I spend my days working with and for Federal Government agencies helping solve identity management challenges. Always (now) with an eye toward security, I feel their pain in balancing the functionality needs of their enterprises with the security that must be absolute. Of course, it would be great if we could jump in our DeLorean, accelerate to 88 miles per hour and decide to only implement solutions that had integrated security, but even then we would still probably choose incorrectly.
Can we really know what security we will need in the future?
Since we can’t go back in time and decide to choose differently and this “PIV thing” (or “CAC thing” for my DoD friends) is real, decision makers are forced to either shut down the applications that don’t support it or start the long list of exceptions to the rule. Will we end up with the majority of users now exempt from the security policy?
Even though there’s some debate over how much security the PIV really provides, there’s really no question that Public-Key Infrastructure (PKI) enabled PIV does add a layer of security over the old-school username and password. If you take it back to the intent of the initiative, PKI provides the capability to revoke access from a single point, the certificate. This should remove access from everything, including all applications. If you’ve created a workaround you have bypassed the intent of the initiative.
Applications that are still using usernames and passwords are the workaround. If you need to terminate a person’s access, how do you ensure all the access is removed?
A workaround or a solution?
In my mind I’ve broken this down to a couple of ideas.
- Rewrite the applications to support PIV authentication.
- Put a PIV “front door” on all my applications.
Since rewriting the applications is usually an impossibility for many reasons, let’s focus on the “PIV front door”. I like to relate this to a house where applications are rooms of the house. Each application has a door and the front door is controlled by PIV access. You don’t need to worry about the security of the inside door as long as you control who can access the front door.
When you start to consider this process you realize it doesn’t matter how the applications authenticate as long as you have a very secure PIV front door. You could break it down a bit further into web applications and all others (thick client, terminal emulators, etc). Of course, putting a “front door” on these applications seems difficult at best but solutions from One Identity can make it much easier than it seems.
Please feel free to share your ideas on PIV enabling the enterprise. The challenge is not just at the desktop.