Assured Identity for Enterprise Level Security

July, 2017
IDA document: D-8286
FFRDC: Systems and Analyses Center
Type: Documents
Division: Information Technology and Systems Division
Authors: William R. Simpson, Kevin E. Foltz
Increasingly frequent intrusions into enterprise computing systems have led to the formulation of guarded enterprise systems. The approach was to put steel gates in place and prevent hostile entities from entering the enterprise domain. The current level of complexity has made the fortress approach to security, as implemented throughout the defense, banking, and other high-trust industries, unworkable. The alternative security approach, called Enterprise Level Security (ELS), is the result of a concentrated 14-year program of pilots and research. The primary identity credential for ELS is the PKI certificate, issued to an individual who is provided with a Personal Identity Verification (PIV) card containing a hardware chip that stores the private key. Every session is preceded by PKI mutual authentication, after which a TLS 1.2 communication pipeline is established. This process was deemed to provide a high enough level of identity assurance to proceed. However, in some instances the PIV card is not available, and a compatible approach is needed. This paper discusses a multi-level authentication approach designed to satisfy the level of identity assurance specified by the data owner while remaining compatible with the ELS approach to security.