IT Modernization is a Road Trip - Don’t Forget to Pack Your Security
“Life moves pretty fast, if you don’t stop and look around once in a while, you could miss it.” - Ferris Bueller
On February 27th, the Office of Management and Budget (OMB) released its final memo outlining the implementation of the MGT (Modernizing Government Technology) Act. And now, poof! Everything is modernized, right?
Washington, D.C. has been buzzing with “IT modernization” talk and it feels like this time it might actually happen. It kinda feels like Christmas. Agencies have never stood still, but they’ve always been hampered by the legacy boogeyman: “How does this technology do that?”, “How does that technology do this?” or “How do I shoehorn this into my legacy infrastructure?” As usual, agencies are struggling to keep up, even when most folks who are talking about IT modernization are themselves not so sure how all these things will work out.
One thing is clear: things are moving faster than they have in a while, and while this is certainly exciting, it also brings up a concern. In all this swirling wind of modernization goodness, we have to stay vigilant to the fact that the old security models don’t fit this new model.
I think I’ve seen this movie before.
Way back in the mid 90s, I was working at this little company based in Mountain View, CA, called Netscape. It was right around the dawn of the internet age and this time feels a lot like that, and I do not say that lightly. Back then, we were moving at lightspeed to disrupt everything and anything. The web was going to redefine everything we did as employees, as citizens, and as people.
And it did. Collaboration, commerce, governments; you name it. The internet age gave way to the cloud, and, along the way, proved out some amazing things. For example, to do transactions over the internet, you needed security.
Naturally, a thing like SSL (Secure Sockets Layer, aka TLS - Transport Layer Security), a little thing that was invented at Netscape, had to be built. We started out with non-secure HTTP, which worked well for early academics sharing esoteric thoughts or home cooks sharing pie recipes, but it didn’t work so well for banking transactions. It turns out, people wanted to protect those things, so security had to evolve.
SSL, I should point out, is, was, and always will be the most successful implementation of PKI (public key infrastructure) in the world. For those who have not been exposed to PKI, first, consider yourself lucky; second, it’s the key sharing mechanism that allows you to only share the public part of that key while keeping the private part, well, private. SSL/TLS is the encryption technology that is protecting “the pipe.” When you see that little padlock and you’ve used HTTPS to get to a website - that’s SSL. Strong in its protection and elegant in its simplicity.
The next evolution of PKI, however, was not for the faint of heart. This was defining and implementing the user side of the equation. It was so hard that only our brave colleagues in the public sector and people with enough grit (and bags of money) were able to implement it. As well as a few private sector companies … but very, very few. The reason for this? It is/was hard, really hard, and really expensive.
For many years, we've been working on the user side of the equation in our respective public sector agencies for good reasons. It started in the early 2000s with the Department of Defense (DoD) moving folks to the CAC (Common Access Card), away from passwords and small-use-case Fortezza cards. In 2004, after several high-profile civilian agency breaches, President Bush (the 2nd one) issued HSPD12 (Homeland Security Presidential Directive 12) to move civilian agencies in the same direction by adopting and deploying PIV (Personal Identity Verification) cards. This was a noble pursuit and was working pretty well for physical access things like “can I get into this building” and even for some logical access things, provided the laptop had a smartcard reader.
But this all changed when...
The iPhone broke the world. In the best possible way.
When mobile came on the scene, all the rules changed. We all now have computers in our pockets. We use these computers to access all kinds of things, and mobile even forced a change on the desktop/laptop/tablet side of the spectrum, pushing those endpoints to be more mobile in their usage and security models.
“Mobile and cloud are like peas and carrots.” - Forrest Gump
The other thing that changed everything was the “where” with regards to your data domicile. Turns out mobile devices are very cloud-centric in their data storage. You can test this out by putting your phone in airplane mode and seeing what you can get done. Mobile and cloud changed everything. The things we were used to doing for security, things like virtual private networks (VPNs) and CAC/PIV cards, don’t work as well.
So just like back when we had nothing, we have to reinvent this thing. We tried to reinvent the identity piece with Derived PIV Credentials (DPC) or PIV-D, but this isn’t working very well. PIV-D is just PKI 2.0 and is still a heavy lift for where we’re headed, and while I think we have the credential creation and enrollment pieces figured out, the credential usage workflows are far from working.
What about VPNs and network security? Mobile and cloud have forced us to rethink that too. Google did a great public service when it fully outlined and documented its journey to a “zero-trust network” security model. You can read a great run-down of this model, written by our own resident security genius, Wendy Nather, HERE. She gives it more justice than I ever could, but the gist is, the perimeter as we know it can’t be the only place where security decisions are made, and it becomes less relevant the more data and users exist outside your network. You know, mobile and cloud.
With all of this going on, it’s lucky for us that folks like NIST are paying attention, especially on the user identity, access and authorization side. The guidance is really coming into focus to promote easy and effective security for the public sector. Thu Pham, our resident blog goddess, did a much better job than me in boiling this down when she wrote a few observations at the end of 2017 that are starting to enter our conversations today:
- Key Updates to NIST’s Digital Identity Guidelines: SP 800-63-3
- Authentication/Identity Management Updates to NIST Roadmap for Improving Critical Infrastructure Cybersecurity
The fact that NIST is providing guidance in SP 800-63-3 to give agencies more modern choices will help them with this journey. It allows for things like biometric identity authentication on a trusted device, and the use of a FIPS-validated hardware token like the Yubico YubiKey for replacement of a CAC or PIV card. This will make agency life a lot easier as they move forward in the IT modernization journey. IT modernization is about using COTS (commercial off-the-shelf) technologies and services to give agencies the ability to be more agile in deploying and managing their environment and get better security in the bargain.
We all have computers in our pocket, why can’t we have strong authenticators in our pocket? The answer is, we already do. And that leveraging of existing, strong, “good enough for commercial market” technology is what this journey is all about.