A recent Defense Department IG audit found that the Army, Navy and Missile Defense Agency aren’t taking basic cybersecurity steps to protect networks and systems from unauthorized use and access. Some facilities even failed to use the common access card (CAC), and single-factor authentication was a common practice. Additionally, a recent audit of the Navy’s stance on cyber readiness found that the organization does not have the resources it needs to detect and protect against threats to its data.
The DoD needs to find a way to bolster authentication methods. Government agencies typically use two-factor authentication, sometimes referred to as multifactor authentication, to validate users. Generally, this comprises something you know (like a password) and something you have (like an ID badge or token). Two-factor authentication is a crucial starting point for security.
However, even these techniques are too static in a threat landscape that is incredibly dynamic — and today’s technology can often support a stronger approach.
Beyond the CAC
The CAC is going to remain the principal authenticator for the DoD, and while it is solid, allowing users to access networks using single-factor authentication increases the potential for cyberattackers to exploit passwords and gain access to critical data. However, there are effective ways the DoD can tighten multifactor authentication and enhance its overall cyber posture.
Agency leaders first need to consider how to secure the identities of government workers and manage access among privileged users by putting tighter identity access management and security measures in place to enhance the CAC. While its assurance level is considered the gold standard of IT security, the CAC only utilizes two aspects of multifactor authentication — what you have and what you know. The third aspect, who you are, can strengthen the CAC. The DoD should look to emerging technologies to begin bolstering the traditional approach.
Technology like behavioral biometrics or attribute-based controls can capture anomalies in real time, which helps stop breaches before they can progress and cause damage. What makes behavioral biometrics technology so beneficial to its users is that data is collected without disrupting the user, so authentication is continuous and doesn’t impact overall productivity.
Don’t trust, always verify
Breaches too frequently involve compromised privileged credentials and bad actors gaining unfettered access to critical systems and data. Administrators who operate across an enterprise, with unlimited access to quantities of sensitive data, often share passwords without auditing. Threats from the inside, whether intentional or accidental, can be prevented before they happen, as opposed to being logged and reviewed after the damage has been done.
By adopting a zero-trust model, organizations can address careless behaviors and malicious intent by granting trust only to those who have proven their identity. A zero-trust model enforces strict user controls to limit access no matter the user. To implement this effectively, agencies should adopt measures that visualize and log all network traffic and act immediately on anomalies flagged across the network.
In continuous multifactor authentication, sensors constantly monitor factors such as GPS location, physical gait, and voice and facial recognition. If the CAC of a system administrator is being used in a brand-new environment at odd hours of the night, this data is captured and can be used to halt privileged access immediately.
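A sketch of the continuous check described above, added here as an illustration and not taken from any DoD or vendor system. The signal fields, the two anomaly tests and the allow/step_up/revoke outcomes are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Baseline:            # per-user history; values below are constructed
    known_environments: set
    usual_hours: range     # local hours the user normally works

@dataclass
class Signal:              # one observation from a live session
    user: str
    environment: str       # hypothetical workstation/site identifier
    timestamp: datetime
    privileged: bool

def evaluate(signal, baseline):
    """Return 'allow', 'step_up' or 'revoke' for a single observation."""
    if baseline is None:                       # no history: nothing to trust
        return "revoke"
    new_env = signal.environment not in baseline.known_environments
    odd_hour = signal.timestamp.hour not in baseline.usual_hours
    if not (new_env or odd_hour):
        return "allow"
    if signal.privileged and new_env and odd_hour:
        return "revoke"                        # the scenario in the text
    return "step_up"                           # one anomaly: re-verify the user

def monitor(signals, baselines):
    """Evaluate every signal in order; once revoked, a user stays revoked."""
    revoked, decisions = set(), []
    for s in signals:
        d = "revoke" if s.user in revoked else evaluate(s, baselines.get(s.user))
        if d == "revoke":
            revoked.add(s.user)
        decisions.append((s.user, s.timestamp.isoformat(timespec="minutes"), d))
    return decisions

BASELINES = {"admin1": Baseline({"hq-ws-14"}, range(7, 19))}   # constructed
SAMPLE_SIGNALS = [                                              # constructed
    Signal("admin1", "hq-ws-14", datetime(2024, 3, 4, 9, 15), True),
    Signal("admin1", "hq-ws-14", datetime(2024, 3, 4, 23, 40), True),
    Signal("admin1", "unknown-host-7", datetime(2024, 3, 5, 2, 10), True),
    Signal("admin1", "hq-ws-14", datetime(2024, 3, 5, 9, 0), True),
    Signal("contractor9", "hq-ws-02", datetime(2024, 3, 5, 10, 0), False),
]

if __name__ == "__main__":
    for row in monitor(SAMPLE_SIGNALS, BASELINES):
        print(*row)
```

The fourth sample signal comes from a known workstation during normal hours but is still refused, because the earlier revocation persists until the identity is re-established out of band.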
As the DoD works to secure large volumes of sensitive data, it must continuously improve and adapt its security posture and programs to keep up with the evolving threat landscape and regulatory environment. Next-generation technologies paired with a zero-trust model can reinforce the CAC and ultimately enhance cyber readiness across the DoD. Agency leaders should look to leverage industry innovations that can meet their specific needs in providing adequate protection of classified data and preventing breaches, whether they come from the outside or inside.
Dan Conrad is the federal chief technology officer at access management company One Identity.