New network authentication protocols set to take effect for law enforcement
Many information security officers within the law enforcement community have recently had many discussions with regards to security and which elements of identification and authentication constitutes compliance as acceptable forms to access sensitive law enforcement data within the Criminal Justice Information System (CJIS).
According to standard security principles, authentication is the process of verifying a claimed identity, determining if the subject is really who he/she claims to be. It is based on at least one of the following three factors: something a person has (smart card, token, key, swipe card, badge), something a person knows (password, passphrase, PIN), or a biometric identifier (fingerprint, voice, retina/iris characteristics). Strong, two-factor authentication contains two out of these three methods. A single form of authentication (standard authentication = password) is not a very secure means of authentication.
Therefore, many organizations have introduced policies that require a second means or form of authenticating a person's identity. Additionally, for the purpose of the CJIS Security Policy (CSP), the process of requiring more than a single factor of authentication is most often referred to as Advanced Authentication or AA. The requirement to use AA is dependent upon the physical, personnel and technical security controls associated with the user's location.
It was determined that AA shall not be required for users requesting access to CJIS from within a physically secure location and when the technical security controls have been met. However, AA is required when it can't be determined from where a user is originating, e.g. utilizing wireless or web. This extends beyond traditional workstations or laptops, but includes smartphones, tablet computers, and other Internet protocol-connected devices.
The future requirements mandate that in place systems be brought into compliance prior to the end of this year, at which point it will be required to be in compliance for the new set of authentication protocols supporting AA.
What this means for us is that we need to prepare now for the next wave of strong authentication requirements, which I believe means that we all should get ready (despite the recent data loss, breach, hacking, and clandestine monitoring activities we have recently seen in the news). Without the use of stronger authentication, we actually open ourselves up to more risks than without them to prove our identity, and protect ourselves from those that want to capture and use our information illegally.
Darnell Washington, CISSP
Darnell Washington is the president and chief executive officer of SecureXperts, Inc. With over 25 years of professional information technology experience, Darnell is actively involved in the design of secure network information technology architectures. He maintains technical certifications in Microsoft, Novell, and Citrix operating systems, and is a Certified Information Systems Security Professional (CISSP).
He specializes in high assurance secure network architecture design and deployment, and data encryption using advanced public key infrastructure technologies. Darnell is also the inventor of patented device encryption technologies used in federal and military cloud hosted video surveillance platforms, as well commercial and enterprise public and private environments.
He has served as a subject matter expert on the information assurance forum with the National Security Agency, and as a contract instructor for the U.S. Department of Homeland Security Federal Law Enforcement Training Center.
