Safeguards Technical Assistance Memorandum Protecting Federal Tax Information (FTI) within a Mobile Device Environment
Today’s working environment has become increasingly distributed, with more telework and a highly remote workforce. Distributed employees need to stay connected to corporate computing resources and perform work remotely, which in turn has created the need for government agencies and corporations to provide access to proprietary or sensitive data (e.g., FTI) on mobile devices such as tablets and smartphones. Additionally, “BYOD” (Bring Your Own Device) arrangements that allow employees to use personally owned mobile devices to access data in the environment substantially increase the risk of introducing an untrustworthy and insecure device to the internal network.
Mobile devices present several unique security and management challenges when used to access corporate resources, including sensitive data. Mobile devices can store vast amounts of data, and many security options are not enabled by default, leaving the devices vulnerable to an unauthorized person gaining access to the information stored on them or accessed through them. In addition, due to their portable nature, mobile devices are susceptible to loss or theft. Another challenge is effectively tracking mobile device inventory. Many agencies do not have an effective mechanism to track the devices in their environment, or the networks from which connections to internal resources are initiated, making it very difficult to manage security consistently across all devices. These challenges highlight the need to raise the security posture of mobile devices in order to protect FTI that may be stored on or accessed from them. BYOD presents additional security and privacy challenges, as it may not be possible to fully manage the security of personally owned devices.
The scope of this memo is agency-owned and BYOD devices such as smartphones or tablets that rely heavily on network connectivity for many of their applications and functions. It is not intended to identify requirements for devices running traditional operating systems, such as laptops, since their security requirements differ considerably from those of mobile devices or devices with limited computing capabilities. NIST SP 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise, uses the following characteristics to define a mobile device; devices covered in this memo may have some or all of them:
- Small form factor
- At least one wireless network interface for Internet access
- Local built-in (non-removable) data storage
- Not a full-fledged desktop or laptop operating system
- Applications available through multiple methods
- Built-in features for synchronizing local data with a remote location
- Bluetooth or near-field communications
- Wireless network interfaces for voice communications (Cellular)
- Global Positioning Systems
- Camera (still and/or video)
- Support for removable media
- Support for using the device as removable media
Mobile Environment Components and Architecture
The security of FTI in a mobile device environment is dependent upon each component in the agency’s mobile infrastructure. The mobile infrastructure typically consists of the following components:
- Client Devices are the devices that communicate with the agency’s network, including but not limited to smartphones and tablets.
- Client Communication Networks include Wi-Fi, cellular networking, or other technologies that provide the mobile device with Internet connectivity.
- Network Perimeter Devices provide the access point for the mobile devices to access internal network resources, and typically include firewalls, routers, and VPN gateways. These devices control the flow of network traffic and protect internal network resources.
- Mobile Device Management (MDM) Software supports all deployed mobile devices providing capabilities to secure, monitor, and manage mobile devices, including application distribution and configuration of device settings.
- Authentication Servers provide authentication services to mobile device users, verifying the identity of remote mobile device users in order to authorize access to internal network resources.
Figure 1. Mobile Device Components and Architecture
Mandatory Requirement for FTI in a Mobile Device Environment:
To utilize FTI in a mobile device environment including BYOD, the agency must meet the following mandatory requirements:
- Mobile device management controls must be in place that include security policies and procedures, an inventory, and standardized security configurations for all devices.
- An annual risk assessment must be conducted of the security controls in place on all devices in the mobile environment used for receiving, processing, storing and transmitting FTI.
- Protection mechanisms must be in place in case a mobile device is lost or stolen. All data stored on the device must be encrypted including internal storage and removable media storage such as Micro SD cards.
- All data communication with the agency’s internal network must be encrypted using a FIPS 140-2 validated cryptographic module.
- The agency must restrict end users to downloading only authorized applications to the device, and limit access to FTI to those authorized applications.
- All mobile device management servers that store, receive, process, and/or transmit FTI must be hardened in accordance with Publication 1075 requirements.
- A centralized mobile device management solution must be used to authenticate agency-issued and personally-owned mobile devices prior to allowing access to the internal network.
- Security events must be logged for all mobile devices and the mobile device management server.
- The agency must disable wireless personal area networks (WPAN) that allow a mobile device to connect to a computer via Bluetooth, or NFC for data synchronization and/or storage.
- Access to hardware such as the digital camera, GPS, and USB interface must be disabled to the extent possible.
- Disposal of all mobile device component hardware must follow the media sanitization and disposal procedures in Publication 1075.
These requirements are explained in detail in the sections below.
#1 Mobile Device Policies and Procedures
Strong mobile device security policy and procedures should be developed to guide agency employees in the protection of FTI. At a minimum, the policy should cover the types of mobile devices permitted to access the agency’s resources, including FTI, and mobile device and server management and administration. It should also cover monitoring, training, acceptable use, encryption, passwords, client device security, and privacy. Agencies should enforce these policies through appropriate security controls.
Agencies should maintain a complete inventory of all mobile devices used to connect to their network. The inventory should be updated periodically, at least annually, to account for device changes. Agencies should also maintain standardized security configurations for their mobile devices (i.e., smartphones and tablets) so that a standard level of security is implemented while reducing vulnerabilities and lessening the impact of successful attacks. These configurations should be deployed to the appropriate devices and maintained throughout their lifecycle. Implemented correctly, standardized configurations can significantly reduce the time and effort needed to detect and correct unauthorized configuration changes, and to react quickly when new vulnerabilities are identified.
#2 Risk Assessments
Agencies are required to conduct a risk assessment (or update an existing one) prior to providing access to FTI in a mobile device environment, and to review it annually thereafter to account for changes to the environment. The risk assessment should identify threats and vulnerabilities against these devices, including a review of the security controls in place, to ensure that devices are able to function while minimizing residual risk.
The agency must have a good understanding of its mobile environment and its limitations, and be able to assess the risks based on the impact and likelihood of a data breach. For example, the agency may make a risk-based decision to allow only agency-owned mobile devices to access internal resources. Agencies that allow BYOD mobile devices may assess the risks of these devices and limit their exposure by implementing tiered levels of access: minimal access (e.g., email) for BYOD devices, and broader access (e.g., applications and data) for agency-owned devices.
#3 Physical Security
Portability is a major benefit of mobile devices; however, it also increases the likelihood of a device being lost or stolen. One of the simplest ways to protect against this risk is a policy stating that FTI must not be stored on any mobile device. If FTI must be accessed on mobile devices, agencies must implement controls that preserve the confidentiality of FTI in the event the device is lost or stolen.
If the device will be used to store FTI, all data stored on the device must be encrypted, including internal storage and removable media such as Micro SD cards. In addition, access to the internal storage and removable media should be restricted to the user assigned to the device. The IRS does not advocate specific encryption mechanisms as long as they use a FIPS 140-2 validated cryptographic module and are configured securely.
Removable media (e.g., Micro SD card) must be “bound” to a device such that encrypted information can only be decrypted when the removable media is attached to the device it is bound to, thereby mitigating the risk of offline attacks on the media.
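One way to realize this binding, as an added example in Go that is not from the memo or any vendor’s product: the card’s data key is derived from a secret that only the device holds and from the card’s serial number, and the serial is additionally authenticated with every record, so a card read on another device (or copied to another card) cannot be decrypted. The device secrets, card serials and the sample record are constructed for the demonstration; on a real device the secret would live in a hardware-backed keystore, and Go’s standard library is used only for illustration, not as a substitute for the FIPS 140-2 validated module production requires.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveMediaKey binds a per-card data key to one device: the key is an HMAC of
// the card identifier under a secret that never leaves the device (in production a
// hardware-backed keystore key; here a constructed 32-byte value). A card read on
// any other device, or by an offline attacker, has no path to this key.
func deriveMediaKey(deviceSecret []byte, mediaID string) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("fti-media-binding/v1:" + mediaID)) // domain-separated label
	return mac.Sum(nil)                                  // 32 bytes -> AES-256 key
}

func mediaAEAD(deviceSecret []byte, mediaID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveMediaKey(deviceSecret, mediaID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToMedia encrypts a record for storage on the card. The card identifier is
// also authenticated as associated data, so a ciphertext copied onto a different
// card fails to open even on the bound device.
func sealToMedia(deviceSecret []byte, mediaID string, plaintext []byte) ([]byte, error) {
	gcm, err := mediaAEAD(deviceSecret, mediaID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Layout on the card: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(mediaID)), nil
}

// openFromMedia reverses sealToMedia; a wrong device secret, a different card ID,
// or a modified ciphertext all surface as an authentication error.
func openFromMedia(deviceSecret []byte, mediaID string, sealed []byte) ([]byte, error) {
	gcm, err := mediaAEAD(deviceSecret, mediaID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(mediaID))
}

func main() {
	// Constructed secrets standing in for two devices' keystore keys.
	boundDevice := bytes.Repeat([]byte{0x11}, 32)
	otherDevice := bytes.Repeat([]byte{0x22}, 32)
	const card = "SDCARD-SN-0001" // hypothetical card serial used as the binding ID

	sealed, err := sealToMedia(boundDevice, card, []byte("FTI record: constructed sample"))
	if err != nil {
		panic(err)
	}
	pt, err := openFromMedia(boundDevice, card, sealed)
	fmt.Printf("bound device:   %q err=%v\n", pt, err)
	_, err = openFromMedia(otherDevice, card, sealed)
	fmt.Printf("other device:   err=%v\n", err)
	_, err = openFromMedia(boundDevice, "SDCARD-SN-0002", sealed)
	fmt.Printf("card ID moved:  err=%v\n", err)
}
```

The useful property is the failure mode: an attacker who pulls the card and images it has ciphertext and a serial number, but the HMAC derivation cannot be run without the device secret, so the offline attack reduces to brute-forcing a 256-bit key rather than a user PIN.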
Mobile device access controls must include the following:
- Use a secure password/PIN and/or other authentication (e.g., domain authentication or certificate based authentication) to access agency’s resources that contain FTI. Where capable, mobile device authentication controls must meet Publication 1075 standards for password complexity, length, and aging.
- The device should automatically lock an account after three failed login attempts.
- The device should automatically lock out after 5 minutes of inactivity.
- Features such as swipe-based visual passwords must be disabled.
- Passwords and keys must be stored encrypted and must not appear in caches or logs.
- Access to the device operating system must be limited to prevent rooting/jail breaking.
- The device must be configured so that an individual cannot reset it to factory default settings.
- Wireless network interfaces must be disabled when not in use.
If a device is lost or stolen, agencies must use remote wipe and/or kill switch functionality to remove sensitive information from it. The agency can also consider installing geo-location tracking software that provides similar functionality along with tracking services that can help locate a lost device. Since a remote wipe only reaches a device that is powered on and connected, the device must also be configured in advance to purge all data automatically after a defined number of unsuccessful attempts to gain access.
Lastly, educating the users to the risks of using the device in public should be a normal part of user briefings and annual security awareness training provided to employees.
#4 Encryption of Data in Transit
Mobile devices use many connection mechanisms outside agency control to reach agency internal networks (e.g., the Internet, cellular networks), and there is no guarantee that a public Wi-Fi network is appropriately secured. The organization should plan its security posture around the assumption that most devices will be accessing information over untrusted networks.
To reduce the threats and risks associated with untrusted networks, encryption must be used to protect data transmitted from the device to the agency’s systems. Most often this is accomplished with a VPN, or by having the device authenticate the corporate node with a trusted certificate before establishing an end-to-end TLS channel (SSL and TLS 1.0/1.1 are deprecated and should not be used). Agencies must ensure that all encryption implementations use a FIPS 140-2 validated cryptographic module; validation is evidenced by a CMVP certificate, and a vendor’s claim of “FIPS compliance” is not a substitute. Beyond that, the IRS does not advocate specific encryption mechanisms as long as they are FIPS 140-2 validated and configured securely.
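The authenticate-then-encrypt pattern just described, as an added example in Go that is not part of the memo: the device-side policy requires TLS 1.2 or newer, forward-secret AEAD cipher suites, and a root pool containing only the agency’s CA, and it is exercised against a corporate node run in-process on loopback. The node name vpn.agency.example and its self-signed certificate are constructed for the demonstration (in production the node presents a certificate from the agency’s PKI); the point shown is that a node whose certificate does not chain to the agency root is rejected before any data leaves the device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// nodeName is a hypothetical DNS name for the agency's VPN/TLS gateway.
const nodeName = "vpn.agency.example"

// selfSignedNode mints a throwaway certificate so the exchange runs offline. In
// production the node presents a certificate issued by the agency's PKI.
func selfSignedNode() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: nodeName},
		DNSNames:     []string{nodeName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// clientConfig is the device-side policy: TLS 1.2 or newer, forward-secret AEAD
// suites only, and the node must chain to a root in agencyRoots (never the
// device's general-purpose trust store).
func clientConfig(agencyRoots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName: nodeName,
		RootCAs:    agencyRoots,
		MinVersion: tls.VersionTLS12,
		// CipherSuites governs TLS 1.2 only; Go's TLS 1.3 suites are fixed and all AEAD.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// handshake runs the node on loopback, connects with cfg, and returns the
// negotiated protocol version. A node the client cannot authenticate yields an
// error before any application data is sent.
func handshake(node tls.Certificate, cfg *tls.Config) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{node},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake() // outcome is observed from the client side
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	node, leaf, err := selfSignedNode()
	if err != nil {
		panic(err)
	}
	agencyRoots := x509.NewCertPool()
	agencyRoots.AddCert(leaf)
	v, err := handshake(node, clientConfig(agencyRoots))
	fmt.Printf("agency node:  version=%#x err=%v\n", v, err)
	_, err = handshake(node, clientConfig(x509.NewCertPool()))
	fmt.Printf("unknown node: rejected, err=%v\n", err)
}
```

The second call is the case that matters on an untrusted network: an interposed gateway presenting any certificate the agency CA did not issue fails verification, so the channel is never established and no credentials or FTI are sent over it.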
#5 Third-Party Applications
With the growing popularity of mobile devices and apps, third-party applications have become easy to obtain. Because of their widespread adoption and number of security flaws, they are a favorite target for attackers; the more applications in use, the larger the attack surface. Apps are downloaded from various vendors and online stores (e.g., Apple App Store, Google Play), and each has access to different amounts of data and features of the device. Third-party applications are programs written to run within the operating system by individuals or companies other than the operating system vendor. Some apps are inherently riskier than others because they were not designed with security as a priority: apps are often rushed to market to offer more functionality, and security flaws result when security is not given proper consideration. Other apps are designed with malicious intent, for example to propagate malware, send spam, or record keystrokes to steal credentials.
Many of the risks associated with third-party apps can be reduced by robust security policy and procedures; however, these are typically easier to apply to agency-owned devices than to BYOD devices, since the agency has limited control over a personally owned device. The security configurations listed below must be implemented for all devices that access FTI:
- Perform a risk assessment on each third-party application before permitting its use on mobile devices that access FTI.
- Prohibit the installation of any unsigned third-party app. A valid signature establishes who published the app and that the code has not been modified since signing; it does not by itself establish that the publisher is trustworthy, so the signer should be checked against the approved publisher rather than merely for presence.
- Create application whitelists or blacklists: a whitelist enumerates the applications the organization approves for installation, a blacklist those that are prohibited.
- Limit application access to sensitive information by creating a sandbox for agency applications and data. The sandbox logically separates agency property from the rest of the device’s storage, whether internal or a removable card. (This is optional for agency-owned devices but required for BYOD devices, to provide enhanced application security on devices the agency does not own.)
- Monitor each device for signs of being “rooted” or “jail-broken”. Jail-breaking, like rooting, lets the user bypass the platform’s native protections and gain full access to the device, leaving it susceptible to security issues. Rooted or jail-broken devices must not be allowed access to agency resources.
- Agency policy must state that anti-malware software must be installed on the device. Most mobile devices have anti-malware available but users do not typically install them.
- Ensure applications are kept up to date with the latest vendor updates and patches.
These strategies mitigate the majority of the risks associated with third-party apps; however, users can still reach untrusted web-based applications through the browsers built into their mobile devices. While not required for IRS security compliance, prohibiting or restricting browser access, or using a separate browser within a secure sandbox, is a best practice for enhancing device security.
#6 System Component Hardening
Each system component that comprises the mobile device management architecture, including the mobile devices themselves, management and authentication servers, and network devices should be hardened in accordance with IRS Publication 1075. At a minimum, all components should be updated with the latest patches and configured following IRS standards.
All platforms supporting the mobile device infrastructure must be hardened to Publication 1075 standards by utilizing the Safeguards Computer Security Evaluation Matrix (SCSEM). These SCSEMs are available for download from the IRS Safeguards web site (http://www.irs.gov/businesses/small/article/0,,id=177651,00.html). A Mobile Device specific SCSEM is also included in this library, but agencies are encouraged to review all SCSEMs to achieve overall compliance for the components that comprise the mobile device infrastructure.
#7 Centralized Mobile Device Management
A centralized mobile device management solution will enable the agency to have control over agency-issued and employee-owned mobile devices used to access their network, agency resources, and FTI. The typical solution is a client/server architecture where one or more client applications are installed on each mobile device and configured to run in the background at all times. These solutions are very beneficial in managing mobile device deployments, as they provide the ability to quickly enroll devices in the agency’s enterprise services (e.g., domain authentication services and VPN), configure and update device settings, enforce security policies, secure mobile access to confidential data such as FTI, and remotely lock and wipe managed devices.
Agencies must manage all configuration and security settings on the agency-issued devices; however this may not be fully possible on BYOD devices since the agencies have limited control over the entire device. For BYOD devices where the agency has limited control over device settings, agencies should develop a sandbox area (e.g., encrypted space) on the device to segregate agency data and applications from the rest of the device. This will provide added security if a BYOD device is ever compromised, lost or stolen.
If there is not a centralized management solution available, or certain mobile devices cannot use it, then mobile devices have to be managed individually and manually to ensure compliance with IRS requirements.
#8 Audit Logging
All mobile device system components must comply with Publication 1075 audit logging requirements to the extent possible, capturing access, modification, deletion and movement of FTI by each unique user or device. The audit logging capability must automatically monitor, detect, and report policy violations in which a device configuration has deviated from the baseline secure configuration.
The agency should regularly review the system audit logs to ensure the confidentiality of FTI and compliance with agency policies. Audit logs should be stored on a separate logging server and retained for at least 6 years.
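A minimal form of that deviation check, as an added example in Go rather than any MDM product’s logic: it evaluates constructed MDM inventory records against the baseline this memo sets (encrypted storage, lockout after three failed attempts, a five-minute inactivity lock, no swipe-based password, no rooted devices, and an application allowlist keyed by package name and approved signer fingerprint, from the access control and third-party application sections above) and emits one JSON line per device for the separate logging server. The record fields, package names and fingerprints are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// App is one installed application as the MDM agent reports it: package name and
// the fingerprint of its signing certificate (hypothetical field names).
type App struct {
	Package string
	Signer  string
}

// DeviceReport is a constructed stand-in for one MDM inventory record.
type DeviceReport struct {
	DeviceID          string
	StorageEncrypted  bool
	MaxFailedAttempts int  // attempts before the device locks/wipes; 0 = unlimited
	InactivityLockSec int  // idle seconds before auto-lock; 0 = never
	SwipePattern      bool // swipe/pattern unlock enabled
	Rooted            bool // rooted or jail-broken per the agent's integrity check
	Apps              []App
}

// Finding names the requirement a device fails and why.
type Finding struct {
	Requirement string `json:"requirement"`
	Detail      string `json:"detail"`
}

const maxFailedAttempts, maxInactivitySec = 3, 5 * 60 // memo baseline: 3 tries, 5 min idle

// Evaluate compares a report against the baseline and the application allowlist
// (package name -> approved signer fingerprint). No findings means compliant.
func Evaluate(r DeviceReport, allow map[string]string) []Finding {
	var out []Finding
	add := func(req, detail string) { out = append(out, Finding{req, detail}) }
	if !r.StorageEncrypted {
		add("encryption at rest", "device storage is not encrypted")
	}
	if r.MaxFailedAttempts == 0 || r.MaxFailedAttempts > maxFailedAttempts {
		add("failed-attempt lockout", fmt.Sprintf("threshold %d, required at most %d", r.MaxFailedAttempts, maxFailedAttempts))
	}
	if r.InactivityLockSec == 0 || r.InactivityLockSec > maxInactivitySec {
		add("inactivity lock", fmt.Sprintf("timeout %ds, required at most %ds", r.InactivityLockSec, maxInactivitySec))
	}
	if r.SwipePattern {
		add("swipe password", "swipe-based visual password is enabled")
	}
	if r.Rooted {
		add("device integrity", "device is rooted/jail-broken; deny access to agency resources")
	}
	for _, a := range r.Apps {
		want, approved := allow[a.Package]
		switch {
		case !approved:
			add("application allowlist", "unapproved application "+a.Package)
		case a.Signer != want:
			// Approved name but a different signer: a repackaged or side-loaded build.
			add("application signer", "signer mismatch for "+a.Package)
		}
	}
	return out
}

type auditRecord struct {
	Time      string    `json:"time"`
	Device    string    `json:"device"`
	Compliant bool      `json:"compliant"`
	Findings  []Finding `json:"findings"`
}

// AuditEvent renders one evaluation as a single JSON line for the logging server.
func AuditEvent(r DeviceReport, findings []Finding, at time.Time) string {
	if findings == nil {
		findings = []Finding{} // emit [] rather than null for downstream parsers
	}
	b, _ := json.Marshal(auditRecord{at.UTC().Format(time.RFC3339), r.DeviceID, len(findings) == 0, findings})
	return string(b)
}

func main() {
	// Constructed allowlist and inventory; fingerprints are placeholders.
	allow := map[string]string{"gov.agency.ftiviewer": "sha256:aa11bb22"}
	reports := []DeviceReport{
		{DeviceID: "AGY-0001", StorageEncrypted: true, MaxFailedAttempts: 3, InactivityLockSec: 300,
			Apps: []App{{"gov.agency.ftiviewer", "sha256:aa11bb22"}}},
		{DeviceID: "BYOD-0042", StorageEncrypted: true, MaxFailedAttempts: 10, InactivityLockSec: 900, Rooted: true,
			Apps: []App{{"gov.agency.ftiviewer", "sha256:ff00ff00"}, {"com.example.flashlight", "sha256:12345678"}}},
	}
	for _, r := range reports {
		fmt.Println(AuditEvent(r, Evaluate(r, allow), time.Now()))
	}
}
```

Two details carry the security weight: a threshold of 0 (unlimited attempts, never locks) is treated as a violation rather than as a pass for being below the limit, and an approved package name with the wrong signer is reported separately from an unknown package, since that combination is what a repackaged copy of the agency’s own app looks like in inventory.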
#9 Personal Area Network
A WPAN (wireless personal area network) is a personal area network for interconnecting devices within a very short range. These are small-scale wireless networks that require no infrastructure to operate and they are most often used to connect to another device for synchronization and data sharing. WPANs may pose significant security risks if they are not managed appropriately and they should not be utilized to transfer FTI to another device.
Bluetooth capabilities on today’s smartphones make it easy to talk on a hands-free headset and transfer data, but they are also a target for attackers, who can take advantage of default always-on, always-discoverable settings to launch attacks. Users should disable Bluetooth when it is not actively in use and set the device to non-discoverable (hidden) mode. The agency should implement a policy stating that FTI must not be transmitted via Bluetooth.
NFC (near-field communication) allows devices to pair by simply “tapping” one against the other, followed by the user accepting the pairing with a single button press. If this function is not secured properly it may expose the device to eavesdropping and man-in-the-middle attacks. NFC should be disabled when it is not actively in use. The agency should implement a policy stating that FTI must not be transmitted via NFC.
#10 Hardware Access
Access to hardware such as the digital camera, GPS, and USB interface must be restricted to limit the exposure of malware and to prevent malicious attacks.
Quick Response (QR) codes are now found everywhere, relaying everything from videos and contact information to website links, and mobile devices use their cameras to scan and act on them. The risk is that the user cannot read the encoded content before acting on it: a QR code can point to a malicious site or download that, once followed, may access personal information on the phone or send messages through the user’s social media accounts. To mitigate this threat, digital camera functionality should be disabled on devices that will access FTI.
The USB interface allows a connected mobile device to act like a removable hard drive. If the mobile device, or the host it connects to, is infected with malware, this could adversely affect the agency’s network and may expose FTI to unauthorized individuals. Mobile devices that will access FTI must have anti-virus software to protect against viruses and malware. Because the device can act as removable storage, agencies should also implement policies to ensure that FTI is not transferred between devices.
Location services are widely used by map and direction applications to help users find nearby businesses and other points of interest. Like any sensitive data, location data can be abused by third parties: an attacker can use it to plan targeted attacks on individuals, for example by knowing exactly when a person leaves home and when they return. Agencies should disable location services, or prohibit their use, on devices that will access FTI.
Additionally, users should be educated about the dangers of posting their locations to social media sites. At a minimum, training should make users aware of the threat and cautious about how their online activity, and the work it reveals, could be interpreted and used against the agency.
#11 Disposal
When disposing of any mobile device component, the agency must remove all sensitive configuration information, including pre-shared keys and passwords, in accordance with the sanitization requirements in Publication 1075. In addition, the agency should ensure that its audit records are retained as needed to meet legal or other requirements.
Additional information can be found in the following documents:
- NIST Special Publication 800-124, Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise
- IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities
- The OWASP Top 10 Mobile Risks