As identity management takes a front seat in agencies’ zero trust security journeys, Federal and industry leaders agree that the government’s Identity, Credential, and Access Management (ICAM) framework is essential to applying zero trust architectures, as is consolidating ICAM approaches within agencies.
Identity management isn’t just about people; it’s also about devices and data, Ken Calabrese, program manager of the ICAM program in the Office of the CIO at the Department of Energy (DoE), explained during a Jan. 5 Federal News Network event.
“Originally, it was all about people. And now particularly with zero trust, we know it’s well beyond people, it’s devices, it’s data. So this is actually a fun time…a lot of us have built the foundation, if you will, and it’s kind of exciting now that we’re extending this past the traditional people-based ICAM programs,” Calabrese said.
Implementing the ICAM framework can pose a challenge to some agencies, however, especially when an agency’s individual bureaus are all procuring their own ICAM solutions.
André Mendes, CIO at the Department of Commerce, said this was the case at Commerce when he started about 18 months ago. Since then, Mendes has launched a program that is consolidating 13 separate identity and access management systems across the agency, which has numerous subcomponents.
“I expect that within the next six months, we will have just about all of our applications, and all of our bureaus joined together with one system – a federated system of course – but one that is far more advanced than what we had just 18 months ago, with a common solution,” Mendes said.
Sean McIntyre, the director of solution delivery in the Office of the CIO at the Federal Aviation Administration, said his agency is also undergoing an ICAM consolidation effort.
“One of the things that we’re trying to rein in is the fact that one program might establish their own identity solution, and then another one will go out and establish another. And what we’ve gotten them to do is start to look at it holistically and adopt a single solution,” McIntyre said. “With that, we also plan to integrate our workforce into that same solution so that we can front-end any of our applications with that same solution.”
Consolidating ICAM solutions has helped Federal leaders on their zero trust journey, allowing them to more easily modernize identity and access management approaches.
“How do you get to zero trust without identity? I don’t know of a way that you get there,” said Aubrey Turner, an executive advisor at Ping Identity. “And if you’re saying how do you get to least privilege without identity, and least privilege is part of zero trust, there’s just no way to get there without identity.”