Skip to main content
App management icon

This post is from the Apperian blog and has not been updated since the original publish date.

Last Updated Jan 12, 2016 — App Management expert Derived credentials: Enabling secure mobile access in the field

App Management

Public sector IT departments realize the value of enterprise mobility for their agencies, and the secure adoption of mobile technologies is a top priority. Personnel or agents in the field with mobile devices -- with secure access to systems and information -- are more effective, efficient and collaborative.

Emergency personnel or first responders, for example, need to access critical information from their mobile devices in high-stakes, time-sensitive situations. Agencies benefit and can react more quickly when agents can provide intelligence back in real time. Similarly, interagency collaboration has become increasingly important, with federal agencies frequently working with local law enforcement to jointly solve issues.

Often a mobile app is the best way to accomplish that type of communication. As a result, more agencies have mobile apps and information that they must deliver to a distributed and diverse group of personnel. Yet mobile security, particularly around access, is frequently cited as a stumbling block to mobility. The challenge is that agencies must ensure the proper level of security and user authentication is in place so that only the right people can access protected data, and that information does not get into the wrong hands.

A directive from the National Institute of Standards and Technology requires agencies use access cards that have personal identity verification (PIV) credentials stored on them to access a secure building or information. Traditionally, card readers were used to verify the credentials. A card is held against a reader to verify the identity of the person entering a building, or it is plugged into the keyword to authenticate access to a computer. This method works when the user is at a desk, but in a mobile environment it becomes much more difficult. When mobile, there often isn’t an available card reader, and credentials aren’t readily verifiable. To overcome this challenge, organizations have tried to use card readers that are plugged into mobile devices via a cable or Bluetooth, but oftentimes that solution is neither practical nor reliable. This is where derived credentials come into play. Derived credentials are the PIV credentials that are derived from government access cards and are stored as soft tokens on users’ mobile devices, allowing them to access critical apps and information. When accessing an information system, a PIN code that unlocks the soft token is entered and that soft token verifies the user’s identity. If the credentials are still valid, the system allows access; access is blocked if the user is unauthorized or has left the agency. Derived credentials are widely discussed, but so far have been implemented only rarely in government. 

That could soon change, however, as both mobile usage and data breach attempts continue to multiply. No agency wants to make headlines as the next security breach victim. One approach to leveraging derived credentials as a mobile identity verification tool is using a mobile application security and management platform that applies a dynamic security policy to individual apps. By focusing on the app layer, agencies can apply a number of security policies to individual apps to secure data at rest and in motion -- without requiring that the device itself is under management by the agency. A derived credentials policy could also be applied to specific apps that require a greater level of assurance that the person accessing these resources is actually who he or she claims to be. Mobile app security and management providers are working with agencies to understand the specific protocol and the use cases where derived credentials would be applied and to build specific policies that help agencies achieve security compliance. There is an urgent need for both mobile apps and information to be securely deployed in the public sector. Agencies are seeking improved outcomes by working better, smarter and more collaboratively, and many see mobile apps as the answer. Implementing derived credentials will remove the roadblock to adopting mobile technologies in the field.

This article originally appeared on on January 8, 2016.

Read The MAM® Blog and listen to the podcast on derived credentials.

More from the Blog

View more
Apr 30, 2020

Mobile Application Management: A Forward View

App Management
  IT Is Adapting in the Midst of the COVID-19 Pandemic The Coron ...
Read More
Nov 19, 2018

Breaking Down the New California IoT Law

Application Security
Recently California passed legislation regarding the security of all I ...
Read More
Nov 14, 2018

Securing mobile apps against reverse engineering and hacking [Podcast]

Application Security
Listen to Alissa Knight interview Ken Jochims about Arxan Technologies ...
Read More
Oct 25, 2018

Securing Connected Medical Device Apps [Infographic]

Application Security
Contact Us