Mobile Device Security: Bring Your Own Device

Many organizations now support their employees’ use of personal mobile devices to perform work-related activities. This increasingly common practice, known as BYOD, provides employees with the flexibility to access organizational resources remotely or when teleworking. Helping ensure that an organization’s data is protected when it is accessed from personal devices poses unique challenges and threats.

Clear and repeatable reference mobile architecture in which strong data confidentiality is implemented using certified technologies.

The goal of the Mobile Device Security: Bring Your Own Device project is to provide an example solution that helps organizations use both a standards-based approach and commercially available technologies to help meet their security and privacy needs when permitting personally-owned mobile devices to access enterprise resources.
Status: Reviewing Comments

The public comment period has closed for NIST Special Publication 1800-22, Mobile Device Security: Bring Your Own Device (BYOD). Thank you to everyone who shared their feedback with us. We are currently reviewing the comments received as work continues on the implementation of the demonstration and development of other sections of the publication.

Project Abstract

Bring Your Own Device (BYOD) refers to the practice of performing work-related activities on personally owned devices. This practice guide provides an example solution demonstrating how to enhance security and privacy in Android and Apple mobile device BYOD deployments. 

Incorporating BYOD capabilities into an organization can provide greater flexibility in how employees work and increase the opportunities and methods available to access organizational resources. For some organizations, the combination of traditional in-office processes with mobile device technologies enables portable communication approaches and adaptive workflows. For others, it fosters a mobile-first approach in which their employees communicate and collaborate primarily using their mobile devices.

However, some of the features that make BYOD mobile devices increasingly flexible and functional also present unique security and privacy challenges to both work organizations and device owners. The unique nature of these challenges is driven by the diverse range of devices available that vary in type, age, operating system (OS), and the level of risk posed. 

Enabling BYOD capabilities in the enterprise introduces new cybersecurity risks to organizations. Solutions that are designed to secure corporate devices and on-premises data do not provide an effective cybersecurity solution for BYOD. Finding an effective solution can be challenging due to the unique risks that BYOD deployments impose. Additionally, enabling BYOD capabilities introduces new privacy risks to employees by providing their employer a degree of access to their personal devices, opening up the possibility of observation and control that would not otherwise exist.

To help organizations benefit from BYOD’s flexibility while protecting themselves from many of its critical security and privacy challenges, this Practice Guide provides an example solution using standards-based, commercially available products and step-by-step implementation guidance.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

 

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member of this project's COI.
