Large enterprise organizations, federal contractors, and SMBs alike wrestle with security and compliance on a daily basis. Often, the demands of responsive business operations run up against the demands of risk management, governance, and compliance in regulated industries like government, healthcare, and finance. This is no more true than when it comes to mobile devices and mobile endpoint security.
Here, we’ll discuss the importance of mobile endpoint security, including why mobile devices can be such a vulnerable space, how compliance frameworks address mobile devices, and how you can employ best practices to go above and beyond compliance to make mobile endpoint security a larger part of your business strategy.
What is Mobile Endpoint Security?
Employees use mobile devices to do more and more of their work, whether that involves sensitive communications, document handling, emailing, or file sharing. Accordingly, mobile devices are a critical part of an organization’s security profile. Because of their inherent nature, however, they are also difficult to secure.
Primarily, this difficulty comes from several aspects of mobile computing:
- Always-on connectivity. Mobile devices, especially smartphones or tablets with cellular connectivity, are typically “always-on” and connected to mobile networks or Wi-Fi hotspots. This immediately places them in a vulnerable position, unless they are strictly used for internal purposes over private and secure networks.
- Additional attack vectors. Most companies will deal with phishing and malware attacks on a regular basis. Mobile phones don’t make resisting these attacks any easier, as many of them will, by default, make it harder to detect fraud by shortening URLs, shrinking links and graphics, or sending SMS messages.
- End-users make mistakes. The truth is that even the best-trained staff will make mistakes. If one of your team uses a business phone in a personal capacity, they run the risk of opening up the device, and your data, to potential hackers.
- Updates and apps aren’t always compliant. Many users will download phone applications through advertisements… that is, not through verified app stores like the Apple Store or Google Play. Likewise, they may ignore regular updates meant to patch security problems in the device’s OS or in individual apps. In either case, a failure to manage software and updates can open up a business device to hacking attacks.
Compliance Frameworks That Require Some Mobile Endpoint Security
Endpoint security isn’t just a good business decision: in many cases, industry-specific security compliance frameworks require some level of mobile security in place. For example, most cloud platforms will have some sort of mobile app or remote access tool for ease of use across a distributed team of users–this is the strength of using the cloud, after all. Compliance frameworks involved with cloud storage and computing will therefore likely have some sort of requirements on endpoint security.
Some common frameworks with endpoint security requirements include:
- FedRAMP: FedRAMP Authorization to Operate (ATO) requires cloud providers to follow the latest revisions of NIST Special Publication 800-53 and assessment guidelines outlined in NIST SP 800-53A. These include criteria for encryption and security for mobile devices used for federal applications.
- FISMA: Like FedRAMP, FISMA stipulates that government agencies and contractors must abide by security and risk assessment requirements outlined by NIST SP 800-53.
- GDPR: GDPR compliance is rather restricted, and as such endpoint security for organizations in GDPR jurisdiction is typically higher-end. GDPR requirements usually call for built-in AES-256 encryption that is FIPS 140-2 compliant. There are several apps for Android and iOS that fit these requirements. One of the interesting paradoxes of GDPR is that it also requires several layers of data containment and endpoint management, which can conflict with other GDPR guidelines about data privacy for mobile users. GDPR-rated mobile solutions will maintain both the privacy of the user and the security and compliance of the device.
- PCI DSS: Mobile devices are increasingly being used to process payments, either through enterprise mobile devices or simple swipe add-ons to consumer phones. In either case, these devices must utilize PCI DSS compliant software and communications.
What is NIST Special Publication 800-53 and What Does it Mean for Mobile Endpoint Security?
While different frameworks have different security requirements for mobile devices, we wanted to home in on federal requirements for these devices. Both FedRAMP and FISMA frameworks are becoming increasingly necessary for MSPs and other cloud providers who may want to work in the government space. This is true for both agencies that work with federal entities or those who want to work with the increasingly-secure state-level agencies that are leveraging StateRAMP requirements.
NIST SP 800-53 (currently in it’s 5th Revision) specifies minimum security controls across three system levels, defined across three security objectives: confidentiality, integrity, and availability. However, we’ll highlight the 4th revision, released in 2012, which introduced several security requirements and guidelines for modern mobile devices that still exist in some form today.
NIST launched Revision 4 of SP 800-53 to emphasize more modern data security threats. These include areas of interest such as:
- Application security
- Mobile devices
- Cloud computing
- Persistent cybersecurity threats
- Cross-domain solutions
Of interest to this discussion is the fact that this document defines, for the sake of governance, what a mobile device is, how it may be used as part of government work, and required security measures for such devices. This includes rules such as:
- Prohibiting unclassified devices for the use of managing classified information.
- Limits the designation of classified devices to those that meet NIST security requirements.
- Guidance for the use of container-based encryption for data security on mobile devices.
- Additional resources for mobile security outside the scope of NIST encompassing mobile technologies like wireless, always-on access, infrared canners, etc.
Best Practices for Mobile Security
Inside and outside of governmental use, there are several levels of best practices that your IT team can put into place that will either put you in compliance with various frameworks, or add additional security to your mobile endpoints:
- Enforce least privilege access for all users on mobile endpoints. Typical mobile users in your organization most likely do not need administrator access, and should not have any ability to give themselves such access. Allowing users to log in as administrators makes it that much easier for hackers to infiltrate these systems and make changes that could impact your entire security system. If end-users need elevated privileges for activities like installing apps, then require Multi-Factor Authentication.
- Control applications. Even better, if you have no reason for employees to install apps on a mobile device, then simply restrict control completely. Control application installation through your IT department or the device provider, if they have a secure app management service.
- Encrypt mobile storage. Most compliance frameworks call for encryption, so it makes sense to include it on all endpoint devices. There are several apps for encrypting data on mobile devices, including enterprise-level applications providing compliant encryption for specific industries.
- Deploy SIEM Solutions. Many compliance standards require file access and user logging for reporting. However, SIEM solutions for useful data logging beyond compliance can provide critical intelligence and insight into access and data usage to build predictive and responsive actions that mitigate security risks.
- Work with a compliance expert or Third-Party Assessment Organization (3PAO). Frameworks like FedRAMP require working with a certified 3PAOs, but having a third-party organization helps you strategize, plan, audit, and implement security for your mobile devices.
Mobile endpoint security will continue to be a topic of discussion for enterprises and managed service providers. Meeting security needs and managing risk and compliance while maintaining flexibility for your business operation will most likely be one of the key strategic aspects of many businesses. With the right security partner, you can turn mobile endpoint compliance into an effective and critical part of your overall security profile.
Learn more about how you can pursue the best security, reporting, logging, and risk management practices suited to your business. Call us at 1-888-896-7580 or through the form below. And tap into your CyberVisor Services to work with some of the top security experts in the industry.