DameWare: Remote Support and FIPS Compliance
Written by Glenn Cray from DameWare
Due to the sensitive nature of the data housed in federal IT environments, government agencies are typically held to particularly stringent information security standards. For example, the Federal Information Processing Standards (FIPS) outline requirements for protecting data and computer systems. However, adhering to such provisions does not prevent all risks, and recent events have clearly showcased a need to go beyond established data protection frameworks.
The most recent and highly publicized data breach in the National Security Agency serves as a powerful reminder that even the strictest of security frameworks can be bypassed. Federal contractor Edward Snowden, who was acting as an NSA administrator, leaked data regarding the agency’s PRISM program – an initiative designed to collect information related to risks of national interest. Regardless of whether Snowden is seen more as a hero or a villain, the incident has revealed that information security gaps exist in highly regulated IT systems.
How does the government use FIPS?
FIPS includes numerous publications dealing with topics ranging from protecting cryptographic keys to processes for authenticating federal employees and contractors. In particular, FIPS 201 details the latter issue, with provisions for verifying identity for physical and digital access to government assets. For computer systems, FIPS touches on a number of verification methods, noting that the strength of each method varies and is heavily dependent on the security of the authentication mechanism used. These strategies include:
- Biometric scans
- Smart Card authentication
Smart Card technology is one of the most common identity verification methods used today. Employees are given a card with an embedded chip that is unique to each person. A card reader at each station can then be used to login to a workstation. This allows a higher degree of security than the traditional username/password combination and is less inconvenient than more cumbersome options. While the card itself stores personal information, this data is safely guarded – usually by requiring a PIN to gain access. More extensive measures such as biometric scanning can also be used to limit unauthorized access to Smart Card data.
“Smart cards are manufactured with security countermeasures that thwart cloning, counterfeiting, and tampering,” the Smart Card Alliance stated. “Built-in security features include metal layers, sensors that detect thermal and UV light attacks, and software and hardware circuitry to thwart differential power analysis.”
While security is a prominent concern, it is equally important to ensure that employees can still do their jobs effectively. This is why many cumbersome authentication practices have not been widely adopted, while relatively simple solutions such as Smart Cards have become popular.
Remote Support and Smart Cards
The main drawback with traditional Smart Card authentication is that it requires physical access to a workstation. This can make it more difficult for IT support staff to do their jobs effectively, since they would normally have to physically input their cards at each station’s reader. However, the U.S. Army contracted DameWare in 2006 to address such issues, making it the first company to offer a remote support solution that supports Smart Card authentication.
Since then DameWare has been deployed in many organizations that require Smart Card authentication for increased security. DameWare Remote Support (DRS) and Mini Remote Control (MRC) allow IT staff to authenticate via Smart Card from a remote location. This drastically cuts down on the amount of time required needed to troubleshoot end-users’ computers, especially in large organizations or those with multiple locations. By cutting down the need for direct contact with end-users’ computers, DRS and MRC can also save money for organizations that would otherwise have to hire IT staff for each location.