Article originally published in the September 2020 edition of International Security Journal.
There has been a seismic shift in attitudes to remote working, driven primarily by the COVID-19 pandemic.
For central and municipal government departments and security-mandated companies, identity management processes and procedures that have taken years to hone and perfect are suddenly having to be adapted rapidly so that employees can work from home. With these changes, there are some key areas that government identity and compliance teams need to ensure are accounted for and maintained.
The first step has already been taken in the majority of organizations through the initial deployment and requirement to use a CAC (Common Access Card) or a PIV (Personal Identity Verification) card to access secure materials, websites, and applications. At first glance, it would appear relatively simple to translate these requirements to remote working — give your employees mobile card readers and have them access via a VPN or over a secure Internet gateway. Unfortunately, it isn’t quite that easy, and this article takes a brief look at some of the challenges you may face in enabling those remote workers with secure access.
TAA Compliance Is Not Optional
Regardless of whether your employees are working in the office, at home, or in their vacation rental at the lake, identity verification and identity management are mandated for access to the systems that allow them to perform their tasks and job functions. Enforcement of the identity management compliance mandates has been sporadic in the past: less than 5% of all government employees worked remotely before the pandemic, and we can only assume that government perimeter and cybersecurity measures were deemed sufficient to mitigate the threat.
Government attitudes are changing, however. Very few homes can afford the type of enterprise-grade cybersecurity a GSA location delivers, and there is a heightened awareness of potential threats given the distributed nature of the employees and the variety of access methods they are using to connect to government systems.
Securing the communication channels themselves through the use of VPN technology, or secure internet gateways, will offer strong protection and can help prevent data being intercepted by external parties or being re-directed away from the intended target. However, if a breach has already occurred on a device inside the connection, then the VPN/secure gateway method becomes largely ineffective. One of the primary methods of negating security measures in this fashion is to create alternate communication channels within a device that appears authorized, but which sends data to unverified, or potentially unwelcome, destinations. Using software and devices that meet compliance and regulatory standards is an important step in preventing breaches of this nature from occurring.
The Role of Mobile Card Readers
TAA compliance requirements extend to fully encompass ID card readers, a detail that is often overlooked when working in identity management. The Trade Agreements Act (TAA) (19 U.S.C. §§ 2501-2581) was created in 1979 and is intended to foster the growth and maintenance of a fair and open trading system. TAA compliance requires that the U.S. government (including GSA) acquires only United States-made or certain “designated country” end products. This means that all products must be either manufactured or “substantially transformed” in the U.S. or a TAA-compliant country in order to meet the compliance requirements.
This was seldom an issue when employees were working in a large government facility: if a PIV or CAC reader was lost, a new reader could easily be requisitioned from stores, and most likely the identity management team kept a stock of readers on hand. Productivity was far less disrupted, and there was a strong degree of control over which card readers were purchased and distributed.
Now that there is a shift to remote working, the control mechanisms over card reader deployment and model selection have loosened, with employees often purchasing card readers directly from the internet for simple expedience or to avoid the requisition process. This is where the majority of the problems start.
Solving the Problem of Employee Sourcing
While CAC and PIV card readers found on the internet may claim to be compliant, there is very little information as to which standards they are compliant with and what level of compliance they achieve. It is very easy to write a marketing description which sounds convincing, after all! Typically, if a Chinese manufacturer uses “compliant” when referring to a card reader, it may be more accurate to interpret the statement as meaning “compatible”: that it will work with the PIV or CAC card and the logical access control software that you are using.
Employees are also likely to hunt out the cheapest option when it comes to card readers, since they are likely to be spending their own money on replacing a reader they lost and are unlikely to be educated on the compliance requirements their readers have to meet.
These challenges can be solved by planning for the typical number of lost-reader incidents you experience, based on the number of employees that you are managing. Solutions may range from holding a central stock that can be dispatched on a rapid ship service to minimize disruption, to working directly with a card reader manufacturer holding thousands of units that are known and guaranteed to be TAA compliant.
Education is also vital for employees. Having them understand why they must purchase a specific type of card reader, or follow a particular process to get replacement devices, is a big first step in preventing non-compliance. Providing simple, non-punitive processes for those employees to obtain replacement devices is also important: an onerous process is the one avoided most quickly.
It isn’t all dire warnings, doom and gloom, however. The steps to implement a TAA-compliant device policy aren’t complex and will ensure that productivity is maintained throughout the current crisis and employees can take advantage of the flexibility that comes from working remotely, keeping themselves, their families, and their colleagues safe.