US federal agencies expand zero trust with hardware security keys, RFI
It is Cybersecurity Awareness Month in the U.S. and government agencies and digital identity firms are releasing news and advice and hosting events such as the Identity Defined Security Alliance’s BeIdentitySmart Week from 25 October. Federal agencies are learning how they will be going passwordless as the government goes for zero trust – at least for IT networks.
Physical security keys to tackle phishing attacks on the government
The White House plans to introduce hardware security keys for staff across federal government agencies and phase out SMS codes and app-based multi-factor authentication to reduce the risk of phishing, reports Vice, which spoke to an official from the Office of Management and Budget (OMB).
As a division of the White House, the OMB is part of a push towards zero trust for government organizations by 2024. The official said that the office is particularly concerned about automated, cheap and scalable attacks which can spoof government websites or push notifications and obtain multi-factor authentication (MFA) tokens from victims including one-time passwords via SMS or apps.
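The distinction the OMB official draws is that a one-time code carries nothing tying it to the site it was requested from, whereas a FIDO2/WebAuthn-style hardware key signs data that includes the origin the browser actually observed, so the relying party can reject an assertion produced on a lookalike domain. The following added example (not code from the article or from any of the vendors named) shows that relying-party check in miniature. The origins, the six-digit code and the credential secret are constructed for the example, and an HMAC over the client data stands in for the key's asymmetric signature so that the script runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample origins: the agency's real login page and a lookalike.
RP_ORIGIN = "https://portal.agency.example"
LOOKALIKE_ORIGIN = "https://portal-agency.example"

# Constructed stand-in for the per-site credential secret held inside a hardware key.
# A real authenticator signs with a private key; HMAC is used here only to keep the
# example self-contained. The verification logic is the same shape either way.
KEY_SECRET = secrets.token_bytes(32)


def _sign(client_data: bytes) -> str:
    return hmac.new(KEY_SECRET, hashlib.sha256(client_data).digest(),
                    hashlib.sha256).hexdigest()


def authenticator_sign(origin: str, challenge: str) -> dict:
    """Model of a WebAuthn-style authenticator: the browser supplies the origin it is
    on, and that origin is part of the signed client data, binding the assertion
    to the site where it was produced."""
    client_data = json.dumps({"origin": origin, "challenge": challenge},
                             sort_keys=True).encode()
    return {"client_data": client_data, "signature": _sign(client_data)}


def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party check mirroring WebAuthn verification of clientDataJSON:
    the signature must validate, the challenge must be the one this server issued,
    and the origin must be the relying party's own."""
    if not hmac.compare_digest(_sign(assertion["client_data"]), assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    if data.get("challenge") != expected_challenge:
        return False
    return data.get("origin") == RP_ORIGIN


def otp_verify(submitted: str, issued: str) -> bool:
    """An SMS or app one-time code has no origin field: the server can only compare
    digits, so it cannot tell where the user typed them."""
    return hmac.compare_digest(submitted, issued)


def otp_has_no_origin_binding() -> bool:
    """The same digits are accepted no matter which page collected them."""
    issued = "482913"  # constructed code, as if sent by SMS
    return otp_verify("482913", issued)


def assertion_from_lookalike_rejected() -> bool:
    """A key used while the browser sits on the lookalike origin signs that origin,
    and the relying party's origin check fails even though the signature is valid."""
    challenge = secrets.token_hex(16)
    assertion = authenticator_sign(LOOKALIKE_ORIGIN, challenge)
    return not rp_verify(assertion, challenge)


def assertion_from_real_origin_accepted() -> bool:
    challenge = secrets.token_hex(16)
    return rp_verify(authenticator_sign(RP_ORIGIN, challenge), challenge)


if __name__ == "__main__":
    print("OTP accepted regardless of page:", otp_has_no_origin_binding())
    print("Lookalike-origin assertion rejected:", assertion_from_lookalike_rejected())
    print("Genuine-origin assertion accepted:", assertion_from_real_origin_accepted())
```

The point for a defender is in `rp_verify`: the server never relies on the user noticing the wrong domain, because the origin comparison and the per-session challenge are enforced server-side on every login. A production relying party would use a WebAuthn library that also checks the RP ID hash and the signature counter in the authenticator data, but the origin and challenge checks shown here are what make the credential phishing-resistant.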
The OMB is also telling agencies to adopt single sign-on (SSO) services which provide an overall wrapper around the various online services an employee may use. The office is expected to release a final version of the Federal Zero Trust Strategy document and then collaborate with agencies to bring in the changes.
Education Department to take zero trust to bots
The Education Department wants to go even further and create a single identity for bots to be used across all its cloud environments, said its chief information security officer, Steven Hernandez, as reported by the Federal News Network.
While humans can use their Personal Identity Verification (PIV) cards or other tokens, nonhuman entities also need to confirm identity. Zero trust for bots would control what data they can access and prevent them from being tricked into giving data away.
The approach could also be applied to digital or virtual workers: “What platform are you coming from? What amount of hardware interrogation or device interrogation can I get as part of that assertion, and then how do I start to factor that into the authentication?” Hernandez is quoted as saying.
Army seeks update on SSO advances
The U.S. Army, and potentially the Department of Defense, is looking to enhance access control for its cloud and on-premise systems, and has issued a request for information on the state of the art in access management and single sign-on technologies.
The goal of the 18-question RFI is to assess the availability of integrated authenticators, “identity-aware proxy authentication,” secure session management and federation protocols that could improve on its existing authentication solution.
Vendors are asked to list the highest FedRAMP Impact Level their solutions reach.
Responses are due by October 29, 2021.
How to get employee buy-in for passwordless working?
Going passwordless will require staff training and dissemination after decades of passwords being the main protection for accounts and systems. Although consumers are starting to show a preference for biometrics, having only recently become accustomed to MFA, workers may need help moving to the next stage.
Speaking at the FIDO Alliance’s Authenticate 2021 conference, Ping Identity execs explained how they see the transition as a journey with four major milestones. The milestones are thought of as universal, although every organization is different, meaning they may not reach the points in the same order.
Centralizing authentication authority is the first step within an organization. This is followed by a range of approaches, such as going passwordless for web applications first, or a company deciding simply to reduce the number of places where a password is used while increasing the use of MFA, explained Itai Zach, senior product specialist.
Companies then need to look at equipment, what mix they have, whether any incorporates biometric authentication, whether all staff have smartphones. The IT help desk also needs to be set up and ready to deal with a new type of request.
Firms also need a strategy for new hires joining while the company transitions and whether they start out passwordless.
Anthony Bahor, IAM architect at Ping Identity, explained how a change management process is vital. Companies already using MFA should have an established way to take an overview of how their staff authenticate and on which devices. They can use this to develop a testing mechanism with vendors and platforms, even down to registering individual browsers separately.
IT departments can then start with small numbers of users on a small number of applications going passwordless, then slowly increase the number of applications and users to manage the amount of friction for users and the help desk.
The Identity Defined Security Alliance (IDSA), a non-profit group of 30+ identity and security vendors, solution providers, and CISO members including Ping, Okta, CyberArk, and BeyondTrust, has arranged a week of events during Cybersecurity Awareness Month. The schedule covers topics such as protecting machine identities and ways to improve customer experience.
Ahead of the events, the IDSA asked participants in the digital identity sector “What is going to be the biggest challenge for identity security in 2022?”
“Identity is gold,” states Manish Gupta, director of Global Cybersecurity Services, Starbucks. “Gold is the most malleable and ductile of all known metals. It can be thin and soft like hair or solid like a brick, with diverse applications from cancer treatment to jewelry. Very similar to how identity in combination with other technologies can be an enabler for ecommerce and socio-economic efforts, or a protector when viewed from a cybersecurity lens, or a key component of digital transformation of the world. All activities (human or machine) in the cyberworld that need to understand ‘who’ rely on identity, and this reliance will exponentially grow in years to come as we move to the Metaverse.”
Other responses touched on new identity types based on emerging technologies, managing identities and entitlements in the cloud, and sophisticated ransomware attacks.
“While it seems that the biggest challenge for identity security would be successfully defeating the ‘bad guys,’ it is a lack of resources that could create the biggest hurdle for organizations in 2022,” predicts Kimberly Johnson, VP of Product, BIO-key International. “With the recent explosion of cyberattacks, organizations know that they need to improve their identity security, with many solutions to choose from. Yet many are deterred by the high costs and workload required to implement critical security controls, as well as the lack of cybersecurity talent required to do so successfully. Organizations will need to seek out flexible, affordable solutions to improve their identity security in 2022.”