As the federal government steers toward more modern IT architectures, including zero trust architecture, the power and the “criticality of identity” grow. At the Education Department, Chief Information Security Officer Steven Hernandez said people’s concept of identity will need to evolve.
“As we go forward, we have to get comfortable with the idea that the identity system becomes decoupled at the authentication layer, kind of the next layer, and then it actually becomes federated with a multitude of different approaches for authentication,” he said on Federal Monthly Insights — Cybersecurity Awareness Month: Secure Identity and Access Management. “So I think through the zero trust strategy, and where we’re headed in the federal space, identity is going to continue to be a core conversation.”
His office at the Education Department is “basically 100% cloud,” with 39 of the major providers represented in the environment and several dozen smaller, boutique providers, he said. The organization wants to reach a point where a single identity can represent a bot and be federated across all the cloud environments. Hernandez said this presents more of a coordination and integration challenge than a data problem.
Humans can use Personal Identity Verification or other strong authenticator tokens as part of their login processes, but for a nonhuman entity, measures such as X.509 certificates and certificate-based assertions are needed to confirm identity. Going forward, Hernandez said, understanding how the technologies plug in and ensuring that, from an anti-fraud perspective, they cannot be abused by a bot with access to a certain amount of data will be key. That’s especially important if said data is public-facing, because the bot should not be tricked into giving out information for sale.
For example, asking “I understand you’re a digital worker or virtual worker coming in — what platform are you coming from? What amount of hardware interrogation or device interrogation can I get as part of that assertion, and then how do I start to factor that into the authentication?” he illustrated on Federal Drive with Tom Temin.
Continuous authentication is a part of zero trust architecture wherein administrators are constantly evaluating the relationship between the subject and the object, which traditionally has involved either identity and data, or spotting an identity which is “snooping” around the network, Hernandez said. In terms of the threat landscape and threat modeling, a major conversation emerges around the possibility of bots being taken over by unauthorized persons and given behaviors or permissions they should not have.
Last March the National Security Agency published a paper talking about the Russian Main Intelligence Directorate (known as GRU) deploying highly sophisticated botnets, leveraging the Kubernetes open source system for managing containerized applications, and leveraging both cloud capability and captured data from the dark web to attack platforms around the world, Hernandez noted.
“And when we see our attackers leveraging this type of capability, orchestration, automation, robotic process automation, it’s terrifying because … if they can get a foothold inside the organization, and then get a hold of our own bots and turn them against us, that would be catastrophic for those who have that type of capability deployed,” he said. “Most of the folks who are a little more forward-thinking in this space are basically treating every bot or every virtual worker, as it were, almost as its own authorization case.”
Before a bot gets deployed, it goes through a full assessment process and authorization to confirm the organization understands the bot’s security posture, what it can access, how it is monitored, and where its boundaries lie.
“We know kind of where the thresholds are if things go south, and most importantly, we understand how to deny that authorization. We know how to pull the plug in and stop something or sever it and contain it if we need to,” he said.
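Two pieces of the interview come together in one added example (not code from the Education Department or the interview): the continuous evaluation of the subject-to-object relationship described earlier, and the ability to deny a bot's authorization when it crosses its boundaries. Each access by a bot is re-checked against the scope and rate threshold agreed for it before deployment; a single out-of-scope access (the “snooping” case) or a runaway burst revokes the session, and `Revoke` is the administrator's manual “pull the plug” action. The bot names, resource paths, thresholds and the access events are all constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AccessEvent is one observed subject-to-object access (sample data constructed below).
type AccessEvent struct {
	Time    time.Time
	Subject string // the bot's identity
	Object  string // the resource it touched
}

// BotAuthorization is the boundary agreed for a bot before it is deployed.
type BotAuthorization struct {
	AllowedPrefixes []string // objects the bot may touch
	MaxPerMinute    int      // threshold beyond which activity is treated as anomalous
}

type Decision struct {
	Allowed bool
	Reason  string
}

// Evaluator re-checks every access against the bot's authorization and keeps
// per-bot state so that one out-of-scope access or a burst ends the session.
type Evaluator struct {
	policies map[string]BotAuthorization
	recent   map[string][]time.Time
	revoked  map[string]string
}

func NewEvaluator(policies map[string]BotAuthorization) *Evaluator {
	return &Evaluator{policies: policies, recent: map[string][]time.Time{}, revoked: map[string]string{}}
}

// Revoke is the "pull the plug" action: every later access by the subject is denied.
func (e *Evaluator) Revoke(subject, reason string) { e.revoked[subject] = reason }

// Evaluate decides one access and updates the session state for the subject.
func (e *Evaluator) Evaluate(ev AccessEvent) Decision {
	if reason, ok := e.revoked[ev.Subject]; ok {
		return Decision{false, "session revoked: " + reason}
	}
	pol, ok := e.policies[ev.Subject]
	if !ok {
		return Decision{false, "no authorization on file for " + ev.Subject}
	}
	if !inScope(pol, ev.Object) {
		e.Revoke(ev.Subject, "out-of-scope access to "+ev.Object)
		return Decision{false, e.revoked[ev.Subject]}
	}
	// Keep only the timestamps inside the trailing one-minute window, then add this one.
	cutoff := ev.Time.Add(-time.Minute)
	window := e.recent[ev.Subject][:0]
	for _, t := range e.recent[ev.Subject] {
		if t.After(cutoff) {
			window = append(window, t)
		}
	}
	window = append(window, ev.Time)
	e.recent[ev.Subject] = window
	if len(window) > pol.MaxPerMinute {
		e.Revoke(ev.Subject, fmt.Sprintf("%d accesses in the last minute exceeds %d", len(window), pol.MaxPerMinute))
		return Decision{false, e.revoked[ev.Subject]}
	}
	return Decision{true, "within authorized scope and rate"}
}

func inScope(pol BotAuthorization, object string) bool {
	for _, p := range pol.AllowedPrefixes {
		if strings.HasPrefix(object, p) {
			return true
		}
	}
	return false
}

// RunSample feeds constructed events through the evaluator and returns the decisions.
func RunSample() []Decision {
	const reader = "spiffe://example.gov/bot/invoice-reader"
	const crawler = "spiffe://example.gov/bot/site-crawler"
	e := NewEvaluator(map[string]BotAuthorization{
		reader:  {AllowedPrefixes: []string{"/finance/invoices/"}, MaxPerMinute: 30},
		crawler: {AllowedPrefixes: []string{"/public/"}, MaxPerMinute: 2},
	})
	t0 := time.Date(2024, 10, 1, 9, 0, 0, 0, time.UTC)
	events := []AccessEvent{
		{t0, reader, "/finance/invoices/2024-09.pdf"},                       // 0: in scope
		{t0.Add(10 * time.Second), reader, "/finance/invoices/2024-10.pdf"}, // 1: in scope
		{t0.Add(20 * time.Second), reader, "/hr/personnel/roster.csv"},      // 2: snooping, session revoked
		{t0.Add(30 * time.Second), reader, "/finance/invoices/2024-11.pdf"}, // 3: denied, session already gone
		{t0, crawler, "/public/index.html"},                                 // 4: in scope
		{t0.Add(time.Second), crawler, "/public/about.html"},                // 5: in scope, 2 in window
		{t0.Add(2 * time.Second), crawler, "/public/faq.html"},              // 6: third in a minute, revoked
	}
	var out []Decision
	for _, ev := range events {
		out = append(out, e.Evaluate(ev))
	}
	return out
}

func main() {
	for i, d := range RunSample() {
		fmt.Printf("%d allowed=%v %s\n", i, d.Allowed, d.Reason)
	}
}
```

The evaluator treats the first out-of-scope access as decisive rather than merely logging it, because a bot that reaches outside its agreed boundary is exactly the takeover scenario the interview describes; containment happens at the point of detection, and a human reviews afterwards.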