Recently, the US Office of Management and Budget (OMB) released Memorandum M-22-09, which requires agencies to achieve specific zero-trust security goals by the end of Fiscal Year 2024. Advancing toward zero trust is one of the main modernization goals for government cybersecurity, as outlined in the 2021 Executive Order on Improving the Nation’s Cybersecurity.
As described in the Department of Defense Zero Trust Reference Architecture, “The foundational tenet of the zero-trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.” Instead, anything and everything attempting to establish access must be verified.
The move to zero trust emphasizes “stronger enterprise identity and access controls, including multi-factor authentication (MFA)” because without “secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks.” The authentication processes must be able to “detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.” The memorandum also states that MFA should be integrated at the application layer, such as through an enterprise identity service, rather than through network authentication, such as a virtual private network (VPN).
RSA supports the move to a zero-trust model. We are helping organizations and agencies around the globe meet this new challenge through a complete and modern approach to identity and access management (IAM). RSA offers a range of multi-factor authentication (MFA) methods to meet the needs of different users and use cases. RSA re-establishes trusted user identities while simultaneously employing machine learning and risk-based analytics to detect anomalous activity including potential phishing attacks. We also offer intelligent governance and lifecycle capabilities that are designed to reduce an organization’s attack surface. To protect the organization from both external and internal threats, our products eliminate over-entitlements that may be exploited by threat actors.
As we’ve helped our government agencies move toward zero trust and prepare for M-22-09 and the Executive Order, we’ve helped our customers answer a variety of questions about how to respond to these new requirements:
What do the requirements mean for RSA’s federal customers?
RSA provides a broad range of strong MFA options to help Federal agencies securely authenticate users from anywhere to anything, including both next-generation and legacy agency systems. The move to the cloud, remote work and digital initiatives have changed networks, and the perimeter that has historically protected resources continues to dissolve. Now people from every agency need to connect from many different locations; some even need to log in without internet access. This diversity of environments and users presents a range of authentication challenges, yet government agencies need to be able to reliably deliver secure, convenient authentication no matter where people or devices may be located.
RSA solutions connect any user, from anywhere, to anything. We offer multiple authenticator choices to meet different agency requirements and user preferences, including support for FIDO. As a board member of the FIDO Alliance and co-chair of the Enterprise working group, we’ve been pushing to remove passwords long before it was trendy, and we’re glad some other platforms are now taking similar steps. Our identity platform supports passwordless authentication with 99.95% availability, including a no-fail capability that enables authentication without a network connection, so users can authenticate securely even if connectivity is interrupted, or if they’re without internet service.
RSA offers a variety of IAM capabilities to support the Federal requirements related to zero trust, cloud security and authentication, and we are FedRAMP-authorized and trusted by the most sensitive government agencies. At this point, some agencies may have applications that don’t support FIDO, and we are working to help customers as solutions and companies transition their infrastructure and applications to support FIDO. In the meantime, agencies may continue to need one-time password (OTP) solutions, but it’s important to realize that not all OTP solutions are created equal.
The securely implemented SecurID OTP employs multiple controls to prevent an attacker from gaining access to a time-based OTP (TOTP). It also prevents the use of the TOTP in the rare instance an attacker does gain access. Unlike SMS TOTP, which has a time window that is typically 10-15 minutes, our time window is only 60 seconds. Additionally, SMS OTP is transmitted over an insecure channel that is regularly a target of fraud abuse—TOTP isn’t.
By limiting the life of an OTP to just a minute, RSA prevents bad actors from storing authentication factors for later use. And even when a bad actor tries to reuse the OTP within that 60-second window, our authentication server will not accept an OTP it has already seen. This rejection creates an auditable event because the real user then must authenticate a second time to gain access, or the user is simply denied access. Only being able to use an OTP once to authenticate keeps a phisher from mirroring or storing a legitimate user’s authentication attempt. SecurID OTPs can only be used once, and their lifespan is extremely brief.
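The single-use rule and the audit trail described above can be sketched as follows. This is an added example, not RSA code: the SecurID algorithm is not shown on this page, so the sketch substitutes standard RFC 6238 TOTP (HMAC-SHA1) with a 60-second step, and `OtpVerifier`, the outcome labels and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds an OTP is valid, matching the 60-second window in the text

def totp(secret, now, step=STEP, digits=6):
    """RFC 6238 code for the time step containing `now` (stand-in algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Accepts each time step at most once per user and logs every decision."""

    def __init__(self, secrets):
        self.secrets = secrets  # user -> shared secret (bytes)
        self.last_step = {}     # user -> newest time step already consumed
        self.audit = []         # (timestamp, user, outcome) for later review

    def verify(self, user, code, now):
        outcome = self._check(user, code, now)
        self.audit.append((now, user, outcome))
        return outcome == "accepted"

    def _check(self, user, code, now):
        secret = self.secrets.get(user)
        if secret is None:
            return "unknown_user"
        # Only the current step is checked: no clock-drift allowance in this sketch.
        if not hmac.compare_digest(totp(secret, now).encode(), code.encode()):
            return "bad_code"
        if self.last_step.get(user, -1) >= now // STEP:
            return "replay_rejected"  # valid code, but this step was already used
        self.last_step[user] = now // STEP
        return "accepted"

def demo():
    # Constructed secret and timestamps, for illustration only.
    secret = b"constructed-demo-secret"
    verifier = OtpVerifier({"alice": secret})
    t = 1_700_000_010
    code = totp(secret, t)
    verifier.verify("alice", code, t)       # legitimate first use
    verifier.verify("alice", code, t + 20)  # same code again inside the window
    verifier.verify("alice", code, t + 60)  # same code after the window closed
    return [outcome for _, _, outcome in verifier.audit]

if __name__ == "__main__":
    print(demo())
```

The `replay_rejected` entry in the audit list is the event a monitoring team would alert on, since it means a code that was valid for that user was presented twice within one window.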
Our machine-learning-based risk engine also detects behavioral anomalies. RSA risk-based authentication uses techniques and technologies to assess the risk an access request poses to the organization. Using machine learning, risk-based authentication learns from its assessments and applies that knowledge to future requests.
RSA secures not only authentication but the entire identity lifecycle, with self-service password management, easy access certification and automated joiner, mover, leaver (JML) processes, which ensure appropriate, compliant access throughout the user lifecycle. RSA manages the provisioning and deprovisioning of authenticators and provides help-desk tools to help handle situations like lost tokens and emergency access.
RSA also uses standards-based cryptographic methods to protect all the communication required to process an authentication attempt. We employ end-to-end encryption of both the PIN and OTP, which goes above and beyond transport layer encryption, so OTPs cannot be decrypted by a proxy. These methods not only protect the OTP and PIN as they are transported in, out, and across networks but also ensure that the various software components can authenticate themselves.
People need to be part of the solution
Phishing is a problem that’s not going away, but it’s important to remember that technology doesn’t operate in isolation. The success of a phishing attack can be as much about human psychology as technology. An educated workforce should be your first line of defense. Employees who are on the lookout for phishing emails won’t click suspicious links that give attackers a foothold.
By providing a choice of authentication options and building behavioral models, government agencies can achieve a phishing-resistant authentication solution that provides defense in depth beyond any particular authentication factor.
It’s also important to remember that any technology is only as good as its implementation. A good authentication solution needs to do more than deal with potential phishing threats. Proper provisioning and credential lifecycle management must be integral parts of the authentication solution. RSA has pioneered and established industry-standard practices for achieving these goals for OTP-based authentication.
RSA has been offering innovations and practical authentication solutions for decades. Our proven technology is trusted by the most security-sensitive government and commercial customers around the world. Our IAM delivers the capabilities your organization needs to achieve critical national cybersecurity goals. Our authentication solutions are time-tested, and we continue to innovate and refine our implementations as the threat landscape evolves.