As anywhere, anytime computing takes hold within government, providing secure access for users — from home, from a conference center or even from the cafeteria — has never been more critical. And now, agencies are upping the ante with "bring your own technology" efforts, letting workers use personal devices to tap into federal networks.
Identity management is key, particuÂlarly as agencies move to virtualized environments and cloud computing to serve end users.
Can agencies verify that users seeking access to their networks — and, more critical, to their data — are who they say they are? Can the IT security team monitor those users' network travels and the data that they touch after they're inside the firewall?
On the Move
Technology to validate users at the gateway exists in any number of products, from full-blown identity management systems to network scanning tools and gateway appliances that run health checks on systems before granting access. Plus, through the use of personal identity verification (PIV) cards, many agencies have proliferated IDs to validate logical access.
Yet, the idea of managing access for moving targets — device-wielding users — takes the cybersecurity dynamic within government to an entirely new level. It's simply not enough to check IDs at the door, as if your network were a nightclub. Once inside, the fact that a user has cleared firewalls and the demilitarized zone with a PIV card does nothing to protect against any insider attack that could be launched.
"The key to data portability and internal auditing is identity management," says Brig. Gen. Steven Spano, director of communications for the Air Combat Command at Langley Air Force Base, Va.
Once a user is inside a network, there's a definite need to extend the use of role-based authorization — for content, authentication, auditing and enterprise administration of identity management, Spano explains in a video shot at a FedScoop conference. And enterprise, in this sense, does not mean a single military service or agency, but the entire federal government.
The reason role-based authorization is essential when it comes to accessing content anywhere in the enterprise is because it can provide an audit trail. By analyzing where people roam in the infrastructure and the data they access, an agency's IT security team can conduct forensic audits should a problem arise. Perhaps even more important, the team can correlate information in audit reports to predict the items inside the agency's networks that are most susceptible to tampering — whether from outside or from within.
Dollars and Data
Essentially, it all comes back to risk management. With this type of data analysis in hand, an agency can make informed decisions about data exposure risks, security measures and where best to spend precious dollars to reduce intolerable risk levels.
As Spano puts it: "How much protection is enough, and what do you protect?"
Without a perimeter, risk management cannot be an all-or-nothing proposition.
Agencies have made amazing leaps forward with both network access control and encryption. They've also spent extensive time refocusing the cyberÂsecurity debate on data. Now's the time to take identity management beyond the gateway and down the network stack — to where the government's data assets reside.