1. Executive Summary
The Department of Defense (DoD) operates in a high-stakes environment where the security, efficiency, and reliability of its operations are paramount. Central to these operations is the Identity Hub, which manages identities across various networks, including coalition and mission-critical environments. As the DoD evaluates identity vendors, it is essential to scrutinize their features and functionality deeply. This whitepaper examines the critical aspects of selecting an identity solution, emphasizing the importance of confidentiality, integrity, and availability (CIA) in scenarios where lives are on the line. By comparing leading vendors such as Ping Identity, Okta, and Microsoft, this paper provides a detailed analysis to guide the DoD in making an informed, strategic decision.
2. Introduction
Importance of Identity Hub Design in the DoD
The Identity Hub is more than just a technological infrastructure; it is the foundation upon which secure and efficient operations are built across the DoD’s vast and diverse networks. The DoD’s global reach, including operations with coalition partners and in mission-critical scenarios, demands an Identity Hub that is robust, scalable, and resilient. Any failure within this system can compromise national security, disrupt operations, and put lives at risk.
Overview of DoD Requirements for Identity and Access Management (IAM)
The DoD’s IAM requirements extend beyond those of typical organizations. They must support a wide range of environments, from highly connected cloud infrastructures to disconnected, intermittent, and low-bandwidth (DDIL) tactical settings. This necessitates a solution that is not only secure and compliant with DoD Impact Level 5 (IL5) standards but also adaptable to various operational scenarios. The IAM system must seamlessly integrate with existing DoD systems, ensure data integrity, and provide consistent, uninterrupted access to critical resources.
3. Criticality, Integrity, and Availability: The Core Tenets
Definition and Importance in DoD Operations
In the DoD, the CIA triad—Confidentiality, Integrity, and Availability—is not merely a guideline but a critical operational requirement. Confidentiality ensures that sensitive information remains accessible only to authorized individuals, preventing data breaches that could compromise national security. Integrity guarantees that the information is accurate, trustworthy, and unaltered, which is vital for decision-making processes in high-stakes environments. Availability ensures that this information is accessible whenever needed, particularly during critical operations. Failure to maintain any aspect of the CIA triad could result in mission failure, loss of life, and compromised national security.
Real-World Implications for Coalition and Mission Partners
In coalition environments, where the DoD collaborates with international partners, maintaining the CIA triad becomes even more challenging. The IAM solution must support secure, reliable access across diverse networks, ensuring that all partners can collaborate effectively without compromising security. For example, the need for high integrity is paramount when authorizing the sharing of mission-critical data between coalition partners. Any alteration or inaccuracy in the data could lead to incorrect decisions with potentially disastrous consequences. Availability is equally crucial, as downtime or delayed access to information can hinder operations and coordination among partners.
4. In-Depth Vendor Evaluation
Need for Rigorous Assessment
Given the critical nature of the Identity Hub, selecting an identity vendor cannot be based on marketing materials or high-level feature comparisons. A thorough, rigorous assessment is required to examine the vendor’s ability to meet the DoD’s stringent data persistence and integrity requirements in detail. This includes evaluating the vendor’s compliance with DoD Impact Level 5 (IL5) and National Security Systems (NSS) standards, ability to maintain high levels of CIA, and support for complex federation scenarios. The assessment must also consider the vendor’s ability to scale their solutions to meet the DoD’s evolving needs, including the ability to operate in DDIL environments.
Key Criteria for Selection
- Certification and Compliance: Certification to operate within DoD IL5 environments is non-negotiable for any vendor under consideration. Vendors like Ping Identity, certified for high confidentiality and integrity operations, are more suited for the DoD’s needs than vendors like Okta, which only meet moderate criticality and integrity standards. The chosen solution must be certified to handle National Security Systems (NSS) and Personally Identifiable Information (PII) at the highest levels, ensuring that the solution can securely manage the most sensitive data.
- Confidentiality, Integrity, and Availability: The selected vendor must demonstrate their capability to maintain the highest confidentiality, integrity, and availability levels across all scenarios. This includes their ability to prevent unauthorized access, ensure data integrity, and maintain service availability, even in adverse conditions such as cyber-attacks or network disruptions. For instance, Ping Identity’s architecture ensures that sensitive data is not stored or persisted unnecessarily, reducing the risk of data breaches.
- Federation Capabilities: In a DoD environment where multiple partners and systems must integrate, federation capabilities are critical. Ping Identity’s ability to act as a federation hub without storing or persisting user data provides a significant security advantage. Okta, by contrast, requires user data to be stored in its Universal Directory, introducing potential vulnerabilities. The federation solution must also support dynamic policy evaluation and separation of duties across organizations, ensuring that access controls can adapt to the complex and changing needs of DoD operations.
- Open Standards and Vendor Lock-in: The DoD must avoid vendor lock-in to ensure that its IAM system can integrate with a wide range of tools and technologies, both current and future. Vendors that adhere to open standards and demonstrate a commitment to interoperability with other systems provide the flexibility to adapt to evolving mission requirements. Ping Identity’s adherence to open standards ensures that the DoD can maintain control over its identity infrastructure, even as technologies and requirements change.
5. Vendor Comparisons
Case Studies: Ping Identity vs. Okta vs. Microsoft
To illustrate the importance of thorough vendor evaluation, this section compares Ping Identity, Okta, and Microsoft, focusing on their suitability for the DoD’s Identity Hub.
Detailed Analysis of Capabilities
- Confidentiality and Integrity: Ping Identity stands out with its certification for high confidentiality and high integrity operations, making it particularly well-suited for handling the most sensitive DoD data. Okta’s solution, certified for moderate criticality and integrity, may be insufficient for scenarios with the highest data protection levels. While a significant player in the identity space, Microsoft has acknowledged limitations in fully supporting pass-through capabilities without integration with Ping Federate, which could complicate deployment and integration efforts.
- Federation Hub Design: Ping Identity’s ability to operate as a federation hub without storing or persisting user data is a significant advantage, particularly in scenarios involving coalition partners. This pass-through federation ensures that user data remains secure and no unnecessary data is stored, reducing the risk of breaches. Okta’s requirement for user data to be stored in its Universal Directory poses a security risk, as it introduces additional data storage points that could be vulnerable to attack. Microsoft’s approach, which often requires integration with additional Ping products to achieve similar functionality, may introduce complexity and additional points of failure.
- Coalition and Mission Partner Support: Ping Identity’s commitment to open standards and interoperability ensures that coalition partners using different identity solutions can integrate seamlessly without losing functionality. Ping is the only vendor that can enforce the advanced SAML proxy and OpenID Connect Federation profiles required to securely chain the identities of the identity providers and service providers across the federation utilizing standard, non-proprietary interfaces. This flexibility is crucial for the DoD, as it cannot mandate that all coalition partners use the same identity vendor. Okta and Microsoft, by contrast, may require all partners to use their respective solutions, leading to interoperability issues and increased complexity in coalition environments.
- Separation of Duties and Attribute Searching: Ping Identity’s ability to search multiple directories for user attributes, manage policies internally through OGNL (Object-Graph Navigation Language) and XACML (eXtensible Access Control Markup Language), and ensure separation of duties (SoD) without storing or syncing these attributes offers a flexible and secure approach. Utilizing standards-based policy languages greatly simplifies policy reuse and certifications across the DoD. Okta’s reliance on storing all attributes in its Universal Directory and its limitations on SAML (Security Assertion Markup Language) assertions may restrict its effectiveness in dynamic, cross-organization scenarios. This is especially important in DoD operations, where policies and access controls must adapt quickly to changing mission needs.
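The attribute-resolution and separation-of-duties behaviour described in the list above, as an added example that is not Ping Identity’s, Okta’s or the DoD’s code: a small policy decision point that pulls a user’s attributes from several directories at request time, evaluates a separation-of-duties rule, and retains nothing between decisions. The two directories, the users, the roles and the clearance values are constructed for the example; a deployment would query LDAP or SCIM endpoints, and the real policy languages named in the text (OGNL, XACML) are not modelled here.

```python
# Added example: attribute-based policy decision with a separation-of-duties
# rule, resolving attributes from several directories at decision time.
# Not vendor code; directories and users below are constructed stand-ins.
from dataclasses import dataclass

# Constructed directory contents keyed by user. A real deployment would query
# each directory (LDAP, SCIM, ...) here instead of reading a dict.
DOD_DIRECTORY = {
    "alice": {"clearance": "secret", "org": "us-dod", "roles": {"requester"}},
    "bob": {"clearance": "secret", "org": "us-dod", "roles": {"approver"}},
}
COALITION_DIRECTORY = {
    "alice": {"roles": {"approver"}},  # alice also holds a partner-side role
    "carol": {"clearance": "secret", "org": "partner-a", "roles": {"approver"}},
}


def resolve_attributes(user, sources):
    """Merge one user's attributes from each source at decision time.

    Set-valued attributes (roles) are unioned across sources; scalar
    attributes come from the first source that defines them. The merged
    view lives only for the duration of the decision.
    """
    merged = {}
    for src in sources:
        for key, value in src.get(user, {}).items():
            if isinstance(value, set):
                merged.setdefault(key, set()).update(value)
            else:
                merged.setdefault(key, value)
    return merged


@dataclass(frozen=True)
class Request:
    user: str        # subject asking for the action
    action: str      # "request" or "approve"
    resource: str    # constructed resource name
    requester: str   # who originally requested the resource (for SoD)


def decide(req, sources, required_clearance="secret"):
    """Return (decision, reason). Attributes are looked up, used, and dropped."""
    attrs = resolve_attributes(req.user, sources)
    if attrs.get("clearance") != required_clearance:
        return "Deny", "clearance"
    roles = attrs.get("roles", set())
    if req.action == "request":
        return ("Permit", "ok") if "requester" in roles else ("Deny", "role")
    if req.action == "approve":
        if "approver" not in roles:
            return "Deny", "role"
        # Separation of duties: nobody approves their own request, even when
        # a second directory grants them the approver role.
        if req.requester == req.user:
            return "Deny", "separation-of-duties"
        return "Permit", "ok"
    return "Deny", "unknown action"


def demo():
    """Run the policy over a few constructed requests."""
    sources = [DOD_DIRECTORY, COALITION_DIRECTORY]
    return {
        "alice_requests": decide(Request("alice", "request", "doc-1", "alice"), sources),
        "alice_self_approves": decide(Request("alice", "approve", "doc-1", "alice"), sources),
        "bob_approves": decide(Request("bob", "approve", "doc-1", "alice"), sources),
        "bob_requests": decide(Request("bob", "request", "doc-2", "bob"), sources),
        "carol_approves": decide(Request("carol", "approve", "doc-1", "alice"), sources),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the design is that `resolve_attributes` returns a view that is consumed by `decide` and discarded; no copy of the partner directory’s attributes survives the decision, which is the property the text attributes to a pass-through hub.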
6. Importance of a Private Tenant Design
Dedicated Single-Tenant vs. Multi-Tenant SaaS
For the DoD, choosing between a dedicated single-tenant environment and a multi-tenant SaaS environment has far-reaching implications for security, scalability, and control. Ping Identity’s private tenant design offers maximum security by ensuring that the DoD’s data is completely isolated from other customers. This isolation extends to infrastructure, virtual servers, and encryption keys, ensuring no other tenants or vendor administrators can access or interfere with the DoD’s data. Multi-tenant SaaS environments, such as those offered by some vendors, may share infrastructure and other resources, introducing potential vulnerabilities and complicating compliance with DoD security standards.
Implications for Security, Scalability, and Control
A private tenant design offers the DoD complete control over its IAM environment, including using its encryption keys for all data within the tenant. This level of control is essential for meeting the stringent security requirements of DoD operations, particularly in scenarios where coalition partners are involved and data sovereignty must be maintained. Additionally, a private tenant environment can be scaled according to the specific needs of the DoD without the unpredictability or cost fluctuations that may occur in a multi-tenant SaaS environment during periods of increased user activity. Ping Identity’s approach, which provides a consistent set of binaries and configurations across all environments, ensures that the DoD can maintain a uniform security posture across different deployment scenarios, whether on-premises, in the cloud, or disconnected environments.
7. Coalition and Mission Partner Considerations
Data Sovereignty and Auditability
In coalition operations, where the DoD works closely with international partners, ensuring that foreign user data is not stored in U.S. systems is crucial, as this could lead to compliance and sovereignty issues. The IAM system must provide robust audit capabilities to track where data is stored and ensure that it complies with each participating country’s legal and regulatory requirements. Ping Identity’s solution allows coalition partners to authenticate and operate without persisting their data in a U.S. system. This addresses a critical concern for countries like Australia, which have strict requirements regarding the storage and auditability of their citizens’ data.
Avoiding Foreign Data Storage in U.S. Systems
The ability to avoid storing foreign data in U.S. systems is particularly important in coalition environments, where data sovereignty is a significant concern. Ping Identity’s federation capabilities ensure that foreign data does not persist in U.S. systems, allowing coalition partners to maintain control over their data and comply with their regulatory requirements. This feature is essential for maintaining trust and cooperation among coalition partners, as it ensures that sensitive data is handled according to the highest security and compliance standards.
Ensuring Seamless and Secure Integration
The IAM system must integrate seamlessly with other identity solutions used by coalition partners without compromising security or functionality. Ping Identity’s open standards approach ensures that the DoD can collaborate with partners using different tools, such as those offered by Okta or Microsoft, without losing critical capabilities. This flexibility is essential for maintaining operational integrity in coalition environments, where the ability to adapt quickly to changing mission requirements is crucial. The system must also support dynamic policy evaluation and separation of duties across organizations, ensuring access controls can be enforced consistently and effectively, even in complex, multi-partner scenarios.
8. Case for Ping Identity
Unique Strengths and Advantages
Ping Identity offers several unique strengths, making it an ideal candidate for the DoD’s Identity Hub. These include its ability to operate as a federation hub without persisting user data, its high confidentiality and integrity certifications, and its commitment to open standards. Ping Identity’s private tenant design offers maximum security, with complete isolation of the DoD’s data and the ability to use DoD-controlled encryption keys. This design is particularly well-suited for the DoD’s needs, as it provides the highest levels of security and control while allowing for flexible and scalable deployment across different environments.
Proven Track Record in Critical Operations
Ping Identity has a proven track record of supporting some of the largest banks and critical infrastructure providers, demonstrating its ability to meet the high-security demands of mission-critical environments. This experience makes it well-suited to meet the DoD’s stringent requirements, particularly when confidentiality, integrity, and availability are paramount. Ping Identity’s consistent use of a single set of binaries across all environments ensures that the same features, code, and configurations are available, regardless of the deployment scenario. This consistency is crucial for maintaining security and reliability across different environments, whether on-premises, in the cloud, or in DDIL tactical environments.
Single Set of Binaries Across Environments
One of Ping Identity’s key strengths is its use of a single set of binaries across all environments, ensuring that the same features, code, and configurations are available, regardless of where the solution is deployed. This consistency is particularly important for the DoD, as it ensures that the IAM system can maintain a uniform security posture across different deployment scenarios. Whether the solution is deployed on-premises, in the cloud, or in disconnected, intermittent, or low-bandwidth (DDIL) environments, Ping Identity’s approach ensures that the DoD can rely on a consistent, secure, and reliable identity solution.
9. Conclusion
The Necessity of Depth in Vendor Evaluation
Selecting an identity vendor for the DoD’s Identity Hub is a decision that requires thorough evaluation and a deep understanding of each vendor’s capabilities. The high stakes involved in DoD operations make it essential to choose a vendor that can provide the highest levels of security, flexibility, and reliability. Vendors like Ping Identity, which offer unique strengths such as high confidentiality and integrity certifications, pass-through federation capabilities, and a commitment to open standards, should be prioritized. The DoD cannot afford to make this decision lightly, as the consequences of choosing the wrong vendor could be catastrophic.
Final Recommendations for the DoD
The DoD should prioritize vendors like Ping Identity, which have demonstrated their ability to meet the unique and critical needs of the DoD’s Identity Hub. Ping Identity’s strengths, including its private tenant design, its DoD IL5 certification for high confidentiality, high integrity, and availability, and its commitment to open standards, make it the best choice to ensure that the Identity Hub meets the DoD’s stringent requirements. By selecting a vendor that can provide the highest levels of security, flexibility, and reliability, the DoD can ensure that its Identity Hub will support its mission-critical operations effectively and securely, both now and in the future.
Appendix: Reference Links
Microsoft Federation Hub with Ping Identity Blog / Tutorial:
Microsoft and Ping Integration
Okta Support Site Links:
Okta for the Distributed Global 2000
Modernizing IAM for Higher Education
Assertion Replay Prevention
Ping actively prevents any replay attacks from being executed or abused.
https://docs.pingidentity.com/r/en-us/pingfederate-121/pf_assert_replay_prevent_service
Okta cannot prevent replay attacks; all it can do is give the assertion a time window (5 minutes by default), and it does not perform other checks.
https://support.okta.com/help/s/article/okta-service-has-protection-against-replay-attacks?language=en_US
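To make concrete what assertion replay prevention adds beyond a validity window, the following is an added example written for this appendix; it is not Ping’s or Okta’s implementation. The validator checks a SAML assertion’s NotBefore/NotOnOrAfter window and audience, then records the assertion ID until the window closes so that a second presentation of the same assertion is refused. The assertion XML, the audience URL and the 30-second clock skew are constructed values, and signature verification is assumed to have already succeeded before this step.

```python
# Added example: SAML assertion validation with a replay cache.
# Not vendor code. The response below is a constructed sample, unsigned;
# signature checking is assumed to happen before validate_assertion().
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response: a five-minute window, one audience.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(text):
    """Parse the UTC xs:dateTime form SAML uses, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Remembers assertion IDs until their validity window has passed.

    Entries are dropped once expired, so the cache stays bounded by the
    number of assertions issued within one window plus skew.
    """

    def __init__(self):
        self._seen = {}  # assertion ID -> datetime after which it can be forgotten

    def _purge(self, now):
        for aid, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[aid]

    def check_and_record(self, assertion_id, forget_after, now):
        """Return True the first time an ID is seen, False on any repeat."""
        self._purge(now)
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = forget_after
        return True


def validate_assertion(xml_text, cache, expected_audience, now,
                       skew=timedelta(seconds=30)):
    """Return (accepted, reason) for one presentation of a SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return False, "no assertion"
    aid = assertion.get("ID")
    if not aid:
        return False, "assertion has no ID"  # cannot be tracked, so refuse it
    cond = assertion.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not not_before or not not_on_or_after:
        return False, "missing validity window"  # an unbounded assertion is unsafe
    nb, noa = parse_time(not_before), parse_time(not_on_or_after)
    if now + skew < nb:
        return False, "assertion not yet valid"
    if now - skew >= noa:
        return False, "assertion expired"
    audience = cond.find("saml:AudienceRestriction/saml:Audience", SAML_NS)
    if audience is None or audience.text.strip() != expected_audience:
        return False, "audience mismatch"
    # The ID only needs remembering until the window (plus skew) has closed;
    # after that the time check alone rejects the assertion.
    if not cache.check_and_record(aid, noa + skew, now):
        return False, "replayed assertion ID"
    return True, "ok"


def demo():
    """First use accepted, replay refused, late presentation refused on time alone."""
    cache = ReplayCache()
    audience = "https://sp.example.test"
    t0 = parse_time("2024-01-01T12:01:00Z")
    first = validate_assertion(SAMPLE_RESPONSE, cache, audience, t0)
    replay = validate_assertion(SAMPLE_RESPONSE, cache, audience, t0 + timedelta(seconds=10))
    late = validate_assertion(SAMPLE_RESPONSE, ReplayCache(), audience,
                              parse_time("2024-01-01T12:10:00Z"))
    return first, replay, late


if __name__ == "__main__":
    print(demo())
```

The time window alone only bounds how long a captured assertion stays usable; the ID cache is what turns a valid-but-already-consumed assertion into a rejection within that window. In a clustered deployment the cache must be shared (or the assertion routed to a single validator), otherwise each node would accept the same assertion once.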