25.08.2015 Views

GSN Aug/Sept Digital Edition


Cybersecurity and Convergence

From authentication to data access – ensuring mobile security in 2015 and beyond

By Nicko van Someren

A secure, productive and comprehensive mobile strategy is no longer on the “want” list for IT. It’s a requirement for any business in today’s technology-centric world – especially for those in the public sector.

In the wake of recent cyberattacks, government agencies are facing even higher stakes to protect their data. Hackers will continually look for all-new ways to exploit any information they can use to their advantage, and mobile devices are ripe for the picking as they replace laptops as the primary computing platform. It’s time for IT executives to revisit their mobile security policies to ensure the highest levels of protection.

As “anytime, anywhere” access to government data becomes more imperative for agency employees, executives at defense- and civilian-focused agencies alike continue to search for the best solutions to ensure robust authentication, device management and secure data access.

The Path to Stronger Authentication

The Office of Management and Budget (OMB) listed strong authentication as a cybersecurity priority in its 2015 cross-agency goals. Unfortunately, as we enter the second half of 2015, many hurdles still remain with government authentication and identity management on smart card technology – namely, common access cards (CAC) for Department of Defense and personal identification (PIV) for their civilian counterparts.

Originally, the thought process in government was for every mobile application vendor to integrate smartcard middleware at the application level, which is a time-consuming and device-limiting process. This also causes usability issues because smartphones running iOS and Android do not support CAC logins to the device. Users still need to enter a traditional password to log on and utilize bulky card readers attached to the device. This process, in addition to CAC authentication, must be completed each time a user needs to access a certain application and/or data set. It’s a very cumbersome and time-consuming method.

To make authentication more user-friendly while maintaining the highest levels of security, some agencies have opted for other methods. For example, a soft token approach stores an alternative set of credentials directly on the device, while derived credentials authenticate from other credentials on the user’s device and store them in token form.

No matter which path agencies choose to take, user-friendly and robust authentication will continue to be a top consideration. Several standards laying out direction for authentication will ensure it remains an agency priority into 2016. These standards include Homeland Security Presidential Directive 12 (HSPD-12), DoD Directive 8100.2 and various National Institute of Standards and Technology guidance.

Most recently, NIST issued a draft solution to help agencies with providing multifactor authentication via mobile devices. The solution

More on page 36
