Air Force banking on role-based authentication system to lock down data

Agencies continue to struggle to have a good model to ensure their employees have access to only the information they are supposed to have access to. But at least one agency is close to answering this long-standing challenge.

The Air Force is launching a pilot to test role-based authentication. The idea is to have an enterprise security approach that approves access to data based on the employees’ roles and responsibilities.
Frank Konieczny, the Air Force’s chief technology officer, said as agencies move to a Web services approach to networks — where an application calls a database and pulls data back to the user — the need to authenticate the user is growing.

“The pilot we started about a year ago. We have a system integrator actually doing it. We are in testing right now in a MilCloud environment that we are trying to actually connect a real app to it to validate it,” Konieczny said Wednesday at the Federal Forum conference sponsored by Brocade in Washington. “It’s based on attributes for each individual in a sense that as soon as the person’s attributes change, their role changes, and we automatically authenticate for particular access to data or particular systems.”

Once the Air Force validates the technology with the initial application, Konieczny said the service will require all new software to implement this role-based authentication capability.
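The approach Konieczny describes, roles derived from each person's current attributes so that an attribute change automatically changes what data they can reach, is easiest to see in a small policy engine. The following is an added illustration, not code from the Air Force pilot or its integrator; the attribute names (duty, clearance, admin_of), the role rules, the classification ordering and the sample users and resources are all constructed assumptions. Roles are computed at decision time rather than stored, so no re-provisioning step is needed, every decision is deny-by-default, and each decision is written to an audit trail that a SOC could review.

```python
"""
Attribute-driven role assignment with deny-by-default data access decisions.
Roles are recomputed from the user's attributes on every request, so when an
attribute changes the effective role and the reachable data change with it.
All names and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class User:
    uid: str
    attributes: Dict[str, str]          # e.g. {"duty": "intel", "clearance": "secret"}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str                 # one of CLASSIFICATION_ORDER
    owner_unit: str                     # unit that owns the data


# Assumed ordering, lowest to highest sensitivity.
CLASSIFICATION_ORDER = ["unclassified", "confidential", "secret"]

# Role rules: role name -> predicate over the user's current attributes (assumed).
ROLE_RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "maintenance_tech": lambda a: a.get("duty") == "maintenance",
    "intel_analyst": lambda a: a.get("duty") == "intel" and a.get("clearance") == "secret",
    "unit_admin": lambda a: a.get("admin_of") is not None,
}

# Permissions: role -> {(action, highest classification the role may touch)} (assumed).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "maintenance_tech": {("read", "unclassified")},
    "intel_analyst": {("read", "secret"), ("annotate", "secret")},
    "unit_admin": {("read", "secret"), ("write", "secret")},
}

# Every decision is recorded so access patterns can be monitored.
AUDIT_LOG: List[dict] = []


def roles_for(user: User) -> Set[str]:
    """Derive roles from the user's attributes as they are right now."""
    return {role for role, pred in ROLE_RULES.items() if pred(user.attributes)}


def dominates(ceiling: str, classification: str) -> bool:
    """True if a role's classification ceiling covers the resource's classification."""
    return CLASSIFICATION_ORDER.index(ceiling) >= CLASSIFICATION_ORDER.index(classification)


def authorize(user: User, action: str, resource: Resource) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    roles = roles_for(user)
    decision = (False, f"no role in {sorted(roles)} grants {action} on {resource.classification}")
    for role in sorted(roles):                       # sorted for deterministic reasons
        for act, ceiling in ROLE_PERMISSIONS.get(role, set()):
            if act != action or not dominates(ceiling, resource.classification):
                continue
            # unit_admin rights are scoped to the unit the user administers.
            if role == "unit_admin" and user.attributes.get("admin_of") != resource.owner_unit:
                continue
            decision = (True, f"{role} grants {action} on {resource.classification}")
            break
        if decision[0]:
            break
    AUDIT_LOG.append({"uid": user.uid, "action": action, "resource": resource.name,
                      "roles": sorted(roles), "allowed": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    # Constructed walk-through: an attribute change flips the user's effective role.
    airman = User("a1", {"duty": "maintenance"})
    schedule = Resource("flightline-schedule", "unclassified", "unit-1")
    folder = Resource("target-folder", "secret", "unit-1")
    print(roles_for(airman), authorize(airman, "read", schedule), authorize(airman, "read", folder))
    airman.attributes.update({"duty": "intel", "clearance": "secret"})
    print(roles_for(airman), authorize(airman, "read", folder), authorize(airman, "write", folder))
    for entry in AUDIT_LOG:
        print(entry)
```

The tactical case Konieczny raises later, where a node cannot reach a central service, fits the same structure: ROLE_RULES and ROLE_PERMISSIONS are plain data and can be shipped to the disconnected site as a signed policy bundle and evaluated locally, with the local AUDIT_LOG forwarded when the satellite link returns.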

“We need to get to the point where we actually are defending the data,” he said. “That’s one of the big rocks in the Joint Information Environment — identity management. We want to make sure that that’s one of the ones we are working on right now. We’ve actually pushed this into the JIE framework as one of the frameworks they should consider for identity management in the JIE.”

A new threat vector

The JIE is an umbrella term to address standards, consolidation and information sharing across all military services and agencies. The Defense Department is requiring services and agencies to take part in the JIE, in part, by modernizing their networks to meet the program’s goals.

The Air Force’s implementation of role-based authentication is both part of the JIE and part of the increased protection against insider or outside threats to its data.

“It’s really a change to data security. We’ve seen network security work, and we still have network security. But we are trying to guard the data now more than anything, because that’s what the bad guys actually want to get after. They want to exfiltrate it or change it,” Konieczny said. “That’s the real threat vector we are up against right now.”

Konieczny said the technology is in addition to DoD’s requirement for military and civilian employees to use their Common Access Card to log onto the network.

Konieczny said every agency understands more and more that the need to protect data is paramount. To that end, agencies will apply this type of role-based authentication to more and more systems.

“We’ve been sharing the pilot with everybody. Actually, we are trying to test it in MilCloud, which is DISA’s JIE offering, and also we probably will test it in the test core data center that DISA is establishing,” he said. “We’ve gotten inputs from all of the services and will continue to do so.”

Full production in 2015

The feedback is important because DoD faces challenges many agencies do not. Konieczny said one big challenge is using this technology in the tactical environment.

“You really can’t connect to a centralized location for information, so there has to be a way of moving it out, keeping it updated in the tactical environment via satellite communications or something, or actually having them run by themselves and have some administrative rights at that point in time,” he said.

Konieczny said he thinks the role-based authentication technology is about six months away from going into full production. He said the Air Force is looking at application compatibility to work with it when it goes into full production.

He said part of the reason for the bigger focus on data security comes from how computer networks are morphing to include airplanes, satellites and even drones. The Air Force wants to get to a single unified network that needs to be managed as an entity.

Konieczny said under the JIE framework, network management comes back to applications, because that’s where the mission gets done.

“At the base, you can have mission essential applications only, and they are connected via network to the base so that if the major communication goes out to the JIE wide-area network, if you will, the base can still operate,” he said. “The base operations for the Air Force is like the air operations center where they communicate accordingly with the airplanes and everything else. So this network is much larger than you think it is, even though we say it’s sitting on the base. It’s an extension of the base into the real atmosphere out there and to whatever it does. Also, you have to think of it as the drones sending information back. We have lots of intelligence, surveillance and reconnaissance videos coming in, petabytes of data per second. So that’s part of the network and how is that going to be affected by anything we do?”

This expansion of the network requires the Air Force to also consider both cyber and kinetic attacks against its data centers and what that would do to its IT capabilities.

The Air Force isn’t alone when it comes to the changing view of its network.

VDI gets a workout

The Federal Communications Commission has received a growing amount of data and comments over the last few years.

John Skudlarek, the deputy CIO at the FCC, said the commission recently implemented a virtual desktop initiative (VDI), and it was put to the test during the recent Africa summit in Washington.

“The leadership made a decision that if people wanted to take leave on Tuesday or telework, that would be a really good time to do it,” he said. “Our volume coming into the network from the outside from our internal customers quintupled from what we normally see. I can tell you how well the network was performing, and I was actually at work that day because I’m a glutton for punishment. The truth is, the network held up. We were monitoring very carefully. Utilization rates, which are normally considerably lower, were much higher up on the continuum.”

Skudlarek said the FCC received more than 1 million comments on the open Internet or net neutrality proposed rule recently, and the network held up well from that influx of data.

The Postal Service, like the Air Force, also is trying to get a huge network under better control.

John Edgar, the vice president of IT for the Postal Service, said USPS has 35,000 physical end points across the country, making it a hybrid environment.

Edgar said moving the network to the cloud creates both opportunities and challenges.

“The whole pattern of how you allow people to access those applications in the different environment changes, and the networking requirements that go along with that change,” Edgar said. “It initially makes it more complex, but the goal is try to simplify it and make things easier for everybody to use and get the services they need.”

USPS is currently implementing cloud systems using SalesForce and ServiceNow.

Edgar said the Postal Service’s focus is expanding to meet changing business needs.

“One of our major focuses right now is to try to move toward much more real-time usage of the data that we have in the organization and driving that down out to our supervisor levels and people out in the field through broader access to mobile devices and things like that,” he said. “We are trying to get out of ‘how did I do yesterday’ mode and move into more of a predictive and perspective analytics model. This is where we are able to use the data in the background, identify mail flow bottlenecks, transportation delays and things like that. Our goal is to push real-time alerting or real-time performance measurement dashboards and systems out to our supervisors and our plant tour managers.”

