Defense Department CIO Dana Deasy made clear in September that the Common Access Card “will remain the department’s principle authenticator for the foreseeable future.”
CACs and personal identity verification cards have been the main federal solutions for identity management for years. While these proven authentication tools won’t disappear soon, but CACs and PIV cards are not the only solutions. Some agencies are beefing up their identity management strategies — and strengthening security in the process. Agencies whose employees work remotely turn to external cloud solutions and sophisticated key management systems to better control security.
At the Pentagon, the CAC is a way of life. However, the department also has other authentication methods that augment it.
DOD employees using government phones or tablets have to swipe their ID cards through portable smart card readers, which are easy to forget or misplace.
How DOD Uses Purebred to Aid Authentication
Purebred stores user credentials as software certificates on mobile devices. About 31,000 of DOD’s mobile devices now run it for access to unclassified systems. (A separate system authenticates users for access to classified networks via smartphones and tablets.)
U.S. Army officials believe Purebred can improve security in several ways.
“If a mobile user loses the Common Access Card, they have to go through the entire process of getting a new card,” says Rick Walsh, mobile program manager for the Army. “But if they lose a device with software tokens, they only lose a derivative of their credentials. We can start over without having to issue a brand-new CAC.”
Because the Army assigns mobile devices to individual users, he adds, both the hardware and the user must be authenticated before someone can access a protected network.
“If unauthorized people try to use the devices to access Army resources, they are blocked,” Walsh says.
By contrast, when users share a common workstation in an Army office, CACs authenticate only the device credentials, making it possible for a user to buck security policies and loan a coworker a CAC and PIN to use.
Agencies Pursue New Avenues for Identity Verification
DISA is considering making Purebred available to agencies outside of the Defense Department. Some civilian agencies use commercial products that rely on technology similar to the DISA solution.
“We see a fundamental shift in authorization techniques, from knowing a secret, like passwords or PINs, to using a multi-tude of factors related to someone’s identity and their operating environment,” says Jeremy Corey, DISA’s chief of cyber innovation and assured identity. “The latter is much more difficult for hackers to replicate.”