Duration: 1 hour
Cost: No Fee
As the United States armed services and national security apparatus in general pursue network modernization, the need to update identity, credential and access management (ICAM) has emerged as a major requirement. Projects such as the Joint All Domain Command and Control (JADC2) require a federated approach to ICAM. Each service will have its own JADC2 iteration, yet the systems must all interoperate. ICAM is also critical because many non-human entities – for example, satellite feeds, weapons platforms and sensors – will need access to JADC2 and enterprise networks like it.
For a look at Defense and national security efforts in ICAM, Federal News Network assembled a panel of government and industry practitioners.
Air Force Chief Technology Officer Jay Bonci described a future state in which the Common Access Card credential, which he described as a “tremendous baseline,” will serve as a standardized, federated store of attributes, leading to a flat and consistent directory of users authorized across joint systems.
“What we need to provide, as a service, is really a consistent baseline of identity stores,” Bonci said, “and be able to take that to any mission set whether it’s joint, whether it’s international, or whether we’re interacting with state or justice or other types of partners.”
Marine Corps Colonel Ray Gerber, assistant chief of staff G6/G39 for Pacific Marine Forces, added that such identities give people “this persistent persona throughout your tenure that adds or detracts from what your accesses are across classifications.” That is, as people’s job functions and roles change, their identity-derived accesses automatically change in tandem. But, Gerber noted, “we’re sitting in the middle of that paradigm shift.”
The Coast Guard provides an example about the need for extensibility in a federated ICAM system. As part of Homeland Security, it regularly works with civilian-side mission partners, noted Commander Jonathan White, cloud and data branch chief. “We have to interoperate both with our DoD mission partners, and also our DHS mission partners at the same time,” White said, adding that the Coast Guard networks are “100% secured and connected to our DOD infrastructure, and all of our ICAM systems fall into the DoD systems.”
As the DOD’s enterprise services provider, the Defense Information Systems Agency offers global directory support for some 150 applications. Scaling up ICAM, though, brings a challenge, according to Drew Malloy, the technical director of DISA’s Cybersecurity and Analytics Technical Directorate. Namely, “When we talk about service-specific and tactical edge [applications], that’s where we need to explore the federated use case.”
Specifically, Malloy said, “How do we federate from an attribute perspective, because there’s only a limited amount of attributes that we have as a department at the enterprise level.” It would simply be impractical to incorporate, at a DOD enterprise level, all of the attributes related to a given individual, their place of employment, each job change they have. “We need to get that information from local systems and then federate that, so that we can provide the best identity solution possible.”
Dr. John Sahlin, the director of Cyber Solutions for Defense at GDIT, said getting to a universal, extensible and configurable ICAM solution is essentially a data issue.
“The challenge isn’t so much to establish a universal identity,” Sahlin said, “but really to have more like a universal translator. So I can translate my identity to whomever I need when it’s tactically relevant.” He added, “That challenge of constantly moving back and forth from the enterprise environment to the tactical environment causes some organizational friction.”
The solution, Sahlin said, consists of three elements: a solid data management strategy, a logical understanding of the attributes needed at the enterprise level, and what he called an extensible data fabric. “That allows the tactical commanders, when they have to operate independently, to be able to say, ‘These five attributes make sense at the global level. But I need these three other attributes to associate with identity in order to make my mission make sense.’”
Data-driven approaches also hold the most promise for extending ICAM solutions to non-person entities needing authorized access to networks, and for keeping out unauthorized ones, panelists said.
Especially in tactical situations, commanders might need to make decisions informed by sensor data. Therefore they need trust in the provenance of the data. Sahlin said, “That boils down to the kinds of attributes that we can assign to it.”
Bonci put the non-person challenge this way: “How do we make a risk decision around the way in which the patterns of your non-person entity works?” Such risk apportionment, he said, extends to sensor data, application programming interfaces, scripts, and activities of autonomous systems.
Risk decisions based on known norms of behavior, Bonci added, take an eventual ICAM system away from reliance on traditional user repositories such as Active Directory.
“A lot of the challenge that we have in moving towards this future,” Bonci said, “is moving away from some of the legacy limitations of traditional, very large Active Directory deployments.”
Gerber said a comprehensive ICAM and its data fabric should be able to incorporate the Marine Corps’ main contribution to a joint force network: machine-to-machine data from forward sensors on low-bandwidth feeder subnetworks. Machine-to-machine, he said, is inherently more reliable and “puts you back into a larger data environment where you can make an assessment about whether or not and how much you trust” the data. Such assessments, he said, now require a great deal of human intervention. Over time, Gerber said, “eventual algorithms will allow you to determine if I don’t trust this data anymore.” For example, abnormal data or data outside expected norms might trigger flags.
The Coast Guard’s White emphasized the need to have ICAM trust systems extend to software.
“As you cede more and more control of your enterprise to automation, and to scripting, and to tools that are out there,” White said, “those scripts really need to identify themselves and be able to be controlled from a cybersecurity standpoint.” He added, “It’s very important that as we go down this road, we really treat these entities as not necessarily non-person entities, but as a critical component of your infrastructure.”
The non-person ICAM challenge might ultimately be the biggest as enterprise networks become software-defined.
“The non-person entity use cases are really ubiquitous from the enterprise all the way down to the tactical scenario,” DISA’s Malloy said. “If you want to develop towards an API-based infrastructure, and you want to rely on the integrity of those machine-to-machine communications, we really have to think about how we are doing non-person entities within our credentialing program and how we get to more automation.”
Sahlin underscored the need for automation as well as transparency into how automated systems work. He also underscored the need to move the inclusion of ICAM attributes earlier into the software development cycle.
“The automation should have some degree of explainability,” he said. “It’s critical for this automation to roll into the DevSecOps process. If we understand algorithmically how the automation is expecting to use those attributes, we can better inject those attributes … as far left as possible.”
Panelists:
Jay Bonci, Chief Technology Officer, Air Force
Cmdr. Jonathan White, Cloud and Data Branch Chief, Coast Guard
Col. Ray Gerber, Assistant Chief of Staff, G-6/G-39, Marine Corps Forces Pacific
Drew Malloy, Technical Director, Cybersecurity and Analytics Directorate, Defense Information Systems Agency
Dr. John Sahlin, Director of Cyber Solutions for Defense, GDIT
Moderator: Host, The Federal Drive, Federal News Network