Digital identities are becoming increasingly important elements of today’s connected infrastructure across the public sector. Boosted by the growth in remote working over the past year, protecting their integrity is key to securing critical IT systems and confidential government information.
But as the recent SolarWinds breach demonstrated, compromised identities and the manipulation of privileged access offer a pathway for cybercriminals to gain access to infrastructure and data, with wide ranging and serious consequences.
With the SolarWinds incident widely described as a “watershed” for cybersecurity threats to the United States, it’s clear that many existing approaches to digital identity security are severely lacking. Indeed, Microsoft described the events of last December as a “moment of reckoning” requiring a “strong and global cybersecurity response.”
As a result, attention is now firmly focused on how government organizations can more effectively deliver secure and reliable Identity and Access Management (IAM). However, as the public sector accelerates efforts to digitally transform both internal and external infrastructure, services and access, digital identities are exposed to even further risk.
But what is IAM and why is it important? IAM is the discipline that enables the right individuals or non-human entities (machine identities) to access the right resources at the right times for the right reasons. In doing so, it addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments and meet increasingly rigorous compliance requirements.
With these key issues in play, momentum is already gathering in Washington for major legal and regulatory change to better protect government organizations and constituents alike. If passed, for example, the Improving Digital Identity Act of 2020 will direct the National Institute of Standards and Technology (NIST) to create new standards for digital identity verification services across government agencies.
While a proactive approach from government and those responsible for designing and policing standards are key to a more secure future for digital identities, what’s also required are more rigorous, multi-layered cybersecurity strategies that don’t rely on a single solution for protection.
Specifically, as traditional network perimeters dissolve across government departments and beyond, the old model of “trust but verify” – which relies on well-defined boundaries – must be discarded. Instead, the default approach must focus on zero trust, or in other words, the “never trust, always verify, enforce least privilege” view of privileged access, from inside or outside the network.
In doing so, Privileged Access Management (PAM), a key component of IAM, can secure networks and prevent the kinds of identity-based cyber-attacks we read about so much in the headlines. Forrester Research estimates that 80 percent of data breaches involve privileged credential abuse. If 2021 is eventually seen as the watershed moment for public sector cybersecurity in general and the protection of digital identities in particular, organizations should grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.
But how does the application of PAM in government work in practice? The experiences of an agency within the Department of Defense (DoD) offers some interesting insight.
Using Privileged Access Management in DoD
In the late 90s, DoD adopted a standard identification Common Access Card (CAC) outfitted with a computer chip that supported public key infrastructure (PKI) credentials as its standard identification credential. In 2005, DoD mandated the use of the CAC for initial user workstation authentication across the entire network, as well as for web-based applications. While the use of a token dramatically increased the security of initial logins, privilege elevation by administrators was still accomplished with plain text usernames and passwords.
When an agency within DoD audited its process and found that privileged user authentication and privilege elevation were still being done with usernames and passwords – creating privilege sprawl across the department – alarm bells went off. U.S. Cyber Command issued a communications tasking order that identified the issue, described the actions required to address it, gave a deadline for completion, and began the process of implementing a reporting structure to ensure compliance.
One of the most critical requirements was to centralize all the account information associated with authentication. The team performed a survey of the market to identify potential vendors and solutions. After an evaluation of the few solutions that could meet their requirements – which included extensive functional and security testing both in the lab and the infrastructure – Centrify was selected based on functionality, maturity, and existing familiarity with the product.
Prior to its implementation, the agency had dozens of disparate identity repositories as well as local account stores in many systems, and an entirely separate infrastructure designed to support Linux servers. When someone wanted privilege on any one of those systems, a new account, username, and password were created.
Because administrators need access across multiple systems, the result was identity sprawl. Today, the department has made significant upgrades to its entire infrastructure, including an online, automated approach to privilege.
Agency employees are now provisioned into Active Directory once. If they require elevated privileges, they’re provisioned and deprovisioned quickly and easily with minimal human intervention. While the main driver was security, automating PAM has resulted in considerable cost savings. It has replaced multiple accounts, usernames, and passwords with a single account and a single authentication methodology. Tasks can now be performed without the complexity, risk, and waiting time. That has simplified day-to-day operations and made access to the system much more transparent.
To protect the often confidential information housed by government entities and their mission-critical systems, digital identity security must be prioritized. While there have been credential-driven government agency breaches reported in the last year, it is positive to see key agencies within DoD taking action to combat the associated risks through a centralized identity and least privilege approach. Between this example and the NIST standards moving forward, hopefully more and more agencies will follow suit.