[Fed-Talk] Trade group objects to proposed NIST mobile security guidelines
- Subject: [Fed-Talk] Trade group objects to proposed NIST mobile security guidelines
- From: Jeffrey Walton <email@hidden>
- Date: Tue, 18 Dec 2012 02:25:20 -0500
I question TIA's claims that a smartphone is like a laptop (top of
page two). When's the last time you heard an encrypted laptop hard
drive leaked passwords and other secrets like an iPhone's KeyChain?
There is definitely a gap in security controls. Confer:
http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords-faq.pdf.
http://www.networkworld.com/news/2012/121712-nist-tia-265172.html
A mobile security technology proposal drafted by the National
Institute of Standards and Technology (NIST) is being soundly rejected
by one of the main trade groups representing a broad cross-section of
industry.
NIST's "Guidelines on Hardware-Rooted Security in Mobile Devices,"
issued in draft form in October and out for public comment until last
Friday, has drawn sharp criticism from the Telecommunications Industry
Association, which labeled NIST's proposal as "over-prescriptive"
because it "suggests that security in mobile devices can only be
realized using a specific architectural implementation of secure or
trustworthy environment, namely the Trusted Platform Module (TPM)
architecture specified by the Trusted Computing Group (TCG)."
TPM is "one way to implement security in mobile devices but it isn't
the only way," said Brian Scarpelli, senior manager of government
affairs at Arlington, Va.-based TIA, adding that software-based
security can also be relied on. He indicated the TIA membership of
carriers and software vendors would prefer not to have to adhere to a
specific implementation to meet new federal guidelines for mobile
devices, and TIA is reaching out to NIST to voice its objections. TIA
industry membership includes carriers such as Verizon Communications
and Sprint Nextel, as well as Apple, Dell and VMware.
The TPM specification from the TCG is a hardware-based
cryptographic-processing technology that can be used for several
security purposes, primarily device integrity. TPM is used in desktops
and servers but not mobile devices at present. The National Security
Agency, for example, which influences technology decisions made at the
U.S. Department of Defense, has been an enthusiastic proponent of TPM.
TPM exists in much internal computer hardware today, though it appears
to suffer from lack of widespread deployment in part due to lack of
applications making it easy to deploy.
NIST argues for TPM by saying that "many mobile devices are not
capable of providing strong security assurances to end users and
organizations. Current mobile devices lack the hardware-based roots of
trust that are increasingly built into laptops and other types of
hosts."
NIST says it wants to "accelerate industry efforts" to use
hardware-rooted trust technologies, and specifically TPM, in mobile
devices such as smartphones and tablets that the federal government
would acquire. NIST criticizes today's mobile devices, saying they are
"vulnerable to 'jailbreaking' and 'rooting,' which provide device
owners with greater flexibility and control over the devices, but also
bypass important security features which may introduce
vulnerabilities."
NIST asserts in its guidelines proposal that TPM and hardware-based
root of trust is the model the federal government would like to see
for use in assuring device integrity and verification, and that this
would also help the government in adopting a bring-your-own-device
approach where government employees could use their personally owned
devices for work as well.
...