Air Force aims to make secure mobile identity management the norm

The coronavirus pandemic and maximum telework orders have stressed the Defense Department's networks, and also exposed the need for mobile device security.

Jason Howe, the Air Force's CTO and chief cloud architect for manpower, personnel and services (A1) said the current reality has exposed DOD's need to loosen its view on mobile security. 

"That concept of mobility is so important," Howe said at a May 11 virtual event on identity management hosted by GovExec. "Unfortunately, what we've had to go through has exposed the need in the DOD to work outside of the [Non-classified Internet Protocol Router Network], outside of the DOD network proper and opened capabilities through these use cases."

A result, Howe said, the response to COVID-19 and the push for social distancing measures mean secure commercial identity authentication solutions "will be more readily accepted at such a speed that I've ever seen before."

And it's an area where the Air Force is hoping to take lead. The service's A1 directorate, which handles manpower, personnel and services for about 5 million users, is in the midst of transforming its identity, credentialing and access management, using cloud-based solution from Okta and CDO Technologies with the Air Force's public key infrastructure system.

The move, Howe said, was to unify the user experience to one cloud platform -- consolidating down from 42 disparate ICAM systems that each required unique passwords and usernames per airman.

Howe said that while the Air Force is authenticating users today, he hopes to scale the effort to mobile capabilities with multi-factor authentication in the next year. He predicted that approach could be the norm for service members and civilians across DOD in the next three years.

Such a shift, however, comes with an increased need for insider threat detection, an area that Howe said needs to be improved. A1 is currently working with the 16th Air Force to implement a log analysis system and gather insight on how to identify fundamental threat activity to become "more granular."

"I think we're still at the definition stage," Howe said. "So we're trying to say. Some of it's easy: if you see traffic coming from an untrusted IP [address], that's kind of a no-brainer."

"But it's much more difficult when you see authenticated traffic to know where's the threat," he said. "It really requires a level of [artificial intelligence] and [machine learning] configuration that maybe we're not at today."

However to do that will require balancing cybersecurity and civil liberties, especially as the capabilities are expanded to populations and privacy needs increase.

"The more data you have, the more information you have about a person, the better the authentication decision you can make about authentication," Howe said. "But quite often, that data that we want to make the best decision is privacy-related data. I want to know about you, and your family, and where you are and what you're doing and personal attributes of your life. And all of that, I'm in charge of [protecting]."

This article first appeared on FCW, a partner site of Defense Systems.