
A Bridge to HSPD-12 Secure Remote Access
First printed in Government Security News, July 2008
Federal agencies striving to comply with HSPD-12 must determine how they can continue to provide security efficiently today, meet the compliance deadline of October 2008, and deploy a security infrastructure that will eventually support the Federal Bridge. Besides this and similar Identity and Access Management (IAM) mandates, agencies must also consider business operations issues such as telework programs, continuity of operations (COOP) and worker retention goals.
Option 1 – Build and operate separate concurrent systems. One approach an agency might take is to keep its current OMB M-06-16 compliant solution and deploy an entirely new infrastructure for HSPD-12. This meets the HSPD-12 mandate, but the cost of a duplicate 2-factor authentication system is hard to justify; keeping users and their credentials synchronized across two different systems is a management burden and an added security risk; and staying locked into a legacy solution for several more months or years only extends the time to full compliance.
Option 2 – Build a separate system, then cut over. Agencies may also consider deploying completely new solutions, built from the ground up to support their “unique” requirements. Such a solution would be HSPD-12 compliant from the start; however, the success rate of large-scale projects is historically low, final costs are difficult to confirm, and the resources required for ongoing management of a custom system are greater than for a COTS solution. In addition, the legacy access management solution must continue to be managed and maintained, at some cost, until the cutover is complete.
Option 3 – Deploy dual capability now. A more pragmatic approach is a bridge solution that supports both the current 2-factor authentication requirements and HSPD-12 PIV smart cards. A bridge solution lets agency employees continue using tokens and X.509 PKI certificates while providing a seamless migration to PIV cards as they are issued. This capability is implemented with an appliance that holds two PKI roots of trust: it acts as the certificate authority for the token certificates, and for PIV certificates it performs certification path discovery and validation back to the PIV root, with revocation status checked through OCSP.
Architecturally, the bridge solution is less complex than the alternatives because it eliminates the need for multiple intermediary proxy servers for access and application control. Rather than passing through proxy servers, remote users authenticate once and are integrated with Active Directory through a single sign-on process. This is a true Active Directory certificate-based (Kerberos PKINIT) logon, with the Kerberos ticket delivered to the remote access client. Local control is maintained through a Green List that governs which users may reach Active Directory and a Red List that denies a user even when that user's certificate is otherwise valid. In addition, every remote access logon is logged.
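The decision path the two preceding paragraphs describe (a chain validated to one of two roots of trust, a revocation check, then the local Red List and Green List overrides) is shown below as an added example written for this page in Go using only the standard library. It is not the appliance's code or any vendor's API: the BridgePolicy type, the CN-keyed lists, the certificate authority names, the user names and serial numbers are all assumptions of the example, and the in-memory revoked map stands in for the OCSP query the article mentions. Both hierarchies and all user certificates are constructed at runtime, so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BridgePolicy is a hypothetical model of the appliance's decision logic (an assumption of this
// example, not a vendor API): both trust anchors, revocation status, and the Red/Green List overrides.
type BridgePolicy struct {
	roots     *x509.CertPool  // the legacy token CA and the PIV root together
	revoked   map[string]bool // leaf serial -> revoked; stands in for the OCSP responder
	redList   map[string]bool // subject CN -> denied even when the certificate validates
	greenList map[string]bool // subject CN -> permitted to map onto an AD account
}
type Decision struct {
	Allowed        bool
	Anchor, Reason string
}

// Evaluate keeps the order a bridge must preserve: path validation to one of the two roots,
// then revocation, then the local overrides. A Red List entry wins over an otherwise valid chain.
func (p *BridgePolicy) Evaluate(leaf *x509.Certificate) Decision {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return Decision{Reason: "path validation failed: " + err.Error()}
	}
	root := chains[0][len(chains[0])-1] // the trust anchor that terminated the chain
	anchor, cn := root.Subject.CommonName, leaf.Subject.CommonName
	switch {
	case p.revoked[leaf.SerialNumber.String()]:
		return Decision{Anchor: anchor, Reason: "revoked"}
	case p.redList[cn]:
		return Decision{Anchor: anchor, Reason: "red list override"}
	case !p.greenList[cn]:
		return Decision{Anchor: anchor, Reason: "not on green list"}
	}
	return Decision{Allowed: true, Anchor: anchor, Reason: "ok"}
}

// issue creates a CA or client-authentication certificate for cn on a fresh P-256 key and
// signs it with parentKey; a nil parent yields a self-signed certificate.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario builds both roots, issues constructed user certificates (plus one self-signed impostor) and returns every decision.
func Scenario() map[string]Decision {
	tokenRoot, tokenKey := issue("Agency Token CA", 1, true, nil, nil)
	pivRoot, pivKey := issue("Agency PIV Root", 2, true, nil, nil)
	p := &BridgePolicy{roots: x509.NewCertPool(), revoked: map[string]bool{"102": true},
		redList: map[string]bool{"carol": true}, greenList: map[string]bool{"alice": true, "bob": true, "carol": true}}
	p.roots.AddCert(tokenRoot)
	p.roots.AddCert(pivRoot)
	user := func(cn string, serial int64, root *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
		cert, _ := issue(cn, serial, false, root, key)
		return cert
	}
	return map[string]Decision{
		"alice-token":    p.Evaluate(user("alice", 100, tokenRoot, tokenKey)), // Friday: token certificate
		"alice-piv":      p.Evaluate(user("alice", 101, pivRoot, pivKey)),     // Monday: PIV card
		"bob-revoked":    p.Evaluate(user("bob", 102, pivRoot, pivKey)),
		"carol-redlist":  p.Evaluate(user("carol", 103, tokenRoot, tokenKey)),
		"dave-unlisted":  p.Evaluate(user("dave", 104, pivRoot, pivKey)),
		"eve-selfsigned": p.Evaluate(user("eve", 105, nil, nil)),
	}
}

func main() { fmt.Println(Scenario()) }
```

Two design points worth noting. The Red List is consulted only after the chain has validated, which is exactly what makes it an override: carol's token certificate is cryptographically sound and anchored in a trusted root, yet she is refused. And the same user ("alice") is accepted on Friday under the token CA and on Monday under the PIV root with no change to the policy, because the pool holds both anchors and the decision simply records which one terminated the chain. In a production bridge the revoked map would be replaced by an OCSP request for PIV certificates and by the appliance's own issuance records for the tokens it signed.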
From the user’s perspective, the solution is transparent and location-independent. On Friday 2-factor authentication may be performed with a token, and on the following Monday with a PIV smart card; nothing else changes for the user or for the team managing the platform. Users can connect securely from anywhere, at any time, over any type of network, including wireless. The PIV card provides access both on and off the enterprise network: one network, one access method. Beyond the technology advantages, agency management gains the flexibility to implement whatever remote or telework programs address COOP and other workforce issues.
Ultimately, the bridge approach gives Federal agencies the greatest flexibility in deployment at the lowest risk and cost, delivering OMB M-06-16 compliance today and a seamless migration to HSPD-12 tomorrow.

