E-authentication: What IT managers will be focusing on over the next 18 months
- By Shawn McCarthy
- Jul 31, 2013
If you are a federal systems manager working in government today, chances are good that, over the next 18 months, you will be focusing heavily on identity management and authentication.
This boost in electronic authentication solutions is triggered by several factors, including the growth of new cloud solutions, the migration to enterprisewide authentication as storage and shared databases are centralized, and the growth of new types of integrated systems — such as those created in mash-up environments.
Today's sprawling IT environments mean that it's more important than ever for person-to-machine and machine-to-machine identities to be properly established for each connection. Across the federal government, more than $70 million will be spent on identity management solutions in fiscal 2013, and about the same will be spent in 2014, according to the Office of Management and Budget.
For IT managers embarking on such efforts, a good starting point is OMB Memo M-04-04, which focuses on e-authentication guidance for federal agencies. Even though the memo is nearly 10 years old, it's still the most highly cited directive for authentication, and it provides a useful outline for the decision process agencies are likely to follow when evaluating e-authentication.
At a basic level, e-authentication is the process of establishing confidence in user identities electronically presented to an information system. A key message within the memo is that OMB encourages agencies to make decisions on the type of e-authentication posture they want to enforce. There are different levels of need, and it doesn't make sense to pay for the most secure systems if they aren't necessary.
Four levels are described:
- Level 1: Little or no confidence in the asserted identity’s validity.
- Level 2: Some confidence.
- Level 3: High confidence.
- Level 4: Very high confidence.
This is not a decision that should be made arbitrarily. Each agency needs to conduct a risk assessment of their systems, identify and map those risks and make business decisions on which assurance level is acceptable for their systems. For example, when allowing guest access to the Wi-Fi system, and then to some portions of a public network, Level 1 authentication may be perfectly acceptable. But when allowing access to databases and important business applications, Level 3 or Level 4 may be more appropriate.
Next, the agency must select appropriate authentication solutions based on technical guidance for e-authentication. This will vary significantly based on the types of resources in question. More details on this process can be found in the National Institute of Standards and Technology's Electronic Authentication Guideline from 2011 (Special Publication 800-63-1, which has a follow-on Draft publication from this year, Draft SP 800-63-2).
Once the system is in place, organizations should conduct periodic risk assessments of their solution, and map how any newly discovered risks will be addressed. This may require new validation that a solution still meets its required assurance levels. If it does not, new configuration or programming may be needed, and new testing may be required after the work is done.
As spending plans associated with these types of investments are made, keep in mind that identity and authentication management is a solution that is tracked by OMB as a "primary investment area." So if you plan to install or improve a current identity management solution, OMB will want to know the associated system name and any associated ID number, as part of your agency's annual Exhibit 300 submission.
Also, an authentication solution usually requires compliance with the Federal Information Security Management Act, which can vary depending on the type of systems being connected. It might be worth enlisting the services of a cloud provider who handles authentication as a service. FISMA compliance is part of their approval process. The Homeland Security Department has been the most progressive agency for moving in this direction. Last year, DHS announced that over 30 applications were using AaaS; this year that number reportedly has grown to 70.
For background information on how e-authentication works with ID cards and HSPD-12, visit idmanagement.gov.
There's also the evolving space of mobile device authentication. Recently, Akamai Technologies, working with ID authentication provider Daon, announced the availability of Mobile Authentication as a Service (MAaaS). For the federal government, this solution is available as a cloud-based application through CGI Group.
The General Services Administration’s FedRAMP service has a process for those providers that wish to offer AaaS. Check out this document, which is intended to be used by cloud service providers, Third Party Assessor Organizations (3PAOs), and contractors that want to coordinate the certification of cloud-based eAuthentication requirements.
Cloud-based AaaS is poised to grow as demand for a quick authentication solution picks up — especially for connected resources that may be geographically disbursed. And if you haven’t considered it yet, the time to do so could be now.