Background
Starting with the definition: an air gap network “… is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It means a computer or network has no network interface controllers connected to other networks …”.[i] Air gapped environments are typically built for government agencies and critical infrastructure organizations. A common perception is that the air gap alone provides all the security that is needed. As in many situations in security, the reality is different: the air gap removes network-borne attack paths, but it does not remove the need for strong authentication. There are many well-documented attacks specific to air gapped networks, with more in the works. In fact, a recent article documents an attack that leverages a smart phone’s gyroscope to ‘exfiltrate sensitive information from air-gapped computers just “a few meters away.” ’ [ii] While a great many security considerations are eliminated, air gapped environments have different, and arguably heightened, authentication security needs.
Heightened Security Needs
Because they cannot leverage cloud-based identity products such as Microsoft Entra ID or a cloud-hosted Identity and Access Management (IAM) service, air gapped environments have heightened security needs compared with a connected datacenter:
- Fully Air Gapped Operations: Must be installed, maintained, and run without a network connection. Since air gapped environments typically run 24x7x365, maintenance must be applied in the background without causing a service interruption.
- Passwordless Authentication: To provide passwordless phishing resistant authentication, support for dedicated physical (such as PIV card and USB Key) and platform (such as Virtual Smart Card) authenticators and credentials must be provided.
- Authenticator Options: A recent Gartner report indicates that many frontline environments (oil rigs, manufacturing, and even retail) prohibit the use of smart phones.[iii] To span a wide range of device readers, multiple authenticator form factors must be supported.
- Stringent Authentication Needs: To comply with security standards, users must authenticate to the workstation as the first step. This is particularly important because the environment is typically installed and maintained from USB media. USB-based threats such as COTTONMOUTH-I (CM-I)[iv] can compromise a machine simply by being plugged in when the machine is powered on, so strong authentication must be enforced at the workstation level, not only at the application level.
- Leverage On-premises Environment: An authentication management approach must leverage the current on-premises environment.
- Limited IT Support: The system must operate without reliance on on-site IT or extensive Help Desk support.
- End User Manageability: To make up for the lack of formal IT support, the system must provide high end user self-service capabilities.
Axiad’s Strong Authentication for Air Gapped Environments
Overview
In response to the above needs, and working with Microsoft, Axiad recently issued a formal press release announcing an on-premises package, Passwordless for Air Gapped and Critical Environments. Axiad Unified Credential Management System (UCMS) is an on-premises product that provides unified, consistent, and efficient credential management for end users. Passwordless for Air Gapped and Critical Environments is a UCMS package deployed as an air gapped on-premises offering for critical infrastructure organizations, government agencies, defense contractors, and resellers.

With support for strong authenticators and authentication credentials across the organization, the package handles the authentication management lifecycle at scale. It is aimed at organizations with very high security needs or very significant on-premises application investments that want to reach passwordless authentication without disruption.

Passwordless for Air Gapped and Critical Environments is architected for air gapped on-premises environments. Initial installation and updates are performed from a thumb drive. The package enables passwordless authentication across the existing on-premises environment, including Microsoft AD, Microsoft CA, and more.

Addressing Air Gapped Environment Needs
Each heightened security need discussed above is addressed by Passwordless for Air Gapped and Critical Environments as follows:
- Fully Air Gapped Operations: The package has proven success running in air gapped environments and does not require a public connection to operate. Onsite personnel maintain it as needed by installing updates from a thumb drive.
- Passwordless Authentication: The package supports a full range of authenticators, including dedicated physical (PIV card, Smart Card, and YubiKey) and platform (Virtual Smart Card) authenticators and credentials. Certificate-Based Authentication (CBA) is also supported.
- Authenticator Options: As discussed above, many frontline environments prohibit the use of smart phones, and not every machine can read every authenticator, so authentication must support a full range of authenticators. The package allows multiple authenticators, each with its own credentials (one or more certificates), to be assigned and managed per end user, so any mix of ongoing and temporary (project-based) authentication can be managed.
- Stringent Authentication Needs: Many existing authentication approaches do not cover workstation logon, leaving a gap where the workstation itself is not protected by a passwordless, phishing-resistant authenticator. The package includes an AirLock feature that ensures the end user has set up the authenticator before accessing applications. Further, the end user must authenticate to the workstation each time before being able to access applications, either standalone or via SSO (via Microsoft AD).
- Leverage On-premises Environment: The on-premises ecosystem is a different software stack from the cloud ecosystem and typically builds on the Microsoft ecosystem. The package fully leverages Microsoft AD, Microsoft CA, Windows Server, and other components of the on-premises environment so that authentication is highly secure and consistent, without requiring upgrades to those components.
- Limited IT Support: Since the system must operate without reliance on on-site IT support, Axiad delivers upgrades and maintenance on thumb drives that local personnel can install, with Axiad support providing real-time guidance during installation.
- End User Manageability: Since IT is typically not onsite in air gapped environments, end users must be able to self-service authentication management. The package includes the AirLock and MyCircle features, which allow the entire Credential Enrollment and Account Recovery (CEAR) lifecycle to be self-serviced by the end user. The end user can select one or more authenticators and enroll the appropriate credentials (such as one or more certificates) on each. Thereafter, AirLock provides reminders to renew credentials via the Axiad Unified Portal. Finally, MyCircle allows account recovery to be approved by a designated “circle of trust” rather than via a lengthy phone call to the Help Desk.
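The workstation-level enforcement described under Stringent Authentication Needs, both in the list of needs above and in the Axiad response, ultimately rests on settings in the Microsoft components the page names (Microsoft AD, Microsoft CA, and Windows): the account must be flagged as requiring a smart card in AD, the workstation must require the authenticator at interactive logon, and the issuing CA must be trusted for logon. The following PowerShell is an added example, not Axiad's code, for auditing and enforcing those three points with the standard RSAT ActiveDirectory module and certutil; the OU distinguished name is a hypothetical placeholder, and the script is meant to be carried in and run on an admin host inside the air gap.

```powershell
# Added example (not Axiad's code): audit and enforce smart-card-only workstation
# logon in an on-premises AD domain. Assumes the RSAT ActiveDirectory module is
# installed on the admin host; the OU below is a hypothetical placeholder.
Import-Module ActiveDirectory

# 1. Domain side: every enabled account in the target OU must carry the
#    SMARTCARD_REQUIRED userAccountControl flag. With that flag set the DC
#    assigns the account a random password, so password logon is no longer
#    possible and the PIV/smart card certificate is the only credential.
$targetOu = 'OU=Operators,DC=example,DC=local'   # hypothetical OU
$needsFix = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $targetOu `
                -Properties SmartcardLogonRequired |
            Where-Object { -not $_.SmartcardLogonRequired }

foreach ($u in $needsFix) {
    Write-Host "Enforcing smart card logon for $($u.SamAccountName)"
    Set-ADUser -Identity $u -SmartcardLogonRequired $true
}

# 2. Workstation side: read the two local policy values that make the
#    workstation itself demand the authenticator. Run this on each host
#    (Invoke-Command, a startup script, or by hand), since air-gapped hosts
#    cannot be inventoried from a cloud console.
function Test-SmartCardPolicy {
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $wl  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        # "Interactive logon: Require Windows Hello for Business or smart card"
        # is stored as the DWORD scforceoption; 1 means password logon is refused.
        RequireSmartCard = ($sys.scforceoption -eq 1)
        # "Interactive logon: Smart card removal behavior" is the REG_SZ
        # ScRemoveOption: '1' locks the workstation, '2' forces logoff.
        LockOnRemoval    = ($wl.ScRemoveOption -in @('1', '2'))
    }
}
Test-SmartCardPolicy

# 3. CA side: smart card logon only succeeds if the issuing CA certificate is
#    published in the enterprise NTAuth store. An empty listing here means the
#    KDC will reject the logon certificate even though it is otherwise valid.
certutil -enterprise -store NTAuth
```

Step 1 is the control that closes the gap the text describes: flagging the account in AD means a stolen or guessed password is useless at the workstation logon screen, regardless of which application sits behind it. Step 2 is worth checking on every workstation after a thumb-drive update, since an image or policy refresh that drops scforceoption silently reopens password logon on that host.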
Benefits
Passwordless for Air Gapped and Critical Environments provides strong benefits to Federal Agencies, Critical Infrastructure organizations, Defense Contractors, and Resellers:
- Maximize Security: Passwordless authentication removes the password as a credential that can be phished, guessed, or replayed in attacks.
- End User Acceptance: By providing end user self-service and intuitive utilities, end user acceptance is maximized.
- Minimize Security Overhead: By streamlining effort for end users and IT, the overhead of day-to-day security operations and remediation is minimized.
Learn More About Passwordless Authentication in Air Gapped and Critical Environments
Based on our experience with Federal Agencies, Critical Infrastructure organizations, and Defense Contractors, Axiad created an on-premises package that delivers passwordless, phishing-resistant authentication in air gapped and critical environments without requiring upgrades. To learn more about how this package can work for your organization, visit our Passwordless for Air Gapped and Critical Environments page.

[i] Wikipedia: Air gap (networking)
[ii] TechCrunch: An experimental new attack can steal data from air-gapped computers using a phone’s gyroscope, August 24, 2022
[iii] Gartner: How to Authenticate Frontline Workers, G00792741, June 2023
[iv] Ars Technica: Playing NSA, hardware hackers build USB cable that can attack, January 20, 2015