The National Weather Service manages agency security with Microsoft Active Directory.

Creative Ways to Authenticate Users Also Improve Cybersecurity

FCC, DOD, NWS are among the agencies hardening access to mobile devices.

The National Weather Service, with its large, remote staff and multiple operating systems, needed to create secure access to its network. Common Access Cards complied with the identity regulations established under Homeland Security Presidential Directive-12, but that solution worked only under certain conditions.

For instance, the agency could centrally manage only Windows-based systems; it could not push out updated security policy settings to Mac and Red Hat Linux computers. Those machines, which the NWS uses to model weather and process large volumes of data, had to have their settings manually adjusted.

“We had to find a way to make all of our systems compliant with HSPD-12 by securing everything with certificates,” says Jeff Williams, chief of the NWS Systems Integration Branch. “The best option was to use Microsoft Active Directory accounts to manage security on an enterprise level.”

Common Access Cards and personal identity verification cards have been the main federal solutions for identity management for years. These proven authentication tools won’t disappear soon, but CACs and PIV cards are not the only solutions. Some agencies are beefing up their identity management strategies — and strengthening security in the process.

Agencies whose employees work remotely turn to external cloud solutions and sophisticated key management systems to better control security.

“With the rise of the cloud and mobile applications, IT departments have lost some of the direct control they used to have over security,” says Mark Bowker, senior analyst with the Enterprise Strategy Group. “As a result, organizations are focusing more attention on identity management.”

MORE FROM FEDTECH: Find out how feds can get the most from Cisco’s Identity Service Engine!

Agencies Lock Down Access Based on Users' Roles 

To better manage their environment, NWS officials turned to the Centrify Identity Platform for administering card-based, two-factor authentication plus Federal Information Processing Standards (FIPS) cryptography ­certification. Centrify’s close integration with Microsoft Active Directory ­simplified implementation of the plan, says Williams.

“Once we had the console set up with policies for authentication, we could set up machines within a couple of hours by just pushing the software out,” Williams says. “That saves many man-hours.”

The agency’s large, remote staff required more consistent enforcement of identity management policies, he adds. With policies implemented on the enterprise level rather than in each remote office, NWS managers can more closely control who has root access privileges on the Linux systems in the field.

9.5 million

The number of PIV cards and CACs in use by federal workers

Source: Gemalto, National Institute of Standards and Technology

“We can lock down accounts based on each person’s assigned roles,” Williams says. “People don’t have root access rights unless it’s absolutely required for their work.”

Some agencies must consider public interaction when it comes to security and identity management. The Federal Communications Commission moved its identity management to Okta’s Identity Cloud, which provides multifactor authentication and single sign-on capabilities for applications such as Microsoft Office 365.

About 2 million people yearly apply for FCC licenses, and the Okta app ensures that proper authorizations and security are in place as the outside world interacts with the agency.

MORE FROM FEDTECH: Discover why it is time to reevaluate password security best practices! 

State Department Uses a Variety of Authentication Tools 

Many State Department personnel work in far-flung, sometimes adversarial nations, but they still need access to sensitive information contained in internal systems. To securely manage identity verification, the department’s IT staff focuses on a variety of current and emerging technology options.

“Identity management is one of my soapbox topics because it touches so many areas, including the proliferation of mobile and cloud applications,” says Gerald Caron, acting director of enterprise network management.

For personnel working at desktops in State Department facilities, IT managers rely on CACs, local domain controllers and Active Directory to authenticate personnel. To secure access to mobile applications, the department achieves multifactor authentication with RSA tokens and ­passwords managed by a commercial application.

Other multifactor options include a derived-credential solution that would install the information captured on CACs onto chips embedded within mobile devices.

Gerald Caron
Facial recognition is intriguing, but it requires a discussion about risk tolerance."

Gerald Caron Acting Director of Enterprise Network Management, State Department

The expansion of cloud-based services creates new authorization challenges. Caron advocates centralized identity controls that ensure access rights can be updated or deleted when people change roles or leave the agency. For internal resources, this role may be Active Directory, but clouds require more.

“People may have different usernames and passwords for different cloud services, all of which need to be changed when someone’s status changes,” Caron says. “The identity management solution must be able to tie those identities together within a single identity authority.”

Agencies May Explore Advanced Biometric Authentication Methods

To successfully address this and other new challenges, agencies shouldn’t view identity management as a discrete f­unction, but as an element within the larger security architecture.

“Identity management is part of larger governance policies, including those regarding mobile devices and access to cloud resources,” Caron says. “Agencies should also review their IT modernization plans to understand how identity management will support both current and long-term requirements.”

Security researchers across government are exploring more exotic ID management methods, such as using sensors on mobile devices to identify a user by his gait

This would make it easier for workers who are required to wear gloves and goggles, which cover fingerprints and irises, to use biometrics as a way to ­verify identity.

State Department officials must sort through security considerations before identity management via facial recognition can be released in the field.

“Facial recognition is intriguing, but it requires a discussion about risk tolerance and how that’s impacted by turning on cameras in government locations,” Caron says.

Cybersecurity_IR_stayprotected_700x220%20(1).jpg

Photography by Justin Clemons
Nov 08 2018