Agencies navigate the identity-based security ecosystem
- By Brian Robinson
- Mar 06, 2015
First of two parts.
For most of the history of the Internet, security has meant stopping attackers from breaching the walls surrounding networks and computer systems. While that’s still important, identity systems – and the electronic formats for managing them – have become the top priority for organizations looking to safeguard the government data attackers now target.
Homeland Security Presidential Directive-12, put into action in 2005, is the basic policy underlying the use of security credentials in the federal government. The Obama administration took that a step further in April 2011, with the release of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which set a focus on public/private collaboration to "raise the level of trust" associated with online identities.
Following a rash of high-profile data breaches in both the public and private sectors in 2014, the Obama administration has raised the pressure even more. In October it issued an executive order aimed at cutting down on identity-related crimes and directed various agencies to start issuing credentials with stronger security by the beginning of this year.
The government “must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system,” Obama said.
Even before the release of the order, the market had been responding to this need by providing multi-factor authentication that has stopped many common types of attacks, according to Jeremy Grant, the senior executive for identity management at the National Institute of Standards and Technology. Grant also heads the NSTIC National Program Office.
“Through more than a dozen NSTIC pilots, the private sector has demonstrated material progress in advancing more secure, privacy-enhancing, easy-to-use identity solutions," he said in a recent blog post. "It's time for the government to make sure our own services are embracing the best the market now has to offer."
Government agencies at least now understand the need to become more data-centric in how they look at security, said Jerry Irvine, chief information officer at Prescient Solutions and a member of the National Cyber Security Task Force.
The use of data-supported security has become more urgent even though traditional forms of perimeter-based security such as firewalls, intrusion detection systems and virus detection continue to be the most common solutions currently used, according to Irvine.
What’s more, mobile phone proliferation has exposed agencies to a steady shifting of vulnerability across their networks.
“Firewalls look like so much Swiss cheese these days because there are so many open ports and types of applications that people are allowed to access from their mobile phones and other devices and through the Internet," said Irvine.
"Now it's become a matter of seeing how you can better secure data with … protocol protection, access control rights and data loss prevention applications,” he said. And managing the identities and security credentials needed for that is no small project.
For one thing, each agency has its own needs when it comes to security and the level of information assurance it can apply to its data. For example, military and intelligence agencies will have different requirements from the National Oceanic and Atmospheric Administration.
The idea of what identity actually means within an agency may also change over time, said Jill Canetta, public sector vice president for Experian, a global data analytics company.
"It's no longer just about being able to prove the identity of an individual, but also what attributes are needed for that," she said. "We are also seeing an evolution from identity proofing to identity relationship management, as there is more of a need to see how a particular identity and the relationships it's had with various devices and other things that are also assigned identities on a network have changed."
Mobile is proving to be a particularly thorny ID management challenge, given the explosion of smartphones and other mobile devices in government. It’s also not an easy one to fix, according to mobile security experts.
The way government employees and contractors use their personal identity verification (PIV) cards to log on to desktop systems, for example, is not readily transferable to the mobile arena. Desktop users normally put their cards into a reader on the computer and leave it there, so having to take it out for use with mobile card readers is an ongoing ergonomic challenge.
NIST's release of special publication 800-157 in December of last year, which describes technical details by which PIV credentials can be provisioned on mobile devices in lieu of a physical smart card, could go a long way to solving the problem.
While it may take a while for the derived PIV credentials to make their way into products, they are already prompting changes.
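To make the derived-credential idea concrete, here is an added example in Go (not code from the article, NIST, or any vendor named in it) that models the flow SP 800-157 describes at a high level: a constructed agency CA certifies a key that lives on the PIV card; to enroll a mobile device, the holder proves possession of the card by signing an enrollment challenge, and the CA then certifies a second key that the device generated and keeps in its own key store, bound to the same subject. The relying-party check verifies the chain, the revocation status, and a challenge signature. The issuer name, subject names, nonces and the `derivedFrom` link table are all constructed for the example; a real deployment would use the card's PIV Authentication certificate and CRL/OCSP status rather than an in-memory map. The model also enforces one lifecycle rule a practitioner should confirm in any derived-credential deployment: when the card is terminated, credentials derived from it must stop working too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issuer is a constructed stand-in for an agency PIV certificate authority and its revocation records.
type Issuer struct {
	cert        *x509.Certificate
	key         *ecdsa.PrivateKey
	serial      int64
	revoked     map[string]bool   // certificate serial -> revoked
	derivedFrom map[string]string // derived-credential serial -> serial of the PIV card it was issued against
}

// NewKey generates a P-256 key pair where a credential lives (card or device); only the public half is ever sent out.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// certify builds and signs a certificate; a nil parent yields the self-signed agency CA.
func certify(serial int64, subject string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewIssuer creates the agency CA. Its key is the only one the issuer holds; cardholder and device keys stay with their owners.
func NewIssuer() (*Issuer, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	cert, err := certify(1, "Example Agency PIV CA", &key.PublicKey, nil, key)
	return &Issuer{cert: cert, key: key, serial: 1, revoked: map[string]bool{}, derivedFrom: map[string]string{}}, err
}

// Issue certifies a public key generated on a PIV card or a mobile device for the named subject.
func (is *Issuer) Issue(subject string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	is.serial++
	return certify(is.serial, subject, pub, is.cert, is.key)
}

// IssueDerived provisions a derived PIV credential: the holder proves possession of the PIV card by signing the
// issuer's challenge with it, then the device-generated key is certified for the same subject and linked to the card.
func (is *Issuer) IssueDerived(pivCert *x509.Certificate, devicePub *ecdsa.PublicKey, challenge, pivSig []byte) (*x509.Certificate, error) {
	if err := is.Authenticate(pivCert, challenge, pivSig); err != nil {
		return nil, err
	}
	cert, err := is.Issue(pivCert.Subject.CommonName, devicePub)
	if err != nil {
		return nil, err
	}
	is.derivedFrom[cert.SerialNumber.String()] = pivCert.SerialNumber.String()
	return cert, nil
}

// Revoke records a certificate as revoked, e.g. when a PIV card is terminated; derived credentials follow the card.
func (is *Issuer) Revoke(cert *x509.Certificate) { is.revoked[cert.SerialNumber.String()] = true }

// Sign computes the holder's response to a relying party's challenge, on the card or device holding the key.
func Sign(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authenticate is the relying-party check: valid chain to the agency CA, nothing revoked (including the source card), correct challenge signature.
func (is *Issuer) Authenticate(cert *x509.Certificate, challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(is.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	serial := cert.SerialNumber.String()
	if is.revoked[serial] || is.revoked[is.derivedFrom[serial]] {
		return errors.New("credential, or the PIV card it derives from, has been revoked")
	}
	h := sha256.Sum256(challenge)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("challenge signature does not verify under the certified key")
	}
	return nil
}
```

The design point worth noticing is that the device key never touches the issuer or the card: provisioning transfers trust, not key material, which is what lets a phone authenticate without a card reader. The price is a second credential whose status must track the card's, so a deployment needs a reliable path from card termination to derived-credential revocation, here modeled by the `derivedFrom` lookup inside `Authenticate`.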
“The guidance has helped move some projects from pilot to development," said Paul Nelson, chief technology officer for Thursby Software Systems, a government IT integrator. "The trick is how to provision devices with necessary certificates,” he said. “The [National Security Agency] thinks it can make it work, and the DOD supposedly has an aggressive schedule where they want to get something out by July of this year."
In fact, this could be the year when the government smart card reader market dries up, according to Nelson.
“If the government is not willing to commit to readers as its credential authentication solution in significant numbers, then there’s going to be no reason for us to continue making them,” he said. Mobile authentication will, by default, then become a software-based solution.
Meanwhile, other identity-based security problems that must be grappled with are piling up across the government security community.
So-called insider threats, where data and systems are compromised – by willful theft or employee error – are becoming a major problem, for which the Edward Snowden and Wikileaks breaches are just the most notorious examples.
Inside attackers are becoming much more sophisticated in how they do their work, increasingly targeting the theft of security credentials themselves.
And despite such measures as SP 800-157 and NSTIC, there are still "fundamental questions about whether we have the technologies we need, and whether they will work on the scale we intend, to be able to do such things as identity-driven encryption," said Mark Cohn, chief technology officer of Unisys Federal Systems, who contributed to the technical basis for NSTIC.
"I would hope that, by the end of this decade, we will wrestle these issues to the ground, but I'm not optimistic that we know yet exactly how we are going to do that," he said.
NEXT: 5 tools for improved identity management
Brian Robinson is a freelance technology writer for GCN.