This post is from the Apperian blog and has not been updated since the original publish date.
GCN.com: Derived credentials: Enabling secure mobile access in the field
Public sector IT departments realize the value of enterprise mobility for their agencies, and the secure adoption of mobile technologies is a top priority. Personnel or agents in the field with mobile devices -- with secure access to systems and information -- are more effective, efficient and collaborative.
Emergency personnel or first responders, for example, need to access critical information from their mobile devices in high-stakes, time-sensitive situations. Agencies benefit and can react more quickly when agents can provide intelligence back in real time. Similarly, interagency collaboration has become increasingly important, with federal agencies frequently working with local law enforcement to jointly solve issues.
Often a mobile app is the best way to accomplish that type of communication. As a result, more agencies have mobile apps and information that they must deliver to a distributed and diverse group of personnel. Yet mobile security, particularly around access, is frequently cited as a stumbling block to mobility. The challenge is that agencies must ensure the proper level of security and user authentication is in place so that only the right people can access protected data, and that information does not get into the wrong hands.
A directive from the National Institute of Standards and Technology requires agencies use access cards that have personal identity verification (PIV) credentials stored on them to access a secure building or information. Traditionally, card readers were used to verify the credentials. A card is held against a reader to verify the identity of the person entering a building, or it is plugged into the keyword to authenticate access to a computer. This method works when the user is at a desk, but in a mobile environment it becomes much more difficult. When mobile, there often isn’t an available card reader, and credentials aren’t readily verifiable. To overcome this challenge, organizations have tried to use card readers that are plugged into mobile devices via a cable or Bluetooth, but oftentimes that solution is neither practical nor reliable. This is where derived credentials come into play. Derived credentials are the PIV credentials that are derived from government access cards and are stored as soft tokens on users’ mobile devices, allowing them to access critical apps and information. When accessing an information system, a PIN code that unlocks the soft token is entered and that soft token verifies the user’s identity. If the credentials are still valid, the system allows access; access is blocked if the user is unauthorized or has left the agency. Derived credentials are widely discussed, but so far have been implemented only rarely in government.
That could soon change, however, as both mobile usage and data breach attempts continue to multiply. No agency wants to make headlines as the next security breach victim. One approach to leveraging derived credentials as a mobile identity verification tool is using a mobile application security and management platform that applies a dynamic security policy to individual apps. By focusing on the app layer, agencies can apply a number of security policies to individual apps to secure data at rest and in motion -- without requiring that the device itself is under management by the agency. A derived credentials policy could also be applied to specific apps that require a greater level of assurance that the person accessing these resources is actually who he or she claims to be. Mobile app security and management providers are working with agencies to understand the specific protocol and the use cases where derived credentials would be applied and to build specific policies that help agencies achieve security compliance. There is an urgent need for both mobile apps and information to be securely deployed in the public sector. Agencies are seeking improved outcomes by working better, smarter and more collaboratively, and many see mobile apps as the answer. Implementing derived credentials will remove the roadblock to adopting mobile technologies in the field.