Cost-Effective Compliance
Full CJIS compliance to be enforced by 2013
- By Chris Jensen
- Aug 01, 2012
The FBI established the Criminal Justice
Information Services (CJIS) division in
1992, and it is now the bureau’s largest
division. CJIS provides state, local and
federal law enforcement and criminal justice
agencies with access to all sorts of
centralized information for investigations.
Secure records of fingerprint identification,
criminal histories and sex offender registrations
are just some of the records stored at CJIS. Because
this data is so critical for law enforcement, there are mandated
enhanced security measures that tightly control access.
As of September 2010, these measures require any organization
needing access to CJIS data to have unique IDs and strong
passwords in place. Additionally, these organizations must be in
full compliance with the rest of CJIS Advanced Authentication
requirements by 2013.
There aren’t any shortcuts, but there are fast and cost-effective
ways to achieve full CJIS compliance through advanced authentication
strategies.
Simply put, advanced authentication means that organizations
need security technology that’s more than a simple username
and password. Any two-factor authentication solution will
do, whether it’s a smartcard, biometrics, a USB token, a soft token
or a cellphone-based authentication method. When law enforcement
accesses information from a police vehicle or when an
agency employee is connecting remotely through a virtual private
network, they need a “what-you-have and what-you-know” way
to securely connect to the system remotely. Without CJIS compliance,
law enforcement agencies could lose access to CJIS systems,
thereby losing an effective crime-fighting tool.
For the public sector, protecting access to sensitive data is imperative
and also a requirement under the CJIS Advanced Authentication
compliance. Two-factor authentication is a key element
in a layered approach commonly deployed to mitigate risk
and protect against fraud.
KBA
Knowledge-based authentication (KBA) comes in two varieties—
lexical or graphical knowledge. Lexical knowledge employs
passwords, PINs or answers to a challenge question; graphical
knowledge uses a picture or pattern recognition for access. These
solutions are very cost-efficient but are also low-assurance, weaker
methods of authentication.
With KBA, the responsibility is on public employees to maintain
strong passwords, remember answers to questions they made
up weeks or months before or recognize patterns in what could be
critical situations. Oftentimes, employees write down their password
on a note and keep it under their keyboard. This defeats the
purpose of this type of security. Frequent calls to the help desk
regarding forgotten strong passwords also add to the cost of this
“low-cost” solution.
Tokens
Tokens come in a variety of forms that range from high assurance
to medium assurance, and their cost can vary just as dramatically.
Tokens provide excellent end-point independence but
also can be costly and offer a poor user experience because users
have to carry another piece of hardware for system access.
High-assurance tokens such as X.509 tokens are available, but
they may require a middleware reader. High-assurance tokens
can be the right solution if the user base adopts them and if the
highest assurance is more important than the cost of provisioning,
installation and maintenance.
Biometrics
Biometric two-factor authentication typically includes fingerprints,
vein structure, facial recognition or retinal scan. There
are even behavioral biometrics that use voice and typing rhythm
recognition. True biometric authentication can be high assurance
but comes with a price tag to match. Behavioral biometrics
are promising but are still in the more experimental phase, and
industry analysts warn that they are not yet proven. They offer
medium to high assurance but need specialized capture devices
to work correctly.
Phone-based Authentication
Phone-based authentication is an emerging technology that is
fast becoming a favorite option for banks, enterprises and globally
distributed online services. A number of vendors offering
phone-based authentication solutions have emerged in the past
few years.
These solutions provide medium- to high-assurance authentication
and are low-cost options because users are already provisioned
with a phone. Instead of carrying a token, users receive onetime PIN codes to their phone via SMS or voice call. Typically, the only
cost associated with phone-based authentication is a per-transaction
fee or a per-user fee to cover the cost of placing the call.
For those who lose their phone, many of these authentication
schemes can centrally manage the device to find it or easily replace
their authentication credentials for a new phone.
Choosing the Right Solution
For fast and cost-effective CJIS compliance, organizations need
five things:
- a good authentication solution;
- risk-appropriate strength;
- low total cost of ownership;
- good user experience; and
- end-point independence.
When choosing the type of authentication, remember:
- All solutions are not created equal. What two-factor authentication
solution is the right one for your workforce?
- Which solution is best used in the field, and what implementation
challenges exist?
- What might change on your network in the next few years, and
can your authentication solution scale for security, ease of use
and functionality as your company grows?
Balance of Security and Ease of Use
As more employees in your organization interact with CJIS data,
the importance of choosing an efficient authentication solution increases.
Phone authentication lets users take advantage of a technology
that is already part of their everyday life: the cellphone.
With no extra devices to carry, phone authentication is quick
and seamless. Consider the effort it takes to install and maintain
a token-based solution. Phone authentication can often help organizations
keep costs low and security compliance high because
it is easy to deploy and maintain.
This article originally appeared in the August 2012 issue of Security Today.