Mobile Security: Trade Group Opposes Proposed Guidelines
Finding fault in a recent proposal from the National Institute of Standards and Technology, the Telecommunications Industry Association is speaking out.
Is hardware-based mobile security the best medicine?
A recent proposal from the National Institute of Standards and Technology (NIST) says yes. But to hear it from the Telecommunications Industry Association (TIA), the approach is “over-prescriptive.”
So what’s the best option? More details:
The proposal: In October, NIST, a government agency, issued a draft proposal [PDF] suggesting that security measures for government-issued devices need to be hardware-rooted. “Unfortunately,” the proposal explains, “many mobile devices are not capable of providing strong security assurances to end users and organizations; these devices lack the hardware-based roots of trust that are increasingly built into laptops and other types of hosts.” The report, “Guidelines on Hardware-Rooted Security in Mobile Devices,” suggests a narrow form of mobile security called Trusted Platform Module (TPM)—a cryptographic-processing technology recommended by the Trusted Computing Group. TPM-approved devices are more commonly seen in laptops or desktops than mobile devices, where space is at a premium.
Arguments in favor: In the document, NIST argues that current mobile devices do not have nearly enough security mechanisms implemented to protect organizational data. “Organizations may wish to verify the integrity of a mobile device before granting it access to the organization’s information,” the proposal advises. “This verification provides some level of assurance that the organization’s information will be properly protected—for example, the device’s security adheres to policy, the device was not modified, the device is authorized to access the organization’s information, and locally stored information from the organization has its confidentiality and integrity protected.” The proposal, which aims to prevent modifications such as jailbreaking and rooting, is meant to apply to a variety of devices, including employee-owned bring-your-own-device (BYOD) hardware.
Arguments against: The TIA, which counts major mobile providers such as Verizon and Sprint among its ranks, along with phone makers like Apple and Dell, argues that such measures aren’t needed. “Today’s smartphones and tablet implementations support immutable, hardware-based root of trust that provide security features equivalent to those supported by laptops and personal computers,” the group said in the response [PDF]. It also warned that adding features such as TPM could force drastic design changes that may convince some manufacturers that the federal market is not worth it.
The TIA warns that such changes could hurt users.
“If this were to happen, it would bifurcate the [information and communications technology] market that currently successfully serves both government and private entity alike, and would deprive federal users of the benefits of the dynamic private research and development ecosystem,” the group said.