Sierraware Blog

NIST Updates BYOD Security Guidance

Learn how NIST SP 800-46 Could Impact You

Last week, the National Institute of Standards and Technology (NIST) updated its guidance for mobile security with two new publication drafts. The folks at NIST recognize that more and more employees are using mobile devices to access confidential data and that mobile devices have become a weak link in many organizations’ defenses.

BYOD Users for NIST SP 800-46

According to NIST computer scientist Murugiah Souppaya, “Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework.”[1]

The new NIST SP 800-46 draft, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, offers recommendations to improve BYOD security and reduce the risk of data breaches caused by mobile devices.

According to the NIST publication[2], organizations should:

  • Encrypt all sensitive data stored on client devices, or do not store sensitive data on client devices at all.
  • Use strong authentication—preferably multi-factor—for enterprise access.
  • Encrypt communications to maintain confidentiality and integrity and to prevent eavesdropping and interception.

The publication[3] also recommends that virtual mobile infrastructure can help secure BYOD access:

Although terminal server access and VDI technologies are primarily meant for telework PCs, there is an emerging technology that provides similar capabilities for mobile devices: virtual mobile infrastructure (VMI). Just as a VDI solution delivers a secure virtual desktop to a telework PC, so does VMI deliver a secure virtual mobile device environment to a telework mobile device. Organizations considering the use of mobile devices for telework, particularly BYOD or third-party-controlled mobile devices, should investigate VMI technologies to see if they may be helpful in improving security.

A lot has changed since NIST published its original guide for telework and remote access nine years ago. That guide focused on personal computers and laptops. Since that time, mobile device use has skyrocketed. Government agencies and enterprises alike must grapple with a host of different phones and tablets owned by employees.

Today, many government and defense agencies provide their employees with locked-down, secure mobile devices. However, some of these employees end up carrying around two mobile devices: one for work and another for personal use. This practice is not only cumbersome and costly, but it probably increases the risk of losing a device because it is harder for workers to keep track of two devices than just one.

While federal workers are not going to ditch their employer-provided phones anytime soon (especially if they need to access top secret data), government agencies should consider technologies like VMI for BYOD. VMI provides secure remote access to sensitive data while still allowing users to access their personal apps. VMI also extends secure access to contractors and partners that do not have locked-down and managed devices.

Mobility has revolutionized how users work, collaborate and communicate, but it has also introduced a wide array of new security risks. NIST SP 800-46 provides an excellent framework for securing mobile access from all users, including emplo

[1] http://www.nist.gov/itl/csd/attackers-honing-in-on-teleworkers-how-organizations-can-secure-their-datata.cfm

[2] Executive Summary (lines 236 – 244) of NIST SP 800-46 Rev. 2 (Draft)

[3] Section 2.2.2 of NIST SP 800-46 Rev. 2 (Draft)