Air Force banking on role-based authentication system to lock down data

Friday - 8/15/2014, 7:16am EDT

Agencies continue to struggle to find a good model for ensuring their employees can reach only the information they are supposed to have access to. But at least one agency is close to answering this long-standing challenge.

The Air Force is launching a pilot to test what it calls role-based authentication: an enterprise security approach that grants access to data based on an employee's roles and responsibilities. In practice it is an authorization layer, deciding what an already-authenticated user may reach, and it sits on top of the existing network login.

Frank Konieczny, the Air Force's chief technology officer, said that as agencies move to a Web services approach to networks — where an application calls a database and pulls data back for the user — the need to authenticate the user, and to decide what that user is entitled to pull, is growing.

"The pilot we started about a year ago. We have a system integrator actually doing it. We are in testing right now in a MilCloud environment that we are trying to actually connect a real app to it to validate it," Konieczny said Wednesday at the Federal Forum conference sponsored by Brocade in Washington. "It's based on attributes for each individual in a sense that as soon as the person's attributes change, their role changes, and we automatically authenticate for particular access to data or particular systems."

Once the Air Force validates the technology with the initial application, Konieczny said, the service will require all new software to implement the role-based authentication capability.

"We need to get to the point where we actually are defending the data," he said. "That's one of the big rocks in the Joint Information Environment — identity management. We want to make sure that that's one of the ones we are working on right now. We've actually pushed this into the JIE framework as one of the frameworks they should consider for identity management in the JIE."

A new threat vector

The JIE is an umbrella term for standards, consolidation and information sharing across all military services and defense agencies. The Defense Department requires services and agencies to take part in the JIE, in part by modernizing their networks to meet the program's goals.

The Air Force's implementation of role-based authentication is both part of the JIE and part of its increased protection against insider and outside threats to its data.

"It's really a change to data security. We've seen network security work, and we still have network security. But we are trying to guard the data now more than anything, because that's what the bad guys actually want to get after. They want to exfiltrate it or change it," Konieczny said. "That's the real threat vector we are up against right now."

Konieczny said the technology is in addition to DoD's requirement that military and civilian employees use their Common Access Card to log onto the network: the card establishes who the user is, while the new layer decides what that user may reach.

Konieczny said every agency increasingly understands that protecting data is paramount, and that agencies will apply this type of role-based authentication to a growing number of systems.

"We've been sharing the pilot with everybody. Actually, we are trying to test it in MilCloud, which is DISA's JIE offering, and also we probably will test it in the test core data center that DISA is establishing," he said. "We've gotten inputs from all of the services and will continue to do so."

Full production in 2015

The feedback matters because DoD faces challenges many civilian agencies do not. Konieczny said one big challenge is using the technology in the tactical environment, where a deployed unit may not be able to reach a central attribute store at all.

"You really can't connect to a centralized location for information, so there has to be a way of moving it out, keeping it updated in the tactical environment via satellite communications or something, or actually having them run by themselves and have some administrative rights at that point in time," he said.

Konieczny said he thinks the role-based authentication technology is about six months from full production. Before then, the Air Force is checking which of its applications are compatible with it.
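The access-decision flow Konieczny describes (roles derived from a person's current attributes, so a change in attributes changes access with no separate revocation step), together with the disconnected tactical case, as an added Python example. This is not the Air Force's or its integrator's code; every user, attribute, role rule and permission below is constructed for illustration, and the one-hour snapshot age for the disconnected replica is an assumed policy value.

```python
"""Attribute-derived roles, evaluated at request time (added example, not Air Force code).

Roles are never stored per user. They are recomputed from the current attribute
record on every decision, so a transfer, clearance change or separation alters
access immediately. Names, attributes, rules and permissions are constructed.
"""
import time
from typing import Callable, Dict, Optional, Set, Tuple

Attrs = Dict[str, str]

# A role is held only while its predicate is true for the current attributes.
ROLE_RULES: Dict[str, Callable[[Attrs], bool]] = {
    "ops_planner": lambda a: (a.get("org") == "AOC" and a.get("clearance") == "TS"
                              and a.get("status") == "active"),
    "supply_analyst": lambda a: (a.get("org") in ("AOC", "AFMC")
                                 and a.get("clearance") in ("SECRET", "TS")
                                 and a.get("status") == "active"),
}

# Role -> permitted (resource, action) pairs. Anything not listed is denied.
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "ops_planner": {("ato_db", "read"), ("ato_db", "write"), ("supply_db", "read")},
    "supply_analyst": {("supply_db", "read")},
}


def roles_for(attrs: Attrs) -> Set[str]:
    """Derive the role set from attributes; there is no stored role membership."""
    return {role for role, rule in ROLE_RULES.items() if rule(attrs)}


class AttributeStore:
    """Authoritative attribute source (stands in for the enterprise directory)."""
    def __init__(self) -> None:
        self._records: Dict[str, Attrs] = {}

    def set(self, user: str, attrs: Attrs) -> None:
        self._records[user] = dict(attrs)

    def get(self, user: str) -> Optional[Attrs]:
        return self._records.get(user)

    def snapshot(self) -> Dict[str, Attrs]:
        return {u: dict(a) for u, a in self._records.items()}


class ReplicaStore:
    """Snapshot of the directory for an enclave that cannot reach it.

    Answers from the snapshot only while it is younger than max_age seconds;
    after that every lookup fails closed until the snapshot is refreshed.
    """
    def __init__(self, source: AttributeStore, max_age: float,
                 now: Callable[[], float] = time.time) -> None:
        self._source, self._max_age, self._now = source, max_age, now
        self._snapshot: Dict[str, Attrs] = {}
        self._taken_at = -float("inf")

    def refresh(self) -> None:
        self._snapshot = self._source.snapshot()
        self._taken_at = self._now()

    def get(self, user: str) -> Optional[Attrs]:
        if self._now() - self._taken_at > self._max_age:
            return None  # stale snapshot: fail closed rather than serve old attributes
        return self._snapshot.get(user)


def authorize(store, user: str, resource: str, action: str) -> bool:
    """Policy decision point: current attributes -> roles -> permission check."""
    attrs = store.get(user)
    if attrs is None:  # unknown user, or attributes unavailable/stale: deny
        return False
    needed = (resource, action)
    return any(needed in ROLE_PERMS.get(role, set()) for role in roles_for(attrs))


def demo() -> Dict[str, bool]:
    """Walk through an attribute change and a stale replica; returns the decisions."""
    directory = AttributeStore()
    directory.set("a.smith", {"org": "AOC", "clearance": "TS", "status": "active"})
    out: Dict[str, bool] = {}
    out["planner_writes_ato"] = authorize(directory, "a.smith", "ato_db", "write")
    # Transfer out of the AOC: only the attribute changes; nothing is revoked explicitly.
    directory.set("a.smith", {"org": "AFMC", "clearance": "TS", "status": "active"})
    out["after_transfer_writes_ato"] = authorize(directory, "a.smith", "ato_db", "write")
    out["after_transfer_reads_supply"] = authorize(directory, "a.smith", "supply_db", "read")
    # Disconnected enclave with a controllable clock (assumed one-hour freshness limit).
    clock = [1000.0]
    replica = ReplicaStore(directory, max_age=3600, now=lambda: clock[0])
    replica.refresh()
    out["replica_fresh"] = authorize(replica, "a.smith", "supply_db", "read")
    clock[0] += 7200
    out["replica_stale"] = authorize(replica, "a.smith", "supply_db", "read")
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The design choice worth noting is that `authorize` never consults a stored list of roles or grants; it recomputes from attributes on every call, which is what makes the attribute change in `demo` take effect without any revocation step. The replica fails closed when its snapshot ages out, so a cut satellite link degrades to denial rather than to decisions made on stale attributes; whether an enclave should instead fall back to local administrative control, as Konieczny mentions, is a policy decision the code leaves to the caller.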

He said part of the reason for the bigger focus on data security is that computer networks are morphing to include airplanes, satellites and even drones. The Air Force wants a single unified network that is managed as one entity.

Konieczny said that under the JIE framework, network management comes back to applications, because that is where the mission gets done.

"At the base, you can have mission essential applications only, and they are connected via network to the base so that if the major communication goes out to the JIE wide-area network, if you will, the base can still operate," he said. "The base operations for the Air Force is like the air operations center where they communicate accordingly with the airplanes and everything else. So this network is much larger than you think it is, even though we say it's sitting on the base. It's an extension of the base into the real atmosphere out there and to whatever it does. Also, you have to think of it as the drones sending information back. We have lots of intelligence, surveillance and reconnaissance videos coming in, petabytes of data per second. So that's part of the network and how is that going to be affected by anything we do?"