When I consider the technologies deployed to support the warfighter, a few mantras come to mind.
The first is “crawl, walk, run.” Technologies can only be fielded after ample testing, which delays the recognized advantages of a specific technology but reduces mission risk and potentially protects lives.
The second is “move at the speed of mission,” which translates to “you have to move faster to field supporting technologies because the mission can’t wait.”
These two ideas are important, yet contradictory. Fielding innovative technologies has always been paramount. In 1958, President Eisenhower created the Defense Advanced Research Projects Agency (DARPA) to address this dilemma. However, even after DARPA, there was a time when the DoD deviated from this collaborative approach and decided to go it alone (or only with the support of its most trusted integrators), typically producing poor, if not costly, results. Anyone remember the SME-PED [Secure Mobile Environment Portable Electronic Device]?
Public/private partnerships are a key component to the current administration’s IT modernization initiative. Cloud and mobile are critical and, subsequently, have created the necessity for the DoD to foster similar partnerships.
In fairness, the Pentagon must deal with many of the same issues that most enterprises struggle with: how to maintain a highly scalable, reliable capability while also providing the strongest, most transparent security model.
The transparent part has been difficult.
Solving the access dilemma
The Common Access Card (CAC) has long been the primary identification method for all of the DoD. It made perfect sense at the time of its implementation, given the high-profile breaches and the looming presidential directive. This involved issuing everyone (active duty, contractors, etc.) a plastic card that allows them physical access to a space and logical access to their computer and backend data sources. The CAC was modeled after existing smart card technology and fit the requirement at the time it was introduced. Access was based on ‘something you have,’ the card, and ‘something you know,’ such as your assigned PIN. This worked fairly well, public key infrastructure (PKI) costs notwithstanding, for quite a while.
Then mobile happened.
There was no easy way to use a plastic card with a mobile device. The National Institute of Standards and Technology (NIST) and other agencies scrambled to resolve the disruption. A plastic card was not a long-term answer for logical access and identity from the modern endpoint.
Derived credentials, or PIV-D, were the proposed path forward. PIV-D tried to solve a current, and rather large, identity and access dilemma by leveraging the existing investment in the massive PKI backend that supported plastic cards. Yet there was a problem with this approach: PIV-D is just PKI 2.0. It doesn’t solve the broader problem, which is that cloud and mobile have completely changed how employees work and access protected data. Also, PIV-D alone only offers a single-factor login, increasing the risk of a breach if credentials are stolen or compromised.
IT modernization is happening this time
The good news is that there is hope. The public/private partnership is alive, and folks at NIST, the National Cybersecurity Center of Excellence and others have recently revised guidelines to help modernize, looking at open standards such as OAuth, Fast Identity Online (FIDO), OpenID and others to try to help solve this problem. Biometric identity authentication on a government-trusted device, and the use of a FIPS-validated hardware token like the Yubico YubiKey as a replacement for a CAC or PIV card, will make agency life easier on the path to IT modernization.
The journey to modernize is also leading agencies toward a “zero-trust” security model, first discussed and implemented in the private sector but now gaining traction in the public sector. A zero-trust security architecture makes everything pass the same test(s) before a system trusts it and grants it access, regardless of whether it’s “inside” your network or not. No matter where the user is, what device they’re using, or where the application they’re trying to access is housed (cloud or on-premises), they must pass the same security checks.
IT modernization is about using COTS (commercial off-the-shelf) technologies and services to give agencies the ability to be more agile in deploying and managing their environment, and to get better security into the bargain. Whether you leverage your existing PKI (PIV-D) or not, you can layer on strong multi-factor authentication and tie into modern cloud technologies with ease.
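As an added illustration (not code from this column or from Duo Security), here is a toy policy evaluator that contrasts a legacy perimeter model with the zero-trust check described above: every request must arrive from a trusted device and present two distinct factor classes, so a PIV-D certificate alone (single factor, as noted earlier) is refused whether the request is inside the network or not. The factor names, the AccessRequest fields and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace

# Category of each presented factor (assumed taxonomy for this example).
FACTOR_CLASS = {
    "pki_cert": "possession",   # CAC or PIV-D derived certificate
    "hw_token": "possession",   # FIPS-validated hardware token (e.g. FIDO key)
    "pin": "knowledge",
    "biometric": "inherence",
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    factors: frozenset        # factors proven in this session
    device_trusted: bool      # government-managed, posture-checked endpoint
    on_corp_network: bool     # "inside" the perimeter or not
    app_location: str         # "cloud" or "on_prem"

def perimeter_decision(req):
    """Legacy model: being inside the network is itself a grant."""
    if req.on_corp_network:
        return True, "inside network"
    if len(req.factors) >= 2:
        return True, "external, two or more factors"
    return False, "external, single factor"

def zero_trust_decision(req):
    """Same checks for every request; network and app location are never read."""
    classes = {FACTOR_CLASS[f] for f in req.factors if f in FACTOR_CLASS}
    if not req.device_trusted:
        return False, "device not trusted"
    if len(classes) < 2:      # two same-class factors (cert + token) still count as one
        return False, "single factor class: " + ",".join(sorted(classes))
    return True, "trusted device + " + "+".join(sorted(classes))

def location_invariant(req):
    """True when the zero-trust verdict is identical for every location combination."""
    verdicts = {zero_trust_decision(replace(req, on_corp_network=n, app_location=a))[0]
                for n in (True, False) for a in ("cloud", "on_prem")}
    return len(verdicts) == 1

# Constructed sample requests (not real users or systems).
PIVD_ONLY_INSIDE = AccessRequest("alice", frozenset({"pki_cert"}), True, True, "on_prem")
FIDO_BIO_OUTSIDE = AccessRequest("bob", frozenset({"hw_token", "biometric"}), True, False, "cloud")
TOKEN_PIN_BYOD = AccessRequest("carol", frozenset({"hw_token", "pin"}), False, False, "cloud")

if __name__ == "__main__":
    for r in (PIVD_ONLY_INSIDE, FIDO_BIO_OUTSIDE, TOKEN_PIN_BYOD):
        print(r.user, "perimeter:", perimeter_decision(r), "zero-trust:", zero_trust_decision(r))
```

The perimeter model waves alice through on network position alone, while the zero-trust check denies her for presenting a single factor class and gives the same verdict for every inside/outside and cloud/on-premises combination.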
Technologies that support these standards are the way forward, not only allowing quick fielding of open-standards-based technology but also future-proofing the access and identity conundrum we find ourselves in today.
Sean Frazier is the advisory chief information security officer for federal at Duo Security.