
The MDM server must encrypt all data in transit (e.g., mobile device encryption keys, server PKI certificates, mobile device databases) using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).


Overview

Finding ID: V-36242
Version: SRG-APP-264-MDM-224-SRV
Rule ID: SV-47646r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If data in transit is unencrypted, it is vulnerable to disclosure to anyone able to observe the network path between the MDM server and the managed device or peer management application. Even if both endpoints enforce permissions on the data they store, those controls do not protect the data while it is on the wire; encrypting it in transit ensures that confidentiality is preserved regardless of the trustworthiness of the intermediate networks. AES with an appropriate key length (128 bit minimum, 256 bit desired) provides assurance that the cryptography is adequate. This requirement applies to data transmitted to managed mobile devices and to other enterprise network management applications.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text ( C-44482r1_chk )
Review the MDM server configuration and the NIST FIPS 140-2 (CMVP) validation certificate of its cryptographic module to validate that the server encrypts data in transit with AES. Confirm that at least AES 128 bit encryption is used; a configuration that still allows a non-AES or shorter-key cipher to be negotiated does not meet the minimum. If the MDM server does not support AES encryption for data in transit, this is a finding.
Fix Text (F-40772r1_fix)
Configure the MDM server to use AES 128 or AES 256 encryption for data in transit, and disable any non-AES or weaker cipher suites so that only AES can be negotiated.
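The STIG says what to verify and fix but not how. The following is an added example, not part of the SRG or any vendor's MDM product, that assumes the MDM server protects its device and management channels with TLS: it classifies cipher suite names by AES key length, builds a server-side TLS context that offers only AES-GCM suites, flags any suite a context would offer that falls below the 128 bit minimum, and (when pointed at a live host) reports the suite the server actually negotiates. The host name in the usage block is hypothetical.

```python
"""Check and configure AES-only TLS for an MDM server's data in transit.

Added example, not part of the STIG. Assumes the MDM server uses TLS;
the host name used at the bottom is a placeholder.
"""
import re
import socket
import ssl
from typing import Optional

# OpenSSL and IANA suite names carry the AES key length, e.g.
#   ECDHE-RSA-AES256-GCM-SHA384, AES128-SHA, TLS_AES_128_GCM_SHA256
_AES_BITS = re.compile(r"AES_?(128|256)")


def aes_key_bits(cipher_name: str) -> Optional[int]:
    """Return the AES key length named by a cipher suite, or None if it is not an AES suite."""
    m = _AES_BITS.search(cipher_name.upper())
    return int(m.group(1)) if m else None


def meets_requirement(cipher_name: str, minimum_bits: int = 128) -> bool:
    """True if the suite uses AES with at least minimum_bits (128 per the STIG; 256 desired)."""
    bits = aes_key_bits(cipher_name)
    return bits is not None and bits >= minimum_bits


def compliant_server_context() -> ssl.SSLContext:
    """Server-side context offering only AES-GCM suites for TLS 1.2 and refusing older protocols.

    set_ciphers() governs TLS 1.2 and below only; TLS 1.3 suites are selected
    separately by OpenSSL and are AES-GCM or ChaCha20-Poly1305.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


def weak_cipher_names(ctx: ssl.SSLContext) -> list:
    """TLS <= 1.2 suites the context would offer that do not meet the AES-128 minimum.

    TLS 1.3 suite names start with "TLS_" and are not controlled by set_ciphers(),
    so they are skipped here and must be reviewed separately.
    """
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if not c["name"].startswith("TLS_") and not meets_requirement(c["name"])
    ]


def negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0):
    """Connect as a client and return (name, protocol, bits) the server actually negotiated.

    Network check for the STIG review: run it against the MDM server itself.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    import sys

    # Hypothetical MDM host; pass the real one on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "mdm.example.mil"
    name, proto, bits = negotiated_cipher(target)
    verdict = "OK" if meets_requirement(name) else "FINDING"
    print(f"{target}: {proto} {name} -> {verdict}")
```

A clean result from weak_cipher_names() on the server's own context covers the configuration half of the check; negotiated_cipher() covers the observed behaviour, which is what a reviewer should record. Neither replaces the FIPS 140-2 certificate review: the certificate shows the module is validated, the cipher check shows the server is actually configured to use it.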