Page 12 - GCN, June/July 2018

[Briefing]

Why PIV cards fall short of their security promise
BY PATRICK MARSHALL

Personal identity verification cards — smart cards that contain an employee’s photo, biometrics, encryption keys and credentials — are a great idea. They offer secure authentication and the ability to centrally manage that individual’s access to federal resources.

Unfortunately, PIV cards have never quite lived up to their promise to control access to federal networks and physical locations.

Some of the problems have been technical. There were glitches using PIV card readers with Microsoft Windows 7, for example. And there is always the challenge of keeping up with new technologies. It was only in 2015, for example, that the National Institute of Standards and Technology updated its specifications for the cards to allow them to work with smart phones.

But the biggest problems with PIV cards have been administrative. A 2017 Government Accountability Office report noted that agencies often fail to retrieve PIV cards from employees and contractors after they stop working for the government. And a February report by the Department of Homeland Security’s inspector general found that the department lacks effective protocols to ensure that no-longer-authorized contractors cannot use PIV cards to access facilities and networks.

Dan Conrad, federal CTO at identity access management vendor One Identity, said PIV cards face another major challenge: working with legacy programs.

“Anytime I authenticate with my PIV card, the validity of the certificate on the card is checked, so in theory [an agency] can revoke the certificate centrally,” Conrad said. The problem is that many applications aren’t PIV-compatible, and in some cases, the vendor might no longer be in business.

“What the organizations are looking for is someone to go back and rewrite the authentication modules of this application so it can be rolled under the PIV module,” he added. “That is almost impossible in a lot of situations, or extremely expensive.”

As a result, agencies using such applications create “exception lists” that allow individuals to access those programs without being under the PIV umbrella. Other options include abandoning incompatible legacy applications or acquiring a PIV-compatible single-sign-on solution. Which option is best depends, of course, on how critical the legacy software is to the agency’s mission.

One Identity and several other vendors offer workarounds. “Our solution for that is a bridge solution that will take applications that require usernames and passwords, and we encrypt and walletize those usernames and passwords and inject them after authenticating with a PIV,” Conrad said. “Upon successful entrance of your PIN and certificate validation, we decrypt the password from the wallet and then inject the credentials. The user doesn’t even know what they are.”

He added that another shortcoming of the current generation of PIV cards is that many smartphone apps fall outside the PIV umbrella because they don’t accommodate derived credentials. •

Deasy: There’s no single cloud solution
BY LAUREN C. WILLIAMS

The Defense Department’s new CIO, Dana Deasy, is getting up to speed on the Pentagon’s plans for using cloud technology. When asked his opinions about multicloud environments during a congressional hearing in May, Deasy told lawmakers that “in a cloud world, there is no such thing as one solution that’s going to solve for all.”

There will always be a need for “specific requirements that are going to be best served by unique providers,” he added. “That is no different than [what] has always been the case with technology.”

During the hearing, Rep. Will Hurd (R-Texas), chairman of the House Oversight and Government Reform Committee’s IT Subcommittee, asked about DOD’s controversial Joint Enterprise Defense Infrastructure cloud acquisition.

Deasy said he wasn’t completely up-to-date on DOD’s cloud strategy — namely, any discussions specific to contracts, arrangements or requests for proposals — due to his ongoing public financial disclosure review.

However, Deasy said he plans to ramp up cloud migrations across the military services. “The delivery of new cloud capability promises to provide commercial solutions that will accelerate data center closures, achieve cost efficiencies and improve return on investments,” he added. •

Dana Deasy, DOD CIO
PHOTOS: LOUISIANA STATE UNIVERSITY, DEFENSE.GOV