Page 41 - FCW, August 2017

don’t mean embracing a full-blown PKI solution.”
PKI: Gold standard for MFA
Whatever the authentication factors available for MFA, the federal gold standard is public-key infrastructure, said Army Col. Tom Clancy, identity and asset management lead in the DOD CIO’s office. That is especially true for hardware PKI. But there are a number of situations in which the technology does not come into play.
“There are a bunch of use cases that were almost exclusively username/password protected,” he said. “Old technology is one — devices or applications that didn’t support PKI.” As an example, he cited privileged users who access servers that don’t support PKI. “That’s a support case for MFA alternatives to PKI.”
Furthermore, DOD’s workforce is becoming increasingly mobile, but phone-based authentication is a challenge. And because the department’s partners in state and local government, nongovernmental organizations and industry do not issue PKI to their personnel, DOD needs other physical authentication solutions.
Commercial MFA tools can play an important role where PKI-based authentication is not supported or readily accessible, said Brandon Iske, the Defense Information Systems Agency’s lead for mobile enablement and the Purebred program, which seeks to put security credentials directly on employees’ mobile devices. He added that the National Information Assurance Partnership certifies devices and hardware that have built-in MFA.
“We’ve been working to identify alternatives to username/password for use cases that cannot implement PKI for two years,” Clancy said. “DOD has approved two alternatives to PKI when PKI is infeasible: RSA SecurID [and] YubiKey.”
Nevertheless, device-based PKI should be used at the appropriate level. And the industry has been improving on the way that devices store PKI certificates to meet advanced assurance levels, he added.
“We don’t need to demand a high-assurance authenticator for public information, but [we should] be diligent for protection of sensitive information,” Clancy said.
The need to know and be cyber-aware
Of course, DOD has some of the country’s most sensitive information, and it should be protected from external and internal leaks. It all comes down to the principle that employees should have access only to the information that is necessary for them to complete their appointed tasks and nothing more.
“The government organization’s access philosophy that is based on ‘need to know’ and ‘need to perform job function’ best supports the password system,” said Carl Herberger, vice president of security solutions at Radware. “Regular reviews of personnel access profiles as well as logical security awareness through education and training are imperative for the maintenance and support of the organization’s access philosophy. While password management is very serious, keep in mind that a password alone will not prevent unauthorized access.”
That means every agency, regardless of size, must create a cyber-aware culture and have a roadmap. Scope, resources and threat potential might impact how the plan is executed, but everything starts with the plan, said Mark Testoni, president and CEO of SAP National Security Services.
“Fostering cultural awareness through cyber education throughout the organization is paramount [because] each individual is a potential entry point of exploitation,” Testoni said. “Cybersecurity among federal agencies should be unambiguous. Agencies should proactively advance employee training programs — a justifiable cost when research shows that the vast majority of all cyberattacks are a result of human error.”