
Identity and Enterprise Level Security

  • William R. Simpson
  • Kevin E. Foltz
Conference paper

Abstract

Intrusions into enterprise computing systems have led to an approach that puts steel gates in place to keep hostile entities out of the enterprise domain. The current level of complexity has made this fortress approach to security, as implemented throughout the defense, banking, and other high-trust industries, unworkable. The alternative security approach, called Enterprise Level Security (ELS), is the result of a concentrated 15-year program of pilots and research. The primary identity credential for ELS is the PKI certificate, issued to an individual who is provided with a Personal Identity Verification (PIV) card containing a hardware chip that stores the private key. This process provides a level of identity assurance high enough to proceed. However, in some instances the PIV card is unavailable or in a compromised position, and a compatible approach at a higher level of assurance is needed. This chapter discusses a multi-level authentication approach designed to satisfy the level of identity assurance specified by the data owner, to add assurance to derived credentials, and to be compatible with the ELS approach to security.

Keywords

Assurance; Authentication; Enterprise level security; Identity; Multi-factor authentication; Personal identification verification

Notes

Acknowledgements

This work was supported in part by the U.S. Secretary of the Air Force and The Institute for Defense Analyses (IDA). The publication of this chapter does not indicate endorsement by any organization in the Department of Defense or IDA, nor should the contents be construed as reflecting the official position of these organizations.


Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. Institute for Defense Analyses, Alexandria, USA
