Guide to better security for mobile access to networks
- By William Jackson
- Dec 19, 2011
The National Institute of Standards and Technology has developed guidelines that address the growing use of remote access, setting standards to raise the security level for cell phones and other mobile devices used by government workers, contractors and citizens.
Revision 1 of the Electronic Authentication Guideline, Special Publication 800-63, provides technical guidelines that address the special challenges presented when someone is accessing resources across a public network such as the Internet.
It reflects the changes that have taken place in enterprise and personal computing since the document originally was released in 2006.
The proliferation of increasingly powerful mobile devices such as smartphones and tablet computers, and the growing availability of technologies such as public-key infrastructure to provide strong authentication of remote users, have changed the way systems control access to assets. Passwords are still the leading mechanism for authenticating user identity, but a growing number of systems rely on cryptographic keys or physical tokens. The revised guidelines address only traditional, widely implemented methods for remote authentication based on secrets.
Under traditional authentication models, each server offering content would maintain its own user accounts and credentials and do its own authentication. In today’s more dynamic environment, authentication can be distributed or entirely outsourced. Once an identity has been validated by a trusted party or system, it can be passed as an assertion to a variety of content servers.
The trust level of assertions is enabled through the Security Assertion Markup Language (SAML). Although SAML was emerging in 2006, it was not then widely used in government. It offers scalability, and its adoption represents one of the biggest changes in the revised guidelines.
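The checks a content server has to perform before it accepts an identity assertion from a trusted party are the same whether the assertion is SAML XML or some other encoding: is the signature valid, did it come from the issuer we trust, was it addressed to us, is it still within its validity window, and does it carry enough assurance for the resource requested? The following Python is an added illustration, not code from NIST or from the article; it models the assertion as a JSON object protected by an HMAC over a shared secret (an assumption for brevity; real SAML assertions carry an XML signature verified against the identity provider's public key), and the issuer URL and assurance levels are constructed values.

```python
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the guideline).
IDP_ISSUER = "https://idp.example.gov"
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _canonical(claims: dict) -> bytes:
    """Deterministic serialization so issuer and relying party hash the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(claims: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Identity-provider side: attach an HMAC-SHA256 tag to the claims."""
    tag = hmac.new(secret, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": tag}


def issue_assertion(subject, audience, assurance_level, now=None, lifetime=300):
    """Identity-provider side: build a short-lived assertion for one content server."""
    now = time.time() if now is None else now
    claims = {
        "issuer": IDP_ISSUER,
        "subject": subject,
        "audience": audience,            # the content server this assertion is for
        "assurance_level": assurance_level,
        "not_before": now,
        "not_on_or_after": now + lifetime,
    }
    return sign_assertion(claims)


def validate_assertion(assertion, expected_audience, min_level,
                       now=None, secret=SHARED_SECRET):
    """Content-server (relying party) side. Returns (accepted, reason).

    Order matters: verify integrity first so every later decision is made
    on claims that are known not to have been altered in transit.
    """
    now = time.time() if now is None else now
    claims = assertion.get("claims", {})
    expected_tag = hmac.new(secret, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, assertion.get("signature", "")):
        return False, "bad signature"
    if claims.get("issuer") != IDP_ISSUER:
        return False, "untrusted issuer"
    if claims.get("audience") != expected_audience:
        # An assertion minted for another server must not be replayed here.
        return False, "assertion not addressed to this server"
    if not (claims.get("not_before", float("inf")) <= now < claims.get("not_on_or_after", 0)):
        return False, "expired or not yet valid"
    if claims.get("assurance_level", 0) < min_level:
        return False, "insufficient assurance level"
    return True, "ok"


if __name__ == "__main__":
    a = issue_assertion("alice", "https://content.example.gov", 3, now=1000)
    print(validate_assertion(a, "https://content.example.gov", 3, now=1100))
```

The audience check is the one most often omitted in home-grown relying parties: without it, an assertion obtained for a low-value service can be presented to a high-value one, and the signature alone will not catch that.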
Agencies have the option of using services from companies that have had their authentication systems certified through the Federal CIO Council’s Trust Framework Provider Adoption Process (TFPAP). This program assesses credentialing processes against federal requirements, including those established in SP 800-63.
The revision also addresses other new options, such as mobile tools now in the hands of users that can be leveraged for authentication. One-time passwords can be sent out-of-band to a user’s cell phone, for instance. Cell phones were not new in 2006, but they were not as common as they are today and the original NIST guidelines did not address this technique. Today, cell phones are nearly ubiquitous.
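What makes an out-of-band one-time password safe to rely on is less the delivery channel than the server-side handling around it: a code drawn from a cryptographically secure generator, a short lifetime, a bounded number of guesses, and single use. The Python below is an added example written for this article, not NIST's or the author's code; the SMS or phone delivery is an assumption represented by a caller-supplied `send` callback, and the key, digit count, lifetime and attempt limit are constructed demo values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo parameters (assumptions, not values from the guideline).
OTP_DIGITS = 6
OTP_LIFETIME = 300        # seconds the code stays valid
MAX_ATTEMPTS = 3          # wrong guesses allowed before the code is discarded
SERVER_KEY = b"constructed-server-side-key-not-for-production"


def generate_otp(digits: int = OTP_DIGITS) -> str:
    """Uniform numeric code from the OS CSPRNG (secrets, never random.random)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class OtpStore:
    """Server-side record of pending out-of-band codes, one per user."""

    def __init__(self):
        self._pending = {}   # user -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(user: str, otp: str) -> str:
        # Keyed hash bound to the user: a plain hash of a 6-digit space is
        # trivially brute-forced from a leaked store, and binding the user
        # stops a code issued to one account being accepted for another.
        return hmac.new(SERVER_KEY, f"{user}:{otp}".encode(), hashlib.sha256).hexdigest()

    def start(self, user: str, send, now=None) -> None:
        """Mint a code, store only its keyed digest, and hand the code to the
        out-of-band channel (assumed to be provided by the caller)."""
        now = time.time() if now is None else now
        otp = generate_otp()
        self._pending[user] = {
            "digest": self._digest(user, otp),
            "expires": now + OTP_LIFETIME,
            "attempts": 0,
        }
        send(user, otp)

    def verify(self, user: str, otp: str, now=None):
        """Returns (accepted, reason). A code is consumed on success, on expiry,
        and after MAX_ATTEMPTS wrong guesses."""
        now = time.time() if now is None else now
        rec = self._pending.get(user)
        if rec is None:
            return False, "no pending code"
        if now >= rec["expires"]:
            del self._pending[user]
            return False, "expired"
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], self._digest(user, otp)):
            del self._pending[user]          # single use
            return True, "ok"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]          # lock out further guessing
            return False, "too many attempts"
        return False, "wrong code"


if __name__ == "__main__":
    store = OtpStore()
    delivered = []
    store.start("alice", lambda user, code: delivered.append(code))
    print(store.verify("alice", delivered[-1]))
```

The attempt counter is incremented before the comparison so that a guess which is wrong and also the last permitted one is counted; with a six-digit space and three guesses the chance of a blind hit is three in a million per code, which is what makes the short code acceptable at all.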
For transactions within government, the standard for identity management and authentication is the Personal Identity Verification card, the civilian government ID that contains digital certificates and biometric data for use in both logical and physical access. PIV is another technology that was emerging in 2006 and has since become widespread. But although most government employees have the PIV card, they are not yet broadly supported by technology. The challenge now is getting applications developed to support them for use in online authentication and for physical access control.
Because it is a government standard, PIV addresses only authentication within government and with contractors. It is not a general-issue card and is not intended to work with the wider public.
“Organizations outside the U.S. government have begun issuing credentials under a parallel set of policies and requirements known collectively as PIV Interoperability specifications,” the document states. These standards allow the private sector to develop cards that can be trusted by government.
Because of the biometrics, digital certificates and identity proofing procedures established in the standards, PIV cards and the non-governmental PIV-I cards meet requirements for the highest level of assurance established by the Office of Management and Budget for authentication.
This could make PIV Interoperability cards a practical tool for first responders in state and local government and in critical industries whose employees need to communicate and cooperate with federal officials during emergencies. Because they could operate at Level 4 assurance, PIV-I cards could be used in the most sensitive situations.
But the cards have not yet been widely adopted outside of government and Level 4 assurance comes at a cost, so PIV-I cards operating at this level of trust probably would not be cost effective for the general public. The standards do enable agencies to trust cards operating at a lesser level of assurance for accessing less critical resources.
William Jackson is a freelance writer and the author of the CyberEye blog.