CJIS Advanced Authentication Requirements and Microsoft Active Directory
Many local, state, and federal law enforcement and criminal justice agencies are adhering to the Criminal Justice Information System (CJIS) Security Policy for using Advanced Authentication when accessing the CJIS database from a remote location. There are many solutions available to these agencies to help them comply with the Security Policy, and almost all integrate well with Microsoft’s Active Directory. I came across a customer (small operation, only 80 users) who did not want to use Active Directory because they thought it would be too hard to manage. It took some convincing, but they agreed to use AD after I explained the benefits of using a centralized directory to authenticate against.
CJIS Requirements
CJIS is the largest division of the Federal Bureau of Investigation (FBI). This system provides criminal justice agencies with access to centralized information such as fingerprint records, criminal histories, and sex offender registrations. In June of 2008, the CJIS Security Policy version 4.5 was approved, outlining the minimum security requirements that all agencies must follow to protect the data being accessed within the CJIS system. Part of these requirements stated that access to CJIS would require additional authentication beyond a user name and password: something physical, like a proximity badge, combined with something “you know”, such as a PIN or password. This type of authentication would be needed for anyone accessing the CJIS database from a remote location, for example a police officer performing a background check during a traffic stop using their Mobile Data Terminal (MDT), or agency employees connecting over a VPN, among a number of other use cases. The first deadline for agencies to comply with the Security Policy was set for September 30, 2010, but has been extended to 2013. The CJIS Audit Unit will perform routine audits to ensure compliance. Penalties include administrative sanctions, individual criminal penalties, and termination of service.
Microsoft Active Directory
Products and services that help provide Advanced Authentication integrate well with systems already using Microsoft’s Active Directory (AD). AD provides secure, structured, hierarchical storage for objects in a network domain such as users, computers, printers, and other services. The directory is a special-purpose database designed to handle a large number of read and search operations and a significantly smaller number of changes and updates. Data stored in AD is replicated and extensible. Because every change is replicated to the other domain controllers, you do not want to store rapidly changing data in it, such as corporate stock prices or CPU performance figures. Typical directory data includes printer queue data, user contact data, and network/computer configuration data. Administrators can utilize User Manager to add and delete users, which are a distinct type of network object. AD is responsible for authenticating and authorizing all users and computers within a Windows domain, assigning and enforcing security policies on all computers in the domain, and installing or updating software on domain computers. When a user logs on, AD verifies his or her password and determines whether he or she is a system administrator or a normal user. It is built on top of an authentication protocol called Kerberos 5, which uses encrypted exchanges so that passwords are never transmitted in the clear. Machines joined to a domain are subject to its restrictions and also gain certain privileges, such as access to intranet-only sites.
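One way the “something you have plus something you know” requirement can be tied to the directory is AD’s built-in smart card logon flag, which makes Windows refuse password-only interactive logon for an account. The script below is an added example, not code from the original post or from Action Identity, showing how an administrator can audit the accounts permitted remote CJIS access and, optionally, enforce the flag on any that still allow password-only logon. It assumes the RSAT ActiveDirectory PowerShell module is installed and that a hypothetical group named CJIS-Remote-Access holds the accounts in scope; proximity badge systems mentioned above are not necessarily smart cards, so the flag is used here as an illustration of directory-enforced two-factor logon rather than as the post’s own method.

```powershell
# Added example (not from the original post or Action Identity): audit and enforce
# "smart card required for interactive logon" on accounts allowed remote CJIS access.
# Assumes the RSAT ActiveDirectory module and a hypothetical group "CJIS-Remote-Access".
Import-Module ActiveDirectory

$GroupName = 'CJIS-Remote-Access'   # hypothetical group name; adjust to your domain
$Enforce   = $false                 # $true applies the fix; $false only reports

# Resolve the group's user members (nested groups included)
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Pull the logon flag and account state for each member
$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties SmartcardLogonRequired, Enabled, LastLogonDate
    [pscustomobject]@{
        SamAccountName         = $u.SamAccountName
        Enabled                = $u.Enabled
        SmartcardLogonRequired = $u.SmartcardLogonRequired
        LastLogonDate          = $u.LastLogonDate
    }
}

# Enabled accounts that can still log on with a password alone are the compliance gap
$gap     = @($report | Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired })
$enabled = @($report | Where-Object { $_.Enabled })

$report | Sort-Object SmartcardLogonRequired, SamAccountName | Format-Table -AutoSize
Write-Host ("{0} of {1} enabled accounts in {2} do not require a smart card" -f $gap.Count, $enabled.Count, $GroupName)

if ($Enforce) {
    foreach ($g in $gap) {
        # Setting the flag makes Windows require the card and its PIN at interactive logon
        Set-ADUser -Identity $g.SamAccountName -SmartcardLogonRequired $true
        Write-Host "Enforced smart card logon for $($g.SamAccountName)"
    }
}
```

Run it first in report-only mode from a domain-joined workstation with an account that can modify user objects, review the list, and only then flip `$Enforce`. The flag governs interactive Windows logon; the VPN concentrator or MDT gateway that terminates remote sessions still needs its own second-factor check, so treat this as one control among several rather than the whole compliance story.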
I hope you have enjoyed learning about Microsoft Active Directory and the FBI CJIS Security Policy. For more information, please visit our website and our friends at CJISMandate.com. In addition, please view our demonstration of how Action Identity can outfit your organization with advanced authentication compliant technology on our YouTube channel.
If you have questions or comments, feel free to leave a comment below, or contact us.
To learn more about CJIS Security Policy and IDM:
http://www.actionidentity.com/blog/post.cfm/becoming-compliant-with-the-cjis-security-policy
http://www.actionidentity.com/blog/post.cfm/what-is-idm
http://www.actionidentity.com/blog/post.cfm/which-version-of-novell-identity-manager-is-right-for-me
http://www.actionidentity.com/blog/
Nov 25, 2011 at 7:58 PM
The mission of CJIS is to reduce terrorist and criminal activities. It is done through maximizing the ability to provide timely and relevant criminal justice information to the FBI and to qualified law enforcement, criminal justice, civilian, academic, employment, and licensing agencies concerning individuals, stolen property, criminal organizations and activities, and other law enforcement related data.