State Government's Authentication Vulnerabilities
Insights and Tips from Brent Crossland of Entrust
"Over the years, as individual agencies were creating applications, every time they deployed a new one, they also created a new user repository to manage access to that application," Crossland says. "The result is that now we see data centers with several thousand applications running in virtualized server environments, and these applications are tied to literally hundreds of individual user repositories."
Trying to manage identity, access and authentication across those many repositories, Crossland says, is the primary challenge for states today.
In this interview, Crossland discusses:
- The current state of authentication at state government agencies;
- Where agencies are most vulnerable;
- Emerging solutions that can improve security and save money.
Crossland is the Senior Manager, State Government Initiatives at Entrust. He joined Entrust in January of 2003 from the Governor's Office of the State of Illinois. His primary role is to assist state and local governments in deployment of electronic government services through the use of certificate-based security and digital signatures. In addition, Crossland consults with various government entities throughout the nation on issues related to electronic identity policy, project design and implementation.
TOM FIELD: To get us started, why don't you tell us a little bit about yourself and your unique experience in state government please?
BRENT CROSSLAND: I was with the state for about 12 years, the last four as the Deputy CTO in the governor's office. I guess in terms of geological time scale, my distinct government career starts with the ending of the age of dumb terminals. So I was around for Windows 3.1 deployments and all the pain associated with that. As Deputy CTO, I was involved in a number of very different initiatives, but in general those four years were dominated by finishing Y2K issues, the security issues and concerns that came out of 9/11 and the start of electronic government deployment in the state. The major part of that e-government deployment is now known as The Illinois Digital Signature Project, which issues a certificate to any individual who needs online access to state government. Today that CA issues digital certificates to users in all 50 states and about a half-dozen or so foreign countries who use 45 or so applications around the state agencies and local government.
Authentication: State of the Union
FIELD: Brent, in terms of authentication, what would you say is the state of the union at state agencies today?
CROSSLAND: Tom, when we talk about authentication and identity management at the state enterprise level, I think the biggest problem that we face is one that is entirely of our own making. We basically treated authentication and authorization as a single process. Let me explain what I mean by that. Over the years, as individual agencies were creating applications, every time they deployed a new application, they also created a new user repository to manage access to that application. Essentially, they created a new identity that is only in that one user repository and used solely for that single application. The result is that now we see data centers with several thousand applications running in virtualized server environments, and those applications are tied to literally hundreds of individual user repositories, hundreds of user name/password databases and directories. Any attempt to do anything that resembles identity management spread across those hundreds of repositories is really a pretty futile effort.
Key Vulnerabilities
FIELD: Given that landscape, Brent, where would you say that states are most vulnerable today?
CROSSLAND: Well, I think the first issue is simply the limitation of passwords themselves, and the security issues that are caused by the ever-growing list of user names and passwords that we all manage. A related issue to this proliferation of user names and passwords is our inability to manage identity and manage access to applications. I mean, it's well documented that help-desk calls increase as you increase the number of strong passwords that users have to manage. We simply can't remember them all. The other side of that coin occurs when employees leave or when their eligibility or status changes. Not only are we paying for redundant efforts to verify identity and grant access to all these applications, but now when the user's status changes we have to go to each individual application to revoke access. Having said that, even then one of the biggest impacts is probably how difficult and expensive it's going to be to strengthen authentication options for those applications. All the states are actively looking for stronger means of authenticating benefit recipients, for example. They're also looking for more authentication to protect online repositories of personal health information, law enforcement data, student information; you know, the list goes on and on, agency by agency. Because every one of these applications has its own individual user repository, each one of them requires its own individual solution for multi-factor authentication. So the redundant effort has become immense.
Market Trends
FIELD: Brent, I know there are a number of initiatives that are going on at the federal and the local levels. What are some of the authentication trends that you see that states really have to consider now?
