PIV-D Credentials Are Not Up to the Zero Trust Challenge

Matt Topper

Let’s talk about why PIV-D credentials are not up to the zero trust challenge. Derived personal identity verification (PIV-D) credentials, a NIST-compliant method to protect government data on mobile devices, are critical as people increasingly use mobile devices for work. However, are PIV-D credentials the optimal zero trust security solution for identity management? That is a big no. PIV-D credentials face several challenges in the realm of zero trust security, and as someone who lives and breathes identity access management (IAM), I firmly believe IAM is the first step to successful zero trust implementation. Zero trust security is fundamentally an identity and access management problem.

The situation today…

In the old days, PIV credentials authenticated users through traditional devices, like desktops and laptops. A PIV card provided a common authentication method through integrated smart card readers.

Great. 

But fast forward a few years and mobile device use has exploded. Guess what? Mobile devices do not have integrated smart card readers. This complicates PIV credentialing and authentication.

Enter derived PIV credentialing, which authenticates individuals using mobile devices. Based on federal PIV standards, PIV-D enables two-factor authentication via mobile devices while meeting policy guidelines. It does this by leveraging identity proofing and vetting results of current and valid PIV credentials. 

The National Cybersecurity Center of Excellence (NCCoE) released a final version of the NIST Cybersecurity Practice Guide SP 1800-12 Derived Personal Identity Verification (PIV) Credentials on August 27, 2019. The Guide explores how to: 

  • Authenticate mobile device users via secure cryptographic authentication exchanges

  • Provide a feasible security platform based on Federal Digital Identity Guidelines

  • Use a public key infrastructure (PKI) with credentials derived from a PIV card

  • Support operations in PIV, PIV-Interoperable (PIV-I), and PIV-Compatible (PIV-C) environments

  • Issue PKI-based derived PIV credentials at authenticator assurance level (AAL) 2

  • Provide logical access to remote resources hosted either in a data center or the cloud

The Problem with Derived PIV Credentialing 

The traditional way of doing derived credentialing required a person to physically come into the office to get a laptop and a government-issued phone and link them together. Other challenges include:

  • PIV-D requires additional hardware and software if you’re using a smartcard—which is not practical for mobile device users.

  • There is always a threat of rogue applications compromising the secure area where the credentials are stored.

  • Creating and distributing credentials throughout an agency with thousands of users is costly.

  • The PIV doesn’t bind users to specific devices, which leaves a security hole that zero-trust architectures aim to fix.

NIST SP 1800-12 is now five years old—the world has evolved to a point where it is possible to get the same or better levels of security without deriving from the PIV directly. For example, there are now web standards for strong authentication built into every browser. 

And that makes life so much easier for the user. That is, if you’re using another form of authentication.

Perhaps one of the biggest challenges with PIV-D though is not with the technology itself, but how it is used for federal identity management. 

The federal government is finally focused on identity. The Executive Order on National Cybersecurity put identity squarely in the first steps for zero trust. It mandated that government agencies deploy multi-factor authentication (MFA) and data encryption. 

However, digital credentials are now often provisioned to non-GFE (government-furnished equipment) like a personal mobile device. If those devices are not being actively managed or patched, federal agencies run the risk of security breaches.

How do you manage them? Currently, employees must physically come to headquarters every 90 days to plug in the devices and link them to the network. 

That is not practical, which makes it a big problem. 

The Answer is Change

It’s time for some change. The fact is the perimeter is no longer the enterprise network firewall, but the identity of every person or device accessing corporate workloads and data.

There are other authenticators and other options that provide the government with stronger levels of assurance of the person behind the keyboard.

Exploring the next generation of derived credentials is the answer.

Imagine alternate authenticators with a particular focus on scalability and innovation. 

Imagine the identities of the user and their device(s) coupled tightly, regardless of how many devices the user has. The user has the PIV. But on the backend, there is a way for a device to assert its identity once the user has “registered” the device as theirs.

That would change everything. Identity Management would be the first layer of zero-trust, as it should be.

NIST 800-63-4 Digital Identity Guidelines are coming out in draft at the end of the year. Those standards have been in place but were never applied to PIV. This revision should accommodate innovative authenticators while maintaining HSPD-12 security and interoperability goals and encourage stronger, centralized identity management. Hopefully that means PIV-D will be able to die as we move into the next generation of IAM.

About UberEther

UberEther is a leading technology integrator dedicated to innovating solutions for government clients. Based in Sterling, VA, we specialize in transforming security and access control needs into strategic advantages. Our accolades include numerous awards and recognitions, and we have achieved FedRAMP High + DoD IL5 Authority to Operate (ATO) for our Integrated Managed Identity Platform. Learn more about our cutting-edge solutions at uberether.com.