Chris Edwards is chief technology officer at Intercede.
Recent breaches of U.S. federal computer networks – such as the Office of Personnel Management hack – have catapulted the need for improved identity management and authenticated access to the top of the national agenda. The White House mandated a 30-day call for action for all federal agencies: tighter control of privileged user access and multifactor authentication.
After closing out the “30-day sprint” July 11, the government committed to a July 20 results announcement, only to delay the release until an undetermined date. The delay may serve as an indication the government has a long way to go in its efforts to increase network security, yet meeting the call for improved identity authentication is largely achievable within the existing infrastructure of any government computer network. Today, all federal employees have already been issued Personal Identity Verification credentials, which can be leveraged by a derived credentials system to instantly enhance secure network access from mobile devices.
The U.S. government is playing catch-up on security primarily because it has not been able to keep up with the advances in technology over the last decade. With the imminent availability of derived PIV credentials, the U.S. government can effectively address the critical need to improve the current state of cyber security. The growing demand for a more mobile work environment for federal employees and the introduction of new connected devices will create new potential entry points for unauthorized access within a government network.
One of the major considerations for the White House is that enhancements to secure federal computer systems must account for tomorrow’s hyperconnected world. A derived credential management system that uses an existing verified PIV credential to create a mobile, trusted identity that is stored on the mobile device itself is a powerful solution.
By deriving the trust from an existing credential, bound to an assured identity, any federal agency can ensure only “the good guys” gain entry to sensitive data networks. Only users who have been properly vetted, identified and authorized from one central system are granted an approved mobile credential.
Once that credential has been issued, the provider can manage it throughout the lifecycle of that device – including planned events such as expirations and renewals and unexpected events such as theft, loss, or damage.
This level of authentication provides employees with the flexibility of mobile working, while still maintaining the security government agencies need. Streamlined and efficient, the future of identity management and secure, user-authenticated access is in mobile derived credentials. Only then can the U.S. government effectively align the need to protect critical networks with the future technology landscape.