
NIST Shares Mobile Device Privacy, Security Guide for BYOD Policies

Designed to support enterprise bring-your-own-device (BYOD) policies, the NIST guide sheds light on security challenges and privacy risks brought on by employees’ mobile devices.

NIST recently shared draft guidance for enterprise bring-your-own-device policies, designed to give system administrators a standards-based approach and the tools needed to protect the privacy and security of personally owned mobile devices that access enterprise resources.

The guide aims to help organizations manage the growing number of employee-owned devices used to perform work remotely. While BYOD practices give remote work greater flexibility, their use poses unique challenges and threats to the enterprise environment.

The Mobile Device Security: Bring Your Own Device (BYOD) practice guide provides administrators with an example solution for creating a standards-based approach and insight into commercially available technologies to meet privacy and security needs of mobile devices.

The guidance details the many challenges posed by BYOD mobile devices, as well as the solutions and benefits of securing this environment. NIST also provides insight into the approaches needed, along with risk assessments and a deep dive into threats to the BYOD architecture.

NIST also included an example scenario to help leadership put these steps into practice, along with a detailed list of technologies that can support the enterprise’s privacy and security goals.

“For some organizations, the combination of traditional in-office processes with mobile device technologies enables portable communication approaches and adaptive workflows,” researchers wrote. “For others, it fosters a mobile first approach in which their employees communicate and collaborate primarily using their mobile devices.”

“Some of the features that make BYOD mobile devices increasingly flexible and functional also present unique security and privacy challenges to both work organizations and device owners,” they added. “The unique nature of these challenges is driven by the diverse range of devices available that vary in type, age, operating system, and the level of risk posed.”

In short, personally owned devices introduce new cybersecurity risks to organizations, and these cannot be addressed by the same solutions used to secure corporate devices and on-premises data.

As such, it can be challenging for organizations to find an effective solution for these unique risks. For example, BYOD practices create privacy risks for employees, because they give the organization a degree of access to, and possible observation or control of, personal devices.

According to NIST, administrators can use the guide to protect the enterprise from many of the critical security and privacy challenges. The guide also includes an example solution with a step-by-step implementation guide.

The key guiding principles provided by NIST include protecting data from unauthorized access when a device is stolen or misplaced, reducing risk to employees through enhanced privacy protections, and improving mobile device and application security through the deployment of mobile device management technologies.

Administrators can also reduce enterprise data risk by separating personal and work-related information on the device, and by gaining greater visibility into mobile device health, which helps identify device or data compromises.
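The two controls just described, work/personal separation and visibility into device health, are typically enforced by gating access on device posture. The following is an added illustration of that idea, not code from the NIST practice guide or any vendor: it evaluates constructed posture records (the field names, thresholds and the `evaluate`/`access_decision` helpers are assumptions for this example, not a real MDM schema or NIST-prescribed values) and returns an access decision plus the findings an administrator would want to see.

```python
"""
Device-posture check for BYOD access decisions.
Added illustration; not code from the NIST practice guide. The posture record
layout, policy thresholds and sample devices below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    os_name: str                  # "ios" or "android" in this example
    os_version: Tuple[int, ...]   # compared as a tuple, e.g. (15, 4) < (16, 0)
    jailbroken_or_rooted: bool    # reported by the management agent
    work_profile_present: bool    # work/personal separation container in place
    encrypted: bool               # storage encryption enabled
    last_checkin: datetime        # last successful report to management


# Hypothetical policy constants (assumptions, not NIST-prescribed values).
MIN_OS_VERSION = {"ios": (15, 0), "android": (12, 0)}
MAX_CHECKIN_AGE = timedelta(days=7)


def evaluate(device: DevicePosture, now: datetime) -> List[str]:
    """Return policy findings for one device; an empty list means it is compliant."""
    findings: List[str] = []
    if device.jailbroken_or_rooted:
        findings.append("compromised-os")
    minimum = MIN_OS_VERSION.get(device.os_name)
    if minimum is None:
        findings.append("unsupported-platform")
    elif device.os_version < minimum:
        findings.append("os-out-of-date")
    if not device.work_profile_present:
        findings.append("no-work-profile")
    if not device.encrypted:
        findings.append("storage-unencrypted")
    if now - device.last_checkin > MAX_CHECKIN_AGE:
        findings.append("stale-checkin")
    return findings


def access_decision(device: DevicePosture, now: datetime) -> str:
    """Map findings to allow / quarantine / block.

    Loss of separation or a compromised OS blocks outright; other findings put the
    device in a limited-access state until remediated.
    """
    findings = evaluate(device, now)
    if not findings:
        return "allow"
    if "compromised-os" in findings or "no-work-profile" in findings:
        return "block"
    return "quarantine"


def report(devices: List[DevicePosture], now: datetime) -> Dict[str, Tuple[str, List[str]]]:
    """Per-device decision and findings, the view an administrator would review."""
    return {d.device_id: (access_decision(d, now), evaluate(d, now)) for d in devices}


# Constructed sample inventory (not real devices).
NOW = datetime(2021, 4, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    DevicePosture("dev-001", "ios", (15, 4), False, True, True, NOW - timedelta(days=2)),
    DevicePosture("dev-002", "android", (11, 0), True, True, True, NOW - timedelta(days=1)),
    DevicePosture("dev-003", "ios", (16, 0), False, False, True, NOW - timedelta(days=3)),
    DevicePosture("dev-004", "android", (13, 0), False, True, False, NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for device_id, (decision, findings) in report(SAMPLE_DEVICES, NOW).items():
        print(f"{device_id}: {decision} {findings}")
```

The decision logic deliberately treats a missing work profile as a hard block rather than a quarantine: once personal and work data are no longer separated, the guide's core mitigation for both data leakage and employee privacy is gone, so limited access is not a safe middle ground.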

The insights include industry best practices for enhancing device security and privacy. In addition, business decision makers can use them to better understand the cybersecurity challenges and potential benefits of adopting stronger BYOD policies and technologies.

NIST also provided a privacy and security analysis complete with analysis assumptions and limitations, build testing, threat events and findings, and work role mappings.

“The example solution uses standards-based, commercially available products that can be used by an organization interested in deploying a BYOD solution. The example solution provides recommendations for enhancing the security and privacy infrastructure by integrating on-premises and cloud-hosted mobile security technologies,” researchers explained.

“This practice guide provides an example solution that an organization may use in whole or in part as the basis for creating a custom solution that best supports their unique needs,” they added.

NIST asked industry stakeholders to provide feedback on the guidance by May 3, 2021, including whether the guide meets enterprise needs and can help organizations put these steps into practice.
