by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : March 2015
For example, military and intelligence agencies will have different requirements from the National Oceanic and Atmo- spheric Administration. The idea of what identity actually means within an agency may also change over time, said Jill Canetta, public sector vice president for Experian, a global data analytics company. “It’s no longer just about being able to prove the identity of an individual, but also what attributes are needed for that,” she said. “We are also seeing an evolution from identity proofing to identity rela- tionship management, as there is more of a need to see how a particular identity and the relationships its had with vari- ous devices and other things that are also assigned identities on a network have changed.” Mobile is proving to be a particularly thorny ID management challenge, given the explosion of smartphones and other mobile devices in government. It’s also not an easy one to fix, according to mobile security experts. The way government employees and contractors use their personal identity verification (PIV) cards to log on to desk- top systems, for example, is not readily transferable to the mobile arena. Desk- top users normally put their cards into a reader on the computer and leave it there, so having to take it out for use with mo- bile card readers is an ongoing ergonomic challenge. NIST’s release of special publication 800-157 in December of last year, which describes technical details by which PIV credentials can be provisioned on mobile devices in lieu of a physical smart card, could go a long way to solving the prob- lem. While it may take a while for the de- rived PIV credentials to make their way into products, they are already prompting changes. “The guidance has helped move some projects from pilot to development,” said Paul Nelson, chief technology officer for Thursby Software Systems, a government IT integrator. “The trick is how to provi- sion devices with necessary certificates,” he said. “The [National Security Agency] thinks it can make it work, and the DOD supposedly has an aggressive schedule where they want to get something out by July of this year.” In fact, this could be the year when the government smart card reader market dries up, according to Nelson. “If the government is not willing to commit to readers as its credential au- thentication solution in significant num- bers, “then there’s going to be no reason for us to continue making them,” he said. Mobile authentication will, by default, then become a software-based solution. Meanwhile, other identity-based secu- rity problems that must be grappled with are piling up across the government secu- rity community. So-called insider threats, where data and systems are compromised – by willful theft or employee error – are becoming a major problem, for which the Edward Snowden and Wikileaks breaches are just the most notorious examples. Inside attackers are becoming much more sophisticated in how they do their work, increasingly targeting the theft of security credentials themselves. And despite such measures as SP 800- 157 and NSTIC, there are still “funda- mental questions about whether we have the technologies we need, and whether they will work on the scale we intend, to be able to do such things as identity- driven encryption,” said Mark Cohn, chief technology officer of Unisys Federal Sys- tems, who contributed to the technical basis for NSTIC. “I would hope that, by the end of this decade, we will wrestle these issues to the ground, but I’m not optimistic that we know yet exactly how we are going to do that,” he said. That hasn’t stopped federal and industry efforts to develop solutions to at least some of these problems, however. The programs and products listed here represent some of the more far-thinking attempts to address the pressing identity issues, and the resulting security concerns, associated with weak pass- words, the proliferation of mobile devices connecting to networks and the dangers posed by employee data handling errors and theft. Meanwhile, government agencies will have to rely on existing technology solu- tions – like those highlighted below – to help manage their ongoing and embry- onic security threats. The following is set of solutions – a best of breed of sorts – of what’s in the government’s identity man- agement arsenal for attacking some of its most pressing security threats. CONNECT.GOV A government federated identity man- agement hub, overseen by the General Services Administration, started life sev- eral years ago as the Federal Cloud Cre- dential Exchange, but became Connect. gov in late 2014. It allows personnel veri- fied through the hub’s sign-in partners – including Verizon, ID.me, Google, Pay- pal and Yahoo – to use one set of digital credentials for accessing a range of both commercial and public sector sites. The exchange itself doesn’t validate identities, leaving that up to its various partners. IDENTITY CRISIS 24 GCN MARCH 2015 • GCN.COM Following a rash of high-profile data breaches in the both the public and private sector in 2014, the Obama administration has raised the pressure even more. 0315gcn_022-025.indd 24 3/5/15 12:43 PM