Federal agencies must build “identity-aware” infrastructures to effectively monitor and manage user access to information and information systems across their enterprise for more secure and efficient operations, according to cybersecurity experts.
“Agencies should be looking at solutions that are easily implemented and maintained, and that also provide a robust and extensive integration framework,” according to Frank Briguglio, public sector identity governance strategist with SailPoint, a provider of identity management solutions.
Agencies should deploy a framework that includes connectors, plug-ins, application programming interfaces, software development kits, and integration modules that will let them connect all their information technology and security investments. These components form the basis for a platform that will let agencies manage identities across applications, systems, and data stored in files residing across a hybrid environment of cloud and on-premises resources.
“This creates an identity-aware infrastructure,” Briguglio said.
The spotlight was turned on efforts to improve identity management back in April when the Office of Management and Budget (OMB) issued a draft policy to strengthen the cybersecurity of Federal agencies through improved Identity, Credential, and Access Management (ICAM).
The draft policy focuses on three areas: implementation of effective ICAM governance, modernization of agency ICAM capabilities, and agency adoption of ICAM shared solutions and services. The Office of the Federal CIO is now working to review public comments and will follow up with submissions if necessary, according to the OMB.
OMB officials want agencies to reduce ICAM solution overlap and deploy capabilities that are interchangeable and developed based on application programming interfaces (APIs) or other commercial standards to promote interoperability.
Projects to strengthen ICAM “vary from agency to agency. Some agencies are taking efforts to refresh their identity management solutions and reduce the complexity of their environments,” Briguglio said. “Some are taking advantage of the CDM [Continuous Diagnostics and Mitigation] program to replace or extend their existing environments that were based on legacy technologies with a modern platform that enables ease of integration and use,” Briguglio said.
In fact, OMB states that agencies should leverage the Department of Homeland Security’s CDM program to accelerate their procurement and deployment of tools aligned to ICAM capabilities. CDM enhances the security posture of Federal agencies, helping agencies deploy technology on their networks that provide enterprise-wide visibility of assets, users, and activities on their networks. This information allows agencies to monitor, defend, and rapidly respond to cyber incidents.
Deltek analyst John Slye wrote in April that the policy (depending on the rate at which OMB finalizes it), “will likely drive some demand for ICAM tools and related solutions and services that can be acquired via the CDM program as well as technology management and information architecture consulting services to assist agencies in evolving their ICAM security posture.”
ICAM governance is important for continual efforts to promote robust cybersecurity, according to OMB. To that end, the agency wants other agencies to leverage the approaches and principles detailed in the National Institute of Standards and Technology’s Special Publication (SP) 800-63, Digital Identity Guidelines. Moreover, agencies should follow Homeland Security Presidential Directive 12 (HSPD-12) requirements pertaining to the identity verification and credentialing of Federal employees and contractors.
“Some agencies have heavily relied on their HSPD-12 (Personal Identity Verification) solution and Active Directory as a complete identity management solution,” Briguglio noted. “While the PIV [Personal Identification Verification] card provides access to resources, it does not ensure the user is suitable for that access,” he said.
Therefore, agencies must integrate the full lifecycle process of user management, credential management, and access management with an identity governance solution that provides the enforcement of the necessary controls, process, and audit capabilities required by government directives and standards, he explained
“Agencies have also been faced with budget and resource cuts and are relying on their legacy systems that are not capable of meeting their demanding needs. The inability to implement a modern solution will proliferate the problem of overlapping solutions and complex custom developed identity management platforms,” Briguglio said.
The bottom line is agency managers will need a comprehensive identity management program that can manage access to all users, all applications, and all data to protect their agencies from cyberattacks in today’s increasingly complex, hybrid IT environments. Extending identity management solutions to other security solutions can provide the necessary identity context to further secure government organizations.