Ivanti Derived Credentials: A Zero Sign-On Solution for Smart Card-Enabled Organizations
What is a smart card?
Government agencies and some regulated industries have adopted standards (such as NIST SP 800-157) for issuing smart cards, based on the user’s validated and confirmed identity. The smart cards have digital certificates such as an authentication certification, a signing certificate, and an encryption private key (certificate). Often the smart cards also act as human recognizable identity validation cards and contain the user’s picture (for a guard to validate at a door or gate). The cards also may have a proximity chip for entrance to a facility, and they may contain biometrics as well.
The smart cards are then used for access to secure buildings and to log in to traditional enterprise workstations like laptops, desktops, and enterprise web services. Typically, an employee inserts their smart card into a reader on a workstation and enters a pin to access the authentication certificate, allowing the user to log in to the device or enterprise applications including cloud-based and web applications. This authentication method replaces usernames and passwords and provides two-factor authentication. That’s because the smart card is a physical entity that the user has, and the pin is something only they know – so neither the card nor the pin are sufficient, individually. These rules are described in the FIPS 201-2 definition of multifactor authentication and NIST SP 800-63-3.
What is a derived credential?
The difficulty of requiring smart cards for two-factor authentication is that as workers move from traditional workstations to more modern and mobile devices, smartcard readers are not practical. Therefore, a process is defined to securely create and provision digital certificates on mobile devices directly, based on the smart card. These certificates are derived from the initially assigned certificates and therefore are referred to as derived certificates or credentials. Derived credentials allow organizations that are using smart cards for authentication to easily extend this technology to mobile devices, providing strong, passwordless authentication to the most sensitive of resources. The end user securely authenticates to a portal using their physical smart card on an enterprise workstation. Then, using the information on the smart card, a mobile-friendly soft token is created and stored in a secure enclave on the mobile device as a digital certificate. The derived digital certificate is tied to a certificate on the smart card for revocation and validity. These certificates can be used for secure authentication to enterprise and web applications and resources, to sign emails and documents, and to encrypt messages on mobile devices.
What kinds of smart cards are out there?
U.S. civilian government agencies have standardized on smart cards called Personal Identity Verification (PIV) (based on a Homeland Security Presidential Directive HSPD-12), while the U.S. Military and Defense agencies have standardized on the Common Access Card (CAC). These smart cards and underlying technologies differ slightly, but both can be used for derived credentials.
Ivanti’s solution
The Ivanti team recognized the challenge our customers faced when complying with smart card and derived credential regulations in a mobile environment and have a solution to make the deployment of derived credentials easy. Working with trusted certificate and smartcard solutions like Entrust, DISA Purebred, Xtec and Intercede, we leverage derived credentials to enable organizations to extend their existing security investments in smart cards to their mobile infrastructure.
The Ivanti PIV-D manager solution integrates with Public Key Infrastructure (PKI) systems to seamlessly deploy derived credentials and manage the lifecycle of the credentials in any mobile enterprise or government organization. Ivanti PIV-D Manager stores the derived credentials securely in our encrypted Ivanti AppConnect framework, which is FIPS 140-2 enabled. The credentials can then be seamlessly shared with other secure AppConnect apps such as Email+, Docs@Work, Web@Work and native mobile OS apps for secure single sign-on, and S/MIME use on iOS and Android devices.
Prior to its acquisition by Ivanti, MobileIron assisted government agencies such as the Federal Emergency Management Agency (FEMA) and the DoD’s Defense Information Systems Agency (DISA) to deploy derived credentials seamlessly. These agencies now have tens of thousands of devices leveraging derived credentials, enabling their end users to access enterprise resources securely from mobile devices using their device.
The next level: Zero Sign-On
While derived credentials provide a strong authentication mechanism backed by PKI, Zero Sign-On enables derived credentials in conjunction with a comprehensive set of attributes, to be validated before granting access to enterprise resources. Ivanti’s approach to end-to-end, zero trust security significantly reduces risk by giving organizations complete control over enterprise data as it flows across devices, apps, networks and cloud services. This is essential as the world adjusts to a permanent shift to the Everywhere Workplace.
If you want to learn more about Ivanti’s world-class derived credential solution, please contact us.