The Defense Information Systems Agency is taking action to improve its authentication practices. Agency leaders no longer consider the Common Access Card (CAC) optimal for authentication in today’s mobile-centric environment and are exploring alternatives.
While CACs are effective, they are not as agile or as secure as the Department of Defense needs them to be. Cards are easily confiscated, lost or stolen, and acquiring a replacement is time consuming. CACs also don’t plug into mobile devices and tablets, limiting the defense community’s ability to use technology that could help accomplish its mission.
As a result, DISA is considering hardware attestation and biometric factors, specifically a user’s face, voice and gait. Biometric factors allow a more continuous approach to authentication. Beyond the factors DISA has referenced, behavioral biometrics can validate a user based on keystrokes, mouse movements and other signals, and can detect that an unauthorized individual has hijacked a device in as little as 20 seconds.
As DISA evaluates authentication solutions, it’s a good time to raise questions about other elements of identity and access management (IAM). Authentication, the process for confirming the identity of the user, serves a limited function without attention to other aspects of IAM — authorization, administration and audit.
Authorization ensures the user has the right permissions. For authentication to mean anything, employees should be granted only the access necessary to do their jobs, and nothing more. If a DoD employee switches jobs or projects, access needs to be updated. This means paying attention not just to new needs but also to the information and systems the user no longer needs to see, since lingering access is a potential vulnerability.
Administration supports appropriate authorization, including steps to set up accounts and enforce access controls. This includes provisioning and de-provisioning accounts. Much of this process can now be automated to provide more immediate access and quick deprovisioning as authorization changes. This is essential for the DoD, as work inside the agency needs to be completed quickly to guarantee citizen and war-fighter safety, yet unnecessary access can leave sensitive national security information vulnerable to bad actors.
Audit is the last element of complete IAM. It focuses on the ability to track and report on what applications users access and when. Audit is important for compliance, but these capabilities also make it possible to identify the root of security incidents when they happen. The defense community needs to know it’s prepared for the worst and can act if a breach occurs.
As agencies enhance IAM efforts, they must also consider the role of privileged accounts. Privileged accounts allow access to a broad range of sensitive information and are frequently at the center of notable security breaches. Rather than relying on a standing password shared from administrator to administrator, privileged access should be granted temporarily, and the actions a privileged user can take on the system should be limited and monitored. Privileged accounts hold the keys to the kingdom in terms of sensitive data and personal information. Making access to these accounts too easy can negate the impact of all other IAM efforts.
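To make the authorization, administration, audit and privileged-access points above concrete, here is an added toy model (not DISA, DoD or One Identity code) of an account store in which a job change replaces the old role's entitlements, privileged access is granted per person with an expiry, and every provisioning step and access decision lands in an audit trail. The role names, entitlement strings, user and ticket reference are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed role map with hypothetical job roles; these are not real DoD entitlements.
ROLE_ENTITLEMENTS = {"logistics-analyst": {"logistics-db:read"}, "hr-specialist": {"hr-records:read"}}

class Directory:
    def __init__(self):
        self.grants = {}  # user -> {entitlement: expiry datetime, or None for standing access}
        self.audit = []   # (timestamp, user, event, detail) records kept for later review

    def _log(self, now, user, event, detail):
        self.audit.append((now.isoformat(), user, event, detail))

    def assign_role(self, user, role, now):
        # A job switch replaces the old role's entitlements, so access no longer needed is removed too.
        current = self.grants.get(user, {})
        old = {e for e, exp in current.items() if exp is None}
        new = ROLE_ENTITLEMENTS[role]
        temporary = {e: exp for e, exp in current.items() if exp is not None}
        self.grants[user] = {**temporary, **{e: None for e in new}}
        for event, items in (("deprovision", old - new), ("provision", new - old)):
            for e in sorted(items):
                self._log(now, user, event, e)

    def grant_privileged(self, user, entitlement, now, minutes, justification):
        # Privileged access is per-person, time-boxed and recorded, never a shared admin password.
        expiry = now + timedelta(minutes=minutes)
        self.grants.setdefault(user, {})[entitlement] = expiry
        self._log(now, user, "privileged-grant", f"{entitlement} until {expiry.isoformat()}: {justification}")

    def authorize(self, user, entitlement, now):
        # Allow standing access or an unexpired privileged grant; every decision goes to the audit trail.
        grants = self.grants.get(user, {})
        allowed = entitlement in grants and (grants[entitlement] is None or now < grants[entitlement])
        self._log(now, user, "allow" if allowed else "deny", entitlement)
        return allowed

def scenario():
    # Walk one constructed user through a job change and a 30-minute privileged grant.
    d, t0, t1 = Directory(), datetime(2024, 1, 1), datetime(2024, 1, 2)
    d.assign_role("alice", "logistics-analyst", t0)
    d.assign_role("alice", "hr-specialist", t1)
    d.grant_privileged("alice", "hr-records:admin", t1, 30, "ticket PLACEHOLDER")
    return (
        d.authorize("alice", "logistics-db:read", t1),                       # False: old role's access is gone
        d.authorize("alice", "hr-records:read", t1),                         # True: new role's standing access
        d.authorize("alice", "hr-records:admin", t1 + timedelta(minutes=10)), # True: inside the grant window
        d.authorize("alice", "hr-records:admin", t1 + timedelta(minutes=31)), # False: grant has expired
    ), d.audit
```

Running `scenario()` returns the four decisions and the audit records, which show the deprovisioning of the old role's entitlement alongside each allow or deny.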
As DISA reconsiders its approach to authentication, there are important elements of IAM to focus on as well. By starting with this comprehensive approach to IAM, security becomes an enabler rather than a hindrance. It reduces risk, while allowing agencies to effectively and efficiently complete their missions. With the right people, who have the right access to the right systems and information, the DoD can focus on the issue of securing our country, not its own IT systems.
Dan Conrad is federal chief technology officer at identity and access management company One Identity.