Guidelines for Choosing an Advanced Authentication Solution for Accessing Criminal Justice Information System (CJIS) Services

Transcription

1 Guidelines for Choosing an Advanced Authentication Solution for Accessing Criminal Justice Information System (CJIS) Services whitepaper Contents Introduction... 2 Advanced Authentication in CJIS Security Policy... 2 An In-depth View on Authentication Methods... 3 Hardware-based Solutions... 3 Software-based Authentication Solutions... 3 Out-of-Band Solutions... 3 Pattern Matching... 3 Choosing the Right Authentication Method... 4 Security Aspects of Advanced Authentication... 4 The User Experience Aspect... 5 Choosing an Authentication Method... 5 Self Service Portals... 5 Users Credential Automation... 5 The Path for Growth... 5 Using SafeNet Authentication Service as a CJIS Advanced Authentication Infrastructure... 7 Meeting Security Requirements for Advanced Authentication... 7 Easy to Use and Manage Advanced Authentication Solution... 7 Versatile Authentication Solution... 8 Appendix A REFERENCES... 8 Guidelines for Choosing an Advanced Authentication Solution for Accessing CJIS Services Whitepaper 1

2 Introduction Information and data sharing is crucial for achieving organizational goals in so many industries and verticals. When it comes to law enforcement, timely information sharing is critical for stopping and reducing crime, and can sometimes even be a life-or-death issue. Criminal Justice Information (CJI) is shared at all levels starting at the federal level through state and even municipal local agencies. With the crucial need to share CJI comes the need to protect this sensitive information, the leakage of which can affect the effectiveness of ongoing crime fighting operations. As CJI items contain personal information of offenders, suspects, and witnesses, leakage of such information can violate individual privacy rights. The Criminal Justice Information Services (CJIS) Security Policy defines the requirements of timely availability of shared information on one hand and data confidentiality on the other. This security policy contains a set of controls, requirements, and best practices, and it must be adhered to by any organization that exchanges criminal records. This applies to all local, state, and federal agencies that access and handle Criminal Justice Information through its lifecycle - from creation through dissemination, whether at rest or in transit. One of the most demanding requirements in the CJIS Security Policy is the requirement for advanced authentication mechanisms (see [CJIS-SP] section ). In this white paper, we try to assist Information Security Officers (ISOs), Terminal Agency Coordinators (TACs), and CJIS System Officers (CSOs) in building a user authentication system that will comply with CJIS Security Policy requirements, while maintaining efficient, easy-to use, and costeffective deployment. Advanced Authentication in CJIS Security Policy Policy Area 6 in [CJIS-SP] discusses Identification and Authentication. The document differentiates between two risk levels when accessing Criminal Justice Information. In cases where risk is relatively low, the policy allows the use of user-name/password (also referred to as standard authentication) as the authentication method. Passwords used for standard authentication need to comply with the requirements discussed in [CJIS-SP] section , Standard Authentication. For cases where the risk of unauthorized access is high, [CJIS-SP] requires the use of Advanced Authentication, a set of multi-factor authentication methods. [CJIS-SP] defines a variety of authentication methods, including public key infrastructure (PKI), both in hardware-based authenticators (e.g., smart cards) or software certificates, hardware and software One-Time-Password (OTP) tokens, risk-based authentication, and other methods. The long list of advanced authentication methods listed in the security policy looks, at first read, like a great opportunity to choose the correct authentication method for each agency based on its specific use cases, the associated risk level, and agency budget. But with this freedom comes liability. With no clear guidelines, many agencies discover that they fail to pass the triennial compliance and security audits by the FBI CJIS Division and are being excluded from the CJIS information network. Compliance area 11 in the security policy discusses compliance and security audits and gives the following example: A local police department implemented a replacement CAD system that integrated to their state s CSA and was authorized to process CJI. Shortly after the implementation, their state s CSA conducted an audit of their policies, procedures, and systems that process CJI. The police department supplied all architectural and policy documentation, including detailed network diagrams, to the auditors in order to assist them in the evaluation. The auditors discovered a deficiency in the police department s systems and marked them out in this aspect of the FBI CJIS Security Policy. The police department quickly addressed the deficiency and took corrective action, notifying the auditors of their actions. Agencies, such as the local police department mentioned in the above quote, learn quickly that in order to get back to full CJI accessibility they need to re-invest in their systems. Guidelines for Choosing an Advanced Authentication Solution for Accessing CJIS Services Whitepaper 2

