The Perils of Mobile and Cloud Security: An Argument for Centralized Smartcards

By: Bill Becker

Blogs

Jul 25, 2016 | 11:31 am

Government agencies have moved more into the app- and cloud-centric culture that is increasingly common in most enterprises. Now, privileged rights previously reserved for an administrative user are undergoing a transition where those rights are being segregated among a number of administrators for role separation requirements. That makes user authentication more important than ever when accessing mission-critical information.

Federal mandates such as OMB’s 30-day Cybersecurity Sprint and the Cybersecurity Strategy and Implementation Plan (CISP), along with technology trends like the Internet of Things and Bring Your Own Device, put greater emphasis on identity and authentication technologies. The CSIP in particular requires derived credentials solutions and other strong authentication solutions for mobile devices, to improve mobile device management on a broader scale.

Of course, mature applications and workflows still require public key infrastructure (PKI) credentials. Smartcards work well for authentication at traditional endpoints. Smartcard-based encryption and authentication is also effective for end users’ laptop and desktop computers, and for applications such as secure email, virtual private network access, PKI-enabled Web servers, and network smartcard logon.

For mobile devices, however, smartcard-based authentication is more complicated. PKI credentials on smartcards do not translate efficiently to the mobile environment.

As endpoints increasingly address multiple mobile devices–laptops, desktops, thin clients, smartphones, tablets, and more–smartcards with PKI credentials are no longer the best solution. Smartcard readers can be cumbersome, microSD cards can be easily lost, and embedded PKI only works on specific smartphones. Software-based credentials must be replicated onto each one of a user’s devices.

What’s more, these approaches typically require their own management solution, which can be an administrative and security nightmare.

Securing PKI Credentials in Mobile and Virtual Environments
Because smartcards such as the Common Access Cards (CAC) and Personal Identity Verification (PIV) cards are not easily used with a mobile device, many agencies are looking to move to a “derived credential” model. In derived credentials, user identity credentials are presented in alternate form factors that are more mobile device friendly. The typical form factors proposed as solutions are external hardware and embedded hardware or software security modules.

Unfortunately, external hardware such as microSD cards and USB tokens often have inconsistent mobile device support, and are susceptible to being lost or stolen. Embedded security modules can be simpler to use, but they present credential management issues–every end user devices requires a separate credential to be provisioned, audited, and maintained.

Virtual desktop environments improve security for many agencies, but they also make smartcard-based PKI operations complicated. Each thin-client endpoint (including mobile devices) may need custom driver software to connect between the attached smartcard and the applications running within the virtualized environment.

This is all made more complex still when a single endpoint is used to simultaneously access multiple virtual environments by having to share a single physical smartcard. If each virtual environment issues its own identity credentials, users may have to swap smartcards in and out of their local smartcard reader, accessing only one virtual environment at a time.

Some enterprises try to avoid smartcard usage simply by deploying software-based PKI credentials. This can solve some problems, but they still face the security risks of software-based keys, with multiple user credentials sent to each user’s various endpoints.

The case for “centralized smartcards”
A more appropriate and more easily managed approach to security would be what might be called “centralized smartcards.” This type of security management allows administrators to issue users a single identity, accessible from a range of devices. Users’ PKI credentials are maintained in a secure, centralized server, with crypto operations handled from that hardware.
When an end user needs to perform a smartcard operation, the application on the endpoint would connect to a virtual smartcard reader. This would redirect crypto operations to the appropriate virtual smartcard in the centralized smartcard server. An additional security layer between the endpoint and the smartcard server provides secure transport and permits use of a variety of authentication methods for selection of an end user’s virtual smartcard.

A centralized smartcard approach would need no changes made to endpoint virtual smartcard or the PKI-enabled applications that require smartcard authentication or digital signatures. By centrally maintaining each user’s PKI credentials, users can use their same PKI keys and certificates from any endpoint.

With this approach, all PKI credentials are housed in a central location, greatly simplifying security infrastructure audit and reporting needs. User credentials (including derived credentials called for in the CISP) are never at risk of theft or loss of a separate hardware credential or the mobile device itself. A single user credential can be accessed from any and all end user devices.

In virtual environments, a centralized smartcard would considerably improve smartcard management realm. End user PKI credentials would be centrally located in a secure environment, just like the virtual desktop infrastructure model. And without the requirement to use a physical smartcard reader, the end user is free to access multiple virtual environments using a different credential, or derived credential, for each environment.

As the endpoint continues to evolve, agencies must provide a simple way for users to access everything from external cloud applications to internal secure networks from a wide variety of devices while meeting security requirements and compliance mandates. A centralized smartcard approach could greatly simplify authentication, providing users with secure access to the many networks and applications being used in our increasingly mobile and cloud-centric world.

Bill Becker is the technical director for SafeNet Assured Technologies. He can be reached at Bill.becker@safenetat.com

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.

Archives