NIST Seeks Feedback on Draft Guidelines for Securing Mobile Devices

By Anthony Freed | November 02, 2012


Sure, you love your razor-thin mobile phone with the extended battery life, but the price of that size and convenience is the loss of the hardware-based security features we are accustomed to in other devices such as desktops and laptops. To accelerate the implementation of new technologies for better security in mobile devices, the National Institute of Standards and Technology (NIST) is seeking feedback on proposed baseline standards for implementing hardware-based security solutions, or alternatives to them, for smartphones and tablets.

Laptop and desktop systems establish a level of user trust in their security through a separate processor chip that is for the most part immune to tampering, but the small size and limited power supply of mobile devices mean that manufacturers have had to go without these hardware-based security solutions. NIST is seeking alternative measures manufacturers can take to increase security and user trust.

"Many mobile devices are not capable of providing strong security assurances to end users and organizations. Current mobile devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts," NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices states.

NIST's guidelines were inspired by the increased use of mobile devices in the workplace, in both government and the private sector. The draft is intended to create a baseline for the development of security technologies that are compatible with a wide array of mobile devices, including both those issued by organizations and the personal devices employees bring into the workplace, a practice commonly referred to as BYOD (Bring Your Own Device).

"These guidelines are intended to help designers of next-generation mobile phones and tablets improve security through the use of highly trustworthy components, called roots of trust, that perform vital security functions," said one of the publication's authors, Andrew Regenscheid, NIST's lead for Hardware-Rooted Security.

In brief, the proposed guidelines recommend the following three features be developed for mobile operating systems and associated applications to ensure device integrity, isolation and protected storage:

  • Roots of trust, which are combinations of hardware, firmware and software components that are designed to provide critical security functions with a very high degree of assurance that they will behave correctly;

  • An application programming interface that allows operating systems and applications to use the security functions provided by the roots of trust; and

  • A policy enforcement engine to enable the processing, maintenance and policy management of the mobile device.

NIST requests that any feedback and comments on the draft guidelines be submitted by December 14, 2012, to
