Nov 16 2018

DOD Designs Home-Grown Solutions to ID Management Matters

DISA's Purebred key management server gives mobile users secure access to unclassified information.

Defense Department CIO Dana Deasy made clear in September that the Common Access Card “will remain the department’s principal authenticator for the foreseeable future.”

CACs and personal identity verification cards have been the main federal solutions for identity management for years. While these proven authentication tools won’t disappear soon, CACs and PIV cards are not the only solutions. Some agencies are building out their identity management strategies and strengthening security in the process. Agencies whose employees work remotely are turning to external cloud solutions and sophisticated key management systems to better control security.

At the Pentagon, the CAC is a way of life, but the department also has other authentication methods that augment it.

DOD employees using government phones or tablets have had to insert their ID cards into portable smart card readers, which are easy to forget or misplace.

To overcome that problem, the Defense Information Systems Agency developed Purebred, a key management server similar to the technology that supports mobile payment applications for smartphones.


How DOD Uses Purebred to Aid Authentication

Purebred stores a user’s credentials as software certificates on the mobile device itself: derived credentials that stand in for the CAC, so no card reader is needed. About 31,000 of DOD’s mobile devices now run it for access to unclassified systems. (A separate system authenticates users for access to classified networks via smartphones and tablets.)

U.S. Army officials believe Purebred can improve security in several ways.

“If a mobile user loses the Common Access Card, they have to go through the entire process of getting a new card,” says Rick Walsh, mobile program manager for the Army. “But if they lose a device with software tokens, they only lose a derivative of their credentials. We can start over without having to issue a brand-new CAC.” 

Because the Army assigns mobile devices to individual users, he adds, both the hardware and the user must be authenticated before someone can access a protected network. 

“If unauthorized people try to use the devices to access Army resources, they are blocked,” Walsh says. 

By contrast, when users share a common workstation in an Army office, the CAC authenticates only the person holding the card and its PIN, not the machine, which makes it possible for a user to buck security policy by lending a coworker the CAC and PIN.
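The lifecycle described above, as an added example that is not DISA’s, Purebred’s or the Army’s code and reflects nothing of their implementation: a toy Go PKI in which the CAC certificate is the primary credential. Derive issues a software certificate with a fresh key pair and the same identity, and only while the CAC itself still verifies; Revoke cuts off one certificate by serial, so losing the phone costs the derivative and nothing else; Authorize applies the two rules the article contrasts, a CAC accepted from any workstation and a derived credential accepted only from the device it names. Everything here is assumed or simplified: the issuing CA, the EDIPI-style name JANE.DOE.1234567890 and the phone identifiers are constructed; Ed25519 keys stand in for whatever the DoD PKI issues; the PIN is not modelled; device identity is reduced to a string the relying party is told, where a real deployment relies on the phone’s keystore and MDM attestation; and revocation is an in-memory set rather than a CRL or OCSP responder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a toy issuing CA plus relying party standing in for the DoD PKI; every name and
// identifier in this file is constructed for the example.
type PKI struct {
	ca      *x509.Certificate
	caKey   ed25519.PrivateKey
	roots   *x509.CertPool
	next    int64
	revoked map[string]bool // serials cut off, as a CRL would list them
}

// sign makes a fresh key pair and a certificate for it, self-signed for the CA and otherwise
// CA-signed. The private key is dropped: a CAC keeps it on the chip, a token in the keystore.
func (p *PKI) sign(tmpl *x509.Certificate) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	p.next++
	tmpl.SerialNumber = big.NewInt(p.next)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parent, signer := p.ca, p.caKey
	if tmpl.IsCA {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewPKI() (*PKI, error) {
	p := &PKI{roots: x509.NewCertPool(), revoked: map[string]bool{}}
	ca, key, err := p.sign(&x509.Certificate{Subject: pkix.Name{CommonName: "Example Issuing CA"},
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true})
	if err != nil {
		return nil, err
	}
	p.ca, p.caKey = ca, key
	p.roots.AddCert(ca)
	return p, nil
}

// Issue signs a client-auth certificate for cn. device is empty for a CAC; for a derived
// credential it names the phone the credential was provisioned to.
func (p *PKI) Issue(cn, ou, device string) (*x509.Certificate, error) {
	cert, _, err := p.sign(&x509.Certificate{
		Subject:  pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}, SerialNumber: device},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return cert, err
}

// Derive issues a device-bound software certificate with the CAC holder's identity, only while the CAC still verifies.
func (p *PKI) Derive(cac *x509.Certificate, device string) (*x509.Certificate, error) {
	if err := p.Authorize(cac, ""); err != nil {
		return nil, fmt.Errorf("cannot derive: %w", err)
	}
	return p.Issue(cac.Subject.CommonName, "Derived", device)
}

// Revoke cuts off one certificate and nothing else the same person holds.
func (p *PKI) Revoke(c *x509.Certificate) { p.revoked[c.SerialNumber.String()] = true }

// Authorize is the relying party's rule. A CAC carries no device binding, so any valid,
// unrevoked CAC (plus its PIN, not modelled) gets in from any workstation. A derived
// credential is accepted only from the phone it names (device identity as an MDM reports it).
func (p *PKI) Authorize(c *x509.Certificate, device string) error {
	if p.revoked[c.SerialNumber.String()] {
		return fmt.Errorf("serial %s is revoked", c.SerialNumber)
	}
	if _, err := c.Verify(x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if bound := c.Subject.SerialNumber; bound != "" && bound != device {
		return fmt.Errorf("credential is bound to %s, presented from %s", bound, device)
	}
	return nil
}

func main() {
	p, _ := NewPKI() // driver only: issuance errors are ignored and would panic below
	cac, _ := p.Issue("JANE.DOE.1234567890", "CAC", "")
	derived, _ := p.Derive(cac, "phone-0001")
	p.Revoke(derived) // the phone is lost: only its software token is cut off
	fmt.Println("lost phone:", p.Authorize(derived, "phone-0001"), "| CAC:", p.Authorize(cac, ""))
}
```

Running it prints the two outcomes side by side: the revoked derived credential is refused and the CAC still passes. Calling Derive again on the same CAC then succeeds, which is Walsh’s point that the holder starts over without a new card, while Derive on a revoked CAC fails, a derived credential presented from a phone other than the one it names is rejected, and a certificate from an unrelated issuer never verifies at all.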

Agencies Pursue New Avenues for Identity Verification

DISA is considering making Purebred available to agencies outside of the Defense Department. Some civilian agencies already use commercial products that rely on technology similar to the DISA solution.

For example, the Drug Enforcement Administration and the FBI have deployed HID Global’s ActivID, a security solution that uses derived credentials to authenticate users.

“We see a fundamental shift in authorization techniques, from knowing a secret, like passwords or PINs, to using a multitude of factors related to someone’s identity and their operating environment,” says Jeremy Corey, DISA’s chief of cyber innovation and assured identity. “The latter is much more difficult for hackers to replicate.”

