This blog is an excerpt from GovLoop’s recent industry perspective, How A Layered Approach Improves Security. Download the full perspective here.
As government relies more heavily on information technology to store, manage and access critical data, it also creates greater potential for that information to be misused or exposed. Data clearly shows that internal threats and external hackers are taking advantage of those vulnerabilities. According to one Government Accountability Office report, the number of cyber incidents in the federal space rose from just 5,503 in 2006 to 67,168 in 2014 – and the number will only continue to exponentially increase.
To help safeguard this ever-expanding attack surface, public key infrastructures, or PKI, have become a standard security measure for most federal government organizations. PKI is a system of digital keys that are assigned to individuals in order to give them access to protected content and IT systems. By creating and verifying digital keys, the federal PKI ensures that only privileged, internal users are able to access government data.
But even as more agencies adopt the infrastructure, some cybersecurity professionals question whether PKI is enough to protect sensitive and confidential information.
According to Niko Agnos, Federal Software Security Specialist, and Darren Rivey, Federal Software Security Technologist at Brocade, the binary, yes-or-no functionality of PKI cannot by itself eliminate internal vulnerabilities or prevent external hacks. While PKI adds a necessary first level of security, it can still leave agencies vulnerable to credential misuse and application-layer attacks.
Today, nearly every valid user of federal government IT systems is required to have a digital key to unlock the kingdom of sensitive information and public sector data. Those keys are all part of the federally mandated PKI, which provides baseline security to agencies’ IT infrastructures by assigning roles, policies and procedures to digital certificates, providing blanket encryption to applications and preventing users without keys from accessing application data.
Agnos described PKI as “the ability to provide the checks and balances between the utilization of digital certificates to identify and authenticate users.” However, he said, while PKI does provide some degree of authentication, most organizations will need to add more layers to their cybersecurity protocols in order to truly safeguard their information from malicious users.
“PKI is a binary solution, meaning it gives you a yes or no solution,” Agnos explained. While PKI prevents users without digital keys from accessing protected information, those who do have a key gain nearly universal access to what lies within the infrastructure. More often than not, that results in users having unnecessary or even inappropriate access to information.
In addition to potentially providing excessive access to users, PKI also leaves agencies vulnerable to illegitimate users via falsified credentials. Agnos referenced a previous breach at an intelligence agency, where an insider fabricated digital keys to gain access to sensitive information. This tactic is not uncommon, given its relative ease: A malicious user only has to replicate the infrastructure key to gain nearly unlimited access to information and applications when PKI is the only layer of defense.
Moreover, while PKI authenticates digital certificates, it does not examine the attributes of the individual users who present them or what those users should actually be allowed to access.
“An insider threat isn’t necessarily always an employee or a contractor who compromises your information,” Rivey said. “It could be someone who has stolen your identity or who has executed a phishing attack on an employee or contractor and inserted malicious software into the infrastructure. You can address that sort of insider threat by adding more layers of defense.”
Especially in government, further segmentation of access is necessary to reduce the risk of data overexposure and to ensure that only the appropriate users can access sensitive or classified information. Adding attribute checks to sign-on protocols, as well as applying security controls directly to applications, can provide better information protection guarantees.
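As an added illustration of the layered model described above (example code, not from the article, GovLoop or Brocade), the following Python contrasts a PKI-only access decision with one that also checks certificate attributes against a per-application policy. The certificate records, trusted issuer, revocation list, evaluation date and resource policy are all constructed stand-ins for a real X.509 chain, CRL/OCSP lookup and policy store.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Cert:
    """Constructed stand-in for the fields a validated X.509 certificate would yield."""
    subject: str
    issuer: str
    not_after: date
    attributes: dict = field(default_factory=dict)  # e.g. agency and role, from the cert or a directory

# Constructed trust anchor, revocation list and evaluation date (a real deployment validates the CA chain and consults CRL/OCSP).
TRUSTED_ISSUERS = {"CN=Example Agency CA (constructed)"}
REVOKED_SUBJECTS = {"CN=revoked.user"}
TODAY = date(2016, 1, 1)

# Constructed per-application policy: the attributes a holder must present to reach each resource.
RESOURCE_POLICY = {
    "payroll": {"agency": "HHS", "role": "finance"},
    "public_portal": {},  # any validly authenticated holder
}

def pki_authenticate(cert: Cert, today: date) -> bool:
    """Layer 1, the binary PKI decision: trusted issuer, unexpired, not revoked."""
    return (cert.issuer in TRUSTED_ISSUERS
            and cert.not_after >= today
            and cert.subject not in REVOKED_SUBJECTS)

def pki_only_authorize(cert: Cert, resource: str, today: date) -> bool:
    """PKI-only model: every valid certificate holder reaches every resource."""
    return pki_authenticate(cert, today)

def layered_authorize(cert: Cert, resource: str, today: date) -> bool:
    """Layered model: PKI validity first, then attribute checks against the resource policy."""
    if not pki_authenticate(cert, today):
        return False
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False  # fail closed: a resource without a policy grants nothing
    return all(cert.attributes.get(k) == v for k, v in required.items())

def sample_certs() -> dict:
    """Constructed certificate records covering the cases the two models distinguish."""
    ca, valid, lapsed = "CN=Example Agency CA (constructed)", date(2017, 1, 1), date(2015, 6, 1)
    return {
        "finance": Cert("CN=finance.user", ca, valid, {"agency": "HHS", "role": "finance"}),
        "helpdesk": Cert("CN=helpdesk.user", ca, valid, {"agency": "HHS", "role": "it"}),
        "revoked": Cert("CN=revoked.user", ca, valid, {"agency": "HHS", "role": "finance"}),
        "expired": Cert("CN=expired.user", ca, lapsed, {"agency": "HHS", "role": "finance"}),
    }
```

For the `helpdesk` record, `pki_only_authorize(..., "payroll", TODAY)` returns True while `layered_authorize` returns False, which is exactly the over-broad access the article attributes to a PKI-only design.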