3 An In-depth View on Authentication Methods Hardware-based Solutions Hardware-based authentication solutions include smart cards that, in most cases, can be bundled with identification badges or badges that allow physical access to the workplace. Another popular form factor is a key-fob USB or OTP token. Hardware-based authentication solutions are considered to be the most secure, to the extent that vendors that specialize in these solutions provide them with validation (such as FIPS provided by the National Institute of Standards and Technology) that they are adequately secure. However, hardware-based solutions force the end user (the law officer or agency employee) to carry an extra smart card, badge, or key-fob token. From the management side, agencies should develop policies that will ensure Advanced Authentication to agency employees that lose or forget their hardware token. Agencies that are spread across a state or a large geographic area need to take into their budget s calculation the cost of distributing tokens to remote employees. Software-based Authentication Solutions Software-based authentication solutions provide the same functionality of hardware-based solutions but runs as a software application, usually on a mobile device. Software-based authenticators are available on all popular mobile devices, including ios, Android, Mobile Windows, and Blackberry. The popular perception is that software-based authentication is less secure than hardwarebased authenticators but, in reality, the robustness level of the solution depends on the risks this solution tries to mitigate and the threats it faces. Software-based authentication is considered to be a more convenient authentication method as it does not require the user to carry another piece of hardware. Moreover, recovery in the event of lost tokens, as well as distribution of tokens, is more cost-effective and provides a better user experience. Out-of-Band Solutions Out-of-band solutions (OOB) include text messaging (SMS) or a phone call to a pre-registered number associated with the employee that tries to authenticate. The main security premise is that it will be hard for intruders to create an attack on two different channels (a CJIS portal and the phone number of the legitimate user). As remote access to the CJIS service, requiring Advanced Authentication, can be performed at places with low or no cellular reception, it is recommended to not choose an Advanced Authentication method, even though it is relatively cost-effective and easy to use. Pattern Matching Pattern matching is a relatively popular method based on an nxn grid filled with random numbers, where the user is authenticated by writing the current numbers that appear in a preregistered pattern. This method presents a relatively low assurance level and should rarely be considered as an Advanced Authentication method, as in cases where the required assurance level is much higher. Guidelines for Choosing an Advanced Authentication Solution for Accessing CJIS Services Whitepaper 3

4 Choosing the Right Authentication Method While the CJIS Security Policy does not provide clear guidance as to which Advanced Authentication method an agency wishing to access CJIS services should use, this document tries to build a framework that will enable agencies to choose an Advanced Authentication method suitable for their needs. When selecting a multi-factor authentication solution, agencies should consider four different decision factors and find a balance between these four factors to achieve the solution that best meets their requirements: Security and risk mitigation User authentication systems are fundamental information security systems, and the CJIS authentication solution (including the requirements for Advanced Authentication) are not different. For an information security system, the first decision factor is risk mitigation capabilities against the threats that the organization is facing. These threats and proposed mitigation methods will be discussed next. Ease of use Most of the law officers and agency employees accessing CJI are not information security experts; and most of them are not even technology savvy. Ease of use and ease of management of the system are key factors to authentication system acceptance and adoption. Budget As with any IT infrastructure solution, budget is always a key consideration. Designed for growth Recent changes in the information security market, new computing platforms, and cloud-based delivery models all affect the information security landscape. These changes come in addition to the increase of overall information security threats and APTs. All have changed the user authentication market dramatically. We expect to see the same rapid rate of change in technologies and delivery models in the upcoming years. An Advanced Authentication solution that is designed for growth and the challenges of ever-changing markets is a key factor in ensuring that organizations will not have to migrate their user authentication solution every few years. Security Aspects of Advanced Authentication While [CJIS-SP] does not provide specific guidelines as to which Advanced Authentication method to choose, the security policy refers to another document that gives additional guidelines on the risk level and mitigation methods when accessing CJI. In December 2003, the Office of Management and Budget published guidelines for authenticating to federal agencies. [OMB M-04-04] defines the appropriate assurance levels needed by authentication processes in different use cases. The document associates the use case of accessing CJIS with Assurance Level 4 (see [OMB-4-4], page 11, Examples for Assurance Level 4 ). In Level 4 use cases, the data that needs to be accessed or the transactions that need to be executed are very sensitive. Assurance Level 4 ensures very high confidence in the asserted identity s validity. Assurance Level 4 may require true multi-factor authentication such as one-time passwords or PKI/certificate-based authentication. Other less secure means, such as text Messages/ SMS or pattern matching, may be suitable for a limited number of use cases. While software-based authentication methods are considered to be more user-friendly and cost-effective, agencies should verify with their CJIS auditors that software-based authentication methods are sufficient, and that the auditors do not expect to use hardwarebased methods for some (or all) of the CJIS services that the agency tries to access. Based on this pre-ruling, agencies should select the authentication method that complies with the Advanced Authentication requirement in [CJIS-SP] See [OMB-4-4] Section 2.1, Description of Assurance Level, page 5. Guidelines for Choosing an Advanced Authentication Solution for Accessing CJIS Services Whitepaper 4

