Diversity of critical system access points, awareness education need more congressional attention
Information security “authentication” — the ability to confirm individuals using a data system are who they claim to be and have legitimate access to that data and system — “is gaining prominence in discussions on cybersecurity,” according to the new Congressional Research Service (CRS) report for Congress, Cybersecurity: Selected Issues for the 115th Congress.
Authentication is one of the “key policy” issues for the 115th Congress CRS identified, noting, “federal programs and policies have … sought to increase awareness of secure computing practices …”
Presidential Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, directed “structural reforms to ensure … policies and minimum standards will address all agencies that operate or access classified computer networks [and that] all users of classified computer networks (including contractors and others who operate or access classified computer networks controlled by the federal government), and all classified information on those networks.”
The Cybersecurity Act of 2015 also requires the inspectors general of each agency with a national security system or a system that has access to personally identifiable information to regularly report to Congress on the security policies and practices of those systems.
As far as authorized users are concerned, because of equally growing concerns over insider threats, many forms of biometrics are being employed and researched to ensure that authorized users are indeed who they claim to be, and that their biometrics can’t be spoofed, which authorities acknowledge is also a growing problem.
Mitigating insider threats and meeting compliance requirements with full audit trails and session capture of privileged user activity on Windows, Linux and UNIX servers is part of the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program Phase 2, which is managing “who is on the network?”
And this “requires the management and control of account/access/managed privileges (PRIV), trust determination for people granted access (TRUST), credentials and authentication (CRED), and security-related behavioral training (BEHAVE),” all four functions of which “have significant interdependence and are thus managed together as part of [CDM] Phase 2,” DHS explained.
Congress established the CDM program to provide adequate, risk-based, and cost-effective cybersecurity and more efficiently allocate cybersecurity resources.
Centrify was the solution selected for CDM Phase 2 CRED to ensure all federal agency “associates only have access to servers, applications or network resources based on their unique identity, role and responsibility within their organization,” Corey Williams, Senior Director, Products and Marketing at Centrify, explained earlier.
He said, “Centrify Server Suite offers a robust Active Directory bridge to consolidate identity silos, PIV authentication everywhere eliminating password authentication, separation of duties and super user privilege management to ensure individual accountability and provide granular access control, role-based access to reduce the attack surface and comprehensive session recording and auditing to greatly enhance monitoring and visibility.”
“Centrify was selected to manage and prevent the misuse of credentials and authentication across systems, servers and applications … to consolidate identity silos, super user privilege management to ensure individual accountability and provide granular control, role based access to reduce the attack surface and comprehensive session recording and auditing to greatly enhance monitoring and visibility,” he added.
DHS’s Science and Technology Directorate also earlier awarded a $749,241 Small Business Innovation Program (SBIR) contract to Digital Bazaar, Inc., to develop fit-for-purpose blockchains for identity and access management.
Under the SBIR Phase II contract, the company will develop a flexible software ecosystem that combines fit-for-purpose distributed ledger technology, digital credentials and digital wallets to address a wide variety of identity management and online access use cases for the Homeland Security Enterprise (HSE). The project is being managed by DHS’s Cyber Security Division’s (CSD) Identity Management project, which is part of the Homeland Security Advanced Research Projects Agency.
“Blockchain technologies have the potential to revolutionize the way we manage online identity and access the Internet,” said CSD Director Douglas Maughan. “This R&D project will help bring this potential closer to reality.”
In late August 2015, DHS released its vision for biometric capabilities. The vision includes three components: enhance effectiveness of subject identification; transform identity operations to optimize performance; and refine processes and policies to promote innovation.
“While the agency’s progress and innovation is a step in the right direction for harnessing biometrics, its true potential will be realized when the technology is used internally as an additional factor within DHS’s overall IAM solution,” said Eugene Liderman, Director, Product Management at VMware. “Could a derived credential protected by a biometric template be a compelling two-factor alternative? Possibly – but there is still work to be done.”
Liderman said, “Federal agencies today require proprietary devices with specific readers to support biometrics – an expensive process that lacks the user-friendly capabilities many desire. As IT executives continue to move toward utilizing consumer technology, government employees will be able to simply use the embedded technology on the device for biometric authentication, such as the camera for a retina scan or the microphone for voice recognition.”
