The Defense Information Systems Agency has made it clear in the past that it wants to go beyond using the CAC for multi-factor authentication. Christopher Barnhurst, deputy executive director of DISA, said the agency is actively experimenting with other forms of multi-factor authentication, which will eventually be linked to the DoD’s zero-trust build, Thunderdome.
“The common access card is really two-factor authentication. … It basically combines your digital identity with a PIN and gives you access to all kinds of DoD-specific applications,” Barnhurst said in a FedInsider webinar on November 15. “In today’s DoD environment, DISA provides users with capabilities to take advantage of Apple and Android devices, among others, to access their DoD email, as well as DoD-approved applications. And in this email, some of the emails we send are encrypted. And we’ve created the ability through partnering with industry for people to read these encrypted emails on their government-issued cellphones. And this uses a form of multi-factor authentication that is outside of the CAC card. Likewise, we’ve created cloud-based identity services that leverage technology that allows us to perform multi-factor authentication.”
Barnhurst compared these cloud services to using a home banking app, where a security PIN is texted to the user and allows them to log into their account. The key, he said, is to combine multiple attributes in order to authenticate users. Other attributes of this type can be biometric; Barnhurst said DISA has experimented with using user-specific physical distinctions, such as the way they hold and look at their phones or the way they walk. All of these attributes combine to create a risk score for that user, which then determines access.
“The technology is there to do something different than just the CAC card so that maybe safety can be improved in the future. From a Thunderdome perspective, we build these types of capabilities into what we call Credentials and Access Management, or ICAM. And that really underpins everything from a fundamental or zero trust point of view,” he said. “A lot of zero trust relies on verifying a user’s identity and whether their device is a known good device, and it’s this ICAM solution that allows us to do that authentication and these checks.”
And that authentication and verification process is the first of the three pillars that Thunderdome rests on, Barnhurst said. The second pillar uses these verified identities to make access and privileges conditional. This means segmenting the data that users are allowed to access based on their privileges in order to thwart bad actors and insider threats. The third pillar is to verify the data and the applications themselves.
But Barnhurst said there was another equally important element, which he would even call the fourth pillar.
“We want to implement technologies that will segment the network in a way that makes lateral movement very difficult. So in today’s environment, if an adversary enters that network, one of the first things we worry about is lateral movement, crossing domains, and mining different datasets. It is becoming more and more difficult to follow,” he said. “There are technologies out there today that the industry could provide that basically allow us to segment the network – add lanes to the highway, if you will – that make that very, very difficult for an opponent to do, even if he already gets past some of our initial defenses.”
According to Barnhurst, one of the solutions DISA is considering to achieve this is software-defined networking, which he says enables rapid microsegmentation of the network. This is the kind of technology that DISA will be looking to industry for as part of Thunderdome.
Barnhurst said DISA is currently taking steps to work through the department’s internal processes to align resources behind Thunderdome.
“In other words, it’s not just a concept, but it’s really a funded effort that is moving forward over the next three to five years,” he said. “And we’ve developed a roadmap for how we want to evolve the technologies towards this build over time.”