Adopting strong authentication by using derived PIV credentials may be an agency’s best and first line of defense.
Chris Edwards is the chief technology officer of Intercede.
In the wake of the recent security breaches of the Internal Revenue Service and Office of Personnel Management, government officials are starting to fully address their own data vulnerabilities to ensure their agencies do not suffer the same fate.
To fight back and protect sensitive data from falling into the hands of nefarious organizations or opportunistic hackers, federal agencies with a mobile workforce must now deploy more robust technology to enhance data security on mobile devices. Fortunately, there is now a way to create mobile identity credentials to the same strict security standards as federal employees’ smart cards, without the process becoming cumbersome for the end user.
According to a recent survey by IDC Government Insights, growth of tablets in the government sector is projected to increase by double-digits for the next several years, following the meteoric rise of smartphone adoption. Federal employees now can – and do – access sensitive information from their mobile devices, and agencies of all sizes must take the appropriate steps to protect digital assets and sensitive data. Failure to do so could lead to the theft of such data, causing disruption not just for the agency, but also for the data security of the entire federal government. The nature of federal data means that any damage done could have a detrimental impact on national security.
Since the government standardized identity and credentials across all agencies nearly 10 years ago, almost 5 million smart card-based Personal Identity Verification credentials have been issued to government employees and contractors for secure access to government buildings and IT systems. This same technology can now be extended to mobile devices by taking the secure and verified PIV standard and applying it to mobile devices.
What this means in practice is using the existing PIV card as the “root of trust” for the new credential, which is installed directly onto the mobile platform. This enables users to move away from insecure passwords and usernames – a security practice that, in recent times, has become more of a hindrance than an effective safeguard.
Federal IT managers are discovering one of the best methods for protecting data on mobile devices is the secure key store. The “black box” of security certificates and verifications for mobile devices, the secure key store holds cryptographic keys unique to each device and are tamper resistant.
This is the same principle as the smart card – the traditional form factor used by the U.S. government to securely hold employees’ identity credentials. In this case, it derives its chain of trust from the processes used to issue the original PIV card. Using a secure keystore to protect sensitive data has the potential to turn what has been previously seen as a security vulnerability – the device itself – into an agency’s first line of defense for data protection.
The rise of mobility has killed the 9-5 office mentality and transformed the federal workforce into a 24-7 culture. For federal employees, increased use of smartphones and tablets has opened the door to more flexible working, but has also increased the possibility of employees accessing government data and networks beyond the secure perimeters of government buildings.
Implementing rigorous methods of authentication to verify the identity of workers accessing federal networks and systems would allow agencies to immediately bolster their cybersecurity. Two-factor authentication is a method that combines a secure and verified physical token with a PIN or other code. Such authentication is now possible on mobile devices by deriving a new secure credential directly onto a device without compromising the security or integrity of the two-factor concept.
This level of authentication – “something you have” combined with “something you know” – has proven to be successful with chip and PIN security.
The key to enhancing mobile security is in combining a secure digital identity with a second authentication factor such as a PIN or fingerprint to let people use their devices to authenticate themselves for physical and digital access. Strong authentication is now widely used in consumer banking and online services, and is becoming an increasingly familiar technology in the U.S.
By using a mobile credential that first authenticates the user (with PIN or biometric) to authorize a cryptographic signature, we now have a viable alternative to passwords that is highly secure, convenient, and simple to use. This allows agencies to have far greater confidence and control over who is accessing their networks and sensitive data.
Strong authentication enables federal agencies to reap security benefits while allowing for a more mobile and flexible federal workforce. Federal agencies’ old-line approach of keeping employees inside agency buildings and accessing sensitive information from designated terminals isn’t in keeping with today’s mobile society. It is neither a practical, desirable nor effective way to combat cyber criminals.
(Image via motestockphoto/ Shutterstock.com)