Access control: Feds search for scalable solution

There are many practical technologies for verifying identity online. But tailoring them to meet the varied and growing demands for identity management and access control remains a challenge.

Verifying an identity to allow access to online resources really isn’t that hard. There are many ways of doing it. Passwords, biometrics, digital certificates and tokens all provide levels of identity assurance.

But that's the problem. Scaling multiple tools and making them work together to meet the growing and complex demands for identity management and access control remain a challenge for most enterprises.

“The number of applications [requiring authentication] is growing rapidly,” said Steve Shoaff, chief executive officer of UnboundID, which enables access controls for large-scale service providers. “There are also more users and more types of devices accessing them. No one can anticipate what application is going to take off next.”


Related stories:

Need to crack someone else's password?

Will digital certificates replace passwords?

‘Identity ecosystem' to replace passwords, draft strategy suggests

Our picks for the best password strategies


The situation is complicated by the varying levels of authentication. Some applications require only a minimum level, with little or no personal information. More sensitive applications, such as financial transactions, require more rigorous authentication that is closely tied to a person’s identity. That creates a difficult problem: providing a single system that can use a single set of credentials for the full range of authentication while preserving privacy — and doing all that on a large scale.

The Obama administration wants to enable that kind of large-scale authentication with its National Strategy for Trusted Identities in Cyberspace. The strategy, a draft of which was released last month for public review, is one of the near-term priorities identified in the 2009 Cyberspace Policy Review. The review called on government to “build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.” It is expected to be finalized this year.

The strategy was developed by an interagency working group to enable a framework for strong authentication. The goal was an ID ecosystem that spanned policy and technology, said Ely Kahn, cybersecurity policy director of the White House national security staff.

White House Cybersecurity Coordinator Howard Schmidt said the strategy would be a voluntary effort that requires the cooperation of the private sector in designing, building and maintaining the needed infrastructure and tools. “This strategy cannot exist in isolation,” he said.

The strategy, while not specifying technologies, sets four primary goals.

  • Develop a comprehensive identity ecosystem framework.
  • Build and implement an interoperable infrastructure aligned with that framework.
  • Build confidence in the system.
  • Ensure long-term success.

The strategy will be a foundation for laws, policies and programs that will build on existing efforts, such as Homeland Security Presidential Directive 12, which mandated the creation of an interoperable government ID credential. The resulting scheme will need to enable the appropriate level of security for multiple types of access while being interoperable and supporting federation schemes that allow the systems to scale with increasing demand.

The final standard is likely to build on work already done through the government’s federated public-key infrastructure program, which enables trusted partners with compatible policies to share authentication of digital certificates that other organizations issue. Federation expands the use of any scheme and removes the burden of a single organization needing to issue and manage certificates for an entire population of users.

Whatever framework they are based on, authentication systems need to support controls for access from outside a network in addition to access by insiders who might have privileged or administrative rights to a system.

Dealing with that environment means decoupling identity management and authentication from the application so that multiple applications can use the same interface and tools across and between enterprises. But the industry is in a state of flux, and buyers are still focusing on targeted solutions for identity management and access control rather than building enterprisewide systems from a single vendor, said Jackson Shaw, director of product management at Quest Software.

“Most customers are focusing on point solutions” because they are afraid of committing to a system that might not be supported in the long term, Shaw said. “I think customers are fed up with being locked into products” and would like to see more standardized commodities for authentication and access control. “But there has not been enough. It’s an emerging area.”

Creating a single, voluntary and interoperable infrastructure that will support multiple technologies will be a challenge. But some components already are in place in government, said Josh Shaul, vice president of product marketing at Application Security.

“Government is ahead of the curve, because they have very specific standards laid out” by the National Institute of Standards and Technology and Defense Information Systems Agency, Shaul said. “With this guidance, they have a plan to execute on. Industry still is struggling with plans and prescriptive guidance.”

However, having the guidance and technology in place does not guarantee an effective, large-scale interoperable infrastructure to support them. The government has rigorously authenticated identity and provided electronic ID cards that contain biometric data, digital certificates and cryptographic keys to millions of civilian and military personnel. But personnel are still using most of those cards in the same way they used old ID cards: Holders flash the photo ID to a guard at the door when entering a facility.

Although technology exists to use the cards to ensure a high level of identity assurance for physical and logical access, those tools, such as smart-card chip readers, often aren't in place.

The challenge is greater for agencies such as the Homeland Security Department, which is in the process of folding 24 data centers from its component agencies into two centers.

“They sit in the cloud now,” said a security analyst at DHS' IT Services Office, who spoke on the condition of anonymity. “I call the DHS data centers the field of dreams — build it and they will come.”

It is built — the two new data centers recently went into operation — and now they are coming. In some ways, assuring the security of those centers is simpler in a consolidated environment because there is a limited number of data centers to protect. The new data centers' policy enforcement tools provide access management controls to ensure that data can be secured at the appropriate level. So DHS doesn't need to default to the highest common denominator when placing security controls on data, making it easier to provide access to the appropriate personnel from different agencies.

But for trusted insiders, such as administrators with privileged rights, the consolidation makes security more problematic.

“They have the keys to the castle,” the analyst said. Having several dozen keys makes defending a single castle more difficult. “For the most part, the folks who control the data center consolidation need to provide the same level of security as with stand-alone centers.”

The trusted insiders might be trusted, but they are not infallible. If an administrator makes a change to one firewall, it could open holes elsewhere, turning what would otherwise be a minor vulnerability into an exploitable one. So DHS must not only control the access of those administrators in the data centers but also be able to monitor and track their activities.

Privileged Access

That level of access control is available with Xceedium GateKeeper, which can regulate privileged insiders.

“It is deployed as an access control gateway that can create virtual network segments on the fly to contain users to specific resources,” said Dave Olander, Xceedium’s senior vice president of engineering.

When administrators access a system, the Secure Sockets Layer virtual private network connection routes them to the hardened appliance, which allows access to the proper network segment after authentication. Along with access control, GateKeeper also restricts each user once inside and monitors and records their activity. The system operates with a lightweight agent that can enforce policy on each protected server. GateKeeper can enforce white- and black-list policies for applications and activities, producing a record of those activities to help detect and remedy mistakes or malicious acts.

DHS uses a white-list approach to specify only those actions that are allowed because “you can’t control all of the bad things,” and it is easier to specify the things that are allowed, the analyst said.

The network segments prevent users from moving from one device or virtual machine to another once inside the data center, Olander said.

The tool’s original use was for managing remote access, primarily in the financial industry, he said. It evolved for controlling privileged access and supports a variety of authentication techniques, including directories, local authentication databases, PKI and smart cards, and RADIUS servers.

The federal government comprises about 65 percent of Xceedium’s market. The DHS analyst said GateKeeper's purpose is not so much to prevent malicious activity — although it does that — but to watch for errors and correct unintended consequences. “It’s a great tool for lessons learned,” he said. “It’s a great tool for configuration control.”

The toughest part of access control isn’t finding the technology to enforce it but developing and maintaining the policies to be enforced, he said. Each user account can have multiple roles, with a specific set of access privileges for each role. Matching the privileges to roles and the roles to an account is a huge undertaking, he said. “That’s why we’re approaching it from the enterprise. It’s constantly changing.”
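As an added illustration of the approach this section describes, the following constructed example (not Xceedium’s or DHS’ code) shows a default-deny allow-list check in which an account holds several roles, each role carries its own set of permitted actions on a network segment, and every decision, allowed or denied, is written to an activity record for later review. The role, segment and action names are assumptions.

```python
"""Default-deny allow-list check for privileged actions, with an audit trail.

Constructed example: an account may hold several roles; each role maps to a
set of (segment, action) pairs that are explicitly permitted. Anything not on
the list is denied, and both outcomes are recorded so mistakes can be traced.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: which actions each role may perform, and on which segment.
# Only listed pairs are allowed; there is no block list to maintain.
ROLE_POLICY: dict[str, set[tuple[str, str]]] = {
    "db-admin": {("db-segment", "restart-service"), ("db-segment", "read-logs")},
    "net-admin": {("edge-segment", "edit-firewall"), ("edge-segment", "read-logs")},
}


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset[str]  # one account, possibly many roles


@dataclass(frozen=True)
class AuditRecord:
    when: str
    account: str
    segment: str
    action: str
    allowed: bool


def allowed_actions(account: Account) -> set[tuple[str, str]]:
    """Union of the permitted (segment, action) pairs over the account's roles.
    Roles absent from ROLE_POLICY contribute nothing, so a typo in a role name
    fails closed rather than open."""
    permitted: set[tuple[str, str]] = set()
    for role in account.roles:
        permitted |= ROLE_POLICY.get(role, set())
    return permitted


def authorize(account: Account, segment: str, action: str,
              log: list[AuditRecord]) -> bool:
    """Decide whether the action is on the allow-list and record the decision.
    Denied attempts are logged too: they are exactly the events an operator
    wants to see when reconstructing how a change went wrong."""
    decision = (segment, action) in allowed_actions(account)
    log.append(AuditRecord(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        account=account.name, segment=segment, action=action, allowed=decision,
    ))
    return decision


def denied_attempts(log: list[AuditRecord]) -> list[AuditRecord]:
    """Pull out the denials for review (the 'lessons learned' view)."""
    return [rec for rec in log if not rec.allowed]
```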

Public Access

Securing assets from trusted insiders is one side of the challenge to identity and access management. The other is scaling technology to support large-scale authentication and authorization for public access. UnboundID is targeting large enterprises and service providers, such as those that offer cloud infrastructure, with tools to scale and speed directory services.

The tool provides database functionality for directories and can replace or work with existing directories. It works with multiple types of authentication, supporting user names, passwords and digital certificates. Hardware tokens require an additional application.

The key to making that tool or any other access management scheme work on a large scale is federation, UnboundID’s Shoaff said. “It’s unrealistic to assume that everyone is going to agree on a common data standard or infrastructure, so strong federation capabilities are needed.”

Equifax is moving into the government market this year with a tool to make identity proofing, the front end of the identity management process, more effective.

“The lion’s share of the business we do today is being a credit bureau,” said Frank Blaul, vice president of Equifax Government Solutions. The company maintains records on more than 500 million consumer accounts and employment records at 81 million businesses. But during the past three years, it has invested $1.6 billion in acquiring data analysis technologies to make more use of this data.

Knowledge-Based Authentication

Equifax already provides business risk analysis for government by profiling companies and principals doing business with the government. It now plans to provide electronic authentication to the government through knowledge-based authentication. That technique would use statistical modeling with personal information in databases not generally available to the public. By asking a series of questions of the user, it can provide a strong assumption of identity online.

“We have the ability to deliver identity proofing to the widest possible population in the United States,” said Ron Carpinella, vice president of identity management at Equifax Government Solutions.

Equifax has started pushing knowledge-based authentication this year, offering it as a hosted service or software. It can substitute for in-person identity proofing when electronic credentials are being issued and can provide an additional authentication factor during a transaction.

The scheme should provide an adequate level of security for most online activities and, if widely adopted, could provide an easy source of trusted credentials for much of the population, Carpinella said. “The federal government is not going to issue 300 million chip cards,” he said.

Equifax is in talks with the National Institutes of Health, which would be the first agency to use its knowledge-based authentication. Researchers would use it to access NIH program information.
 
In identity management and access control, as in any other area of security, there will be no silver bullet, despite efforts to create a scalable, interoperable infrastructure.

“One tool will never be the be-all and end-all,” the DHS security analyst said. “It’s a layered defense,” and security tools and requirements will change.

“It’s a journey, not a destination,” said Steve Lawrence, vice president of federal service at Quest Software’s public-sector subsidiary. “There is no set definition.”

Editor's note: This story was updated July 12.
