The key to securing mobile assets within DOD
- By Jeff Scott
- Mar 14, 2014
In the rapidly changing mobile environment of Defense Department security, agency executives are challenged as never before by two stark realities. First, in an ecosystem increasingly shaped by the “bring your own device” trend, they need to enable civilians and warfighters to use mobile devices. Second, they must make sure that they are able to provide a level of security for mobile devices that matches the level found on the desktop.
Advantages of multilayer authentication
When it comes to minimizing the authentication risks of mobile devices in DOD civilian and military environments, the most effective remedy would be an “anywhere, anytime” multilayer authentication capability. But hardware and software developers must also provide interoperability so that these applications work together rather than as isolated point solutions.
What do we mean by “multilayer” user authentication? Basically, it combines more than one independent factor: what you know (password or PIN), what you have (ID card or token) and what you are (biometrics). The more independent factors, the stronger the authentication; two factors only count as two if compromising one does not hand an attacker the other.
Passwords alone are inadequate because they are so easily compromised: guessed, phished, reused or stolen in bulk. Combining a password or PIN with an ID card or token is generally considered strong, and biometrics such as fingerprints add a factor that cannot be shared, written down or forgotten. Biometric matching is probabilistic, however, with false-accept and false-reject rates, and fingerprints can be spoofed, so biometrics complement the other two factors rather than serving as absolute proof on their own.
Today the best way to secure a mobile environment is through a mobile ecosystem that utilizes currently existing smart card infrastructure around the Common Access Card (CAC) and Personal Identity Verification (PIV) card. Tomorrow, we should look to the future of mobile security and the integration of biometrics, near-field communications (NFC), derived credentials and their integration within the existing infrastructure.
Building an effective DOD mobile security infrastructure
The evolution of DOD’s mobile security infrastructure took a giant leap forward on July 1, 2013, when the Defense Information Systems Agency awarded a contract to develop its mobile device management (MDM) system. According to a DISA news release, the establishment of the MDM system “sets the stage for the digital ecosystem that will operate and assure the mobile devices that connect with DOD networks. [MDM] is the next major step forward in DOD’s process for building a multivendor environment, supporting a diverse selection of devices and operating systems.”
What will the new DOD multilayer authentication ecosystem look like? Let’s take a look at what we have today in the different DOD environments in which people are using mobile devices, and then look ahead to what’s coming in the future.
Currently, DOD uses CACs for login to desktop environments, with the cardholder’s PIN unlocking the private key on the smart card. Even though fingerprint templates are stored on most CACs today, they are rarely used for any type of authentication. At present, the use of smart cards in mobile environments is in either proof-of-concept or pilot phases. With a growing ecosystem of solutions ready for deployment in the first quarter of 2014, however, the DOD mobile environment will be able to take advantage of the existing CAC infrastructure to secure everyday mobile use through stand-alone applications, MDM/MAM infrastructure and CAC readers.
For warfighters in the field, CACs or other smart cards may not always be ideal. In tactical situations where using a CAC is not possible, a derived credential, that is, a separate key and certificate provisioned to the mobile device on the strength of the user’s CAC, would let the warfighter authenticate to the device and then to email or a virtual private network via a PIN and credential check. Derived credentials would serve lower-security functions. Where a CAC is present in a card reader, it could be used for higher-security functions such as S/MIME and authentication at higher classification levels. For example, a derived credential would work for reading general email, but sending encrypted mail or decrypting information arriving on the mobile device may require stronger authentication, such as a CAC-present check, for a card-present two-factor session.
NFC could also be a proof-of-concept use case where the warfighter needs only limited access and has a CAC available to present to the device for authentication. Authentication through NFC would need to be scoped to specific data and to a bounded period during which the authentication remains valid.
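The tiering described in the two paragraphs above, as an added example in Go that is not from the article and models no actual DOD system: a toy identity CA issues a CAC-class and a derived-class certificate to the same person, the holder proves possession of the private key by signing a relying party’s challenge, and the relying party decides per operation what each credential unlocks. A short certificate validity window stands in for the time-bounded access the NFC case calls for. The credential kind carried in the OU, the operation names, the subject name and the challenge are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Credential kinds, tagged in the certificate OU (an assumption of this
// example; a real deployment would key this off a certificate policy OID).
const (
	KindDerived = "Derived" // key in the phone's key store, unlocked by a PIN
	KindCAC     = "CAC"     // key on the card itself, used through a reader
)

// Assurance rank of each kind, and the rank each hypothetical operation needs.
// A CAC satisfies everything a derived credential does, not the reverse.
var rank = map[string]int{KindDerived: 1, KindCAC: 2}
var required = map[string]int{"read-mail": 1, "vpn": 1, "smime-sign": 2, "smime-decrypt": 2}

// Issuer is the identity CA and also the relying party's trust anchor.
type Issuer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
	pool *x509.CertPool
}

// newCert generates a P-256 key and a certificate for it; parent == nil self-signs.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128-bit random serial
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func NewIssuer() (*Issuer, error) {
	key, cert, err := newCert(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Example ID CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Issuer{key: key, cert: cert, pool: pool}, nil
}

// Issue creates a credential of the given kind; give derived credentials a short ttl.
func (i *Issuer) Issue(subject, kind string, ttl time.Duration) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: subject, OrganizationalUnit: []string{kind}},
		NotBefore:   time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, i.cert, i.key)
}

// Sign answers the relying party's challenge; the PIN that unlocks the key never leaves the card or phone.
func Sign(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authorize: chain to the anchor, validity at now, proof of possession, then the tier rule.
func (i *Issuer) Authorize(cert *x509.Certificate, challenge, sig []byte, op string, now time.Time) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: i.pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("challenge signature does not verify")
	}
	kind := append(cert.Subject.OrganizationalUnit, "")[0] // first OU, or "" if none
	if need := required[op]; need == 0 || rank[kind] < need {
		return fmt.Errorf("%q denied for %q credential", op, kind)
	}
	return nil
}
```

The relying party must generate a fresh random challenge per session so a captured signature cannot be replayed, and an unknown operation is denied rather than defaulting to the lowest tier. Revocation checking, which a production verifier would also perform, is left out here.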
Whether NFC and derived credentials can live together is yet to be determined. To make them a reality, both technologies need more study and development before they can become operational under policy. Today we have CAC smart card readers for most mobile platforms that allow you to operate as if you were at your secure desktop while continuing to use your federally issued smart card. Using the smart card increases the return on the investment already made in the card without incurring more back-end infrastructure cost.
In the long run, interoperability will be the key to the development of a successful DOD multilayer authentication infrastructure.
The technology available today works and should be expanded on. We have smart cards, mobile card readers that allow users to keep their CACs present on mobile devices at all times, and biometrics on our smart cards. The scalable solutions are there and will continue to evolve to cover a wide range of environments and use cases. Whatever ecosystem DOD decides to deploy, interoperability will be needed across that deployment to ensure that CAC/PIV cards, biometrics, NFC and derived credentials all work together.
If we want to achieve “anytime, anywhere” objectives, we need to implement what we have available today, then add to existing systems as new and proven technologies emerge, are vetted and added to policy.
Jeff Scott is vice president of North American Sales at Precise Biometrics.