CROSSLAND: Anything states do, they have to focus on what the federal government is doing as well. The first thing that comes to mind there is the authentication or credential effort in the federal government issuing smart card credentials to every federal employee and contractor. I think that is a model you've got to look at in the future in states, and it will probably be pressed down to the states from federal initiatives as well.
The next big thing that is out there is the National Strategy for Trusted Identities in Cyberspace. This is an initiative that the Obama administration announced, and it's really right now just a call to create a framework for reusable online identity that can be trusted from application to application. They talk a lot about an ecosystem of reusable authentication, which I think is a great model, but there are not a lot of answers yet about how to get there.
The National Association of State CIOs has a state digital identity working group that has been meeting and working on some solutions from the states' perspective. That's another thing that people need to be aware of and need to track.
And of course the last thing we need to keep in mind is that all those local governments in every state are already out there creating their own online identities as well, and somehow we have to factor that in and be aware of what we will do to support those efforts as well.
Solutions
FIELD: Brent, let's talk a bit about your product suite. How are some of your authentication solutions helping your customers tackle the challenges that we've discussed?
CROSSLAND: If you look at the documentation that NIST has provided to federal agencies, you can see that the only way to issue credentials at higher levels of assurance is with digital certificates. We can help our customers issue those strong credentials with infrastructure running in their data center or by setting them up in a hosted service. Second, using Entrust IdentityGuard, our customers can create a standardized authentication service, an authentication layer if you want to call it that, which takes authentication out of their individual applications and lets the customer establish a single centrally managed identity for citizens, partners and employees. Third, our customers can configure individual applications to require their specific methods of authentication in IdentityGuard. This means that the agency that actually owns the application can select the authentication method, including multi-factor authentication, based on their security policies. To support those agency security requirements, the customer can establish a single user account in IdentityGuard for each citizen or employee that needs access and then register that individual for a variety of authentication methods based on the application that they need to get into. In practice, this means that IdentityGuard might allow a user logging in from within the state network to log on with only user name and password, but turn around and require user name and password and, say, a grid card as a second factor if that same user is logging in from outside of the state network. On the other hand, another application with higher security requirements might require that very same user to log in with a smart card regardless of the location they are logging in from.
Where to Begin
FIELD: A last question for you, Brent. You've given a lot of information here. If you could boil it down for state agencies that are trying to get a handle on their authentication challenges, where should they begin?
CROSSLAND: I think in order to understand the identity and authentication discussion in state governments, you have to first recognize the role states play in any national discussion of identity. And this is different for customers in Europe or Asia, but the bottom line is that here in the United States, the states are the source of identity. Simply put, Tom, you know the U.S. State Department may have issued my passport, but the information that they used to verify my identity came from a state motor vehicle database and a state vital records system. So I really can't imagine how you establish an online identity that can be trusted nationally ... without the active participation of state government.
Now, having said that, I also recognize that the first goal of any state government project is to solve the problems that they are facing in-state. Along those lines, I think we did three things with the project in Illinois that I still think are excellent guidelines for any state identity project.
First, we totally separated identity and authentication issues from authorization issues. Our rationale then, and I think it is still valid now, is that we can best manage identity centrally, but those access decisions for applications need to be made by the agency that has statutory responsibility for the program.
Second, we established the State of Illinois certification authority as an identity service separate from any agency or program or application. It is governed by a multi-agency policy authority, so that all of the agencies using the service, including local government, have input into the governance of the service.
The third thing is that for the purpose of the project, we defined enterprise a little differently. We defined it in that case as all government entities in the state of Illinois, and not just the state entities. The result of that was it made the service available to all the local governments, higher-ed and K-12 education players in the state as well, which provided a lot broader use and uptake of the service.
I think we are past the time for piecemeal projects that only solve problems in one corner of our enterprise. This is a problem that calls for broad vision, and to be successful at that, you have to promote the vision both to individual agencies and to the appropriate elected officials.