NIST's new draft guidance on derived credentials may offer peace of mind for agencies that shied away from bring-your-own-device programs.
The bring-your-own-device movement has taken off in the private sector, but in the government and the Defense Department, it remains just out of reach as leaders wrestle with ongoing security and privacy concerns.
Managers and CIOs with strapped budgets see the promise of savings through BYOD, but decision-makers and IT leaders worry about data leaks and the ramifications of security breaches.
“A big legal issue for us is spillages,” said James Craft, deputy director of information enterprise management at the Defense Department’s Joint Improvised Explosive Device Defeat Organization. “If we get a certain kind of information spilled on a piece of equipment, the way it’s usually cleaned up for us is usually with a blowtorch, or with a sledgehammer, then a blowtorch, depending on the information. So how you handle that when it’s people’s personal devices, especially if they’re not a government employee, becomes very complicated.”
Craft, who says his IT budget declined by 62 percent this year, is not alone. The search for savings is on across the federal government, and it’s fueling a growing body of research and policy regarding ways to securely allow employees to connect their own smartphones, tablets and other devices to their office networks and tools.
An important recent development is the release of draft guidelines from the National Institute of Standards and Technology. NIST Special Publication 800-52 outlines practices for using derived credentials, a way of securing phones and authenticating user identity without the use of external personal identity verification (PIV) cards, such as DoD’s Common Access Card, required under 2005’s Federal Information Processing Standard 201.
“At the time that FIPS 201 was first published, logical access was geared toward traditional computing devices [such as desktop and laptop computers], where the PIV card provides common authentication mechanisms through integrated readers across the federal government,” the authors of NIST’s SP 800-52 wrote. “With the emergence of a newer generation of computing devices, and in particular with mobile devices, the use of PIV cards has proved challenging.”
Today, the required two-factor authentication, combined with the lack of an integrated smart card reader found on traditional computers, means that DoD users must have a separate CAC “sled,” or card reader — an additional cost that bulks up the device and can drain battery life, among other drawbacks. The guidelines under SP 800-52 provide for derived credentials that allow for both pieces of the two-factor identification to be stored on the phone — either internally or through something that connects to the device, such as an approved USB — and secured separately.
The recommendations are intended to build on previous NIST standards and to be flexible enough to remain applicable as technology, and the policies that follow from it, move quickly ahead, according to one NIST official.
“As technology evolves, these controls are still applicable,” said Ron Ross, a NIST fellow and computer scientist specializing in information security and risk management. “Sometimes, you have to tweak them a little bit, but the important thing is that you can go through the list to make sure that you are well-protected. Our controls are policy- and technology-neutral.”
Derived credentials present a promising option for secure mobility. But those in the thick of BYOD efforts note that much more is needed if the government is serious about a future that fully capitalizes on mobility. Before BYOD can ever become a reality inside the government, requirement processes and supply-chain management must be addressed. Smart policies that govern use and combat high-tech adversaries also must be created.
“The problem with technology now is they’re switching out the devices so fast that we do not have the throw weight and systems engineering to assess and integrate the device securely,” Craft said.
“It isn’t just the operating system, it’s the hardware — what is the supply chain for the hardware? And that’s an issue the country has backed off,” he said. “We’ve offshored so much of our engineering and so much of our industrial base that we don’t necessarily have a clear window into the systems engineering that went into it, and we’ve seen for the last five years there is immense research and development being done [in foreign countries] to exploit devices they manufacture.”
Another NIST publication due out in July, SP 800-160, will address best practices in security throughout the life cycle, including systems engineering, Ross said.
“We’ve worked with NSA and industry to take an engineering standard and infuse security into every stage of process development. Everything from operations to sustainment,” he said. “The strength of mechanisms we need to have and the resiliency that we need to have, that doesn’t come from putting up a firewall. We know how to do this; we just have to have the will to do it.”
But also lacking is the strong leadership that many feel is necessary to reach a BYOD security standard across both the public and private sectors. By comparison, Ross pointed out that at one point, airbags were features offered on cars for an additional cost, but today they are standard; security is no longer considered an “extra” when it comes to vehicle safety. He hopes the same will become true when it comes to the security needed for government mobility.
One option that DoD officials are considering is the use of mobile carriers to manage devices to help achieve that security standard in a way that is cost-efficient.
“I think there’s a policy ecosystem that has to be put in place that doesn’t exist yet, at least not in execution,” Craft said. “Who has the engineering throw weight to actually pull it all together? I think the answer is the mobile carriers.
“There are a limited number of mobile carriers; they’re large organizations; there would be a market incentive for them,” he said. “They would make money if they could sell phones or a type of mobile service that is secure … and they have enough interaction and power to deal with the federal government.”
There are BYOD pilot programs, such as in the Marine Corps, that are testing out new approaches to an adaptive mobility option that yields the kind of flexibility today’s government workers expect from employers. But it is probable that broader policy discussions will need to take place before there is large-scale adoption of BYOD, officials noted.
“We are moving down the road with technology so rapidly, and I’m wondering if we actually have internalized yet what it means, how much exposure we’re bringing into our organizations with these devices,” Ross said.
“These are very powerful end points. I think we have to have a national dialogue; maybe the [recently released NIST] cyber framework is going to be the organizing construct to have a dialogue,” he said. “We have to ask ourselves as a society, how much are we willing to risk before we’re going to engage with this problem?”