Security credentials for the ‘non-person’
- By Brent Hansen, Dan Jeffers
- Oct 16, 2020
How does an organization provide security credentials for a robot? Those that haven’t started thinking about it yet soon will, as increased interest in robotic process automation (RPA) pushes government agencies to address that question.
In general, the government establishes the identities of entities in a public key infrastructure, with a securely stored private key and an associated digital certificate serving as the unique user credential. These are combined with a password that unlocks access to the securely stored credentials.
For a person, identity certification is easy, using either a smart card or a token. Of course, the standard certificate-based, multifactor authentication methods like smart cards and tokens have distinct limitations for what’s becoming known in the industry as “non-person entities” (NPEs).
When talking about a device, a software robot or other technology, tokens seem impractical to say the least – especially in cases where virtual machines are used and physical tokens can’t be accessed. Besides, “non-persons” don’t have any pockets in which to keep their cards or tokens.
The growth of robotics in federal processes
The concern about security for NPEs is coming to a head as the government is becoming increasingly focused on RPA. The President’s Management Agenda for IT Modernization aims to modernize IT to increase productivity and security by expanding the use of modern commercial technologies like RPA to improve efficiency, increase security and ultimately meet citizens’ needs.
In April 2019, the General Services Administration established a community of practice for RPA to help federal leaders share ideas, collaborate and explore ways that robotics can be effectively implemented in their agencies. The technology is being favorably received because with it, employees can spend less time on routine, repetitive jobs and focus more on mission-critical goals. In GSA’s view, RPA allows for an overall better customer experience, greatly reduced error rates and better management capabilities.
Despite these benefits, the very real challenge exists of how to grant security access to a thing, rather than a person. The Defense Department has issued basic instructions for authenticating the identity of all human and digital entities accessing DOD information systems, including the DOD network, DOD-managed environments, partner-managed environments, user-managed environments and untrusted environments.
The security concerns related to RPA are valid for all government agencies, not just DOD. In response to these concerns, industry is now offering hardware security modules (HSMs), certified up to FIPS 140-2 Level 3, to store user credentials. These devices can be accessed securely by endpoints in a distributed network. Where endpoints can’t use traditional tokens, these HSMs can extend authentication and sign-on for public-key-enabled websites or applications.
Replacing individual tokens?
Some such HSMs can, in fact, replace individual tokens by generating and protecting user credentials, which never leave the security boundary of the HSM. IT managers tasked with finding such a solution must ensure that the system can support multiple “credential bins.”
These credential bins are isolated locations in the module where private keys and certificates for individual entities are stored and cryptographically protected. Endpoints can access the credentials with passwords that correlate an internal credential directory with a corresponding bin.
To create a user experience similar to a traditional multifactor authentication login, a “credential client” should be installed at each necessary endpoint. Any time a certificate and its related private key are required, these clients communicate directly and securely with the HSM. The client determines the proper credential bin for the entity and sends the relevant password to the module; that password can itself be securely vaulted in the HSM. Once the password is validated, the endpoint can use the keys and certificates from the appropriate credential bin. For a non-person entity, the password step can be automated.
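A toy model of the credential-bin flow described above, added here as an illustration (it is not Thales code and not any real HSM API): each bin holds a key generated inside the module plus a PBKDF2 verifier for its password, the client maps an entity to its bin and supplies the vaulted password, and only signatures leave the module. HMAC-SHA256 stands in for the asymmetric signing operation, and every name, bin id and password is constructed.

```python
import hashlib
import hmac
import secrets

class CredentialBin:
    """One isolated slot: a key generated inside the module plus a password verifier."""
    def __init__(self, password: str) -> None:
        self._key = secrets.token_bytes(32)  # stands in for the private key; never exported
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(password)
        self.failed_attempts = 0

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def unlock(self, password: str) -> bool:
        # Constant-time compare so the module does not leak how many bytes matched.
        return hmac.compare_digest(self._derive(password), self._verifier)

class SimulatedHSM:
    """Toy module: credentials stay inside the boundary; only signatures come out."""
    MAX_FAILURES = 5  # lock a bin after repeated bad passwords (constructed policy)

    def __init__(self) -> None:
        self._bins: dict[str, CredentialBin] = {}

    def provision_bin(self, bin_id: str, password: str) -> None:
        self._bins[bin_id] = CredentialBin(password)

    def sign(self, bin_id: str, password: str, message: bytes) -> bytes:
        cred = self._bins[bin_id]
        if cred.failed_attempts >= self.MAX_FAILURES:
            raise PermissionError(f"credential bin {bin_id} is locked")
        if not cred.unlock(password):
            cred.failed_attempts += 1
            raise PermissionError("password rejected")
        cred.failed_attempts = 0
        # HMAC-SHA256 stands in for the private-key signature; the key stays in the module.
        return hmac.new(cred._key, message, hashlib.sha256).digest()

class CredentialClient:
    """Endpoint agent: resolves an entity to its bin and supplies the vaulted password."""
    def __init__(self, hsm: SimulatedHSM, directory: dict[str, tuple[str, str]]) -> None:
        self._hsm = hsm
        self._directory = directory  # entity -> (bin_id, password); constructed sample

    def sign_for(self, entity: str, message: bytes) -> bytes:
        bin_id, password = self._directory[entity]
        return self._hsm.sign(bin_id, password, message)
```

Note that no method returns a key: a relying party that wants to verify must ask the module, which is the property that lets the HSM rather than a pocketed token act as the credential boundary.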
Authentication solutions will be in increasing demand because of the growth of mobile or remote work in government and the wide variety of devices those workers use. This is especially true as the government contends with conducting business as usual despite pandemic isolation.
For the moment, though, the real concern is how to extend credentials not to workers, but to the things that make the workers’ jobs easier. The combination of a hardware security module and corresponding client-side automated lookup of credentials is undoubtedly where user authentication is heading in the age of “non-person entities.”
Brent Hansen is federal CTO of Thales Trusted Cyber Technologies.
Dan Jeffers is a sales engineer with Thales Trusted Cyber Technologies.