Access control: Feds search for scalable solution

Verifying an identity to allow access to online resources really isn’t that hard. There are many ways of doing it. Passwords, biometrics, digital certificates and tokens all provide levels of identity assurance.

But that's the problem. Scaling multiple tools and making them work together to meet the growing and complex demands for identity management and access control remain a challenge for most enterprises.

“The number of applications [requiring authentication] is growing rapidly,” said Steve Shoaff, chief executive officer of UnboundID, which enables access controls for large-scale service providers. “There are also more users and more types of devices accessing them. No one can anticipate what application is going to take off next.”

Related stories:

Need to crack someone else's password?

Will digital certificates replace passwords?

‘Identity ecosystem' to replace passwords, draft strategy suggests

Our picks for the best password strategies

The situation is complicated by the varying levels of authentication. Some applications require only a minimum level, with little or no personal information. More sensitive applications, such as financial transactions, require more rigorous authentication that is closely tied to a person’s identity. That creates a difficult problem: providing a single system that can use a single set of credentials for the full range of authentication while preserving privacy — and doing all that on a large scale.

The Obama administration wants to enable that kind of large-scale authentication with its National Strategy for Trusted Identities in Cyberspace. The strategy, a draft of which was released last month for public review, is one of the near-term priorities identified in the 2009 Cyberspace Policy Review. The review called on government to “build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.” It is expected to be finalized this year.

The strategy was developed by an interagency working group to enable a framework for strong authentication. The goal was an ID ecosystem that spanned policy and technology, said Ely Kahn, cybersecurity policy director of the White House national security staff.

White House Cybersecurity Coordinator Howard Schmidt said the strategy would be a voluntary effort that requires the cooperation of the private sector in designing, building and maintaining the needed infrastructure and tools. “This strategy cannot exist in isolation,” he said.

The strategy, while not specifying technologies, sets four primary goals.

• Develop a comprehensive identity ecosystem framework.
• Build and implement an interoperable infrastructure aligned with that framework.
• Build confidence in the system.
• Ensure long-term success.

The strategy will be a foundation for laws, policies and programs that will build on existing efforts, such as Homeland Security Presidential Directive 12, which mandated the creation of an interoperable government ID credential. The resulting scheme will need to enable the appropriate level of security for multiple types of access while being interoperable and supporting federation schemes that allow the systems to scale with increasing demand.

The final standard is likely to build on work already done through the government’s federated public-key infrastructure program, which enables trusted partners with compatible policies to share authentication of digital certificates that other organizations issue. Federation expands the use of any scheme and removes the burden of a single organization needing to issue and manage certificates for an entire population of users.

Whatever framework they are based on, authentication systems need to support controls for access from outside a network in addition to access by insiders who might have privileged or administrative rights to a system.

Dealing with that environment means decoupling identity management and authentication from the application so that multiple applications can use the same interface and tools across and between enterprises. But the industry is in a state of flux, and buyers are still focusing on targeted solutions for identity management and access control rather than building enterprisewide systems from a single vendor, said Jackson Shaw, director of product management at Quest Software.

“Most customers are focusing on point solutions” because they are afraid of committing to a system that might not be supported in the long term, Shaw said. “I think customers are fed up with being locked into products” and would like to see more standardized commodities for authentication and access control. “But there has not been enough. It’s an emerging area.”

Creating a single, voluntary and interoperable infrastructure that will support multiple technologies will be a challenge. But some components already are in place in government, said Josh Shaul, vice president of product marketing at Application Security.

“Government is ahead of the curve, because they have very specific standards laid out" by the National Institute of Standards and Technology and Defense Information Systems Agency, Shaul said. “With this guidance, they have a plan to execute on. Industry still is struggling with plans and prescriptive guidance.”

However, having the guidance and technology in place does not guarantee an effective, large-scale interoperable infrastructure to support them. The government has rigorously authenticated identity and provided electronic ID cards that contain biometric data, digital certificates and cryptographic keys to millions of civilian and military personnel. But personnel are still using most of those cards in the same way they used old ID cards: Holders flash the photo ID to a guard at the door when entering a facility.

Although technology exists to use the cards to ensure a high level of identity assurance for physical and logical access, those tools, such as smart-card chip readers, often aren't in place.

The challenge is greater for agencies such as the Homeland Security Department, which is in the process of folding 24 data centers from its component agencies into two centers.

“They sit in the cloud now,” said a security analyst at DHS' IT Services Office, who spoke on the condition of anonymity. “I call the DHS data centers the field of dreams — build it and they will come.”

It is built — the two new data centers recently went into operation — and now they are coming. In some ways, assuring the security of those centers is simpler in a consolidated environment because there is a limited number of data centers to protect. The new data centers' policy enforcement tools provide access management controls to ensure that data can be secured at the appropriate level. So DHS doesn't need to default to the highest common denominator when placing security controls on data, making it easier to provide access to the appropriate personnel from different agencies.

