NIST releases draft guide for securing mobile devices
The National Institute of Standards and Technology released draft guidelines for securing mobile devices and is requesting comments through December 14.
The draft, “Guidelines on Hardware-Rooted Security in Mobile Devices,” defines the fundamental security components and capabilities needed to enable more secure use of products.
“Many current mobile devices lack a firm foundation from which to build security and trust,” said NIST lead for hardware-rooted security Andrew Regenscheid, one of the publication’s authors. “These guidelines are intended to help designers of next-generation mobile phones and tablets improve security through the use of highly trustworthy components, called roots of trust, that perform vital security functions.”
On laptop and desktop systems, these roots of trust are often implemented in a separate security computer chip that cannot be tampered with, but the power and space constraints in mobile devices could lead manufacturers to pursue other approaches such as leveraging security features built into the processors these products use, he said.
The NIST guidelines are centered on three security capabilities to address known mobile device security challenges, including device integrity, isolation and protected storage.
To attain the security capabilities, the guidelines recommend that every mobile device implement three security components that can be used by the device’s operating system and its applications.
- Roots of trust, which are combinations of hardware, firmware and software components that are designed to provide critical security functions with a very high degree of assurance that they will behave correctly;
- An application programming interface that allows operating systems and applications to use the security functions provided by the roots of trust; and
- A policy enforcement engine to enable the processing, maintenance and policy management of the mobile device.
Comments to the draft can be sent to firstname.lastname@example.org.