Identity authentication tools agencies can use to move towards zero trust

With the push to move services to mobile and cloud, government agencies will find themselves adopting a zero-trust security model. A key element in the process will be how they use identity authentication tools that go beyond physical identity cards, say security experts from Duo Security in a new podcast.

The use of personal identity verification (PIV) and common access card (CAC) systems no longer meets all the needs agencies face as they get further into cloud and mobile technologies, says Sean Frazier, Duo Security’s advisory chief information security officer. In many cases, the card systems have been in use since the mid-2000s, following the issue of Homeland Security Presidential Directive 12.

“While [HSPD 12] was great 15 years ago, it doesn’t fit today. People cannot use the smart card for everything they need to do,” says Frazier in the podcast interview, produced by FedScoop and underwritten by Duo Security, a division of Cisco.

With the rise of phishing and other identity-related attacks, agencies need to evolve toward a zero-trust approach, he says, and consider adopting smart card alternatives to streamline identity access controls and address security gaps in authentication.

“If you can’t use a smart card, and you have to use a password” to access a mobile service or cloud feature, he explains, agencies should at least focus on alternative approaches to multifactor authentication and make smarter use of password managers.

At the end of the day, Frazier says, it is important to not present password fatigue on users. Users have to be able to do their work and it is unrealistic to tell them they need a complicated password that needs to be changed every 10 days.

“The question we get most from customers today is how do we get from HSPD-12 to zero trust, step by step,” adds Dean Scontras, Duo Security’s vice president of public sector, on the podcast.

“When you talk about zero trust, identity security is a core tenet of zero trust. You can’t have zero trust without strong identity proofing and identity security,” Scrontas argues.

Vulnerabilities related to poor security and identity practices were recently brought to light in the Mueller report, he says. Those instances showed that breaches around the election occurred due to poor password practices from government employees that allowed an attacker to breach the system.

Scontras and Frazier cite recent examples of how government agencies have been able to more quickly to integrate integrating authenticator technology into their systems to help deter cybersecurity attacks, using Duo Security solutions.  In one case, Duo Security was able to support Apple face recognition technology within 10 days of it being released as a form of authentication for one its customers.

Learn more about security solutions that help government agencies mitigate risks of data breaches and meet NIST compliance.

This podcast was produced by FedScoop and underwritten by Duo Security.