Improving identity and access management (commonly referred to as IAM or IdAM), especially after recent government hacks, remains a top priority for federal agencies. In fact, this summer the Office of Management and Budget's 30-day cybersecurity sprint highlighted the need for two-factor authentication to support the data access and credential security that agencies require. While this quickly executed plan certainly helped many agencies improve their use of two-factor authentication, there is still work to be done for agency authentication to reach today's level of innovation — especially with regard to mobility on smartphones and tablets.

To resolve issues with traditional authentication methods, the National Institute of Standards and Technology (NIST) has provided guidance for derived credentials. And, with derived credentials set to enable more efficient and effective authentication while helping to ensure confidentiality, security and integrity of mobile device information access, these guidelines are certainly a powerful first step for agencies. To understand what path derived credentials are taking in defense agencies today, below are answers to the "5 Ws" of derived credentials.

Derived credentials in defense agencies

Before diving into the use of derived credentials, it's important to define the technology itself. So, what are derived credentials? Essentially, a derived credential (true to its name) is derived from the credentials on a user's common access card (CAC) or personal identity verification (PIV) card. The credential is then stored in soft token form and secured using the hardware protection on a mobile device (smartphone, tablet, etc.).

With this in mind, the next question about this type of authentication might be, "If we have a secure authentication method in place at defense agencies (i.e. CAC and PIV), why were derived credentials created?" Derived credentials were created to bring authentication on smartphones and tablets up to the levels of security necessary for government agencies. Today, mobile access to government apps and data is bound by bulky methods of authentication that offer neither a smooth user experience nor a cost-effective solution. Even with multi-factor authentication improvements, users must still attach an expensive card reader to the exterior of a mobile device or complete multiple steps for login — such as a traditional password, a CAC reader and third-party smart card integration in the application.

With this background in mind, one can look at who is pushing for derived credentials to become a reality in defense agencies today. Both NIST and defense agency executives have been echoing the need for derived credentials as a method of two-factor authentication. As mentioned above, NIST developed a draft solution to help agencies with the task of providing multifactor authentication, proposing the use of derived credentials. The solution, NIST SP 800-157, specifies the use of cryptographic tokens on mobile devices in which the corresponding private keys are held and used, and we are already seeing strides in derived credentials implementation within defense agencies. Earlier this summer, the Department of Defense (DoD) announced it would be looking into derived credentials as a way to make its IdAM on mobile devices more user-friendly and cost-effective.
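To make the definition above and the SP 800-157 wording concrete, here is an added Go example of the enrolment flow; it is not code from the article, from NIST or from any agency program. In SP 800-157 the derived credential is a new key pair, generated on the mobile device and covered by its own certificate; the PIV/CAC private key itself is never copied off the card. The applicant proves they hold the card by authenticating with its PIV Authentication key, and the issuer then binds the same identity to the device key. Everything else here is an assumption for illustration: the names (Issuer, Prover, IssueDerived), a single CA signing both the card and the derived certificate, a signed nonce standing in for the card authentication step, ECDSA P-256 keys, and the three-year and one-year validity periods. Go's standard library is used because it can create and verify X.509 certificates offline with no dependencies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer is the agency CA that signed the PIV/CAC certificate and also signs the derived credential (one CA for brevity).
type Issuer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// Prover is all a card or hardware-backed phone key store exposes: it signs a nonce; the private key never leaves the hardware.
type Prover func(nonce []byte) []byte

// createCert signs tmpl with priv (parent == tmpl gives a self-signed cert) and returns it parsed.
func createCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// NewIssuer creates a self-signed CA (constructed for the example).
func NewIssuer() *Issuer {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Agency CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return &Issuer{key: key, cert: createCert(tmpl, tmpl, &key.PublicKey, key)}
}

// sign issues a client-authentication certificate binding subject to pub.
func (iss *Issuer) sign(subject string, pub *ecdsa.PublicKey, validFor time.Duration) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return createCert(tmpl, iss.cert, pub, iss.key)
}

// IssuePIV personalises a card: PIV Authentication key pair plus three-year certificate; only the cert and a prover leave the card.
func (iss *Issuer) IssuePIV(subject string) (*x509.Certificate, Prover) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert := iss.sign(subject, &key.PublicKey, 3*365*24*time.Hour)
	return cert, func(nonce []byte) []byte {
		digest := sha256.Sum256(nonce)
		sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
		return sig
	}
}

// Verify is the relying-party check: chains to the agency CA, within validity, usable for client auth.
func (iss *Issuer) Verify(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(iss.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IssueDerived is the issuer's side of enrolment: validate the PIV certificate, demand proof of possession of
// the PIV key, then bind the same identity for one year to a key the device generated itself (never a copy of the card's key).
func (iss *Issuer) IssueDerived(pivCert *x509.Certificate, prove Prover, devicePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if err := iss.Verify(pivCert); err != nil {
		return nil, fmt.Errorf("PIV certificate rejected: %w", err)
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand: never returns an error on supported platforms
	digest := sha256.Sum256(nonce)
	pub, ok := pivCert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], prove(nonce)) {
		return nil, fmt.Errorf("proof of possession of the PIV key failed")
	}
	return iss.sign(pivCert.Subject.CommonName, devicePub, 365*24*time.Hour), nil
}

func main() {
	iss := NewIssuer()
	cardCert, card := iss.IssuePIV("Alice Example (constructed)")
	deviceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // on a phone: inside the secure hardware
	derived, err := iss.IssueDerived(cardCert, card, &deviceKey.PublicKey)
	fmt.Println("issued:", err == nil, "chains to CA:", err == nil && iss.Verify(derived) == nil)
}
```

Two properties are worth checking when evaluating a real product against this model: the derived certificate carries the device's public key, not the card's (the card key is only ever used through the prover, i.e. through the card's own signing operation), and the derived credential's validity does not outlive the card it was derived from, so revoking or expiring the card bounds the exposure of the soft token. The Verify function is what a relying party (a mobile app gateway, for instance) performs; it does not need to know whether a credential came from a card or a phone, only that it chains to the agency CA.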

Derived credentials can be a powerful tool, but many IT executives are still asking, "When should they be used?" Currently, NIST's draft solution for derived credentials encourages agencies to use this form of IdAM for multi-factor authentication. However, many agencies, including those in the defense sector, have their sights on using derived credentials for much more — from digitally signing documents and encrypting emails to authenticating websites. Given the vast use cases for derived credentials, we are poised to see this technology radically shape the way government employees work on mobile devices.

The path forward for derived credentials

The concept of derived credentials is nothing new. We have seen conversations, pilot programs and interest in the technology for years. But, we must ask: Where will we see it next within defense agencies?

Today, we are faced with a "wild west" of sorts when it comes to authentication. Until there's a concrete implementation for civilian and defense agencies to look to, the use of derived credentials will be open to interpretation. Right now it's poised to make waves in supporting authentication to mobile devices. But with the next wave of innovation, we look forward to seeing agency pilots such as those at the DoD take the use of derived credentials to the next level.

Eugene Liderman has over 15 years' experience in the information technology field, specifically in networking, directory services, email, wireless email, mobility and information security. Currently, Mr. Liderman is the director of public sector in product management at Good Technology, where his primary responsibility is to assist customers in navigating the unique mobile security challenges that exist within the federal, civilian and DoD markets. Prior to that, Mr. Liderman was the Director of Public Sector within the Office of the CTO and was also a Sr. Cyber Security Architect focusing on Public Sector.
