How context could kill the password for feds

Federal IT officials are drowning in a sea of passwords, leading them to find workarounds that defeat the purpose of strong security measures, according to a new report.

A survey of federal IT professionals released Wednesday by Dell found that 97 percent of federal workers are dealing with multiple passwords, 34 percent use six to 10 different passwords, and 16 percent use more than 10 passwords during the course of their work.

“Security has become so onerous that it’s impeding productivity and as our survey shows, the federal worker will find a way around onerous security if it impedes their mission. That’s not good,” Paul Christman, vice president of federal for Dell, told FedScoop.

In lieu of more passwords, the vast majority (97 percent) of the 150 federal officials surveyed emphasized the need for “context-aware security,” where either machines or humans use factors like a user’s location to determine access.

Think of context-aware security like this: Many popular home security systems have a feature where an alarm beeps when someone exits through a main door. During a large portion of the day, family members ignore the beep because people will be coming and going as part of their daily routine. However, if someone hears that beep at 4 a.m., it suddenly becomes a cause for concern.

“Adding context makes the simple event more appropriate for investigation,” Christman said. Security “can’t be binary. I’m not going to bar the door at 4 a.m. so no one can ever get in. But I am going to investigate that alarm.”

That sort of thinking needs to applied to access management, according to Christman.

“Say I’m normally in the East Coast time zone — but, all of a sudden, I am operating in a time zone that matches up to North Korea, or a location like Eastern Europe. If I don’t operate from those locations or those times, that’s worthy of investigation,” he said.

But Christman doesn’t believe that means employees should be totally locked out. It’s up to IT professionals to set up a system requiring a user working from an untraditional location to go through additional security.

“The idea of saying, ‘I’m going to allow you to log in from an Eastern European country,’ and allow a second level of credentialing, but I’m not going to allow you without some intervention in real time,” Christman said.

The idea of context-aware security is coming at a time where anything other than strong security for all users isn’t going to attract much attention. In the survey, 68 percent of federal respondents said the challenge with context-aware security is the difficulty to address quickly changing security needs.

However, Christman said the current way agencies are handling privileged users is a recipe for disaster.

“If we apply one-size-fits-all security to everyone based on the poor controls that we have put on privileged users, we’re going to die trying,” Christman said. “Privileged users need to be strongly authenticated with two-factor authentication, if not three. They should also be subject to scrutiny, as well as monitoring and logging in real time when they perform system administration functions, that is not in question. But to apply that level of rigor and inspection to average users is overkill.”

The federal survey was part of a wider one that asked 450 IT professionals from the public and private sectors about context-aware security. The overall results mirrored a good portion of the federal findings: Ninety-seven percent said they see the benefits in context-aware security while 70 percent said employee workarounds post the greatest risk to the organization.

“IT thinks it has only two options for security — turn the dial to 1 (open) or 11 (super secure),” said John Milburn, vice president and general manager of Identity and Access Management for Dell Security, in a release. “Context-aware security gives IT the ability to adjust the dial in real-time, giving users the convenience they desire without resorting to risky workarounds, and giving the security team the confidence they need to keep the organization both safe and productive.”