Ten years after the Homeland Security Information Network (HSIN) was designated as DHS’ official information sharing platform, department leaders say they’re turning a page with the system’s identity management program.
HSIN now has the ability to determine a user’s access to the network based on his or her attributes and job function, not merely a name or other common identifying factors, said Donna Roy, executive director of the Information Sharing Environment Office at DHS, said during AFCEA Bethesda’s Law Enforcement and Public Safety Technology Forum in Washington May 10.
“We have identity services and what we’re calling trusted identity exchanges or capabilities for a definition of Donna Roy as a human being who works in the Department of Homeland Security at the unclassified level, replicated up at the secret level, replicated up at the top-secret level,” she said. “My identity is the same on all networks. What’s even cooler, identity exchange at the classified level also provides identity out to the definition of me as I inter-operate with my other federal partners.”
Essentially, that means that HSIN — at the department level — recognizes the full spectrum of the user’s job, and it only connects that user to the data that person needs to do his or her job. In Roy’s case, HSIN considers all of her job functions — from developing IT capabilities to hiring personnel and paying bills — when it grants her access to the network.
Luke McCormack, the department’s chief information officer, said the new identity management strategy is all a part of DHS’ goal to provide a “deeper experience” on HSIN. Users with the proper credentials will gain access to their individual community but can also tap into other capabilities as well, he said.
“You’ll be able to log on with your credentials through HSIN and get access to not only capability within HSIN but some of the capability within DOJ, etc.,” McCormack said. “That’s what one of the things that our user community has discussed with us and asked for — a deeper, more thorough experience. We’re going to continue to go broader into these different sectors because we think that’s important. There’s a lot of unmet demand out there.”
The department is also beginning to move HSIN to the cloud, McCormack said.
“As we lower our costs moving into this new technology, we can re-deploy those dollars into more functionality and capability and it allows us to scale, just from a volume standpoint [and] from a usage standpoint,” he said “That’s a win-win for us. You’ll see some of that in the not-too distant future.”
Members of Roy’s office are sitting down with law enforcement agencies across the country to get their feedback on new capabilities they’d like to see in HSIN, McCormack said.
HSIN now connects more than 18,000 law enforcement departments, 60,000 first responding agencies and 78 fusion centers.
Installing two-factor authentication at all 18,000 of those local police departments and law agencies has been a challenge, said Jeremy Wiltz, deputy assistant director for FBI’s Criminal Justice Information Services Division. It’s an expensive undertaking, and technology at the state and local level often can’t yet handle personal identity verification (PIV) cards.
DHS had already been working on boosting its two-factor authentication standards for privileged and unprivileged users well before the two major cyber breaches at the Office of Personnel Management, Roy said. But the administration’s 30-day cybersecurity sprint forced DHS, like many other federal agencies, to make it a bigger priority.
But for local law enforcement agencies, the focus for now is on strong authentication, Roy and Wiltz both said.
Human behavior is also beginning to play a bigger role in identity management, Wiltz said.
“If your user account has never logged into a router before, why are you now logging in?” he said. “And why are doing things in a system admin-like way that you’ve never done before?”
DHS is deploying a similar identity management strategy to its data framework, Roy said. The department is putting some of its most sensitive data in a platform and controlling access based on the user’s job function, not the user’s name.
“Donna Roy does not have an account on this thing called the data framework,” she said when describing an example. “Donna Roy does have an identity stored somewhere in the department, and their attributes of my identity, none of which are my name, are used to get access to that big data platform. What is being used are attributes about me, attributes about my job and my authorized purpose and function and then information about the data itself and how we protect and how much I can have, given I am Donna Roy and what I’m doing.”
The dream now, she said, is to make some of that technology mobile. She compared the scenario to downloading music — users who download an mP3 onto a laptop but can also access it from an iPhone or a tablet.
“That’s where I want the government data to be,” she said. “We can pass information around and across jurisdictions in an event. You don’t have to understand that if you need access to that data, the data should start coming to you when you need it, and only the data you need for that decision point. We’re getting really, really close at some of the higher-level things that we’re doing on the classified side, and those technologies are propagating down into more common approaches.”