DOD identity and access management capabilities continue to evolve
The evolution of identity and access management (IdAM) solutions that protect sensitive information on Department of Defense (DOD) networks was discussed during the 2018 Armed Forces Communications and Electronics Association’s Defensive Cyber Operations Symposium in Baltimore, Maryland, May 16.
Lee Taylor, chief of the Defense Information Systems Agency’s (DISA) Infrastructure Applications Branch, said IdAM is a combination of technical systems, policies, and processes that create, define, and govern the use and safeguarding of identity information, as well as manage the relationship between an entity and the resources to which it needs access.
“IdAM provides enterprise services as a security discipline to enable the right individuals to access the right resources at the right times, and for the right reasons,” said Taylor.
DISA, the Defense Manpower Data Center (DMDC), and the National Security Agency (NSA) combine resources to provide IdAM solutions to the DOD. The solutions are governed by the DOD chief information officer (CIO), in coordination with DISA and DMDC. The DOD CIO mandates use of some enterprise IdAM services and defines relevant processes and procedures.
The solutions are divided into three distinct areas: management of digital identities, authentication of users, and authorization of access to resources, all of which support network users across the DOD enterprise.
Taylor said the management of digital identities involves electronic representation of an individual’s identity.
“For managing digital identities, it provides secure accountability for creating, defining, and trusting digital identity data,” he said. “This includes processes for uniquely identifying users, securely binding the digital identity to users, and managing the identity across the enterprise. That data includes user contact information, organizational information, and attributes for access control.”
Authentication of users verifies a claimed identity is genuine based on valid credentials.
“It validates that you are who you say you are,” said Taylor. “Credentials include something you know, such as a password or PIN; something you have, such as a mobile device or Common Access Card (CAC); and something you are, such as facial recognition or fingerprints.”
Authorization for access to resources verifies a user should have access to a particular system, network, or resource within the network.
“Authorized access to resources enables the authority to restrict access locally or within the enterprise on the evaluation of applicable policies,” said Taylor. “Controlling access to resources is paramount to protect private and confidential information from unauthorized users.”
Recent IdAM enhancements involve implementing the Enterprise Privileged User Authentication Service (EPUAS) and virtual desktop infrastructure (VDI) to provide public key infrastructure (PKI) certificates based on two-factor authentication, which improves security for privileged users accessing systems maintained in DISA data centers.
“Migrating to EPUAS resulted in an 80 percent reduction in the number of privileged user accounts on DISA-owned and managed systems,” said Taylor. “Essentially, we went to a centralized privileged user directory service that allows users to log on to any system they have access to, which is based on a rule-based access control model.”
Taylor said migrating to VDI improved security because it “prevents non-compliant systems from connecting to our out-of-band network, reducing the possibility of an infected system connecting to the network.”
In addition, directory sharing is being piloted with multinational mission partners. It will allow DISA to populate contact information into the defense enterprise email global address list and allow DOD contact information to be populated in mission partner lists.
Current IdAM research and pilot activities include Purebred mobile security credentials, assured identity, expanding the types of authentication currently used, and biometrics.
- Purebred is a key management server and set of applications that separates key management from device management. It enables over-the-air certificate credentialing, replacing the need for a smart card reader, also known as a “CAC sled.”
- Assured identity establishes and continuously validates a digital identity, assigns attributes to that identity, and strongly associates it with the individual or trusted device.
- Authentication types being used as part of IdAM include: proof of identity from a trusted verifier, such as a person providing first-hand evidence of identity like a driver’s license or passport; comparison of an object’s attributes against what is known about objects of that origin, for example currency with watermarks and holographic imagery; and documentation and external affirmations that can be verified by certificates of authenticity, such as an evidence log, key card, or trademark.
- Biometrics measures and analyzes unique physical and behavioral characteristics to verify personal identity. Continuous multi-factor authentication constantly verifies a user’s identity by collecting and validating user data points and comparing them against historic data.
“Within the information technology world, we consider biometrics a form of identification, typically for access control,” said Taylor.
Physiological examples of biometrics include fingerprints, face recognition, palm prints, and iris recognition. Behavioral examples consist of typing rhythm, gait, and voice and speech patterns.
Short-term initiatives
In fiscal year 2019, the IdAM team plans to reduce the number of certificates on CACs issued by the DOD, pending approval of the plan by the DOD CIO.
Reducing the number of certificates will provide efficiencies by shrinking certificate revocation lists and using fewer resources to maintain the infrastructure supporting PKI.
CACs currently contain four PKI certificates: a DOD identity certificate, a Personal Identity Verification (PIV) authentication certificate, an email signature certificate, and an encryption certificate.
The certificate reduction will eliminate the DOD identity certificate and replace the authentication function with the PIV authentication certificate, which already exists on the CAC.
“The intent is to unhide the PIV authentication certificate for all CACs that are issued,” said Taylor. “The military services started this back in February, so agencies issuing CACs will also need to do so.”
For additional information about IdAM, download Taylor’s briefing slides or visit www.DISA.mil.
Posted May 22, 2018