nist mobile application security checklist

This page gathers fragments of NIST and NCCoE material on securing enterprise mobile devices and vetting mobile applications, together with related checklist and standards references. The text has been regrouped by topic; fragments whose meaning could not be recovered are omitted, and nothing has been added that the page itself does not state.

Security configuration checklists and standards

A checklist, also known as a lockdown, hardening guide, benchmark, security guide or security technical implementation guide (STIG), can be used to ensure a product is configured correctly. The IT product may be commercial, open source, government-off-the-shelf (GOTS), etc. The National Checklist Program (NCP), defined by NIST in Security Configuration Checklists for Commercial IT Products, provides guidance on this topic and maintains a checklist repository (the NCP Checklist Repository); an example entry is the Desktop Applications General STIG. NIST also maintains the U.S. government repository of standards-based vulnerability management data [18]. SCAP, the Security Content Automation Protocol, is the set of specifications in which such checklists are expressed so that a system's configuration can be checked automatically; simply put, an enterprise follows a SCAP-expressed checklist to improve its cybersecurity posture. NIST publications in this area are developed in accordance with NIST's statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C.

For application security, the primary aim of the OWASP Application Security Verification Standard (ASVS) Project (GitHub: OWASP/ASVS; PDF: OWASP Application Security Verification Standard 4.0-en) is to provide an open application security standard for web apps and web services of all types. For mobile applications, NIST SP 800-163, Vetting the Security of Mobile Applications, describes an app-vetting process; vetting not only helps prevent the exposure of security defects and vulnerabilities, but also helps you see your app through the eyes of cyber criminals and attackers. The Federal Risk and Authorization Management Program (FedRAMP) increases confidence in the security of cloud solutions with consistent security authorizations using a baseline set of agreed-upon standards [13].

The NCCoE mobile device security building block (NIST SP 1800-4)

Mobile devices, such as smart phones and tablets, typically need to support multiple security objectives: confidentiality, integrity, and availability. Enterprises face the challenge of ensuring that mobile devices connected to their networks can be trusted to protect sensitive data as it is stored, processed, and transmitted. When a device is utilized for organizational and personal activities, the ability to isolate data is essential.

The National Cybersecurity Center of Excellence (NCCoE) applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions, working under Cooperative Research and Development Agreements (CRADAs) with interested collaborators, including smaller companies specializing in IT security. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to recreate the example solution. The NIST SP 1800-4 series of documents (contributors named on the page include Spike E. Dog) describes a mobile device deployment alongside an associated enterprise mobility management (EMM) system that implements a set of security characteristics. It proposes a system of commercially available technologies that provides enterprise-class protection for mobile platforms accessing and interacting with an enterprise, and gives readers the lists, configuration files, and other information they need to implement a similar approach. The problem statement for this building block [1] describes a large number of security and functional characteristics and capabilities; the original problem definition document [1] defines a superset of those characteristics, and it was used in creating the scenarios included in the building block definition document. Related NIST guidance includes NIST SP 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise; NIST Interagency Report 8144, Assessing Threats to Mobile Devices & Infrastructure, produced by the Mobile Device Security Project team; and NIST Interagency Report 8055, which demonstrates derived personal identity verification (PIV) credentials for enhanced identity services such as two-factor authentication.

The following mobile devices were used throughout this project: an iPhone 6 (iOS 8.3), a Motorola Android device, and Windows phones (the page's device list is incomplete). Mobile applications deployed to the devices that support the functional and security characteristics of the build were Lookout Mobile Threat Protection (MTP), the Intune MDM client (Company Portal), and Outlook.

Architecture of the cloud and hybrid builds

The build documents the functional and network architectures of both a cloud build and a hybrid build. The security characteristics of the hybrid build closely resemble the characteristics in Section 4.1.2, Cloud Build Security Characteristics. An organization that decides to adopt the cloud-based EMM services can complete setup in less than a few hours. Although the policies below were used for the building block, organizations need to perform their own assessments to determine the policies appropriate to them.

Identity: First, the architectural decision was made to use identity federation services that are realized through AD FS and Microsoft's AD Authentication; the AD service offered by Office 365 (Azure AD) can be selectively synced with on-premises AD DS via the Azure AD Sync Tool. AD DS stores directory data and manages communication between users and domains, including user log-on processes, authentication, and directory searches. Office 365 synchronizes with AD DS 2012 R2 to provide email, contacts, and calendaring services. One component acts as a security barrier by not allowing direct access into the AD environment from the internet and is not joined to the domain itself. The exact method for DNS acquisition and management is unique for each registrar and enterprise and is therefore not covered; a registrar was chosen and used throughout the guide.

Enrollment and access control: When users access enterprise services on their device, their devices are enrolled into an EMM (Microsoft Intune/SCCM and Office 365 MDM, or System Center 2012 R2 Configuration Manager in the hybrid build). The goal was to ensure that only currently enrolled devices could access organizational resources; email was not accessible until the device was enrolled. Intune and Office 365 MDM block access to enterprise resources from untrusted mobile devices, and the Intune connector for SCCM enables blocking access policies for mobile devices. During the EMM enrollment process, users are presented with a direct link to the device's application store in the Company Portal; the Company Portal application can be downloaded directly onto the device from the platform application store, and it periodically queries the EMM for policy. Once enrolled, policies, such as the requirement to use an eight-digit passcode, are defined and then pushed to the device via a secure communications channel; how quickly they take effect depends on the syncing periodicity configured in Intune. In the hybrid build, the on-premises SCCM system detects a new user, who is automatically added to the Intune collection; removing the user from the Intune collection on the SCCM server triggers a selective wipe and unenrolls the device, and the MDM can also trigger a full wipe of a lost or stolen device. Users were sometimes frustrated with policies pushed from an enterprise MDM, and one of the items most affecting a user's experience is the implication of enrolling a personal device into an MDM.

Data protection: The build chose to examine the capability of protecting data at rest. Each mobile OS protects data on the device via a lock screen and the encryption capabilities provided by the OS (full-device encryption, with an OS-level capability to force encryption of removable media where supported). The Android implementation has not been FIPS 140-2 validated, although it uses the same crypto library. Intune/SCCM MAM policies add an additional layer of application-level encryption to email and Outlook application-related data via Microsoft managed application policies [31]; an application isolation solution, such as a secure container providing application-level encryption, can additionally be provided. The Outlook application uses a TLS tunnel to communicate with the Office 365 email, calendaring, and contact services that live in the cloud. Attachments can be restricted to expressly allowed file types by enabling the file attachment filter in Office 365.

Device policies pushed by Intune/SCCM and Office 365 MDM include: requiring that a device unlock code be set, with certain complexity requirements; limiting the number of allowed unlock attempts and wiping the device after unsuccessful unlock attempts; locking the device after a period of inactivity (e.g., five minutes); requiring device encryption; restricting which application stores may be used; restricting application permissions and the data that can be shared between applications; and installing or removing applications from managed devices. Each of the mobile platforms has integrity-checking mechanisms; Intune/SCCM offer root detection on devices and verify that application code has not been modified. While application verification is a valuable security feature, it does not ensure that the application itself is secure or free of malware. The MDM inventory did not monitor applications downloaded from other sources such as Google Play.

Monitoring: Finally, the Lookout MTP service provides monitoring of enrolled devices for malware risks on Android devices; the Lookout Security Platform provides the back end to the threat protection mobile application to identify risks on the device. To enroll in the Lookout service, a user supplies the application with his or her email address and a unique code received via email. Administrators are able to receive predefined alerts (e.g., malware on a device) through the SCCM workflow; in SCCM, a noncompliance severity can be set so that a Windows event is generated for subsequent reporting and review.

Hardware-rooted capabilities: Some protections are implemented in firmware (e.g., by using ARM TrustZone, or the trusted platform capabilities of Windows Phone). Organizations may wish to ensure that the devices they support include these desirable hardware/firmware capabilities. Each of the OSes in use was examined and found to offer native process-isolation functions.

Threats: Below are common threats to mobile devices listed on the page: vulnerabilities in installed applications, including installation of vulnerable applications and repackaged versions of legitimate applications (carrier-installed applications can be particularly troublesome because they can be difficult to remove); exploitation of vulnerabilities in the mobile OS or in firmware; loss of confidentiality; unauthorized access to personal and enterprise data; exfiltration of personal or enterprise data; and violation of an employee's expectation of privacy as a result of an enterprise monitoring an employee's personal device.

Standards mappings: The page's tables identify security characteristic standards mappings for data protection, data isolation, device integrity, monitoring, and identity and authentication. Controls cited in reference to subcategories include NIST SP 800-53 CA-9(1), CM-2, CM-6, CM-6(1), CM-6(2), CM-7(4), CM-8(2), CM-8(4), IR-5, SC-3(1), SC-8 (Transmission Confidentiality and Integrity), SC-39 and SC-39(1); Cybersecurity Framework subcategory PR.AC-1 (identities and credentials); and ISO/IEC 27001 controls 13.1.1 and 14.1.3. The cited sections provide validation points that the example solution would be expected to exhibit. For more information on each of these, reference Section 6.

References
(1, 2) S. Quirolgico et al., Vetting the Security of Mobile Applications, NIST SP 800-163, Gaithersburg, Md., Jan. 2015.
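The device-policy list and enrollment flow above amount to a compliance evaluation: an EMM compares a device's reported state against the pushed policy and decides whether the device may reach enterprise resources. The following Python block is an added example written for this page; it is not NIST, Intune, SCCM or Lookout code. The record fields, policy thresholds and decision labels are assumptions chosen for illustration, and the two inventory records are constructed.

```python
"""Added example (not NIST, Intune or SCCM code): evaluate a device inventory
record against an EMM-style compliance policy of the kind listed above and
derive a conditional-access decision. All field and policy names are
assumptions chosen for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, description)


@dataclass
class Policy:
    require_unlock_code: bool = True
    min_passcode_length: int = 8          # the build pushed an eight-digit passcode
    require_encryption: bool = True
    max_failed_unlocks: int = 10          # wipe after this many failed unlock attempts
    max_inactivity_minutes: int = 5       # lock after inactivity (e.g., five minutes)
    block_rooted: bool = True             # root/jailbreak detection
    min_os_version: Dict[str, Tuple[int, ...]] = field(
        default_factory=lambda: {"iOS": (8, 3), "Android": (5, 0)})  # assumed minimums


@dataclass
class Device:
    device_id: str
    os: str
    os_version: str
    enrolled: bool
    passcode_set: bool
    passcode_length: int
    encrypted: bool
    wipe_after_failed_unlocks: Optional[int]   # None: wipe-on-failure disabled
    inactivity_lock_minutes: Optional[int]     # None: no inactivity lock
    rooted_or_jailbroken: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.3.1' -> (8, 3, 1); non-numeric parts count as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def evaluate(device: Device, policy: Policy) -> List[Finding]:
    """Return every policy violation; 'critical' findings block access outright."""
    f: List[Finding] = []
    if not device.enrolled:
        f.append(("critical", "device is not enrolled in the EMM"))
    if policy.block_rooted and device.rooted_or_jailbroken:
        f.append(("critical", "device is rooted or jailbroken"))
    if policy.require_unlock_code and not device.passcode_set:
        f.append(("critical", "no unlock code set"))
    elif device.passcode_set and device.passcode_length < policy.min_passcode_length:
        f.append(("warning", f"passcode shorter than {policy.min_passcode_length}"))
    if policy.require_encryption and not device.encrypted:
        f.append(("critical", "device storage is not encrypted"))
    wipe = device.wipe_after_failed_unlocks
    if wipe is None or wipe > policy.max_failed_unlocks:
        f.append(("warning", f"wipe after failed unlocks not set to <= {policy.max_failed_unlocks}"))
    lock = device.inactivity_lock_minutes
    if lock is None or lock > policy.max_inactivity_minutes:
        f.append(("warning", f"inactivity lock not set to <= {policy.max_inactivity_minutes} minutes"))
    minimum = policy.min_os_version.get(device.os)
    if minimum is not None and parse_version(device.os_version) < minimum:
        f.append(("warning", f"{device.os} {device.os_version} is below the minimum "
                             f"{'.'.join(map(str, minimum))}"))
    return f


def access_decision(findings: List[Finding]) -> str:
    """'block' on any critical finding, 'remediate' on warnings only, else 'allow'."""
    if any(sev == "critical" for sev, _ in findings):
        return "block"
    return "remediate" if findings else "allow"


# Constructed sample inventory records (not real devices).
COMPLIANT = Device("iphone-01", "iOS", "8.3", True, True, 8, True, 10, 5, False)
ROOTED = Device("moto-02", "Android", "5.1", True, True, 6, False, None, 15, True)

if __name__ == "__main__":
    for d in (COMPLIANT, ROOTED):
        result = evaluate(d, Policy())
        print(d.device_id, access_decision(result), result)
```

The severity split mirrors the page's observation that SCCM lets an administrator set a noncompliance severity: a missing passcode, missing encryption, root detection or a non-enrolled device should deny access immediately, while weaker settings (short passcode, no wipe-on-failure, long inactivity timeout, old OS) are better surfaced to the user as remediation steps before the device is blocked.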
