Civilian vs. military approach to identity & access management
Brig. Gen. Gregory Touhill (USAF Ret.), former federal chief information security officer and president at Cyxtera Federal Group, discusses problems with current government network authentication methods, and how identity-centric strategies may be the future of securing information.
Confirming identity is a key part of any risk management strategy. In both the public and private sectors, it’s vital to make sure that people accessing buildings, information and networks are allowed to be there. However, the standard HSPD-12 ID card used in the federal government is starting to show its age, compared to private sector access management systems.
“It’s still effective against most hostile actors. However, [if] we take a look at the sophistication of nation-state actors, as well as some criminal groups, that type of elderly technology is quickly becoming aged out,” said Brig. Gen. Gregory Touhill (USAF Ret.), former federal chief information security officer and president at Cyxtera Federal Group. “I like the fact that the federal government is now taking an identity-centric approach, as opposed to a network-centric approach, to managing information.”
Touhill says that HSPD-12 and its Department of Defense counterpart, the Common Access Card, have had security gaps for several years. He traces the issues to Transmission Control Protocol and Internet Protocol (TCP/IP), the connection handshakes that form the backbone of most networks: a connection is established before the service has authenticated whoever is on the other end.
“The way TCP/IP works is you connect first, then you authenticate; that’s how it was designed. DARPA, when the Cyber Genome Project was launched back in 2004, recognized that was a problem,” Touhill told Government Matters. “As a result of the research that DARPA kickstarted, a whole new category of identity-centric approaches has emerged, because you don’t want to connect and then authenticate; you want to authenticate first.”
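The contrast Touhill draws, connect-then-authenticate versus authenticate-then-connect, can be made concrete with two toy servers. The code below is an added illustration for this article, not anything from Touhill, DARPA or Cyxtera, and it models packets as plain dictionaries rather than real sockets so it runs offline. The shared secret, the identity "alice@example.gov", the password "hunter2" and the IP addresses are all constructed for the example; a real identity-centric gate would derive per-identity keys from a PIV/CAC credential or an identity provider rather than a hard-coded secret.

```python
"""Connect-then-authenticate vs authenticate-then-connect, as in-process toys.

Added example, not from the original article. Packets are dicts, not sockets,
so the script runs offline. All secrets and identities are constructed.
"""
import hashlib
import hmac
import time

SHARED_SECRET = b"example-only-secret"   # constructed; never hard-code in practice
REPLAY_WINDOW_SECONDS = 30


class ConnectFirstServer:
    """Classic TCP-style service: the handshake completes and the service
    answers (banner, login prompt) before it knows who is talking. Any
    anonymous peer learns the service exists and reaches its pre-auth code."""

    def __init__(self):
        self.sessions = {}

    def handle(self, packet):
        src = packet["src"]
        if packet["type"] == "SYN":
            self.sessions[src] = "connected"
            return "220 service ready, send credentials"    # pre-auth exposure
        if packet["type"] == "LOGIN" and self.sessions.get(src) == "connected":
            if packet.get("password") == "hunter2":          # constructed creds
                self.sessions[src] = "authenticated"
                return "230 login ok"
            return "530 login failed"                        # guessing oracle
        return "500 unexpected"


class AuthFirstServer:
    """Identity-centric gate: no reply and no session state until the first
    packet carries a valid HMAC tag over (identity, timestamp, nonce).
    Unauthenticated probes, forged tags and replayed assertions see silence."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock for deterministic tests
        self.seen_nonces = set()       # replay cache for the accept window
        self.sessions = {}

    @staticmethod
    def tag(identity, ts, nonce):
        msg = f"{identity}|{ts}|{nonce}".encode()
        return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()

    def handle(self, packet):
        src = packet["src"]
        if src in self.sessions:
            return "session data ok"
        # Unknown peer: the only packet we parse is a signed identity assertion.
        try:
            identity = packet["identity"]
            ts = int(packet["ts"])
            nonce, tag = packet["nonce"], packet["tag"]
        except (KeyError, ValueError):
            return None                # drop silently: no banner, no error text
        if abs(self.now() - ts) > REPLAY_WINDOW_SECONDS:
            return None                # stale assertion
        if nonce in self.seen_nonces:
            return None                # replayed assertion (captured on the wire)
        if not hmac.compare_digest(tag, self.tag(identity, ts, nonce)):
            return None                # forged or corrupted tag
        self.seen_nonces.add(nonce)
        self.sessions[src] = identity
        return f"session opened for {identity}"


def demo(now=time.time):
    """Run the same anonymous probe and one valid assertion against both models."""
    probe = {"src": "10.0.0.99", "type": "SYN"}               # constructed
    classic = ConnectFirstServer()
    gate = AuthFirstServer(now=now)
    ts = int(now())
    good = {"src": "10.0.0.5", "identity": "alice@example.gov", "ts": ts,
            "nonce": "n1", "tag": AuthFirstServer.tag("alice@example.gov", ts, "n1")}
    forged = dict(good, src="10.0.0.99", nonce="n2", tag="00" * 32)
    return {
        "classic_probe": classic.handle(probe),    # service reveals itself
        "gate_probe": gate.handle(probe),          # None: nothing to see
        "gate_auth": gate.handle(good),            # session only after auth
        "gate_replay": gate.handle(dict(good, src="10.0.0.99")),  # None
        "gate_forged": gate.handle(forged),        # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The replay window and nonce cache are the part a practitioner should not skip: an authenticate-first packet that can be captured and resent is just a different banner. In a real deployment the key would also be bound to the individual identity rather than shared, so a compromised client cannot mint assertions for anyone else.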