PIV standardization has made it much easier to secure a domain with smart cards, requiring only a few configuration steps without any additional software. The goal of this article is to show the configuration steps so corporations can understand what it takes and even test PIV cards in their environment first hand.
Within only the past few years, the Multi-Factor Authentication (MFA) industry has made spectacular innovations that have started to integrate higher security into all of our daily transactions. The new advances in credential technologies have made cryptography (PKI), biometric and time-based authenticators mainstream and accessible by any consumer desiring them. Although the advances are broad, they can be summarized into the following three areas:
- Mobile Credentials: To streamline authentication and lower physical hardware costs, credentials in the form of one-time passwords (OTP), derived PKI credentials, and push notification tokens are now easily deployable to a person’s mobile device. This has helped reduce cost, promote security across different computing platforms and increase productivity.
- Micro-Tokens: To achieve the security of hardware-based tokens, while removing the burden of requiring additional token reader hardware, new USB and USB-C form factors are being utilized. These new form factors allow the consumer to easily use the credential without separate smart card readers.
- Embedded: Many computing platforms are being built with tokens on the motherboard, such as the Trusted Platform Module (TPM). These allow organizations to deploy credentials to circuitry that is already part of the computing device, eliminating the need to purchase additional MFA hardware.
For consumers and businesses alike, these advances have helped fortify defenses and enabled a much wider spectrum of remote working and virtual collaboration options to drastically increase productivity. Now MFA credentials can be easily deployed and utilized in a matter of hours.
However, there is a segment of organizations that has not been able to benefit from these MFA advancements. This segment consists of organizations that have strict NIST 800-171 compliance requirements, technical interoperability needs, and privacy concerns. The organizations in this segment are known as high security organizations (HSO).
This article explores how new private MFA delivery options enable high security organizations to implement the newest MFA technologies without having to expose their personnel data or alter their existing PKI infrastructure so they too can experience the security and productivity boosting benefits of new credentialing capabilities.
MFA Barriers Unique to High Security Organizations
A High Security Organization (HSO) is an entity that requires additional privacy controls and has unique authentication requirements not generally offered by commercial MFA providers. For example, the HSO may be a commercial business processing controlled unclassified information (CUI) that runs its operations in a private cloud or secure data center and must implement the security controls listed by NIST 800-171.
The challenge HSOs face is that they want to implement the latest MFA innovations, but they cannot use the third-party MFA services that offer those products because they cannot share their human resource information (names, email addresses, postal addresses, etc.) with third parties. HSOs also cannot simply adopt new MFA options because they have significant investments in PKI technologies, with intricate requirements for compatibility and consolidated management that general MFA providers do not support. These challenges are detailed below:
Due to privacy and security controls, HSOs are not able to use third-party authentication services because they cannot submit the human resource data of their employees, contractors and partners to external providers. Therefore, HSOs have been limited to traditional badging technologies that were only available within the HSO's security boundary.
Another reason HSOs have been limited in their MFA options is that they have invested heavily in public key infrastructure and must only use MFA schemes that support their PKI setup. For example, many third-party mobile authentication approaches cannot be validated and used on PKI infrastructure with HSO-tailored security requirements.
Finally, MFA platforms have not been interoperable and require separate management systems for credential distribution and management. This would require the HSO to create and manage separate credentialing systems throughout the environment. This growth in complexity not only increased costs, it also ironically created security vulnerabilities, because the HSO had to ensure that all of a user's credentials, across every separate system, were properly deprovisioned when the employee separated from the organization.
Recent Advancements in Private MFA Technologies
Enterprise MFA technology providers have made vast improvements to their platforms to enable HSOs to implement the latest MFA credentials in private clouds and data centers. For example, HID Global has recently released new features in its Credential Management System (CMS) that enable HSOs to issue the newest credentials for mobile, micro-tokens and IoT/TPM. CyberArmed has also added new identity and device proofing, as well as reporting features, to its IdExchange platform to help cover the most unique authentication requirements facing modern HSOs. These innovations provide the following features:
- Data control: The credentialing system is completely private and can be installed on a private cloud or server within the data center. The HSO does not need to share any information and does not need to be concerned that their personnel data is being used by another entity.
- Works with internal PKI: The credentialing system links to existing certificate authorities in order to generate digital certificates that are compatible with the HSO's existing PKI technology platform. For example, when issuing credentials to a mobile device, the credential will have the same issuer and trust path as other credentials that have already been issued.
- Consolidated system that manages the entire lifecycle for multiple credential technologies: One system manages different credential technologies, device and identity proofing, and audit reports. This allows the HSO to issue PIV-C badges, mobile credentials and TPM credentials from one system.
- Compatible with Managed Service Organization issuance models: The credentialing system is compatible with external PIV issuance systems and allows organizations to augment their credentialing capabilities for custom MFA needs.
The End Result
With the new private deployment options that allow HSOs to install and operate MFA platforms in accordance with their security policies, HSOs can take advantage of the latest MFA technologies in a manner commensurate with their security and technology needs. They can deploy to their private clouds or secure data centers and no longer have to share personnel data with other customers. They can also configure the system the way they want, to ensure compatibility with existing investments. Most importantly, they too can leverage the security and productivity benefits to enable:
- Remote users to use mobile devices to access existing PKI-protected resources.
- A single card or mobile device to both open doors and access cyber resources.
- Micro-tokens for application-specific PKI and encryption requirements.
- Use of embedded circuits to deliver certificates to IoT and TPM devices through a single credentialing system.
With these advances, all businesses now have access to the newest MFA technologies to fully benefit from all of the innovations in the MFA industry.