Written by Michael Covington
Mobile security vulnerabilities have been no stranger to national headlines lately. With examples ranging from WhatsApp reportedly allowing hackers to gain access to your smartphone’s sensors, to malicious apps making their way into the Google Play store, it’s no surprise the National Institute of Standards and Technology (NIST) saw the need for an update to its guidelines for vetting mobile applications.
A Theoretical Approach
From an academic perspective, the update to the NIST framework offers a solid theoretical approach to vetting applications for your enterprise; a process for managing risk and assuring compliance with security requirements. But, what sounds good theoretically can be near impractical to implement. While the guidelines laid out by NIST highlight an ideal, very few organizations have the resources to implement them across the board. This isn’t to say that these new guidelines don’t make sense. In fact, presenting the state of applications and offering suggestions on how to strengthen the security of systems, operations and data to organizations in a way that’s applicable and digestible is no easy task, especially in just 20 pages.
For organizations that have mobile devices locked down for one specific purpose, the techniques presented by NIST might be applicable, but that’s a rare circumstance. The issue is that application vetting and evaluation cannot be done in isolation. Additionally, it’s not always up to the security decision maker. A business’s goals, risk tolerance and other factors outside the realm of the true security professional also need to be taken into consideration. Thus, the current framework is closer to an ideal set of standards but farther from a practical one. So what’s the solution and how do we find a middle ground?
Compromise Is Key
In the real world, there’s never going to be a scenario where perfect security can be achieved. “Usable security” is often the result of compromise. Currently, NIST offers an outline of different threat classes. What’s needed is a measurable model that generates guidelines based on the consideration of individualized requirements from specific organizations. The idea is to understand what you need to protect, which devices have access to applications and then examine those applications within that specific context. As we move toward a world where risk in isolation matters less than risk on an endpoint performing a critical function on sensitive data it is critical to view scenarios more holistically and consider the context surrounding the threat.
The original NIST framework was published at a time when mobile devices were becoming more widely adopted in the workplace. At that time, just five years ago, there was the notion that mobile devices represented a new approach to how operating systems should be built and how applications could be delivered. But while this version of the framework includes integrity checks and suggests the re-vetting of applications once they’ve been allowed, it doesn’t factor in where the application will be used next and excludes the subset of devices that now have access to sensitive information from the overall security equation.
Timing Is Everything
The recent release of the 2019 Verizon MSI report indicate that the timing is right for NIST to update the mobile app vetting guidelines. While NIST represents the ideal for enterprises, it ultimately overlooks the end-user. Particularly when the user’s interests aren’t aligned with that of the company, which is often the case. The question becomes how to use this idealistic and theoretical framework to improve the security posture of your own organization without falling victim to the idea that it’s complete compliance or nothing. To achieve this balance, it comes down to workflow and conversations with app developers. Generally speaking, it’s the companies that keep an open line of communication with the developers that are best able to improve security and ensure that applications meet the requirements defined by the customer.
So, what’s the takeaway here? Get involved! Historically, time-to-market has been so important when it comes to application development that it’s come at the expense of a security development life cycle, and security has suffered because of it. Vetting applications after the fact won’t cut it—know what you’re trying to deploy that needs to be secure and get it right the first time. Since the initial NIST framework was released in February 2014, application risk and platform security have evolved to the point where it was time for a reminder. Enterprises need to be more active. You can’t achieve reliable mobile security without first covering the fundamentals of cybersecurity.
Michael J. Covington, Ph.D. is a seasoned technologist and the vice president of product for Wandera, a leader in mobile security and data management. He previously held leadership roles at Intel Labs, Cisco Security and Juniper Networks.