Ruslan Rakhmetov, Security Vision
The mass transition of employees to remote work during the pandemic was accompanied by an unprecedented increase in the number of personal devices (smartphones, laptops) connected to corporate networks. Not all companies had taken care in advance to purchase spare devices that could be issued promptly to employees for remote work. This approach, where personal and often uncontrolled devices are connected to corporate resources (VPN gateways, web services, email, etc.), multiplies cyber risks.
A device that the company neither owns nor manages may be accidentally or deliberately infected with malware, may not receive timely updates for system and application software, and may not maintain correct security settings (unlock password length, data encryption, connection to open wireless networks, privacy settings, etc.). One of the solutions to these difficulties is the BYOD (Bring Your Own Device) concept, a structured, systematic approach to selecting, configuring, and providing secure access to corporate resources for employees' personal devices. NIST SP 1800-22 (Draft), ‘Mobile Device Security: Bring Your Own Device (BYOD),’ which we review in this publication, is dedicated to recommendations for implementing the BYOD concept for Android and Apple iOS smartphones.
In summary, NIST SP 1800-22 offers guidance on how to use the BYOD framework to ensure:
- protecting sensitive corporate data from unauthorised access when devices (Android and Apple iOS smartphones) are lost or stolen;
- reducing the risk of breaching the confidentiality of employees' personal data when using smartphones;
- improving cyber security of mobile devices and applications through the use of specialised technologies;
- reducing the cyber risk of unauthorised access to corporate data by separating personal and work information;
- improving device health monitoring to detect compromise of sensitive data and the device itself, as well as timely notification of the user of such facts;
- leveraging international best practices and technologies to improve data and device security and privacy.
The paper also notes possible challenges in implementing BYOD, such as:
- the diversity of OS versions and ‘shells’ for them (relevant mainly for Android-based devices);
- the variety of Android smartphone models from different manufacturers;
- the variety of functional (software and hardware) capabilities of portable devices that require analysis and protection;
- difficulties in the application of classic protection systems for mobile devices and, as a consequence, the need to select, purchase, operate, and support specialised protection solutions;
- insufficient security features built into mobile operating systems, whose use is mandatory to ensure cyber security at the level of cyber risk set by the company;
- the possibility of unintentional installation of malware by the user (e.g., under the guise of games), transfer of the device into other hands, as well as possible loss, theft, sale of a smartphone with confidential information;
- the need to ensure the privacy of the user's personal information stored on their mobile device with a BYOD solution installed.
The implementation of BYOD is discussed in NIST SP 1800-22 using the example of a typical organisation whose goals in adopting the concept of using personal devices for work may include:
- separating personal information from work information by differentiating information flows between work and personal applications;
- encrypting data in transit over potentially insecure networks by building a VPN tunnel and authenticating with certificates;
- identifying vulnerable applications installed by the user and then temporarily blocking access to corporate resources until such applications are removed or updated;
- detecting malicious software accidentally installed by the user and then removing it;
- ensuring trusted access of the device and user to corporate resources through two-factor authentication, including a password and a digital certificate;
- controlling and restricting the collection of information about the device and its use by the employee on the part of the BYOD system.
It is proposed to realise these objectives by applying the following technologies and approaches:
1. Trusted Execution Environment (TEE)
A trusted execution environment is an instruction processing and execution environment that is protected from unauthorised modification and tampering. It guarantees the authenticity of executable code, the integrity of the runtime state of the processor, registers, memory, and I/O devices, and the confidentiality of data, instructions, and runtime states in persistent memory. This environment prevents the device from executing code whose integrity has been violated (i.e., code that has likely been modified or spoofed without authorisation), which helps maintain information security when the user runs arbitrary applications.
2. Enterprise Mobility Management (EMM) system for mobile devices
EMM solutions make it possible to manage some functions of smartphones that have passed the enrollment procedure in the corporate BYOD system. Such solutions usually contain a server part with policies and settings applied to different groups of devices and users, as well as a client part in the form of an agent installed as an application on the smartphone and interacting with the EMM server. The EMM solution performs Mobile Device Management (MDM) functions, including installation of configuration profiles on devices, setting up security policies, and checking that device settings comply with the applied policies. The agent part notifies the user about security problems and device non-compliance with corporate policies and settings, separates personal and work data (using containerisation and encryption technology), and automatically corrects some errors and inconsistencies. Based on the data on the device status, the server part decides whether the device is allowed to access corporate services and data.
3. VPN tunnelling
The use of VPN tunnels makes it possible to ensure the confidentiality, integrity, and authenticity of data transmitted through unprotected networks, and also provides an additional level of control over connecting devices depending on their geographical location, the level of cyber risk of a particular device, and compliance with corporate EMM policies. In addition, VPN tunnels can be used to protect only corporate data transmitted by certain applications: such a per-app VPN tunnel will protect and redirect to the VPN gateway not all smartphone traffic, but only the traffic of work applications, e.g., work email, collaboration tools, and corporate web applications.
4. Mobile Application Vetting Service
User-installed applications can be either purposefully malicious or harmless, but may contain vulnerabilities or redundant functionality. The Application Vetting Service client is used to monitor applications and can use a set of static, dynamic and behavioural indicators to make a conclusion about the security of an installed application. As a result of the analysis, the device is assigned a certain level of cyber risk, according to the value of which the device is allowed to access corporate services and data. For example, a device with modified firmware, ‘rooted’ or with a modified bootloader is likely to have a very high risk score and will not be able to access work data or establish a VPN connection to a corporate VPN gateway.
5. Mobile Threat Defence (MTD)
Mobile Threat Defence is implemented using an MTD agent that is installed on the device and provides data on the security status of the device based on installed applications, device activity, and the status of security features. The properties of the device itself are checked, such as OS version, version of installed security updates, insecure smartphone settings configurations, elevated privileges (root rights), installed profiles, signs of device compromise, as well as the security of the wireless network connection and signs of traffic interception/decryption.
6. Cybersecurity mechanisms built into mobile operating systems
6.1. Secure Boot: the process of sequentially booting OS components with integrity verification and authentication of the loaded code, starting with the bootloader;
6.2. Device Attestation: the process of checking the integrity and authenticity of all OS components and running software;
6.3. MDM API: the ability for an MDM solution to use the security features built into the OS by accessing them through the API and then configuring, for example, device encryption (full-disk or file-by-file), verification of digital signatures of software or OS updates, setting a password to unlock the device, configuring remote management settings, and wiping the device;
6.4. iOS App Transport Security (ATS): enforces the use of the TLS protocol to protect data transferred by apps over the Internet (enabled by default since iOS 9.0);
6.5. Android Network Security Configuration: prohibits the transmission of cleartext traffic by default, with the ability to designate trusted certificate authorities and pin the corresponding digital certificates.
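The following is an added illustration of item 6.5, not taken from NIST SP 1800-22 or from any vendor: a weak Android Network Security Configuration that permits cleartext traffic and trusts user-installed CAs, placed beside a hardened one that disables cleartext, trusts only system CAs, and pins the corporate mail host. The domain name and the base64 pin values are constructed placeholders, and the app must reference the file from its manifest via android:networkSecurityConfig.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     WEAK variant (for contrast only): cleartext HTTP is allowed for every
     host and user-added CAs are trusted, so an on-path attacker on an open
     Wi-Fi network can read or intercept corporate traffic. -->
<!--
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
-->

<!-- HARDENED variant: this is the configuration the work app should ship. -->
<network-security-config>
    <!-- No cleartext anywhere; only the platform CA store is trusted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Corporate mail host (constructed placeholder name) is additionally
         pinned to the SHA-256 hash of its leaf/intermediate public key.
         Two pins are required: the current key and a backup key, so a key
         rotation does not lock users out. Pin values below are placeholders. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">mail.corp.example</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds only: allow a user-installed CA for traffic inspection
         during testing. Ignored in release builds (android:debuggable=false). -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

In the manifest the file is wired in with `<application android:networkSecurityConfig="@xml/network_security_config" ...>`; the pin expiration date should be tracked so the pin set is renewed before it lapses and silently stops being enforced.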