5 The User Experience Aspect The adaption of any user-authentication system relies heavily on its ease of use. As opposed to many other IT solutions, user-authentication systems are being used mostly by the organization s employees and not just by IT professionals. This is why it is crucial that the Advanced Authentication solution used to access the CJIS network by agencies will be easy to operate and simple to use even by non-technical-savvy law officers. Choosing an Authentication Method With the variety of authentication methods, mentioned above, it is important to learn carefully the pros and cons of each method. While we understand the ease of use and management and the cost-effectiveness that are associated with software based authentication, we believe that law-enforcement agencies should choose hardware based authenticators. This pro-hardware opinion is also backed up by guidelines documents published by Federal agencies and being referenced in [CJIS-SP] and also earlier in this document. Self Service Portals Whether end-users are using hardware or software based authenticators, it is likely that they will have to report a lost authenticator, ask for temporary replacement (in case they forgot the authentication device at home), enroll to the system and reset their authenticators. Some vendors offer self-service Web portals in which end-users perform some or all of activities listed above. Choosing an authentication solution with such capabilities, can ensure that agency employees that forgot or lost their authenticator or locked their account can get replacement authenticator or unlock their account instantly without involving the helpdesk and spending more resources. Users Credential Automation Many of the local and state agencies that require access to CJIS are too small to have their own full-time IT employee that will handle Advanced Authentication issues. An automated credential life-cycle management capability eliminates the administrative overhead the userauthentication system that is needed to support Advanced Authentication need. An automated user credentials lifecycle management process can provision the correct credential based on the user s role in the organization, renew credentials when they expire, and, using the self-service portal (see previous sub-section), handle locked accounts, lost and damaged tokens and even issue replacement authentication. All of these activities are done without IT management involvement and with no overhead. The Path for Growth The user authentication market has undergone major changes in the last few years. An increase in mobile computing has enabled end users to access organizational networks from new types of endpoint platforms. In addition, new delivery models of software (including cloud-based models) and, most importantly, the increasing threats landscape have dramatically changed the user authentication market. As the market continues to evolve, and, as CJIS Security Policy does not provide firm guidelines for Advanced Authentication solutions, agencies may discover that during the triennial audits, the auditors are asking them to change their authentication solution or make their current authentication system more robust. It is vital that agencies choose a versatile authentication solution that will allow them to evolve their authentication methods as the market evolves. A versatile authentication solution consists of a single product or service that supports a variety of authentication methods in multi-platform environments. Guidelines for Choosing an Advanced Authentication Solution for Accessing CJIS Services Whitepaper 5

6 It is recommended that agencies implement a versatile authentication solution, even if initially adopting only one type of authentication method. This approach will provide the agency with the flexibility to change its authentication methods as the market evolves or as auditors force it to change authentication methods. Using SafeNet Authentication Service as a CJIS Advanced Authentication Infrastructure SafeNet Authentication Service delivers a fully automated, versatile, strong authenticationas-a-service, multi-factor authentication solution. Supporting a large variety of authentication methods, SafeNet Authentication Service is ideal to serve as the authentication platform for law enforcement agencies trying to access CJIS services. Meeting Security Requirements for Advanced Authentication SafeNet Authentication Service supports a wide range of authenticators, including hardwarebased One-Time Password (OTP) tokens, software-based tokens, text/sms messages, and pattern matching (using GrIDSure Technology). All of these authentication methods are supported as valid Advanced Authentication methods as defined by [CJIS-SP]. Note: For agencies seeking a PKI-based authentication solution, SafeNet offers a variety of PKI-based (certificate-based) authenticators including smart card and USB tokens (both hardware-based authenticators) or software-based certificates. These authenticators are managed today by SafeNet Authentication Manager and are expected to be supported by SafeNet Authentication Service in Multi-Tenant and Multi-Tier Structures SafeNet Authentication Service is structured in a secure, multi-tenant environment, where the information of each account is separated from the other. The service uses a hierarchy of parent-child relationships for all accounts, whereby there is a central root account from which all sub-accounts are derived, up to an infinite level. That being said, privacy is protected in the chain, as an account can only be viewed and managed by its parent unless the account has explicitly delegated control to its grandparent, or has explicitly invited an external operator to manage its operation. Figure 1 illustrates this multi-tier environment. Administrators have access only to the users that belong to their account. The sensitive information related to each account is stored with an AES-256 encryption key. Any attempt to access information in the service database requires an encryption key. These encryption keys are needed not only for reading the data but also for copying, moving, deleting, or restoring items (rows) in the database. Note that SafeNet also offers on-premise versatile authentication solutions for agencies that are required to have the user authentication solution on-premise. Guidelines for Choosing an Advanced Authentication Solution for Accessing CJIS Services Whitepaper 6

