Topics about PIV implementation and research.

The sprint is over…now the marathon begins

By now, agencies have finished their cyber security sprint and are in the midst of their retrospective. Undoubtedly this initiative has provided much needed focus to help fortify some of the most critical elements of IT infrastructure. If all went as planned, organizations have started to close obvious security vulnerabilities by; 1) enforcing multi-factor authentication (MFA) for computer access 2) digitally signing messages to prevent the spread of malicious code via email 3) encrypting data for resource protection.

But where do we go from here? How do we continue the MFA and data loss protection (DLP) practices started in the sprint phase, and continue to improve security across the organization for the long term? How do we do this effectively without losing productivity, doubling operational expenditures and frustrating our users? How do we continue this momentum to make meaningful, long term change that is not undone by the next system upgrade?

This article explores ways to continue to mature security architectures with the support of PIV technologies. Specifically, we cover techniques to help accelerate the adoption of PIV amongst users so that security architects can employ PIV in more areas of their infrastructure for improved identification and authentication services.

Why focus on PIV?

Given the broad scope of security, how does PIV help in a larger strategic context? In other words, why focus on PIV and not something else? The answer is that all of the successful attacks have one thing in common…the attacker was able to successfully digitally impersonate a high powered user to give them unfettered access to critical IT resources. Each time, this was a direct result of a stolen credential.

With PIV based authentication, the underlying trust and technology frameworks makes these traditional credential theft attacks impossible. The security controls of the identity proofing process, tamperproof cryptographic features combined with the multi-factor services prevents adversaries from remotely stealing and utilizing PIV credentials. Below are some features that eliminate the common credential threat vectors:

  • Level of Assurance 4: This is the highest level of assurance possible. This means that the person holding the PIV credential has been verified in person, had a background check and has been issued an advanced cryptographic token with tamperproof features.
  • Multi-Factor Authentication (MFA): In order to use the PIV credential, the credential holder must possess knowledge of the PIN and the physically possess token. And even in some cases, must provide their biometric for additional identity verification. So unlike a password that can be stolen from a database and used without any other factors, a stolen PIV credential is useless without all the factors necessary to perform the authentication transaction.
  • Hot listing: Unlike a password that can be stolen without the user’s knowledge, when a PIV credential is stolen or lost, the user knows because they do not physically possess the credential. They can then report the credential stolen or lost where the credential is then placed on a revocation list that prevents it from being used.

Sounds great, but we have tried PIV before…

PIV has been around for a decade. For years, numerous organizations have attempted to integrate PIV credentials to strengthen their processes, but with little success. Although the cost of the technology decreased, and more technology vendors added out of the box support for PIV, user adoption has remained low and the PIV credential has never been fully utilized to reach its potential.

But why don’t users like PIV?

Based on years of working directly with users as they attempt to use PIV, the dislike of PIV can be attributed to two fundamental factors 1) usability and 2) perceived usefulness. Let’s explore these two factors.

USABILITY

It sounds so simple…just insert the PIV credential into a reader and type in your PIN. However, the simplicity associated with this statement is extremely deceiving and has derailed numerous well intentioned PIV integration plans. Many times, security managers just assume the user will know how to perform this action without proper training or instruction. Thus, when things do not work properly, the user becomes frustrated and develops a dislike for the technology. Compounding this problem is poor software design that is needlessly confusing and prone to unrecoverable failures that drastically increase the authentication burden and reduce productivity.

PERCEIVED USEFULNESS

Many of the users we have interviewed think their PIV credential is just a new ID badge used to gain access into their building. They did not know that the credential can also be used as a way to access their computers, protect messages or digitally sign documents. More importantly, they did not realize that their PIV credential can help protect their organization against hackers. Once we explained that the PIV credential can be one of the most effective ways to protect their digital identity and information, their desire to use the technology drastically increased.

