How can agencies quickly and cost-effectively achieve CJIS compliance?
In 1992, the FBI established its Criminal Justice Information Services (CJIS) division. It is the largest division of the FBI, and it provides state, local, and federal law enforcement and criminal justice agencies with access to centralized information such as fingerprint identification records, criminal histories and sex offender registry data. Because this information is so sensitive, the FBI, through the CJIS Security Policy, mandates enhanced security measures to protect access to it.
The CJIS Security Policy requires that every organization accessing CJIS data issue unique user IDs and enforce strong passwords by September 2010, and that every organization meet the CJIS Advanced Authentication requirement by 2013. Advanced Authentication means proving identity with a second factor beyond a user name and password, for example a two-factor authentication solution. The requirement applies to everyday situations such as a law enforcement officer querying information from a police vehicle or an agency employee connecting remotely through a VPN. Compliance matters: an organization that is audited and found non-compliant can lose its access to CJIS systems.
Continually evolving security threats require organizations in every sector to adopt a layered approach to protecting access. For the public sector, protecting access to sensitive data is imperative, and it is also a requirement under CJIS Advanced Authentication. Two-factor authentication is a key element of that layered approach and is commonly deployed to mitigate risk.
There are a variety of two-factor authentication solutions, including knowledge-based authentication (KBA), tokens, biometrics and phone authentication.
KBAs -- Knowledge-based authentication comes in two varieties: lexical knowledge, such as passwords or answers to a challenge question, and graphical knowledge, such as picture or pattern recognition. Although these solutions are very low-cost to deploy, they are low-assurance, weak methods of authentication; because a password and a challenge answer are both things the user knows, KBA layered on a password does not add a genuinely independent second factor. With KBAs, the burden falls on the public employee to maintain strong passwords, to remember answers to questions they may have made up weeks or months earlier, or to recognize patterns in what could be critical situations.
Tokens -- Tokens come in a variety of forms that range from medium to high assurance, and their costs vary just as dramatically. Tokens have long been the poster child for possession-based ("something you have") authentication, but they come with the inherent problems of provisioning an additional piece of hardware and supporting users who lose it.
Although tokens provide end-point independence, they can be costly and offer a poor user experience because users must carry an additional device. Standard one-time-password tokens offer medium to high assurance. High-assurance tokens, such as smart cards carrying X.509 certificates, are available, but they may require a card reader and client middleware on every end point. High-assurance tokens can be the right solution if the user base adopts them and if the highest assurance matters more than the cost of provisioning, installation and maintenance.
Biometrics -- Biometric two-factor authentication takes two forms. Physiological biometrics include fingerprints, vein structure and retinal scans. Behavioral biometrics include voice and typing-rhythm recognition. Physiological biometric authentication can be high-assurance, but comes with a price tag to match. Behavioral biometrics are promising, but industry analysts warn that they are not yet proven. As a class, biometrics offer medium to high assurance, but they require specialized capture devices at each end point.
Phone-based authentication -- Phone-based authentication is an emerging technology that is fast becoming a favorite option for banks, enterprises and globally distributed online services. It is medium to high assurance and very low-cost, because users are already provisioned with a phone. Instead of carrying a token, users receive a one-time PIN code on their phone via SMS or voice call, and enter it alongside their password. Because the code travels over a channel separate from the login session, it is an out-of-band factor, and its assurance depends on that channel: the code should be short-lived, valid for a single use, and protected against repeated guessing, and the agency should manage phone-number changes as carefully as it manages password resets. Many users are already comfortable with the process and prefer to use their phone rather than carry an additional piece of hardware. Typically, the only cost associated with phone-based authentication is a per-transaction or per-user fee to cover the cost of placing the call or sending the message.
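The server side of the phone-based flow described above, as an added example; this is not TeleSign's code or product API. The service class, its constants (six digits, five-minute lifetime, five attempts), the user ID and the phone number are all assumptions made for illustration, and delivery to the phone is abstracted as a callable so the code runs offline. The point it shows that the paragraph does not is what a verifier has to do to keep an SMS or voice one-time PIN medium- to high-assurance: store only a keyed hash of the code, compare in constant time, expire it, allow one use, and lock it after too many wrong guesses.

```python
"""Issue and verify phone-delivered one-time PIN codes (added example, not vendor code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6            # assumed: length of the one-time PIN
CODE_TTL_SECONDS = 300     # assumed: a code is only valid for five minutes
MAX_ATTEMPTS = 5           # assumed: lock the code after this many wrong guesses


@dataclass
class PendingCode:
    digest: bytes          # HMAC of the code; the plaintext is never stored server-side
    expires_at: float
    attempts: int = 0


class PhoneOtpService:
    """Server-side state for one-time PINs delivered by SMS or voice call."""

    def __init__(self, server_key: bytes, send, clock=time.time):
        self._key = server_key      # secret used to key the stored digests
        self._send = send           # callable(phone_number, message); the SMS/voice gateway
        self._clock = clock         # injectable for testing expiry
        self._pending: dict[str, PendingCode] = {}

    def _digest(self, user_id: str, code: str) -> bytes:
        # Bind the digest to the user so a code issued to one user cannot be replayed as another.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, phone_number: str) -> None:
        """Generate a fresh code, remember only its digest, and hand the plaintext to the gateway."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Re-issuing replaces any earlier code, so at most one code is live per user.
        self._pending[user_id] = PendingCode(
            digest=self._digest(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send(phone_number, f"Your one-time code is {code}")

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok', 'invalid', 'expired', 'locked' or 'no_code'."""
        rec = self._pending.get(user_id)
        if rec is None:
            return "no_code"
        if self._clock() > rec.expires_at:
            del self._pending[user_id]          # stale code can never be redeemed
            return "expired"
        rec.attempts += 1
        if hmac.compare_digest(rec.digest, self._digest(user_id, submitted)):
            del self._pending[user_id]          # single use: a captured code is worthless afterwards
            return "ok"
        if rec.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]          # force a fresh issue instead of allowing more guesses
            return "locked"
        return "invalid"


if __name__ == "__main__":
    # Constructed demo: capture what would have gone to the SMS gateway instead of sending it.
    outbox = []
    svc = PhoneOtpService(b"server-secret", lambda phone, msg: outbox.append((phone, msg)))
    svc.issue("officer42", "+15555550100")      # assumed user and phone number
    code = outbox[-1][1].split()[-1]
    print(svc.verify("officer42", "000000" if code != "000000" else "000001"))  # invalid
    print(svc.verify("officer42", code))        # ok
    print(svc.verify("officer42", code))        # no_code (already used)
```

In production the `send` callable is the SMS or voice gateway and `server_key` lives in a secrets store; the in-memory dictionary would be replaced by shared storage so any front end can verify a code issued by another.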
Choosing the right solution
In general, an effective solution needs five things:
1. A proven authentication method;
2. Strength appropriate to the risk;
3. Low total cost of ownership;
4. A good user experience;
5. End-point independence.
It is very important to consider the following when choosing the type of authentication:
- Don’t assume that all solutions are created equal. Some two-factor authentication solutions are not strong enough on their own. Are KBAs enough for your workforce?
- Consider how it will be used in the field. What are the different implementations?
- Evaluate the delivery options and architecture, in light of current and future needs. Make sure your solution scales in practice and in terms of the financial commitment.
Balance of security and ease of use
Frequent employee interaction with CJIS data increases the importance of choosing an efficient authentication solution. Phone authentication leverages a technology that is already part of every user’s life -- the telephone. With no extra devices to carry, phone authentication is quick and seamless.
Another important factor to consider when choosing a CJIS-compliant solution is price. Adding a layer of security can be costly, so it is important to choose a cost-effective solution. Provisioning users with hardware or software carries a high up-front cost and increases ongoing operational costs. In addition, hardware tokens are often lost, and soft tokens can be difficult to install or maintain, which creates user friction and increases support staff costs. With phone authentication, organizations can keep costs low because it is easy to deploy and there are no tokens to maintain.
Chris Jensen is Public Sector Specialist at TeleSign. He can be reached at: