security functions such as automatically locking out idle devices
• Applications: Includes mobile application management (MAM) solutions such as application whitelists and blacklists

Although not all organizations will need to implement solutions for every category, the draft noted it is important for organizations to consider each one. Businesses can benefit from a threat model that prioritizes business resources and identifies potential risks to those resources. Developing a threat model enables businesses to clearly define their security requirements so they can pick a solution that is best able to meet enterprise mobility demands.

Security objectives

The NIST draft highlighted the importance of mobile devices fulfilling multiple security objectives. The most common objectives include confidentiality, integrity and availability. To meet these objectives, organizations can benefit from threat modeling.

"Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added," the draft states.

Important elements of a security strategy

It is important to implement an initial policy to determine which platforms and devices will be supported by the enterprise network. However, an effective mobile device security policy extends beyond the scope of the initial deployment. According to NIST, it is important for businesses to develop a policy that enables ongoing and adaptable security.

"Helpful operational processes for maintenance include checking for upgrades and patches, and acquiring, testing, and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure," NIST's report states.

Software-as-a-service MDM offers significant advantages for maintaining mobile security. Because the vendor handles security of the solution and updates to the software, it is a cost-effective answer to enterprise mobility needs. However, in addition to knowing what to look for in a solution, it is also important for organizations to know what to look for in a vendor.

Selecting a reliable SaaS MDM vendor

A TechTarget article identified several items businesses should consider as they compare SaaS providers. Businesses should first evaluate the security practices of the vendor. One of the key things to look for in any cloud provider is SAS 70 certification, which ensures the vendor follows well-documented security practices. Businesses that have developed threat models will be able to compare the security offerings of the MDM vendor to the demands that have been identified.

Another issue TechTarget highlights is the solution's flexibility. Scalability is just one of the components that contribute to a high level of business agility. Ease of integration is another important measuring stick. Businesses should ask whether the MDM solution easily integrates with existing enterprise software.


Jack Marsal

09 Aug 2012 | 04:56 AM

Brian, what I really like about your post is that you open up by talking about planning for enterprise mobility as opposed to BYOD or MDM specific policies. At ForeScout (http://bit.ly/ON2PNw), we see the rise of MDM (fueled in great part by BYOD) as the latest evolution in enterprise mobility. We encourage our customers to place BYOD in the larger context of enterprise mobility. When you remove the urgency of needing to do something for BYOD right away and instead have a more thoughtful analysis of what has come before and what might be needed after, it is a much more valuable conversation.
