Security Trends: Reports, White Papers, Webinars | SecureAuth


WHITEPAPER

SECUREAUTH AND CAC – HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES


Executive Overview

U.S. federal mandates require that personnel working on defense-related initiatives prove their identity with a Common Access Card (CAC). The CAC is the standard identification for active-duty military personnel, the Selected Reserve, United States Department of Defense (DoD) civilian employees, and eligible contractor personnel. It is also the principal card used for physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. CACs are used for strong authentication and to control access to applications, including those outside the enterprise network.

This paper discusses the needs of CAC users: using the CAC credential for application authentication, for network access, and for effective Single Sign On. It then examines the solution provided by SecureAuth IdP, illustrating the functions of the IdP and the ways in which those functions suit organizations that rely on the CAC.

Table of Contents

• Introduction: What is a CAC Card?
• The Needs of CAC Card Holders
• The SecureAuth IdP Solution
• Versatile Authentication System
• VAS for External Devices
• Access to ALL Applications with CAC Validation
• Security Token Service (STS)
• Single Sign On Portal to Web and SaaS Applications
• Identity Access Management
• Conclusion


Introduction: What is a CAC Card?

Common Access Cards (CAC) are United States Department of Defense (DoD) smart cards issued to Active Duty, Reserve and National Guard members and to eligible contractor personnel. They identify the holder, permit physical access to buildings and controlled spaces, and permit logical access to DoD computer networks and systems. The face of a CAC carries the holder's photograph, federal identifier, affiliation, service or agency, pay grade, rank, blood type, date of birth, DoD identification number, and DoD benefits number. Also embedded within the card are:

• Integrated Circuit Chip (ICC) holding 32k, 64k, or 128k of data
• PDF417 barcode
• Magnetic stripe
• Code 39 barcode

These cards are built to the Homeland Security Presidential Directive 12 (HSPD-12) standard, which governs the identification credentials used to gain access to secure facilities where there is potential for terrorist attacks. CACs have been issued to over 18 million people, so it makes sense to use a credential that is already trusted and always on hand to authenticate online access as well.

The Needs of CAC Card Holders

Users need a solution that protects enterprise data, is easy to deploy, and improves the user experience. With their CACs, they want strong protection without duplicating or altering their existing infrastructure, specifically:

• Strong, multi-factor authentication
• Access to all applications: network, web, and cloud
• Single Sign On (SSO) to and between all applications

SaaS applications and resources make for a far more efficient workflow for the enterprise. Despite the heightened security risk, conducting business outside the network is not only more convenient, it is necessary. Yet most web and cloud resources, Google's included, do not accept CAC credentials without modification. The reason is the physical-to-cloud gap: a SaaS application has no way to talk to a smart card sitting in a reader on the user's desk, so the card's certificate has to be validated by something that can, and the result passed to the application in a form it understands.


This leaves government entities with a real dilemma: how do they meet the government-imposed "Cloud First" initiative to move applications to the cloud while still complying with the HSPD-12 (CAC) mandate?

The SecureAuth IdP Solution

SecureAuth IdP is a single, cost-efficient solution that provides versatile authentication and identity assertion for web and SaaS applications and integrates with the existing government infrastructure. SecureAuth IdP can authenticate users with their CACs. With SecureAuth IdP, users can be authenticated, granted the appropriate access, and directed to web, network, and SaaS applications simply by inserting their CAC into a reader and entering their PIN.


Versatile Authentication System

SecureAuth IdP provides a Versatile Authentication System (VAS) that authenticates users and gives enterprises flexible configuration options. Multi-factor authentication combines something the user has with something the user knows to validate an identity for a period of time; administrators can set how long a successful authentication remains valid (one session, one day, 30 days, 90 days, and so on). Federal employees who fall under HSPD-12 have a CAC and its PIN, and they know their usernames and passwords. SecureAuth IdP offers a variety of authentication methods. Along with the CAC, validation can be achieved through:

• SMS OTP
• Telephony OTP
• Email OTP
• Static PIN
• KBA/KBQ
• Yubikey (USB)
• X.509 Native
• X.509 Java
• NFC Prox Card
• Mobile OATH Token (TOTP)
• Browser OATH Token (TOTP)
• Windows Desktop OATH Token (TOTP)
• Third-Party OATH Token (TOTP)
• PUSH Notification
• Help Desk
• Social IDs (Google, Facebook, Twitter, LinkedIn)
• Federated IDs (SAML, WS-Fed, OpenID)
• Device Fingerprinting
• Password

Cardholders can use the CAC they already carry to confirm their identity alongside their enterprise credentials (username and password) through SecureAuth IdP. This removes the need for users to memorize several passwords and instead secures everything with a single set of credentials.


VAS for External Devices

With SecureAuth IdP, mobile users can also obtain secured access to enterprise data. What a device can do depends on what it supports, but a CAC can permit entry from anywhere a reader is available. Certain laptops and smartphones can read a CAC, and users of those devices can complete two-factor authentication (2FA) with the card via SecureAuth IdP for Mobile; federal agencies issue these users CAC readers for their HSPD-12 credentials. This gives CAC holders access to their organization's resources from virtually any device with the same protection that SecureAuth IdP provides for internal users.


Access to all Applications with CAC Validation

Strong authentication with the CAC meets the government mandates on user authentication, but access to applications, especially SaaS applications, is still needed. Where other systems do not accept a CAC as the ticket into an application, SecureAuth IdP does: users authenticate with their CAC credentials through SecureAuth and then obtain access to web, network, and SaaS applications. Among the many items on a CAC is an X.509 v3 certificate. SecureAuth authenticates the user against that certificate, pulls the user's identity from it, and accepts that identity into the IdP. SecureAuth can then translate the identity into the context and format that the relying-party application accepts. It does not matter how the applications are configured or where they are located (on the network or in the cloud), because SecureAuth IdP transposes the identity so that it is accepted by all of them without additional coding by the enterprise. The SecureAuth solution for CAC holders follows the Federal Cloud Computing Strategy and the Executive Strategy to protect confidential data while decreasing IT costs. With the all-in-one system, everything remains secure and easily accessible, which significantly reduces IT help desk calls.
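The paragraph above says the IdP pulls the user's identity out of the X.509 certificate on the card. The example below is added here to show what that involves; it is not SecureAuth's code and does not describe how SecureAuth IdP is implemented. It uses only Go's standard library and builds its own throwaway CA and certificates (constructed, no DoD material). Two things a practitioner should notice: the identity is read only after the chain has been verified to the trusted roots, so a self-signed certificate carrying the same name and UPN is rejected; and the UPN lives in a subjectAltName otherName, which Go's parser does not expose, so the GeneralNames are decoded by hand. The subject CN form LAST.FIRST.MIDDLE.EDIPI and the UPN form EDIPI@mil follow the DoD CAC certificate profile as I know it; the function names, the sample values and the CA name are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}                    // subjectAltName (RFC 5280)
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // Microsoft UPN otherName, as carried on CAC certificates

type otherName struct { // value of a GeneralName [0] (RFC 5280, 4.2.1.6)
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue // [0] EXPLICIT ANY, kept raw
}

// upnFromSAN walks the SAN GeneralNames by hand: Go's x509 parser drops otherName entries.
func upnFromSAN(cert *x509.Certificate) (string, error) {
	var names []asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSAN) {
			if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
				return "", err
			}
		}
	}
	for _, gn := range names {
		if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
			continue // rfc822Name, dNSName, ...: not an otherName
		}
		var on otherName
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
			return "", err
		}
		if on.TypeID.Equal(oidUPN) {
			var upn string
			_, err := asn1.Unmarshal(on.Value.Bytes, &upn)
			return upn, err
		}
	}
	return "", fmt.Errorf("no UPN otherName in subjectAltName")
}

// IdentityFromCAC verifies the chain to the trusted roots before believing any name in the certificate.
// cert.Verify does no revocation checking (CRL/OCSP), which a real IdP must add; key possession is proved by TLS client auth.
func IdentityFromCAC(cert *x509.Certificate, roots *x509.CertPool, now time.Time) (edipi, upn string, err error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return "", "", fmt.Errorf("untrusted certificate: %w", err)
	}
	// CAC subject CNs are LAST.FIRST.MIDDLE.EDIPI (EDIPI = 10 digits); the UPN is EDIPI@mil.
	parts := strings.Split(cert.Subject.CommonName, ".")
	if edipi = parts[len(parts)-1]; len(edipi) != 10 || strings.Trim(edipi, "0123456789") != "" {
		return "", "", fmt.Errorf("CN %q does not end in an EDIPI", cert.Subject.CommonName)
	}
	if upn, err = upnFromSAN(cert); err != nil {
		return "", "", err
	}
	return edipi, upn, nil
}

// BuildTestPKI constructs a stand-in for the DoD PKI (no real DoD material): an issuing CA,
// a CAC-style leaf it signed, and a self-signed look-alike with the same subject and UPN.
func BuildTestPKI() (roots *x509.CertPool, cac, rogue *x509.Certificate, now time.Time) {
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c } // fixture: cannot fail
	// UPN as a raw SAN extension: encoding/asn1 cannot IMPLICIT-tag a struct, so the otherName SEQUENCE is re-tagged by hand.
	inner, _ := asn1.MarshalWithParams("1234567890@mil", "utf8")
	on, _ := asn1.Marshal(otherName{oidUPN, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: inner}})
	var seq asn1.RawValue
	_, _ = asn1.Unmarshal(on, &seq)
	san, _ := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: seq.Bytes}})
	now = time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Issuing CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca := parse(x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "DOE.JOHN.Q.1234567890"}, // constructed
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ExtraExtensions: []pkix.Extension{{Id: oidSAN, Value: san}}}
	cac = parse(x509.CreateCertificate(rand.Reader, leaf, ca, pub, caKey))
	rogue = parse(x509.CreateCertificate(rand.Reader, leaf, leaf, pub, key)) // same names, no chain to the CA
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, cac, rogue, now
}

func main() {
	roots, cac, rogue, now := BuildTestPKI()
	fmt.Println(IdentityFromCAC(cac, roots, now))   // 1234567890 1234567890@mil <nil>
	fmt.Println(IdentityFromCAC(rogue, roots, now)) // untrusted certificate: ...
}
```

The order in IdentityFromCAC is the whole point: the subject and UPN are attacker-chosen strings until the signature chain ties them to the issuing PKI, which is why the look-alike certificate, identical in every name, is refused before any name is read. In a deployment the root pool holds the DoD root and intermediate CAs, revocation is checked against the DoD CRLs or OCSP responders, and the certificate arrives through a TLS client-authentication handshake, which is what proves the user holds the card's private key (and, through the card, entered the PIN).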

Security Token Service (STS)

Built into SecureAuth IdP is a Security Token Service (STS) that translates the format of the user's identity. The solution was designed to accept any identity and translate it quickly into one the target application accepts. When users insert their CAC and log in with their company credentials, their identity is passed to SecureAuth IdP for authentication and consumption. Within the IdP, the identity is formatted for acceptance by the relying applications. SecureAuth supports many application protocols, so as long as the desired application supports one of them, the user's identity can be shaped for admission. Though the user is handed to the application in SAML or a similar format, SecureAuth alone performs the authentication before entry occurs; it does so by extracting the necessary information from the CAC certificate and from the enterprise directory. SecureAuth IdP does not store any of this information; it retains only the approved identity, which the STS then reshapes as needed. Enterprises receive these functions "out of the box," as they are built into SecureAuth IdP, so no additional coding is required.

Single Sign On Portal to Web and SaaS Applications

The STS enables Single Sign On (SSO) to all applications. SSO protects data and relieves the user of tedious procedures such as signing into each application individually or memorizing numerous unique passwords. With the CAC, users can move to and between all SaaS and network applications after their initial sign-on. SecureAuth IdP provides a portal for SaaS and web applications that comes prepackaged with the system; in this one location all admission is negotiated. It is a secure point of access that users reach only after authentication. The STS continues to consume the user's identity and translate it appropriately to assert it to specific applications through the portal, so it does not matter what type of identity an application accepts: the IdP relays it correctly. How it works:

• Users open an application and present their CAC for authentication against the company directory through SecureAuth IdP.

• The IdP approves the identity after receiving the necessary credentials and the second-factor information, and holds that identity for the duration of the session.

• The STS in SecureAuth IdP converts the identity into an acceptable SAML or other federated artifact.

• The application the user originally attempted to enter is then opened to the re-encoded identity.

From there, the user can navigate to other applications without login prompts. This all happens within the IdP, where the STS continually transforms the user's identity into application-suitable identities. All post-authentication events occur without requiring any work from the user and are fully configurable in the administration console.


Identity Access Management

SecureAuth IdP offers many functions for government enterprises looking to protect their data, and one of the most useful is its flexible, configurable, and integrated Identity Access Management (IAM) tooling. Admins are in full control of the permissions of users, groups, devices, and applications. SecureAuth gives companies the tools to act as their own Identity Provider while it enforces their policies. In a browser-based admin console, all actions can be logged and audited, and each setting is made through drop-downs and single clicks. All options are available for immediate deployment and require no coding.

Admins can adjust settings for individual users using the directories they already have in place. Allocations and restrictions can be applied so that users reach only the applications and information pertinent to their roles. Companies can also quickly remove the profiles of users who are no longer connected to the organization, so that any future admission is denied.

Applications can be configured for both 2FA and SSO. Admins can require 2FA for the initial application and let SSO carry the user into all additional applications, or they can require 2FA for every application and disable SSO entirely. SecureAuth IdP can also enforce three-factor authentication (3FA) if needed, for all users and all applications or only for individual profiles and specific applications. For user profiles and applications, 1-Touch Revocation is available as well: admins can swiftly remove access and/or SSO permissions from their console.


User Self-Management is another tool that comes with SecureAuth IdP. It lets users take some control of their own profiles: they can reset their own passwords and revoke their own or their device's access without help from the IT help desk. All configuration is done without coding, third-party tools, or expensive overhead. SecureAuth IdP makes life easier for users and reduces cost for the organization.

Conclusion

A CAC is a necessary credential for federal employees and associates. It carries a high level of assurance and is an item its holders always have with them. It makes sense to extend this level of trust to all resources. SecureAuth provides that option with an IdP that accepts the CAC for strong authentication and SSO into all network, web, and SaaS applications. SecureAuth IdP was built to be flexible and accommodating: it accepts the CAC identity credential and translates it into a format accepted by the relying applications, all while keeping data secure.


The IdP and all of its functions come prepackaged in a single solution that does not require additional hardware, installations, or coding, and it integrates with your existing infrastructure. With SecureAuth IdP, users need only one set of credentials and one second-factor item to gain access to every part of the enterprise; CAC holders already meet these criteria with a trusted credential. SecureAuth IdP performs the difficult task of translating the identity provisioned to the CAC credential and extending it to other IT resources, namely web, network, and cloud applications. SecureAuth executes this through an extensive library of data-manipulation routines and application SSO mechanisms, all made available to the government admin through an intuitive GUI. SecureAuth IdP enables government enterprises to provide secure, HSPD-12-mandated access to web, network, and SaaS resources in a single solution package.


8965 Research Drive, Irvine, CA 92618 p: 1-949-777-6959 f: 1-949-743-5833 secureauth.com