Times (and PIV technologies) have changed

Thankfully in only the past few months, we have seen drastic changes and improvements in the management and usability features of PIV that eliminate many of the frustrations currently experienced by users. New technologies have been developed and standards have been refined to make PIV much more user friendly and practical. Even private industry has realized the power of the PIV security specifications and have built in native support for PIV in their products. Finally improved NIST standards have recognized the need for better usability and provided improved specifications for:

Mobile compatibility: New standards enable the user’s PIV card to be synchronized with their mobile device so they can easily employ PIV MFA and data protection controls on whatever platform they choose without needing a card reader.

Biometric flexibility: New standards, algorithms and privacy controls allow users to easily use their fingerprints to both strengthen and accelerate the authentication process.

Speed: New cryptographic algorithms and PIV card platforms have almost doubled the speed of a typical security transaction. Now the end user can authenticate and encrypt within seconds.

Self-service credential management: New software suites allow the user to securely manage their PIV credential from the convenience of their desk or home, thus eliminating the frustrations and productivity loss associated with travel.

The key to a sustainable security strategy – focus on user experience

With these PIV refinements, integration and usage of PIV credential technologies are much easier to achieve and maintain thus making an implementation of MFA and DLP technologies enterprise wide much more feasible and realistic. However, to achieve meaningful PIV adoption amongst users, frustrations must be replaced with productivity enhancements to make the user actually want to use their PIV credential. The seven steps below provides both fundamental and advanced guidance to make PIV much more valuable for the user.

Step Description
1. Provide user education One of the most effective (and most overlooked) actions to accelerate PIV adoption is to provide user training focused on 1) what the purpose of the PIV credential is, 2) how to properly use it, and 3) how to maintain it. One of the biggest barriers to large scale adoption is the user simply does not know what the PIV credential is or what it can do to protect their agency. When they realize how the new PIV credential can protect their digital identity and their agency, plus they are given basic training on usage, they are much more motivated to use the credential and adopt the technology.
2. Streamline delivery and maintenance New instant credential issuance models, secure self-service desktop software and faster technologies can dramatically reduce the burden on the end user to obtain a PIV credential. Users can now receive a credential immediately without requiring multiple visits to the security office or even perform credential maintenance from their desk to completely eliminate the need for travel.
3. Simplify the authentication experience New standards for biometrics and contactless security transactions can drastically reduce the authentication burden for the end user. For example, with the on card comparison biometric feature, users simply use their finger for authentication and do not have to enter a PIN. With the new contactless feature, the user does not need to insert the credential into a reader, but can just be in proximity of their computer to perform authentication.
4. Automate protection settings Various infrastructure configurations for authentication, email signing and data encryption can be configured in a manner that completely automates the security transaction for the end user. For example, active directory and outlook can be configured to automatically use the PIV credential for computer logon and email encryption without requiring the user to take any further action.
5. Synch with their mobile devices New specifications and technologies can enable users to synchronize their PIV card with the mobile device. Now the user can continue to apply the same PIV security controls on their mobile device as they do on their desktop platforms. For example, they can access a PIV secured web site from their mobile device without requiring them to boot up their laptop and insert their card.
6. Require less authentication Along with the new PIV credential specifications, numerous new authentication protocols are available to enable the user to authenticate one time for access to different systems. Based on our experience, eliminating even one additional log in requirement for the user significantly improves their experience and further drives PIV adoption.
7. Provide a credential replacement process Once users have become dependent on PIV technology, they must have a way to easily obtain a replacement if they lose or damage their credential. Additionally, when systems have been fortified to only use PIV credentials, it is bad practice to have to downgrade the security control to accept passwords simply because the user forgot their card. Therefore, have a plan so that the end user can instantly receive a temporary or replacement credential so they can continue to use PIV credentials regardless of the scenario.

Conditions for success

Like running a marathon, meaningful security requires strategic planning, disciplined execution and most importantly, creating the conditions for success. The new features of PIV allow security architects to design and build vastly improved user experiences using security technologies. This combination provides the necessary environment and conditions to implement a long term security strategy capable of withstanding both the dynamic security threats of both today and tomorrow.