But for trusted insiders, such as administrators with administrative rights, the consolidation makes security more problematic.

“They have the keys to the castle,” the analyst said. Having several dozen keys makes defending a single castle more difficult. “For the most part, the folks who control the data center consolidation need to provide the same level of security as with stand-alone centers.”

The trusted insiders might be trusted, but they are not infallible. If an administrator makes a change to one firewall, it could open holes elsewhere, exposing what could otherwise be a minor vulnerability to an exploit. So DHS must not only control the access of those administrators in the data centers but also be able to monitor and track activities.

Privileged Access

That level of access control is available with Xceedium GateKeeper, which can regulate privileged insiders.

“It is deployed as an access control gateway that can create virtual network segments on the fly to contain users to specific resources,” said Dave Olander, Xceedium’s senior vice president of engineering

When administrators access a system, the Secure Sockets Layer virtual private network connection routes them to the hardened appliance, which allows access to the proper network segment after authentication. Along with access control, GateKeeper also restricts each user once inside and monitors and records their activity. The system operates with a lightweight agent that can enforce policy on each protected server. GateKeeper can enforce white- and black-list policies for applications and activities, producing a record of those activities to help detect and remedy mistakes or malicious acts.

DHS uses a white-list approach to specify only those actions that are allowed because “you can’t control all of the bad things,” and it is easier to specify the things that are allowed, the analyst said.

The network segments prevent users from moving from one device or virtual machine to another once inside the data center, Olander said.

The tool’s original use was for managing remote access, primarily in the financial industry, he said. It evolved for controlling privileged access and supports a variety of authentication techniques, including directories, local authentication databases, PKI and smart cards, and Radius servers.

The federal government comprises about 65 percent of Xceedium’s market. The DHS analyst said GateKeeper's purpose is not so much to prevent malicious activity — although it does that — but to watch for errors and correct unintended consequences. “It’s a great tool for lessons learned,” he said. “It’s a great tool for configuration control.”

The toughest part of access control isn’t finding the technology to enforce it but developing and maintaining the policies to be enforced, he said. Each user account can have multiple roles, with a specific set of access privileges for each role. Matching the privileges to roles and the roles to an account is a huge undertaking, he said. “That’s why we’re approaching it from the enterprise. It’s constantly changing.”

Public Access

Securing assets from trusted insiders is one side of the challenge to identity and access management. The other is scaling technology to support large-scale authentication and authorization for public access. UnboundID is targeting large enterprises and service providers, such as those that offer cloud infrastructure, with tools to scale and speed directory services.

The tool provides database functionality for directories and can replace or work with existing directories. It works with multiple types of authentication, supporting user names, passwords and digital certificates. Hardware tokens require an additional application.

The key to making that tool or any other access management scheme work on a large scale is federation, UnboundID’s Shoaff said. “It’s unrealistic to assume that everyone is going to agree on a common data standard or infrastructure, so strong federation capabilities are needed.”

Equifax is moving into the government market this year with a tool to make identity proofing, the front end of the identity management process, more effective.

“The lion’s share of the business we do today is being a credit bureau,” said Frank Blaul, vice president of Equifax Government Solutions. The company maintains records on more than 500 million consumer accounts and employment records at 81 million businesses. But during the past three years, it has invested $1.6 billion in acquiring data analysis technologies to make more use of this data.

Knowledge-Based Authentication

Equifax already provides business risk analysis for government by profiling companies and principals doing business with the government. It now plans to provide electronic authentication to the government through knowledge-based authentication. That technique would use statistical modeling with personal information in databases not generally available to the public. By asking a series of questions of the user, it can provide a strong assumption of identity online.

“We have the ability to deliver identity proofing to the widest possible population in the United States,” said Ron Carpinella, vice president of identity management at Equifax Government Solutions.

Equifax has started pushing knowledge-based authentication this year, offering it as a hosted service or software. It can substitute for in-person identity proofing when electronic credentials are being issued and can provide an additional authentication factor during a transaction.

The scheme should provide an adequate level of security for most online activities and, if widely adopted, could provide an easy source of trusted credentials for much of the population, Carpinella said. “The federal government is not going to issue 300 million chip cards,” he said.

Equifax is in talks with the National Institutes of Health, which would be the first agency to use its knowledge-based authentication. Researchers would use it to access NIH program information.
 
In identity management and access control, as in any other area of security, there will be no silver bullet, despite efforts to create a scalable, interoperable infrastructure.

“One tool will never be the be-all and end-all,” the DHS security analyst said. “It’s a layered defense,” and security tools and requirements will change.

“It’s a journey, not a destination,” said Steve Lawrence, vice president of federal service at Quest Software’s public-sector subsidiary. “There is no set definition.”

Editor's note: This story was updated July 12.