Hackers don't have to force their way into systems anymore — employees increasingly give them access via successful social engineering attacks.
To defend against the threats, some agencies are moving away from department-based, stove-piped systems toward identity and access management (IAM), a security discipline that combines identification, authentication and authorization to give IT staff consolidated control over how resources are protected.
The General Services Administration, for example, employs two-factor authentication to identify users, says Steve Sill, director of the GSA’s USAccess program; nearly all employees and contractors require both a one-time code and a personal identity verification (PIV) card to access the system.
“Strong two-factor authentication, besides being mandated for use in federal systems and facilities, also gives a higher level of assurance for users that their credentials can’t be compromised when in use,” Sill says.
Additional benefits of IAM include:
As agencies continue adopting cloud applications to save money and gain efficiencies, users are often left struggling to remember multiple usernames and passwords. Single sign-on (SSO) functionality solves that problem by making multiple systems available through a single login process.
The State Department, which uses Microsoft Identity Manager to provision accounts, offers SSO capabilities through Active Directory integration. Gerald Caron, acting director of enterprise network management, says the setup lets State Department employees access Microsoft Office 365 applications through a portal.
“I go to the site and it recognizes me because I’ve already authenticated with a known, trusted system on a trusted network, and it allows access seamlessly,” he says.
Because IAM solutions can streamline and automate security processes such as user provisioning, agencies that adopt the technology can save valuable time.
“If you can automate requests for things that might not need management approval — for example, everyone gets access to email systems that are a lower risk — administrators are no longer needed to do those kind of manual tasks,” says Ant Allan, research vice president at Gartner.
That sort of efficiency gain can be a strong lure for government agencies. The Small Business Administration, for instance, is considering moving to a centralized, automated system to cut down on the amount of time IT spends patching and maintaining third-party systems, says Guy Cavallo, the SBA’s deputy CIO.
“That ties up a lot of resources on the IT back-end side,” Cavallo says about the maintenance efforts. “We’d rather direct them to do other things to help our program offices.”
Besides freeing up staff resources, IAM automation can help reduce mistakes — like duplicated accounts and database inconsistencies — that arise when administrators have to provision users manually.
“Humans are prone to error,” Caron says. “The more people you invite into a process, the more likely it is to break down at some point.”