Cracking the Code on Identity Management
Promising techniques and technologies could put the common access card in the past and protect against faux users.
The Defense Information Systems Agency is dipping its toes into the huge pool of options for identity security to generate new approaches that go well beyond usernames and passwords. Hoping to roll out some solutions before the end of the fiscal year, the agency is weighing multifactor authentication, derived credentials and technologies to support mobile devices and rid its ranks of the common access card.
“Authentication and authorization are two key concepts we are trying to evolve, which are very challenging and require some new ways of thinking,” says Capt. Jeffrey Buss, USN, chief technology officer for the Cyber Development Directorate within the agency, known as DISA. “We’ve done a significant amount of market research in order to come up with a few venues, if you will, or a few different technologies that we think are promising as far as being able to get us past the [common access card] and make it a more user-friendly experience for the warfighter.”
Service members want one device on which they can talk, access and store data, view documents, chat, retrieve email and navigate the Internet—all without jumping through hoops, experiencing delays or using smart card readers, Capt. Buss says.
DISA’s work stems, in part, from a directive issued last year by Terry Halvorsen, then the Defense Department chief information officer, to find identity management and access-control solutions. During his two-year tenure at the Pentagon, Halvorsen launched a handful of disruptive measures, including one to do away with the common access card, often called the CAC. The CAC system lacks mobility, agility and a highly trusted level of security—all before even considering how impractical it is in combat zones, Halvorsen said before retiring in February. “Frankly, CAC cards are not agile enough,” he said. “It’s really hard to get you a CAC card when people are dropping mortar shells on you and you need to get into your system. That doesn’t work.”
But getting rid of the smart card, about the size of a credit card, is not quite as simple as coming up with and remembering strong passwords. “We know the common access card is used for multiple purposes today,” says Jeremy Corey, DISA’s lead for the Cyber Development Innovation Cell and assured identity program manager. “We know that it’s used for physical identity—showing and displaying your card. It’s used for personal access control—entering and exiting a facility. But there’s also public key infrastructure [PKI] encryption certificates that are issued onto these common access cards to help identify a person in cyberspace.”
From that perspective, DISA officials have found themselves addressing the form-factor challenge for mobile device platforms and leveraging those PKI certificates. One solution is the grass-roots Purebred initiative, a key management server and set of mobile device apps that separates key management from device management, Corey says. Developed by DISA PKI Engineering, Purebred securely distributes software certificates for Defense Department PKI subscribers’ use on commercial mobile devices. “Because we have now operationalized that capability … we intend to leverage the Purebred capability in that next-generation identity and authentication,” Corey says.
Additional identity management solutions that have piqued government interest include behavioral biometrics such as computer mouse habits, Internet navigation paths, keystroke cadence, device swipe methods and patterns-of-life technologies. (See “DISA Moves Beyond Conventional Biometrics,” page 27.) Another area of interest includes physical biometrics such as fingerprints, iris scans and voice recognition. DISA pilot programs are testing identification metrics security systems. Halvorsen had envisioned tapping from eight to 12 solutions at any given time, independently or in tandem, to authenticate user identity. Those controls would be randomly employed to throw off hackers.
Commercial and public organizations are moving away from the now-antiquated access and authentication techniques that involve physical cards or tokens in favor of entirely software-driven technology, says Andy Vallila, vice president, Americas at One Identity, an offshoot of Dell.
“At the highest level, identity and access management have evolved so much over the last 15 years so,” Vallila says, referring to when the Defense Department began using the CAC in the early 2000s. “What we’re able to do today digitally … really removes the need to have physical security as part of the user experience.”
Mobility presents many opportunities for technology users, Vallila says. One expectation it brings is the ability to access applications from many different devices, whether smartphones, tablets or laptops. Deep-rooted in those expectations are increased security risks, he adds, which can be mitigated with digital authentication mechanisms that detect risk and prioritize network access. Those mechanisms include profiling user behaviors, cataloging authorized devices and knowing the IP addresses from which users access the network. Organizations can define and tailor acceptable risk scores within the software, and any anomalies would trigger challenge questions asking users to provide additional authentication information before gaining network access. “Inherent in our solutions is that ability to assess the risk digitally and to act accordingly based on the score that our software provides,” Vallila explains. “Any secondary challenge that is not answered properly could remove the threat of a bad actor or someone trained to impersonate the user.”
Identity management engineers are hard at work developing techniques and technologies to keep intruders out as much as to keep legitimate users in—or at least to prevent them from circumventing security checks, Vallila says. Users regularly bypass cybersecurity controls in the name of convenience, he says. “There is a level of fatigue associated with digital users today. Most users have to remember something between 25 and 30 separate user credentials. That’s just more than most people can remember and recall quickly,” Vallila shares.
Layered and risk-based security platforms obviate all those separate logons, he says. “The speed at which we can provide risk-based layered security and the ability to integrate that with a lot of legacy technology that requires separate user credentials provide an answer to some of that fatigue that so many employees, whether it be commercial or public, are trying to overcome today,” Vallila says.