NIST releases enterprise mobile device management policy guidelines
One challenge for enterprise mobility is developing a robust mobile device security plan that is flexible and addresses all of the needs of the mobile enterprise. The National Institute of Standards and Technology (NIST) recently drafted a publication that outlines guidelines for managing and securing mobile devices in the enterprise.
The report identifies several categories of security for organizations to consider as they develop mobile device management (MDM) policies, including:
• General policy: Includes hardware and software access control and network monitoring solutions
Although not all organizations will need to implement solutions for every category, the draft noted it is important for organizations to consider each one. Businesses can benefit from a threat model that prioritizes business resources and identifies potential risks to those resources. Developing a threat model enables businesses to clearly define their security requirements so they can pick a solution that is best able to meet enterprise mobility demands.
The NIST draft highlighted the importance of mobile devices fulfilling multiple security objectives. The most common objectives include confidentiality, integrity and availability. In order to meet these objectives, organizations can benefit from threat modeling.
"Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added," the draft states.
Important elements of a security strategy
It is important to implement an initial policy to determine which platforms and devices will be supported by the enterprise network. However, an effective mobile device security policy extends beyond the scope of the initial deployment. According to NIST, it is important for businesses to develop a policy that enables ongoing and adaptable security.
"Helpful operational processes for maintenance include checking for upgrades and patches, and acquiring, testing, and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure," NIST's report states.
Software-as-a-service MDM offers significant advantages for maintaining mobile security. Because the vendor handles security of the solution and updates to the software, it is a cost-effective answer to enterprise mobility needs. However, in addition to knowing what to look for in a solution, it is also important for organizations to know what to look for in a vendor.
Selecting a reliable SaaS MDM vendor
A TechTarget article identified several items businesses should consider as they compare SaaS providers. Businesses should first evaluate the security practices of the vendor. One of the key things to look for in any cloud provider is SAS 70 certification, which ensures the vendor follows well-documented security practices. Businesses that have developed threat models will be able to compare the security offerings of the MDM vendor to the demands that have been identified.
Another issue TechTarget highlights is the solution's flexibility. Scalability is just one of the components that contribute to a high level of business agility. Ease of integration is another important measuring stick. Businesses should ask whether the MDM solution easily integrates with existing enterprise software.