NIST SPECIAL PUBLICATION 1800-22
Mobile Device Security: Bring Your Own Device (BYOD)
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Kaitlin Boeckl
Nakia Grayson
Gema Howell
Naomi Lefkovitz
Applied Cybersecurity Division
Information Technology Laboratory
Jason Ajmo
R. Eugene Craft
Milissa McGinnis*
Kenneth Sandlin
Oksana Slivina
Julie Snyder
Paul Ward
The MITRE Corporation
McLean, VA
*Former employee; all work for this publication done while at employer.
FINAL
September 2023
This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-22
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 4.1 Common BYOD Risks and Potential Objectives to Remediate Those Risks
- 4.2 Example Scenario: Putting Guidance into Practice
- 4.3 Technologies that Support the Security and Privacy Objectives of the Example Solution
- 4.4 Architecture Description
- 4.5 Enterprise Integration of the Employees’ Personally Owned Mobile Devices
- 4.6 Mobile Components Integration
- 4.7 Privacy Settings: Mobile Device Data Processing
- 5 Security and Privacy Analysis
- 6 Example Scenario: Putting Guidance into Practice
- 7 Conclusion
- 8 Future Build Considerations
- Appendix A List of Acronyms
- Appendix B Glossary
- Appendix C References
- Appendix D Standards and Guidance
- Appendix E Example Security Subcategory and Control Map
- Appendix F Example Privacy Subcategory and Control Map
- 1 Applying This Build: Example Scenario
- 2 About Great Seneca Accounting
- 3 Great Seneca Accounting’s Target Profiles
- 4 Great Seneca Accounting Embraces BYOD
- 5 Applying NIST Risk Management Methodologies to Great Seneca Accounting’s BYOD Architecture
- Appendix A List of Acronyms
- Appendix B Glossary
- Appendix C References
- Appendix D A Note Regarding Great Seneca Accounting
- Appendix E How Great Seneca Accounting Applied NIST Risk Management Methodologies
- Appendix F How Great Seneca Accounting Used the NIST Risk Management Framework
- F.1 Understanding the Risk Assessment Process
- F.2 Risk Assessment of Great Seneca Accounting’s BYOD Program
- F.3 Development of Threat Event Descriptions
- F.4 Great Seneca Accounting’s Leadership and Technical Teams Discuss BYOD’s Potential Threats to Their Organization
- F.5 Identification of Vulnerabilities and Predisposing Conditions
- F.6 Summary of Risk Assessment Findings
- Appendix G How Great Seneca Accounting Used the NIST Privacy Risk Assessment Methodology
- G.1 Privacy Risk 1: Wiping Activities on the User’s Device May Inadvertently Delete the User’s Personal Data
- G.2 Privacy Risk 2: Organizational Collection of Device Data May Subject Users to Feeling or Being Surveilled
- G.3 Privacy Risk 3: Data Collection and Transmission Between Integrated Security Products May Expose User Data
- G.4 Mitigations Applicable Across Various Privacy Risks
- G.5 Privacy References for Example Solution Technologies
- 1 Introduction
- 2 Product Installation Guides
- 2.1 Network Device Enrollment Services Server
- 2.2 International Business Machines MaaS360
- 2.3 Zimperium
- 2.4 Palo Alto Networks Virtual Firewall
- 2.5 Kryptowire
- Appendix A List of Acronyms
- Appendix B Glossary
- Appendix C References
- Appendix D Example Solution Lab Build Testing Details
- D.1 Threat Event 1 – Unauthorized Access to Sensitive Information Via a Malicious or Intrusive Application Practices
- D.2 Threat Event 2 – Theft of Credentials Through a Short Message Service or Email Phishing Campaign
- D.3 Threat Event 3 – Confidentiality and Integrity Loss Due to Exploitation of Known Vulnerability in the OS or Firmware
- D.4 Threat Event 4 – Loss of Confidentiality of Sensitive Information Via Eavesdropping on Unencrypted Device Communications
- D.5 Threat Event 5 – Compromise of Device Integrity Via Observed, Inferred, or Brute-Forced Device Unlock Code
- D.6 Threat Event 6 – Unauthorized Access to Backend Services Via Authentication or Credential Storage Vulnerabilities in Internally Developed Applications
- D.7 Threat Event 7 – Unauthorized Access of Enterprise Resources From an Unmanaged and Potentially Compromised Device
- D.8 Threat Event 8 – Loss of Organizational Data Due to a Lost or Stolen Device
- D.9 Threat Event 9 – Loss of Confidentiality of Organizational Data Due to its Unauthorized Storage in Non-Organizationally Managed Services
- D.10 Privacy Risk 1 – Wiping Activities on the Employee’s Device May Inadvertently Delete the Employee’s Personal Data
- D.11 Privacy Risk 2 – Organizational Collection of Device Data May Subject Employees to Feeling or Being Surveilled
- D.12 Privacy Risk 3 – Data Collection and Transmission Between Integrated Security Products May Expose Employee Data
- D.13 Privacy Risk 4 – Employees Might Feel Compelled to Participate in Data Processing Practices Inconsistent with Expectations
- D.14 Privacy Risk 5 – Unauthorized or Invasive Application Processing of Information Exposes Employee Data