Press Release Summary:
NIST is revising its telework publications, originally published in 2009, to cover use of BYOD as well as contractor and vendor devices for organizational resource access. Also, guidance explains 2 new technologies – Virtual mobile infrastructure (VMI) and mobile device management (MDM) – critical in securing telework devices. Comments are being sought on related Special Publication 800-46 Rev 2 and Special Publication 800-114 Rev 1 by April 15, 2016.
Original Press Release:
Attackers Honing In On Teleworkers? How Organizations Can Secure Their Data
As the number of employees who telework trends upward—and new kinds of devices are used in telework—the National Institute of Standards and Technology (NIST) is updating its guidance to include the latest technology available to strengthen an organization’s remote-access data security.
“Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework,” said Murugiah Souppaya, a NIST computer scientist. Those computers include bring-your-own-device (BYOD) smart phones and tablets, as well as laptops and mobile devices used by contractors and vendors.
Data breaches can also occur when sensitive organizational data is stored on unsecured laptops and mobile devices that can either be infected by malware or stolen.
“To prevent breaches when people are teleworking, organizations need to have stronger control over their sensitive data that can be accessed by, or stored on, telework devices,” Souppaya explained.
NIST is revising its telework publications, published in 2009, to now cover the booming use of BYOD and the use of contractor and vendor devices to access organizational resources. The guidance also explains two new technologies that are critical in securing telework devices.
Virtual mobile infrastructure (VMI) technologies deliver a secure virtual environment to a mobile device used for telework. The VMI establishes a temporary secure environment when the teleworker needs to access the organization's data and applications. When the session is done, the environment is securely destroyed, leaving no traces of the data and applications on the mobile device.
Another newer technology, mobile device management (MDM), can enforce security policies on mobile devices, including BYOD and vendor/contractor devices, on behalf of the organization. For example, MDM software could check each mobile device for signs that the user has deactivated the device's built-in security controls, before allowing the mobile device to use the organization's computing resources.
The NIST publications recommend that teleworkers should understand their organization’s policies and requirements and appropriate ways of protecting the organization’s information that they access. They also call for organizations to strongly consider establishing a separate, external, dedicated network for BYOD devices if they are allowed in the organization.
NIST is seeking comments on the two draft publications—Special Publication 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (Draft), and Special Publication 800-114 Rev. 1 User’s Guide to Telework and Bring Your Own Device (BYOD) Security (Draft). The deadline for comments is April 15, 2016.