Military Aims for Identity Security Trifecta
An innovative system would provide identity verification, authentication and system access management.
The Pentagon is looking to buy an enterprisewide identity management system to provide a single authoritative source of user information, identity authentication and information technology access for millions of U.S. Defense Department computer network users. The Defense Information Systems Agency’s call for white papers on the development and deployment of a Defense Department Enterprise Identity Service is the first step in identifying two or three vendors to take part in a competitive prototyping contest under an other transaction authority effort.
The agency will provide $600,000 to each vendor chosen to compete. The winner will scale its solution across the entire Defense Department enterprise at a price the company will negotiate.
The endeavor is the latest sign of defense officials’ grand ambitions to modernize and streamline the sprawling identity, credentialing and access management (ICAM) machinery in the Defense Department. It’s a huge undertaking driven by the department’s information technology modernization strategy. ICAM systems bring together all the various elements of the identity life cycle in an organization, including identity proofing, credential issuance, authentication and access management.
The department’s information technology modernization strategy is driving this huge undertaking despite the absence of a long-delayed ICAM policy document. In general, the Defense Department does a much better job managing the first three of those elements (identity proofing, credential issuance and authentication) than it does the fourth, access management. Many regard the Common Access Card (CAC) as the gold standard in secure credentials, with its rigorous in-person identity proofing, at-scale issuance and secure chip.
Validated by a personal identification number or a biometric, and back-ended by the department’s huge public key infrastructure encryption architecture, the CAC is about as secure an enterprise credential as possible. And, if smartcards are considered yesteryear’s technology, derived credentials, which are essentially software copies of the CAC, are now available on mobile devices.
When it comes to identity verification, the U.S. military historically has been a series of fiefdoms. Each service had its own procedures for issuing CACs, and base commanders had the final say over who could access the command’s networks.
Officials say that’s led to agencies and other department components establishing their own systems for linking the universal CAC with the network its holder is entitled to access.
“A lot of the investment in ICAM has been done within programs of record or inside specific components,” Col. Tom Clancy, USA, identity management and public key infrastructure lead, Defense Department Chief Information Officer’s Office, told AFCEA International’s Federal Identity Forum and Expo participants in Tampa, Florida.
“We need a complete set of ICAM capabilities at the enterprise level,” he said, noting that a centralized set of identity services would enable partnerships, both within the U.S. government and with state and local governments, as well as allies. “We need to be able to support that joint, interagency, intergovernmental, big multinational mission set and those business activities at the enterprise level,” he told conference attendees.
Those enterprise capabilities need to be at the floor level, not the ceiling, he added. “So that when you have a component … that has more specific [identity] needs that are tailored to their mission, they should be able to rely on the preponderance of the identity stack and focus on what they need to do their mission.”
The aim of the Defense Information Systems Agency (DISA) procurement, according to written answers provided to vendors’ questions, is not to replace the current multiple Defense Department ICAM systems but rather to “provide an overarching DOD ICAM that subsumes and integrates all of the existing DOD ICAMs.” Rick Moon, the Air Force identity assurance lead, explains, “We’re not looking to burn anything down. We’re looking to federate things together.”
This federated approach is vital, says Tim Baldridge, senior design architect for the Defense Manpower Data Center, Defense Department. “I believe that federation at the inter- and intra-agency levels will be key. Agencies will issue credentials locally, they will have credential verifiers locally and then they will participate in a federation exercise.”
The call for white papers gives examples of the kinds of “inefficiencies to be mitigated” by the new system. They include the paper Defense Department Form 2875 access request process; ineffective account life-cycle management; lack of visibility into which systems users can access; and lack of flexibility to leverage authenticators beyond public key infrastructure-based solutions.
The overhaul will create a decentralized, federated system for the provisioning of identity through CACs but with a menu of alternative or derived credentials as well.
With a properly automated back end, CACs can be used to enroll in, for example, different programs that use other kinds of multifactor authentication (MFA) credentials, Col. Clancy says. The key, he explains, will be to “maintain, from a technology and business process perspective, the linkage between that new MFA and the original digital identity” on the CAC.
And that, according to Baldridge, is “the interesting thing” about the overhaul. It will enable the department to create other kinds of authenticators based on a personal identity verification credential or a CAC to provide enrollment assurance, he explains.
At the same time as creating a federated structure for identity provisioning, the overhaul aims at centralizing the management of network access and providing login data that can be used to audit access controls and detect insider threats.
Col. Clancy highlights work the U.S. Air Force Directory Services (AFDS) is already doing as a model of what can be achieved. The AFDS automatically draws identity information from nine different authoritative sources both within the service and beyond, including the Defense Enrollment Eligibility Reporting System and the Military Personnel Data System.
The AFDS has a memorandum of understanding with each organization about how the data is obtained and used, he says. It runs scripts that take data from those sources and makes an authoritative, comprehensive list of Air Force personnel available within the service’s enterprise, effectively federating its ICAM among those nine sources.
The organization was a single source of trusted identity information for more than 100 Air Force systems, Moon says, providing not just identity assurance but also information about the user’s role in the enterprise that could help make access decisions. “AFDS is the honest broker … It’s a one-stop shop” for authoritative identity data in the Air Force enterprise, he relates.
But Moon acknowledges that keeping clean data on more than 800,000 Air Force personnel—with over 46 million attributes between them—was a heavy lift. “The volume of garbage collection is extremely high because, as many of you will probably have experienced, there are too many people touching the directory, so a lot of what AFDS does is garbage collection,” he states.
However, that garbage collection enabled the service to provision and maintain its Windows Active Directory automatically, Moon explains, adding, “It’s a pretty powerful process that works very well for us.”
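The AFDS pattern described above, namely merging records from several authoritative sources into one list by source precedence and then reconciling a directory against that list (creating, updating or disabling accounts), as an added illustration in Python. This is not AFDS’s own code; the source names, the `uid` field, the feed contents and the directory are all constructed for the example.

```python
"""Added example (not AFDS code): federate several constructed identity feeds
into one authoritative list, then reconcile a directory against it."""

# Constructed precedence: an earlier source wins any attribute conflict.
SOURCE_PRIORITY = ["personnel", "enrollment", "unit_roster"]

# Constructed sample feeds; 'uid' is a hypothetical per-person identifier.
SOURCES = {
    "personnel": [
        {"uid": "1001", "name": "A. Smith", "unit": "1 FW", "status": "active"},
        {"uid": "1002", "name": "B. Jones", "unit": "2 BW", "status": "separated"},
    ],
    "enrollment": [
        {"uid": "1001", "email": "a.smith@example.mil"},
        {"uid": "1003", "name": "C. Lee", "email": "c.lee@example.mil", "status": "active"},
    ],
    "unit_roster": [
        {"uid": "1001", "unit": "stale-unit"},  # loses to 'personnel' on precedence
        {"uid": "1003", "unit": "3 AW"},
    ],
}

# Constructed directory state keyed by uid: 1001 has a stale unit, 1002 has
# separated but is still enabled, 9999 is known to no authoritative source.
DIRECTORY = {
    "1001": {"enabled": True, "name": "A. Smith", "unit": "2 BW"},
    "1002": {"enabled": True, "name": "B. Jones", "unit": "2 BW"},
    "9999": {"enabled": True, "name": "Unknown"},
}


def build_authoritative(sources, priority=SOURCE_PRIORITY):
    """Merge per-uid records; the first source in priority order wins each attribute."""
    merged = {}
    for name in priority:
        for rec in sources.get(name, []):
            entry = merged.setdefault(rec["uid"], {})
            for key, value in rec.items():
                entry.setdefault(key, value)  # keep a higher-priority value if already set
    return merged


def reconcile_directory(authoritative, directory):
    """Return (to_create, to_disable, to_update): the directory 'garbage collection' step."""
    to_create, to_disable, to_update = [], set(), []
    for uid, person in authoritative.items():
        if person.get("status") != "active":
            if directory.get(uid, {}).get("enabled"):
                to_disable.add(uid)  # separated person still holding a live account
        elif uid not in directory:
            to_create.append(uid)
        elif any(directory[uid].get(k) != v for k, v in person.items() if k in directory[uid]):
            to_update.append(uid)  # directory attribute drifted from the authoritative value
    for uid, acct in directory.items():
        if uid not in authoritative and acct.get("enabled"):
            to_disable.add(uid)  # orphan: no authoritative source vouches for it
    return to_create, sorted(to_disable), to_update
```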
Col. Clancy says that modernization didn’t equal centralization. Indeed, automating identity provisioning required a federated approach. Different parts of the enterprise trusted each other’s assertions about the identity of their personnel and the resources they needed to access. He calls it an “ecosystem of authenticators.”
The colonel says federated identity eventually should enable the department to adopt a zero trust model in which users are dynamically provisioned for only the system access they need at that moment. “As we make those modernization pathways, we’re paving the road to do zero trust and a more dynamic, more granular authorization regime,” he states.
“Ultimately,” Moon adds, “all these roads lead to the need to have some kind of enterprise authorization system; to get us to fine-grained access control, to get us to the principles of zero trust, to get us to different kinds of mobile authenticators.”
But for the time being, Col. Clancy says, the department will stick with role-based access controls. “Our first run [is] at the 95 percent of resources in the department that are account based,” he relates.
The colonel adds that officials were seeking to be transparent about their plans: “We’re trying to establish a pattern of having publicly accessible resources for everything, so it’s not a secret what DOD’s doing.”