How Proper Authentication Can Enable Government to Be Productive and Secure

Industry Perspective

Uploaded by govloop, 29-Jul-2016

EXECUTIVE SUMMARY

Distributed denial-of-service attacks, zero-day attacks, email phishing scams, Trojans – there is no shortage of ways adversaries can wreak havoc on government networks and computer systems. Nor is there any shortage of ways that the bad guys can gain entrance to these systems, especially as new access points continuously emerge. In this environment, up-to-date, top-of-the-line security is a must.

But access can’t be so restrictive that it prevents government workers who have a legitimate need for the data from getting it. Striking this balance is crucial for government information technology managers who need to ensure that the people logging into networks and systems are really who they say they are.

The answer, most experts say, is to marry the human and technological elements. In other words, to allow a user access to a system, that person must provide a password and perhaps an access card or a biometric such as a fingerprint or retinal scan that the machine can read to verify identity. This is known as two-factor or multifactor authentication: providing something you know, something you have and something you are.

This form of authentication drew plenty of attention in 2015. As data breaches made headlines, with the best-known being the revelation that attacks in 2014 exposed 21.5 million records at the Office of Personnel Management, Federal Chief Information Officer Tony Scott called for a 30-day cybersecurity sprint. During this sprint, which ran from June to July last year, Scott required agencies to “dramatically accelerate implementation of multi-factor authentication, especially for privileged users.”

As a result, the number of federal civilian agencies using strong authentication went from 42 percent to 72 percent, the number using it for privileged users increased by more than 40 percent and more than half of the largest agencies had implemented strong authentication for nearly 95 percent of users. Additionally, Scott announced plans for more sprints and a Cybersecurity Sprint Strategy and Implementation Plan to run them.

Despite all the praise for this type of authentication, it might not be enough. Adversaries are wily and constantly working on the next way to penetrate obstacles to sensitive information.

To stay ahead of them, IT managers must have a two-pronged goal: protecting information and keeping employees productive. This means securely providing access to critical data wherever it is by employees wherever they are. That word “secure” means that two-factor and multifactor authentication might not be enough.

To figure out how to manage this issue, GovLoop partnered with Symantec and TVAR for this industry perspective. In this resource, we ask Kevin McPeak, a Symantec Security and Mobility Architect, how government can be both secure and productive.

Information Protection

SECURITY CHALLENGES

The proliferation of access points has added to the problem of keeping information safe. Gone are the days when IT managers had to worry only about the desktops within the office building. Now data is being accessed from remote work centers and employees’ homes or positions in the field, plus mobile devices and more.

Here are four main access points to watch out for:

Remote access

Telework and green computing initiatives throughout the government have contributed to the growth of and challenges with remote access. The federal workforce is more distributed today than it’s ever been.

“The whole idea is to be able to properly authenticate who that remote worker is, and then make sure that the data is cryptographically secure end-to-end,” McPeak said. “So there’s data at rest, data in transit and data in storage on the infrastructure side. Being able to manage that is obviously complex.”

SaaS

SaaS is a licensing and delivery model in which software is licensed on a subscription basis and centrally hosted. In essence, users are borrowing the software instead of installing it on their computers. Because it usually follows that government agencies also pay only for what they use, the appeal of SaaS applications is obvious: They save money and space because fewer machines are needed. But there are cons, too.

“When you have disparate software components, each one in turn needs to be managed, patched, updated and tracked for version control,” McPeak said. “Agencies also must make sure that none of those cloud-based software components are providing additional complex attack surfaces for hostile adversaries and be able to identify what the attack surface is and how to secure it.”

Cloud-based file-sharing applications

Popular applications such as Dropbox and Google Drive let data flow freely, with security often depending on the vendor. A January 2014 report by the Ponemon Institute found that 69 percent of IT and IT security respondents were not likely to know whether employees were using unapproved and risky file-sharing tools.

Cloud-based file sharing comes down to managing permissions – which users should have access to what files. Agencies need to ask cloud infrastructure providers if they offer Federal Risk and Authorization Management Program-certified controls and whether they are living up to their service-level agreements, McPeak said.

BYOD

The issue of whether employees can use their own mobile devices to conduct government work, including accessing government networks via the device, has been ongoing for years. As smartphones and tablets become commonplace and the devices’ capabilities grow, the debate over how to handle this problem continues.

“That poses a lot of interesting challenges for large enterprises, but especially for federal,” McPeak said of BYOD.

“For example, if the device is managed, then an employee may be concerned about their location being tracked even when they’re off-duty.”

Another problem is separating personal content and applications from government ones. The answer is through mobile device management or providing a federal agency app store that provisions specific apps out to that endpoint. That way, the work-related apps are wrapped and secure, and the agency can stream specific content and revoke access to certain types of content.

COMMON MISTAKES WITH INFORMATION MANAGEMENT

Besides security, other obstacles stand in the way of protecting information while staying productive. One is a lack of understanding of the cybersecurity setting on the part of agency leaders.

“Sometimes at the senior levels, they’re being briefed on the cyber posture of their organization, and they’re being briefed by executive dashboard reporting,” McPeak said, meaning they glance at visualizations on a screen without diving into their meaning. “If somebody actually then goes under the hood and takes a hard look at what’s being reported on those executive dashboards, there might be certain things that are being missed or not reported. So leadership might not have the full picture.”

For example, ahead of an audit, system administrators might temporarily disconnect or isolate certain subnets where they know there would be things that would not pass scrutiny.

“Even though the worker bees in the trenches know ‘We have a reason why this isn’t locked down. We’re still developing it,’ or what have you, it becomes a cyber vulnerability,” McPeak said.

Another mistake is having many point products that don’t complement one another and not identifying the gaps between them. For instance, the products defend parts of the enterprise but other components are weak or missing.

“It’s just like chain mail in medieval times – the suits of armor – you’re only as strong as your weakest link,” McPeak said. “If you do a great job at securing certain things but not others, then the adversary will find out where those weaker penetration points are, and that’s how you’ll be compromised.”

The biggest challenge, however, is the growth of data, McPeak said. “The amount of data – sensitive data, even – that is stored and all the locations where it’s stored, it just keeps growing exponentially,” McPeak said. “Trying to secure everything that’s been archived is incredibly difficult.”

For help, records managers are more open now to partnering with industry.

There was a time when the government would give each systems integrator or each vendor very specific requirements and there would not be a lot of cooperation among the different companies, but now there’s a lot more collaboration.

“Recently, there has been a proliferation of government/industry working groups where government IT managers, federal systems integrators, and technology vendors sit together at the same table and develop some very creative things,” McPeak said. “They’re helping develop a common taxonomy and common nomenclature for cyber events, and working collaboratively to face our nation’s challenges.”

THE NEED FOR BETTER AUTHENTICATION

Multifactor authentication can go only so far in today’s multifaceted IT environment. Here are some ways it could fail:

Third-party applications

Coming up with a unified, infrastructure-wide, single sign-on platform is not a trivial task, McPeak said. Agencies might have legacy applications or applications from third parties such as allied nations or other agencies at the federal, state, local and tribal levels, and those applications might not support the enterprisewide two-factor authentication scheme.

Example: A phishing attack could mimic a password reset methodology that one of these applications uses and then attackers can target a user who infrequently uses that application. The adversary could reset the password and use those modified credentials to log in and the user wouldn’t even know.

Repetitive use of passwords

“A lot of users will use the same password over and over again, so if an adversary is able to somehow obtain and compromise that password, it could help resolve one of the factors of authentication, and then the adversary would only need to try to break down the other factor,” McPeak said.

Example: If a Trojan – malware disguised as legitimate software – is loaded onto a user’s device and performs keystroke logging in real time, it could capture the username, password and, say, random number generated by something like Google Authenticator. As a result, that adversary could access a federal system using two-factor authentication.

Validation of Secure Sockets Layer (SSL) certificates

“There are also deep issues specific to validating SSL certificates in non-browser software. The root causes of these vulnerabilities are typically in the design of the application programming interfaces that do SSL certificate validation and data transport libraries,” McPeak said. “This presents the developers with a mishmash of settings and options.”

Example: Because of these shortcomings, government IT managers are starting to look at other options, namely tokenless authentication such as device fingerprinting, hardware-based identifiers and user-behavior risk analysis. Gartner estimates that by the end of 2017, more than 30 percent of organizations will use contextual, adaptive techniques for workforce remote access.
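The “mishmash of settings” McPeak describes comes down to a few context flags in most TLS libraries. The following is an added example, not code from the report or from Symantec: it audits a Python `ssl.SSLContext` for the settings that silently turn off certificate validation, and places the weak configuration next to the validating one. The finding codes are names chosen for this snippet.

```python
"""Audit the SSLContext settings that decide whether a non-browser client validates certificates.

Added example, not code from the report or from Symantec; the finding codes are made up here.
"""
import ssl


def audit_tls_context(ctx):
    """Return finding codes for a client context; an empty list means certificates are validated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("cert_not_required")  # chain is not checked against a trust store
    if not ctx.check_hostname:
        findings.append("no_hostname_check")  # a valid cert for any other host would be accepted
    min_ver = getattr(ctx, "minimum_version", None)
    if min_ver is not None and min_ver < ssl.TLSVersion.TLSv1_2:
        findings.append("weak_min_version")   # TLS 1.0/1.1 still negotiable
    return findings


def hardened_client_context():
    """A validating client: system trust store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The 'make the certificate error go away' configuration often found in non-browser code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # must be cleared first, or CERT_NONE raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_client_context()) or "no findings")
    print("weak:    ", audit_tls_context(weak_client_context()))
```

The same three checks (chain verification on, hostname verification on, legacy protocol versions off) apply whatever library a legacy or third-party application uses.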

REDUCE RISK WITH SMART AUTHENTICATION

“If agencies don’t take action to shore up protections, the risk they face is three-fold,” McPeak said. “It can be summed up as CIA: confidentiality, integrity and availability.”

“If the systems are compromised, then an adversary could conduct data exfiltration, so that impacts the confidentiality of the data,” he said. “They could do what is called data diddling or data modification, so that impacts the integrity of the data. They could impact the availability. They could simply knock the system offline or do massive deletion or massive corruption of files, thus rendering those federal systems useless.”

The best way to make authentication failsafe is to make it smart using a solution such as Symantec’s Validation and ID Protection (VIP) service. The cloud-based VIP is based on open standards, a range of authentication methods and integration with the company’s Identity Access Manager.

“Intelligent authentication is when risk-based authentication occurs,” McPeak said. “This is where a full risk analysis is performed in real time, and it’s typically based on the device itself, possible threats and user behavior profiles. It works by establishing a baseline for a user’s normal behavior upon login.”

Here’s how it works: IT managers record the device’s location or the location from which a federal employee would normally gain access. A threat analysis is performed using data from other Symantec tools such as the Global Intelligence Network, which gathers information from the largest collection of sensors in the country, to detect recent attacks so managers can ascertain the device reputation. When log-on behavior is normal, a password might be enough, but when a log-on is detected via an unknown device, an unusual location or under other suspicious circumstances, the user would be prompted via text, email or a voice call to respond to a challenge question.

For instance, if an employee logs into a federal network from Washington, D.C., and 45 minutes later logs in again from Los Angeles, that would raise a flag.

This approach has several benefits.

“Because there are no tokens, smart cards or biometrics, the cost is lower and the user experience for legitimate users is identical as in the password model,” McPeak said.

Symantec offers two tracks of this solution: one for e-citizen engagement — people who are not federal employees — and another for enterprisewide identity management of federal employees, contractors and government partners. Typically, the agencies that work with e-citizens, such as for the Supplemental Nutrition Assistance Program (SNAP), need to validate their identities. For that, Symantec offers Norton Secure Login, a Kantara-approved LoA 2-3; Federal Identity, Credential and Access Management (FICAM)-certified; National Institute of Standards and Technology (NIST)-compliant credential service provider.

For enterprise customers, Symantec offers three tools that integrate with VIP to produce a robust solution:

Symantec Identity Access Manager

Integrates single sign-on with strong authentication, access control and user management so that you can control and audit who accesses your internal and third-party cloud-based applications.

Symantec Data Loss Prevention

Lets you discover, monitor and protect your confidential information wherever it’s stored and however it’s used – on mobile devices, within your data centers or in the cloud.

Symantec Encryption Portfolio

Provides full-disk and removable media encryption for endpoints, email encryption to secure sensitive communications and file-share encryption to protect files on shared network drives and in the cloud.
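The risk-based decision described in this section (a password suffices for normal behavior; an unknown device or an impossible location change triggers a step-up challenge) can be made concrete. The following is an added example, not code from the report or from Symantec VIP: it scores a user’s consecutive logins for unregistered devices and for “impossible travel”, including the Washington-to-Los-Angeles-in-45-minutes case. All users, devices, coordinates, timestamps and the speed threshold are constructed.

```python
"""Risk-based login assessment: impossible travel plus unknown-device step-up.
Added example, not code from the GovLoop/Symantec report or from VIP; all users,
devices, coordinates, timestamps and the speed threshold are constructed."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # faster than an airliner between two logins counts as impossible travel

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    device_id: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def assess(prev, cur, known_devices):
    """Return ('allow' | 'challenge', reasons) for `cur`; `prev` is the user's previous login or None."""
    reasons = []
    if cur.device_id not in known_devices:
        reasons.append("unknown device")
    if prev is not None:
        hours = (cur.when - prev.when).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        # A real distance covered in zero (or negative) elapsed time is impossible too.
        if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
    return ("challenge" if reasons else "allow", reasons)

def evaluate_sequence(logins, known_devices):
    """Process one user's logins in time order; return one (decision, reasons) per login."""
    results, prev = [], None
    for cur in sorted(logins, key=lambda l: l.when):
        results.append(assess(prev, cur, known_devices))
        prev = cur
    return results

# Constructed sample: the registered laptop logs in from Washington, D.C., then from Los Angeles 45 minutes later.
KNOWN_DEVICES = {"laptop-7f3a"}
SAMPLE = [
    Login("jdoe", datetime(2016, 3, 1, 9, 0), 38.9072, -77.0369, "laptop-7f3a"),
    Login("jdoe", datetime(2016, 3, 1, 9, 45), 34.0522, -118.2437, "laptop-7f3a"),
    Login("jdoe", datetime(2016, 3, 2, 8, 30), 38.9072, -77.0369, "laptop-7f3a"),
    Login("jdoe", datetime(2016, 3, 2, 8, 35), 38.9072, -77.0369, "phone-unregistered"),
]

if __name__ == "__main__":
    for login, (decision, why) in zip(sorted(SAMPLE, key=lambda l: l.when),
                                      evaluate_sequence(SAMPLE, KNOWN_DEVICES)):
        print(login.when, decision, "; ".join(why))
```

In a real deployment the device reputation and threat-feed signals the section mentions would add further reasons to the same list; the decision logic stays the same.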

BEST PRACTICES FOR IMPLEMENTATION

“Agencies looking to use Symantec solutions should conduct vigorous testing as the first step to implementation,” McPeak said.

“As with all large enterprises, there’s a need to first evaluate the technology in a lab environment, develop familiarization with the solution and then work with the system integrators and vendors to ensure the federal agency can have everything working in the lab environment, because you don’t want to deploy in production and have something go wrong,” he said.

Next, put project plans in place for rolling out the solution. They should include a communications plan to inform the user community and user training.

Additionally, agencies should anticipate how other factors could affect the rollout.

“Always have a rollback plan,” McPeak said.

Lastly, ask how you best validate final success of the project.

“You have to begin with the end in mind to have a successful technical rollout,” he said.

CONCLUSION

Whether it’s the number of access points or the amount and type of data being generated, growth is inevitable. What’s more, government workers are growing accustomed to being able to work from home or remotely on any device while being guaranteed the same access to data that they could get from the office.

As a result, vulnerabilities will also grow, and government IT managers need to limit them. Smart authentication offers a more robust approach to identity management and access control than strong authentication, which itself has weaknesses.

Our government faces escalating cyberrisks and IT challenges, often with fixed or even declining budgets to address them. Government must simultaneously protect information and keep the federal workforce productive by simplifying and streamlining across the current jumble of IT products. It can do this by partnering with industry leaders, like Symantec.

ABOUT SYMANTEC

Symantec helps federal agencies develop and implement comprehensive and resilient security strategies to reduce risk and meet Cross-Agency Priority Goals, the NIST Cybersecurity Framework, the Joint Information Environment and other federal mandates.

ABOUT TVAR

TVAR Solutions has been focused on IT sales to the US Federal Government since 2006. We are a value-added reseller that can design, deploy, and manage effective infrastructure, from data centers to cloud to mobile devices. Our senior technical advisors, experienced engineers, and proven performance ensure a fully functional, dynamic, and secure enterprise.

ABOUT GOVLOOP

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to [email protected].

1152 15th Street NW, Suite 800, Washington, DC 20005
Phone: (202) 407-7421 | Fax: (202) 407-7501

www.govloop.com | @GovLoop