Securing identity: A conversation with Naval Identity Services

Gain insights into how identity management advancements are shaping Navy operations and security


Date & Time: On Demand

Webinar

Technology

The Department of the Navy has about 126 separate networks on ships and within various Navy enclaves. Each of these enclaves has historically maintained its own user identity store, with each store serving a specific, local purpose.

Now, the Naval Identity Services is working to centralize all these silos into a “single source of truth,” making it available at the enterprise level.

“Further, that is going to be federated up and that type of information is going to be shared with the [Defense Information Systems Agency] and the other system components so that we could enforce those zero trust types of policies across the entire DoD,” Curt Parker, lead engineer for NIS, told Federal News Network.

After several years of development and testing, the Navy launched NIS as an enterprise-wide service in May, creating a scalable foundation for identity, credentialing and access management that includes capabilities such as a privileged access management system, a universal directory of identity information, an identity provider and a self-service portal where users can manage various aspects of their identity and access.

Limitations of DMDC and Navy-specific needs

The Defense Manpower Data Center (DMDC), the Defense Department’s sole authoritative source for identity, manages the identities of nearly 3.5 million employees and 7 million beneficiaries. DMDC, however, maintains only basic identity data, which is why the Navy supplements it with its own universal directory.

The directory serves as a one-stop shop that allows anyone in the Navy to access identity services and tailor them to their specific needs rather than sharing resources with other military services.

But the main reason the service maintains its own universal directory is that the Navy operates in disconnected, degraded, intermittent and latent (DDIL) environments more than any other component across the DoD.

“Whenever you think about disconnected situations inside some of the other system components, we are usually talking about hours or days. But in the Navy, we are talking about a ship that may go disconnected, or a submarine that goes underneath the water, for months,” said Parker. “With a lot of the identity technologies out there, they run the risk of their data being considered stale. Whenever you’re disconnected for an extended amount of time, the information that is located in that disconnected copy may be considered not authoritative. Whenever you’re gone this long, things change. People change their work duties. They may get promotions. Those directories still need to have the ability for changes to be made to them in order to enforce the ICAM.”
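The staleness problem Parker describes is easier to see in code. The following is an added example, not code from the article or from Naval Identity Services: a toy model in which a shipboard replica keeps serving and accepting local changes while cut off, every record carries a version and a timestamp so staleness is explicit, and the enterprise directory reconciles the replica's pending changes on reconnect. The 30-day staleness window, the last-writer-wins conflict rule and the record fields are assumptions for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class IdentityRecord:
    user_id: str
    duty: str
    rank: str
    version: int
    updated_at: datetime


class Directory:
    """Either the enterprise 'single source of truth' or a disconnected replica."""

    def __init__(self, records: Dict[str, IdentityRecord], synced_at: datetime,
                 max_stale: timedelta = timedelta(days=30)):   # assumed policy window
        self.records = dict(records)
        self.synced_at = synced_at
        self.max_stale = max_stale
        self.pending: List[IdentityRecord] = []   # local changes since last sync

    def is_stale(self, now: datetime) -> bool:
        return now - self.synced_at > self.max_stale

    def update(self, user_id: str, now: datetime, **changes) -> IdentityRecord:
        """Apply a change locally (e.g. a promotion made underway) and queue it for sync."""
        old = self.records[user_id]
        new = replace(old, version=old.version + 1, updated_at=now, **changes)
        self.records[user_id] = new
        self.pending.append(new)
        return new


def authorize(directory: Directory, user_id: str, required_duty: str,
              now: datetime) -> Tuple[str, str]:
    """Access decision on a node: deny on no matching record; allow but flag for
    re-validation when the copy being consulted is past its staleness window."""
    rec = directory.records.get(user_id)
    if rec is None or rec.duty != required_duty:
        return ("deny", "no matching record")
    if directory.is_stale(now):
        return ("allow", "stale replica; revalidate on reconnect")
    return ("allow", "fresh")


def reconcile(enterprise: Directory, replica: Directory, now: datetime):
    """Push the replica's pending changes up, then pull the authoritative view down.
    A conflict is a record the enterprise also changed after the replica last synced;
    assumed rule: the later update wins and the conflict is reported for review."""
    conflicts = []
    for local in replica.pending:
        remote = enterprise.records.get(local.user_id)
        if remote is not None and remote.updated_at > replica.synced_at:
            conflicts.append((local.user_id, remote, local))
            winner = local if local.updated_at >= remote.updated_at else remote
        else:
            winner = local
        enterprise.records[local.user_id] = winner
    replica.records = dict(enterprise.records)   # refresh the whole copy
    replica.pending = []
    replica.synced_at = now
    return conflicts


def demo() -> dict:
    """Constructed scenario: 45 days underway, changes both afloat and ashore."""
    t0 = datetime(2024, 1, 1, tzinfo=UTC)
    seed = {"u1": IdentityRecord("u1", "watch-officer", "LT", 1, t0),
            "u2": IdentityRecord("u2", "helmsman", "PO2", 1, t0)}
    enterprise, ship = Directory(seed, t0), Directory(seed, t0)
    enterprise.update("u1", t0 + timedelta(days=10), duty="instructor")     # ashore only
    enterprise.update("u2", t0 + timedelta(days=20), duty="quartermaster")  # ashore, conflicts
    t1 = t0 + timedelta(days=45)
    ship.update("u2", t1, duty="watch-officer", rank="PO1")                 # afloat promotion
    before = authorize(ship, "u2", "watch-officer", t1)
    t2 = t0 + timedelta(days=46)
    conflicts = reconcile(enterprise, ship, t2)
    return {"before": before, "conflicts": len(conflicts),
            "u1_duty": ship.records["u1"].duty, "u2_rank": ship.records["u2"].rank,
            "after": authorize(ship, "u2", "watch-officer", t2)}


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the replica never stops answering, but each answer states whether it rests on a fresh or a stale copy, and the enterprise side learns of every change made while the ship was away, including the ones it has to adjudicate.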

Access request processes

Parker said many Navy systems have their own processes for handling access requests, tailored to the specific needs of their stakeholders. In some cases different user access request processes exist within the same application, with one command requiring three levels of approval for access while another requires only one.

“It’s not that they’ve done anything wrong, but they don’t match usually,” said Parker.

The service has introduced a standardized enterprise workflow, but the challenge is getting commands to embrace a centralized approach and let go of some level of autonomy.

“They want it to be more customized to the way they are, the way they’ve always been able to do it. This is kind of an ingrained mindset where they’re taking care of everything themselves. They want to be responsible for it. They don’t want to cede the control, especially whenever it comes to access. But with zero trust, we’re going to have to change that, and we’ll get there,” said Parker.
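One way a standardized enterprise workflow can still accommodate commands that want three approval levels and commands that want one is to make the approval chain a per-command configuration over a single engine. The following is an added example, not code from the article or from NIS; the role names and chains are assumptions, and the engine enforces two checks a practitioner would expect regardless of chain length: no self-approval, and no single approver signing more than one step.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed chains: the enterprise default, plus per-command overrides.
ENTERPRISE_CHAIN: List[str] = ["supervisor", "isso"]
COMMAND_CHAINS: Dict[str, List[str]] = {
    "COMMAND-A": ["supervisor", "division-officer", "isso"],   # three levels
    "COMMAND-B": ["supervisor"],                                # one level
}


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    resource: str
    command: str
    approvals: Dict[str, str] = field(default_factory=dict)   # step role -> approver id

    def chain(self) -> List[str]:
        """Command override if one exists, otherwise the enterprise standard."""
        return COMMAND_CHAINS.get(self.command, ENTERPRISE_CHAIN)

    def next_role(self) -> Optional[str]:
        for role in self.chain():
            if role not in self.approvals:
                return role
        return None

    def is_granted(self) -> bool:
        return self.next_role() is None


def approve(req: AccessRequest, approver_id: str, approver_roles: Set[str]) -> Tuple[bool, str]:
    """Record one approval step, enforcing order and separation of duties."""
    role = req.next_role()
    if role is None:
        return False, "already fully approved"
    if approver_id == req.requester:
        return False, "self-approval not allowed"
    if role not in approver_roles:
        return False, f"next step requires {role}"
    if approver_id in req.approvals.values():
        return False, "separation of duties: one approver per chain"
    req.approvals[role] = approver_id
    return True, f"{role} approved; next: {req.next_role() or 'granted'}"


def demo() -> dict:
    """Constructed scenario: the same resource requested under two commands."""
    a = AccessRequest("R-1", "sailor1", "logistics-app", "COMMAND-A")
    b = AccessRequest("R-2", "sailor2", "logistics-app", "COMMAND-B")
    out = {}
    out["a_skip"] = approve(a, "isso1", {"isso"})               # out of order: refused
    out["a_self"] = approve(a, "sailor1", {"supervisor"})       # requester: refused
    approve(a, "sup1", {"supervisor"})
    out["a_dup"] = approve(a, "sup1", {"supervisor", "division-officer"})  # same person twice
    approve(a, "divo1", {"division-officer"})
    out["a_last"] = approve(a, "isso1", {"isso"})
    out["b_last"] = approve(b, "sup2", {"supervisor"})
    out["a_granted"], out["b_granted"] = a.is_granted(), b.is_granted()
    out["a_steps"], out["b_steps"] = len(a.approvals), len(b.approvals)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because the chain is data rather than code, a command keeps its three levels while another keeps its one, and both run through the same enterprise engine, which is where the zero-trust controls live.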

Exploring authentication options

While the ubiquitous common access card (CAC) remains the standard identity credential across the Defense Department, it’s expensive to maintain and manage. Parker said the Navy is exploring multi-factor authentication (MFA) options along with YubiKeys, although hardware keys face logistical challenges similar to the CAC’s.

“Probably the most exciting and the most benefit to our enterprise would be whenever we’re allowed to start using general use authenticators, like the Microsoft authenticator, as a secondary factor for two-factor authentication,” said Parker. “Being able to use this software means a user who wants to make use of this multi-factor technology can put it on their phone. We can control the way that that behaves on the phone based on, let’s say, the Microsoft Azure environment so that we can actually make a device-bound passkey for Microsoft authenticator that allows authentication. And that’s really exciting because it’s cheap, it’s fast, and you only have to do your authentication and sign up really once for the enterprise.”

Speakers

Curt Parker, Lead Engineer, Naval Identity Services
Sabrina Lea, Director of DoD Programs, Okta
Anastasia Obis, DoD Reporter, Federal News Network