Achieving ‘bold changes’ in authentication from EO on cybersecurity
June 3, 2021 4:07 pm
This content is provided by Yubico.
One week after the Colonial Pipeline was hacked, leading to gas shortages up and down the East Coast, President Joe Biden’s White House released an executive order detailing a number of steps intended to improve both federal agency and governmentwide cyber hygiene. Among the short- and long-term goals prescribed in the document, agencies were given 180 days to institute multi-factor authentication for access to data.
“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the executive order stated.
But multi-factor authentication isn’t exactly a “bold change.” It’s a tried and true, well-established cyber hygiene practice. And it’s one federal agencies should already be familiar with.
“Feds have been ahead of the marketplace using PIV and CAC cards,” said Jeff Phillips, vice president for Public Sector at Yubico. “But they realized as the pandemic came that they needed to shift to a work from anywhere environment for their employees. The issuance of that crypto technology is identity proofing, which is face to face. So how do we offset that?”
That’s why hardware security keys like the YubiKey from Yubico can be used as a supplement to PIV and CAC cards. The YubiKey is one of three Defense Department approved alternate authenticators, is referenced in the NSA’s guidance on selecting secure multi-factor authentication solutions, and provides derived credentialing through any number of devices, from cell phones to laptops. This fills an important gap for government, because even as the pandemic begins to wind down, workforces won’t be returning to the office in droves. The federal workforce will begin exploring a hybrid model regarding telework, and some agencies are even exploring options to consolidate their real estate assets.
That gap is important to fill quickly. The remote workforce is making it significantly more difficult to secure agency networks and data. Geographically distributed employees working outside the traditional security perimeter means a huge increase in the attack surface. That’s going to make getting to the Biden Administration’s zero trust goals more difficult.
“Zero trust is a constant authentication, a constant verifying of who you are,” Phillips said. “And it can’t be just a six digit code sent to you from another system as it relates to authentication. It has to be more than just username and password. Multi-factor authentication will be the key authentication mechanism throughout a whole zero trust architecture. Since you’ll now have authentication into VPN, you’re going to have authentication into your applications and therefore into your cloud services.”
But multi-factor authentication solutions such as mobile-based authenticators are increasingly vulnerable to phishing and AI-driven brute force attacks. That vulnerability only increases with the size of an organization, because every user is a vulnerability, and once bad actors are in the system, they’re able to navigate through lateral movement, ultimately compromising more data.
Modern, alternate forms of authentication like the YubiKey, by contrast, are not vulnerable to phishing or algorithms because they require physical touch to plug in and authenticate. That’s why they’re the perfect fit for a zero trust framework.
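To make that contrast concrete, here is an added example, not from the article and not Yubico’s code, showing the check a relying party can actually perform on a hardware-key sign-in that it cannot perform on a six-digit code. The article attributes the resistance to the physical key; the part of the FIDO2/WebAuthn-style exchange a server sees is the origin the browser recorded when the assertion was produced, and the server rejects an assertion whose origin is not its own. The site names, the challenge handling and the HMAC stand-in for the authenticator’s per-site signature key are all constructed assumptions so the example runs with the Python standard library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample relying party (the legitimate site); not a real host.
RP_ID = "portal.example.gov"
EXPECTED_ORIGIN = "https://portal.example.gov"

# Stand-in for the authenticator's per-site private key. A real FIDO2
# authenticator uses an asymmetric key pair; HMAC-SHA256 is used here only
# so the example runs offline with the standard library.
_DEVICE_KEY = b"constructed-device-secret-not-real"


def authenticator_sign(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Model of what an authenticator returns for one sign-in.

    The browser, not the user, fills in `origin`: it is the page that asked
    for the assertion. Because that value is under the signature, the
    relying party can later check where the user actually authenticated.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    authenticator_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(_DEVICE_KEY, signed, hashlib.sha256).digest()
    return {
        "client_data": client_data,
        "authenticator_data": authenticator_data,
        "signature": signature,
    }


def rp_verify(assertion: dict, issued_challenge: bytes) -> bool:
    """Relying-party checks on a returned assertion."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != issued_challenge.hex():
        return False  # replay of an assertion for some earlier challenge
    if client.get("origin") != EXPECTED_ORIGIN:
        return False  # the assertion was produced for a different site
    if assertion["authenticator_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # rpIdHash does not match this relying party
    signed = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(_DEVICE_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def otp_verify(submitted_code: str, expected_code: str) -> bool:
    """A six-digit code carries no information about where it was typed,
    so the server has nothing to bind it to beyond the code itself."""
    return hmac.compare_digest(submitted_code, expected_code)


def demo() -> dict:
    """Same user, same key, same challenge: only the recorded origin differs."""
    challenge = secrets.token_bytes(32)
    genuine = authenticator_sign(EXPECTED_ORIGIN, RP_ID, challenge)
    # Constructed case: the browser was on a page that is not the portal,
    # so the origin it records is that page, and the server rejects it.
    elsewhere = authenticator_sign("https://not-the-portal.example", RP_ID, challenge)
    code = "123456"  # constructed one-time code
    return {
        "hardware_key_genuine": rp_verify(genuine, challenge),
        "hardware_key_from_other_origin": rp_verify(elsewhere, challenge),
        "otp_typed_at_portal": otp_verify(code, code),
        "otp_typed_elsewhere_and_forwarded": otp_verify(code, code),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The two OTP entries are identical because the server cannot tell them apart; that is the property the article is pointing at when it calls code-based factors phishable. In a real deployment the browser additionally refuses to use an rpId that does not match the page, and the signature is an asymmetric one checked against the public key registered at enrollment, so the origin check above is one layer of a larger verification, not the whole of it.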
“We are in a very niche crowd of technology that is U.S. manufactured and has an established chain of custody that meets all the current government requirements, including the Cybersecurity Maturity Model Certification and FedRAMP,” Phillips said.
That’s one reason YubiKeys are starting to see adoption in the federal space.
“We’re seeing an increase in adoption of YubiKeys amongst Air National Guard units,” Phillips said. “One example is the New York Air National Guard who were faced with a number of folks with regular day jobs that have to do guard duty once a month, or that get called up in a time of emergency. These people need to access certain systems that require the highest security level. They turned to us to support their natural disaster first response system with the highest level of authentication.”
“We’re trying to augment the PIV and the CAC, so that they can have more modern ways to hit mobile computing and cloud computing,” Phillips said. “In the coming years, the new perimeter that the government is going to figure out is how do we protect citizens from the cyber world? They protect us from invasion on a physical level. They respond to natural disasters. Well, we have a new domain now where they need to protect us: cyber. And it can be very disruptive to large masses if not done right.”