And, “From a mobility perspective,” he noted, “one of the most important aspects to the future of biometrics (or any other factor) when it comes to authentication will be to move away from the monolithic approach of embedding authentication middleware. Today, mobile authentication solutions are tightly coupled with proprietary middleware, which is typically embedded in the mobile application that supports it. This approach causes scalability and future innovation issues because mobile application developers must build multiple versions of their apps to support a wide range of middleware and hardware vendors.”
In addition, he said, “every time a hardware or middleware update is needed, the developer for each app will need to release a new version to support it. If agencies instead implemented a framework to support the application ecosystem, multiple hardware/middleware vendors can be supported using an abstraction layer, creating a plug-and-play approach. This will result in competition which helps drive cost down and drive innovation up!”
“Above all else,” Liderman pointed out, “in order to support innovation and reach the goal of utilizing biometrics for two-factor authentication, it will be imperative for specific guidelines to be set. While the National Institute of Standards and Technology (NIST) has created a biometrics and usability resource, there is still progress to be made on drafting guidelines for agencies to follow when developing pilot programs or looking into implementations. It will be exciting to see how programs, like the external identification use case from DHS, continue to shape the conversation around biometrics.”
Finally, he stated, “With pilot programs in place today, the power of biometrics is bound to reshape the way federal agencies look at, and support, two-factor authentication, creating a more secure, mobile and user-friendly workforce.”
The CRS report further noted that adequate training of incumbent workers throughout the federal government in secure computing practices may require “continuing development of existing certifications, or the creation of new, non-traditional educational credentials, such as micro-credentialing and digital badging.”
“Over the past decade,” CRS said, “analysts seeking to document the scope and scale of the US cybersecurity workforce came to realize that the federal government, private employers, and academics were not using the same language to describe cybersecurity jobs or the knowledge, skills, and abilities necessary to hold those positions. This lack of a common language was perceived as a potential barrier in the cybersecurity labor market and an impediment in federal hiring.”
In response, the National Initiative for Cybersecurity Education (NICE), the federal agency that coordinates cybersecurity education, training, and workforce development, began a multi-year effort to develop standard terms and uses.
“When finalized,” CRS said, “the NICE Cybersecurity Workforce Framework (Framework) is to provide a standard vocabulary that can be used to better align education and employment in cybersecurity fields. Among its many other cybersecurity education-related activities, NICE also provides grants to regional education-employment partnerships for the purpose of aligning academic pathways with cybersecurity occupations.”
CRS emphasized that, “One key policy issue for the 115th Congress may relate to the Framework’s implementation.”
The CRS study determined that, “Although the central issue for the Framework is its use as a cybersecurity workforce management tool in federal agencies, cybersecurity education programs may begin to adopt the language (and align curriculum and grantee requirements) during the next few years as well.”
Additional related policy topics for the 115th Congress “include the role or expansion of educational benefits as tools for attracting and retaining federal cybersecurity personnel; as well as funding for federal cybersecurity education, training, and workforce development programs. Longer-term policy issues in cybersecurity education may include the ongoing challenge of ensuring that educational content evolves in tandem with the rapidly changing cyber defense and operations landscape …”
Disturbingly, CRS found, “The federal effort in cybersecurity education, training, and workforce development has not been comprehensively inventoried,” although “federal funding supports a wide variety of activities … which are sometimes offered in partnership with multiple federal and non-federal entities,” which include cybersecurity awareness (StaySafeOnline.org), summer camps (GenCyber) and student competitions (CyberPatriot and the National Collegiate Cyber Defense Competition), scholarships for cybersecurity postsecondary students who agree to serve in government after graduation (CyberCorps), and professional development for federal personnel in specialized cybersecurity positions (College of Cyber and the Federal Virtual Training Environment).
CRS said, “Federal policymakers have grappled with questions about both the quality and the quantity of US postsecondary education graduates with cybersecurity credentials (in general) and the civilian and military workforce needs of the federal government (in particular) … policymakers and agency officials often view educational benefits (e.g., scholarships, training) as a tool for attracting and retaining federal military and civilian cybersecurity workers.”
From a “policymaking standpoint,” cybersecurity includes the security of devices, infrastructure, data, and all the users involved with and working in cyberspace, CRS said, noting that, “The elements of ensuring cybersecurity involves policies spanning a range of fields, including education, workforce management, investment, entrepreneurship, and research and development. Software development, law enforcement, intelligence, incident response, and national defense are involved in the response when something goes awry in cyberspace.”