Identity and access management (IAM) is the first layer for any viable zero-trust strategy, as it should be. The NIST 800-63-4 Digital Identity Guidelines revision coming out in draft at the end of the year should accommodate innovative authenticators while maintaining HSPD-12 security and interoperability goals, and it should encourage stronger, centralized identity management.
Hopefully, that means PIV-D will finally be able to die as we move into the next generation of IAM. Apparently, that’s what it will take. The fact is that the technology to move to the next generation of IAM is already in place. But the government is clinging to PIV-D.
We have stronger levels of assurance based on current technology, so why is user authentication lagging behind when the way forward is clear?
[Controversial opinion alert] Because people are scared.
Nobody wants to be the person who says, “Make the switch,” and then something bad happens, and they get fired.
I believe the only reason the PIV industry has lived as long as it has is because people who sit on Capitol Hill are screaming fear, uncertainty, and doubt all the time. [end of controversial opinion]
The fact is, moving to any new technology has a risk. Absolutely. But when you bring in the smartest people to work through all the controls and all the problems, you can get through the risk and move forward.
And we must. We cannot rely on our past right now if we want to secure our future.
Imagine having to use a 20-year-old computer to do your work every day. Or you had to use an old flip phone in the field. If you walk into a meeting with a Blackberry today, people will laugh you out of the room.
That’s where PIV-D is for authentication today.
With every other technological advance, we figured out how to evolve and do better.
The Way Forward with User Authentication
The way forward is a world of dynamic trust based on the situation and risk of the data that is being accessed.
I want to share an example, so I’m calling out DHS here, although this applies to any agency.
It’s perfectly fine for anyone to see the lunch menu at DHS headquarters. Who cares, right? Sure, you can get into a discussion about the possibility that someone will see chicken nuggets every Tuesday and decide to poison the Tyson’s chicken nugget pipeline and kill everybody.
Well, guess what? They can sit in front of your building, watch the Tyson truck pull up every other week, and go from there. So stop using that type of scenario as an excuse to use outdated, over-burdensome technology.
With everybody working from home and the speed at which people change mobile and laptop devices, the traditional PIV-based, corporate-delivered model is broken. To replace it, we need to build dynamic trust in both the person and the devices they’re using.
That dynamic trust starts with an authenticator and a validation of who or what is behind the keyboard.
Today, the authentication process typically begins with the user physically taking their passport or photo ID to headquarters to prove who they are.
There’s no reason we can’t do that virtually today.
On top of that, we can add additional factors through dynamic identity proofing that allow people to register their own credentials from anywhere in the world. This identity proofing is just as strong as a PIV authenticator.
Once we have that high level of assurance of who the person is, they can walk into any Best Buy or Amazon and get a key that is just as strong as PIV-D and only costs $35. Instead, we currently spend thousands flying people all over the world to authenticate their devices. And when a device dies, they’ve got to wait three weeks to get another appointment to fly out and get a new device.
This is not efficient or practical.
The technology and standards are here; the WebAuthn and FIDO2 profiles are easier to integrate than anything we’ve ever tried to do with PIV. Let’s use them.
From there, we build trust in the person and apply contextual security patterns based on where they’re coming from, the time of day, etc. Then we layer on device-level security—if they want to get to their email, we need to know that the token they’re using is theirs. We don’t care what device it comes from.
Does that person want to read some encrypted mail? Then the device needs to be one with which we have some level of trust. Maybe that means we put a cert on the device. Maybe that means it’s got to be a government-issued device.
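The following is an added illustration of the tiered, risk-based model described above (public data needs nothing, email needs a user-verified FIDO2 token from any device, encrypted mail needs a device we trust, and an unusual location or time of day raises the bar). It is not code from the original post or from UberEther. The relying-party ID, the expected-country list, the working-hours window, and the three device-trust levels are assumptions chosen for the example; the authenticatorData layout and the UP/UV flag bits follow the WebAuthn specification.

```python
import hashlib
from dataclasses import dataclass
from enum import IntEnum

# WebAuthn authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4] | ...
FLAG_UP = 0x01  # user present (touched the key)
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the authenticator)


def parse_auth_data(auth_data: bytes, rp_id: str):
    """Return (user_present, user_verified, sign_count) after checking the RP ID hash.

    A relying party also compares sign_count with the last value it stored for this
    credential; a counter that does not increase suggests a cloned authenticator.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    flags = auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    return bool(flags & FLAG_UP), bool(flags & FLAG_UV), sign_count


def constructed_assertion(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a minimal authenticatorData blob (constructed sample input, not a real assertion)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


class Sensitivity(IntEnum):
    PUBLIC = 0     # e.g. the cafeteria menu
    INTERNAL = 1   # e.g. ordinary email
    SENSITIVE = 2  # e.g. encrypted mail


class DeviceTrust(IntEnum):
    UNKNOWN = 0    # any device; nothing is known about it
    ENROLLED = 1   # device carries an agency-issued certificate (assumed tier)
    MANAGED = 2    # government-issued and managed device (assumed tier)


@dataclass(frozen=True)
class AuthContext:
    user_verified: bool        # UV flag from the FIDO2 assertion
    device_trust: DeviceTrust
    country: str               # from geolocation of the request
    hour: int                  # local hour of day, 0-23


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


EXPECTED_COUNTRIES = {"US"}   # assumption for the example
WORK_HOURS = range(6, 22)     # assumption for the example


def context_is_unusual(ctx: AuthContext) -> bool:
    """Location or time of day outside the user's normal pattern."""
    return ctx.country not in EXPECTED_COUNTRIES or ctx.hour not in WORK_HOURS


def evaluate(sensitivity: Sensitivity, ctx: AuthContext) -> Decision:
    """Decide access from data sensitivity, the authenticator result, device trust and context."""
    if sensitivity == Sensitivity.PUBLIC:
        return Decision(True, "public data: no authentication required")
    if not ctx.user_verified:
        return Decision(False, "user-verified FIDO2 assertion required")
    if sensitivity == Sensitivity.INTERNAL:
        # The token proves the person; the device only matters when the context looks off.
        if context_is_unusual(ctx) and ctx.device_trust < DeviceTrust.ENROLLED:
            return Decision(False, "unusual location/time: enrolled device required")
        return Decision(True, "user verified; any device accepted")
    # SENSITIVE: the device itself must be trusted, more so when the context is unusual.
    needed = DeviceTrust.MANAGED if context_is_unusual(ctx) else DeviceTrust.ENROLLED
    if ctx.device_trust < needed:
        return Decision(False, f"sensitive data requires a {needed.name.lower()} device")
    return Decision(True, f"user verified on a {ctx.device_trust.name.lower()} device")


def demo():
    rp = "mail.agency.example"  # hypothetical relying party ID
    _, uv, _ = parse_auth_data(constructed_assertion(rp, FLAG_UP | FLAG_UV, 7), rp)
    ctx = AuthContext(user_verified=uv, device_trust=DeviceTrust.UNKNOWN, country="US", hour=10)
    return {s.name: evaluate(s, ctx) for s in Sensitivity}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10s} allow={decision.allow}  ({decision.reason})")
```

Running it shows the same person, with the same $35 key on an unknown device, reaching the menu and their email but being stopped at encrypted mail until the device is enrolled; moving the request to an unexpected country or hour raises the required device tier one step instead of denying everything.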
But this “it’s all or nothing” today doesn’t work. And it’s preventing the government from being able to move forward with the brightest and best people at one of the most challenging times for cybersecurity we’ve ever seen.
True Story: How outdated authentication hurts the cybersecurity industry
We know cybersecurity professionals are scarce. Finding the best and brightest to work with the government is even more challenging because the government makes it hard for people who don’t live near that government agency’s locations to work with them.
UberEther has an office in Michigan because that’s where I live. In a world where I can set up my company anywhere, I choose Detroit. That means that every time a new employee is going to work with DHS, we put that person on a plane to DC to get a card and a laptop. Every 90 days, they have to plug in their laptop and their card together on a DHS network—which means flying them back to DC.
I’m spending $2,000 a quarter to do that, and there is no reason. I’m crazy, though, so I do it. But many sane organizations won’t spend that kind of money (especially if they authenticate more employees than I do).
If we could remove that barrier to doing business, we’d open the doors to the entire country and pull from talented cybersecurity people in the middle of Iowa, for example. We could be putting some of the brightest and best people in the world on government cybersecurity. But right now, those people have to leave their families or uproot their families to move closer to a government facility, and they don’t want to. And they don’t have to. They have plenty of employment opportunities.
The point is, if the government doesn’t grow up and evolve, it will continue repeating the same patterns in the same echo chambers with the same consulting companies selling the same solutions that have yet to work. The government needs to be more flexible, up, down, left, right, and all over, to get past the cyber problem we have today.
The fix
The fix is using next-generation identity and access management technologies and taking a true look at the risk of the transactions and the data people are going after, rather than setting the bar at the ultimate high no matter what you’re trying to do.
And it’s easy. That’s the best part. It’s all a matter of letting PIV-D die.
About UberEther
UberEther is a leading technology integrator dedicated to innovating solutions for government clients. Based in Sterling, VA, we specialize in transforming security and access control needs into strategic advantages. Our accolades include numerous awards and recognitions, and we have achieved FedRAMP High Authority to Operate (ATO) for our Integrated Managed Identity Platform. Learn more about our cutting-edge solutions at uberether.com.