7 Figure 1: SAS in Multi-Tier Environment Service Provider Managed Subscriber Subscriber A Virtual Service Provider Subscriber B Delegated Enterprise Subscriber Region 1 Region 2 Region 3 OTP Seed Protection One-Time Password (OTP) solutions use a secret that is shared between the user s authenticator and the authentication server, which serves as a root of trust from which a publicly known mechanism creates the random One-Time Password. These shared secrets are called OTP Seeds. SafeNet Authentication Service encrypts the OTP Seed database using a FIPS Level 3-designed hardware security module (HSM). HSMs are secure cryptographic processing appliances used for managing and protecting encryption keys and accelerating cryptographic processes for high-performance environments. The FIPS Level 3-designed HSM is tamper-resistant and is protected from physical or logical attempts to break into the device and gain access to the keys. The use of HSMs ensures that OTP Seed records and authentication secrets never exist in a decrypted form in the host memory, and cannot be copied or stolen, providing a unique level of security, and ensuring robust and secure service delivery. Easy to Use and Manage Advanced Authentication Solution SafeNet Authentication Service provides fully automated user authentication lifecycle management. As such, it is ideal for local law enforcement agencies that usually have very limited IT resources. SafeNet Authentication Service is synchronized with the organization user store (e.g., ActiveDirectory or LDAP-based user directory) and distributed software-based authenticators. Authenticators can be renewed and revoked based on adding/removing users to/from the user store in a transparent way and without human intervention, based on pre-defined rules. Guidelines for Choosing an Advanced Authentication Solution for Accessing CJIS Services Whitepaper 7

8 SafeNet Authentication Service offers a comprehensive self-service user portal that allows users to unlock a locked authenticator, and to request replacement, or temporary tokens. The self-service portal also allows quick turnaround and automated reply for user support requests that would otherwise be dealt with by the helpdesk, enabling agencies to cut their ongoing authentication management costs. Versatile Authentication Solution SafeNet Authentication Service is a versatile authentication solution, supporting a wide variety of authentication methods allowing agencies to choose the method that best fits their requirements. Additional authentication methods, such as context-based authentication and PKI-based authentication are planned to be supported in future service updates. SafeNet also offers a number of versatile authentication solutions, such as SafeNet Authentication Manager, an on-premise authentication solution that supports both OTP, context-based authentication, and PKI-based authentication in both hardware and software form factors. As the threat landscape evolves, agencies may be forced to change their authentication method. With SafeNet authentication solutions, agencies will only need to re-distribute authenticators that match up to the new threats, without changing their infrastructure. This makes SafeNet solutions future-proof. Appendix A REFERENCES [CJIS-SP] Criminal Justice Information Services (CJIS) Security Policy, Version 5.1, Prepared by CJIS Information Security Officer 7/13/2012 [OMB M-04-04] E-Authentication Guidance for Federal Agencies, Written by Joshua B. Bolten. Director at the Executive Office of the President, 12/16/2003 Join the Conversation Sentinel Online safenet-inc.com/sentinel Twitter twitter.com/licensinglive LinkedIn linkedin.com/groups?hom e=&gid= &trk=an et_ug_hm Sentinel Video Cloud sentinelvideos.safenetinc.com/ LicensingLive licensinglive.com BrightTalk brighttalk.com Contact Us: For all office locations and contact information, please visit Follow Us: SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN) Guidelines for Choosing an Advanced Authentication Solution for Accessing CJIS Services Whitepaper 8