ID federation and continuous authentication schemes have their fans and challenges
A panel discussion aimed at U.S. federal agencies regarding digital ID and authentication management this week took looks at federation and continuous authentication. Both options are liked but both have challenges.
One Advanced Technology Research Center panelist, Matt Topper, president of ID and access-management vendor Uberether, reportedly was exciting about the prospect that the National Institute of Standards and Technology will publish guidance on federation itself.
A fan of how federated schemes can provide security, Topper said, standards will enable authentication among agencies as well as between bureaucrats, contractors and citizens, according to reporting by trade publication Nextgov.
The challenge will be sorting out all the credentials that long-term contractors gather.
Like barnacles on ships, businesses who win multiple contracts – and do so on projects over the years – end up with a lot of access rights. Barnacles, however, will not render a ship dead in the water, prey for bad actors or bad weather.
A growing hodgepodge of IAM certifications that are not examined at the end of a project presents a very real threat. The Nextgov article points out that the infamous SolarWinds attack was able to move horizontally through organizations, a tactic that could be made less dangerous through a federated identity approach.
And a thorough understanding of who has what security certification and knowing who owns that certification.
The National Institute of Standards and Technology is planning to publish updated guidance on identity and access management that addresses federation, and the Cybersecurity and Infrastructure Security Agency has guidance coming soon.
Another view on the same event, from trade publication GovCIO, quotes a government IT officials saying continuous authentication as a category is evolving well. Gerald Caron is the chief information officer within the federal Health and Human Service Department’s office of inspector general.
Caron says derived credentials attached to a mobile device, for instance, are only as good as the schedule on which they are interrogated. The longer a device sits not directly monitored, the more likely that it will be used as a tool to access apps and data it sought by the cybercriminal at the device.
Hardware and software changes can make it so common access or personal ID verification cards can re-authenticate users, but that is going to be a hard sell in constrained budgets and even moreso if it means changing personal equipment.