Employees across the federal government who want access to the health data and systems maintained by the Centers for Medicare and Medicaid Services first must put their memory through an intensive workout as part of the login process.
CMS oversees key health programs for seniors and children and stores valuable data on medical providers, program enrollment and prescriptions. But the thousands of state, federal and business users who need that information must remember multiple passwords and login IDs to find what they’re looking for.
IT leaders want to make this process smoother, so the agency has kicked off a pilot program that manages identity through the cloud.
CMS does not have a single method for logging on to its services today. But, in an effort to reduce user burden, the agency is moving toward single sign-on. Leaders believe that will make it easier for users to access CMS data and systems, while ensuring data security, and ultimately improve healthcare delivery.
In recent years, a growing number of agencies have enlisted a third-party provider to handle user authentication. This approach, known as Identity as a Service, enables IT leaders to grant users access to specific applications, files and other items.
“They’re looking for stronger authentication, and IDaaS has become more popular,” says Frank Dickson, research director at IDC. “You’re talking about authentication and trying to replace passwords with something stronger.”
Because physical tokens, biometrics or other methods verify users’ identities, users can then securely access data from a variety of devices and locations with a single username and password. This matters as the number of devices in use keeps growing.
By outsourcing authentication, agencies can focus on programs other than identity management, says Mike Garcia, former director of the National Institute of Standards and Technology's trusted identities group.
“Building and providing identity services is not part of an agency’s mission,” Garcia says. “A lot of organizations, including federal agencies, are determining, yes, we need this as part of our organization, but it’s not something that we have to own or build ourselves.”
IDaaS Streamlines Identity Management and IT Costs
Currently, the Justice Department, the Federal Communications Commission and the Surface Transportation Board all rely on Okta’s IDaaS offering, which has been approved by the government’s Federal Risk and Authorization Management Program.
Several other agencies have expressed an interest in the IDaaS technology, says Ashley Mahan, FedRAMP agency evangelist.
“ID as a Service is a newer technology in the federal space,” Mahan says. “IDaaS opens doors to agencies by making it possible to centrally manage access to cloud environments in a more efficient and automated manner, with the opportunity to enhance security and reduce their overall IT footprint.”
Because an IDaaS system can help agencies reduce administrative needs, it can also help agencies reduce costs.
“It’s a service, so you’re not buying a lot of hardware or software,” Dickson says. “If you go with a one-time token system, you’ve got to pass them out, manage them, reissue them if people lose them. There’s maintenance associated with it.”
User experience is also a key selling point for some agencies, including CMS.
The Maryland-based agency hopes to eventually provide a single set of credentials for all of healthcare clinicians’ interactions with CMS, so that users can move from one CMS application to another without logging in to each one separately. This would eliminate the need to remember multiple user IDs and passwords.
IDaaS also offers scalability to help address seasonal peaks in an agency’s workload. IDaaS solutions, such as Okta, charge license fees on a month-to-month basis, which CMS sees as advantageous.
Easily Monitor Behavior and Uncover Risks
Some agencies are drawn to identity services because they offer tracking capabilities, Dickson says. This includes what’s known as adaptive authentication, where a specific situation, such as multiple login attempts or an unusual IP address, dictates which verification technique may be required.
“Once a user logs on to a particular cloud-based application, you can constantly monitor activity,” he says. “If it’s diverting from what you think is typical, you can ask for another type of verification. To be able to detect things that are fraudulent — dynamically, in real time — provides stronger authentication.”
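To make the adaptive-authentication idea above concrete, here is an added illustration (written for this article, not the logic of Okta, CMS or any other product): each login attempt is scored against a few risk signals, and the score decides whether a password alone is enough, a second factor must be requested, or the attempt should be refused and flagged for review. The signals, weights, thresholds and "trusted" address ranges are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example of a risk-based step-up policy. Real deployments use
# many more signals (geo-velocity, device posture, time of day); the shape
# of the decision is what matters here.

@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    recent_failures: int   # failed attempts for this user in the lookback window
    known_device: bool     # device previously registered to this user

# Hypothetical address ranges the organisation considers familiar (constructed).
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]

def risk_score(attempt: LoginAttempt) -> int:
    """Sum weighted risk signals; higher means a less typical login."""
    score = 0
    if not any(ip_address(attempt.source_ip) in net for net in TRUSTED_NETWORKS):
        score += 2   # unusual network location
    if attempt.recent_failures >= 3:
        score += 3   # burst of failed logins: possible credential guessing
    if not attempt.known_device:
        score += 1   # first sight of this device
    return score

def required_verification(attempt: LoginAttempt) -> str:
    """Map the score to the verification the login flow must perform."""
    score = risk_score(attempt)
    if score >= 5:
        return "deny_and_alert"               # hand off to the SOC, do not prompt
    if score >= 2:
        return "password_plus_second_factor"  # step up to MFA
    return "password"                         # typical login, no extra friction

def evaluate_batch(attempts: list[LoginAttempt]) -> dict[str, str]:
    """Decide every attempt in a batch; useful for replaying a log sample."""
    return {a.user: required_verification(a) for a in attempts}

if __name__ == "__main__":
    # Constructed sample: a normal login, an unfamiliar network, and a
    # guessing burst from an unknown device on an unfamiliar network.
    sample = [
        LoginAttempt("alice", "10.20.5.7", 0, True),
        LoginAttempt("bob", "203.0.113.9", 0, True),
        LoginAttempt("carol", "203.0.113.9", 4, False),
    ]
    for user, decision in evaluate_batch(sample).items():
        print(f"{user}: {decision}")
```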
In addition, a provider that specifically focuses on IDaaS may have more time and resources to dedicate to discovering potential identity risks and solutions than IT professionals who are responsible for other tasks.
“It’s a model a lot of agencies see makes sense for them,” Garcia says.
Each agency’s specific infrastructure needs dictate whether IDaaS is an option. For example, it may not work for agencies that haven’t embraced a cloud-based structure or those with legacy, homegrown applications, Dickson says. An agency with offsite collaborators who find it difficult to access federal networks may also run into issues.
But for many agencies, the capacity for single sign-on access, multifactor authentication and other security-centric elements makes it a smart choice.
“Looking at the authentication capabilities of IDaaS compared with other options, there are password solutions on one end, which offer a poor user experience and aren’t incredibly safe,” Dickson says. “On the other end, a one-time password is secure, but usability is a little challenging. In terms of authentication and usability strength, it’s hard to get past how compelling IDaaS can be.”