NIST drafts mobile security guidelines for responder tech
There’s arguably been no corner of government that’s profited more from the mobile revolution than the first responder community. The ability to quickly access public safety data in the field is critical to first responders’ performance during emergencies.
With those benefits, however, come concerns over how to secure that access. At any one emergency site, there are likely to be a number of public safety personnel from several departments or jurisdictions, all working in different operational environments, using an array of applications on various devices and separate operating systems. That’s a nightmare for sharing, and for securing the highly sensitive information to which responders must all have access.
The National Institute of Standards and Technology is trying to overcome this concern with a proposed reference design for both multifactor authentication and mobile single sign-on. The standards are aimed directly at this public safety/first responder community.
Developed by NIST’s National Cybersecurity Center of Excellence (NCCoE), in collaboration with the responder community, the draft discusses all the standards-based technical options and trade-offs that public safety organizations will need to build out a range of mobile security services for their users.
Based on commercially available and open source products, the reference design should also “improve interoperability between mobile platforms, applications and identity platforms regardless of the application development platform used in their construction,” the NCCoE said.
That approach fits exactly with the kind of concerns organizations such as the National Association of State Chief Information Officers have expressed about cybersecurity, particularly in the age of the Internet of Things.
Public safety agencies must have a better understanding of the risks of the Internet of Everything, as well as a way to mitigate those risks. “Success will be predicated on an open platform that allows partners working together to use the same baseline technologies,” according to a NASCIO study.
The NCCoE project draft lays out a number of scenarios in which its framework would apply and describes a high-level architecture that could be used for mobile devices. It stresses that the reference design and implementation use a standards-based approach that uses the “native capabilities” of the mobile OS of the device.
The NCCoE wants comments on the proposed Mobile Application Single Sign-On project by Sept. 16.
Separately, NIST has produced the first draft of a new Digital Authentication Guideline, a part of its SP 800-63 line of electronic authentication technical and procedural guidelines that began in 2004. Given the increasing attention to cybersecurity over the past few years, the new publication is a fairly extensive overhaul of the authentication requirements government agencies are expected to follow.
Much of the public attention on the draft guidelines has landed on the fact that NIST is recommending phasing out -- “deprecating” in NIST jargon -- the use of out-of-band short message service (SMS) for authentication. That refers to situations when a bank, for example, will send a one-time code to a customer’s mobile phone that is used along with a password to gain access to accounts.
As NIST points out, there is a substantial risk that such an SMS message could be intercepted or redirected, particularly if the message is sent on a public network. Because of the risks involved, “implementers of new systems SHOULD carefully consider alternative authenticators,” NIST said. Out-of-band use of SMS in future releases of SP 800-63B likely won’t be allowed.
However, the guidelines offer far more, taking apart and putting back together again many different scenarios of multifactor authentication, as well as single-factor hardware and one-time password solutions. Many people have speculated on the end of the password for authentication purposes, but the guidelines stress its continuing value, albeit in very controlled circumstances.
The draft document also limits the value of previously accepted authentication methods, such as biometrics. At one time, biometrics were considered the best answer to access and security verification because of their supposed imperviousness to being copied or misused. Now, however, the NIST guidelines support “only limited use of biometrics for authentication,” and only when they are used with another authentication method.
Posted by Brian Robinson on Jul 29, 2016 at 12:47 PM