Since 2004, federal agencies have had to follow a presidential directive that mandates a federal standard for secure and reliable forms of identification. Yet the issue of identity and access management continues to bedevil the government. Also known as ICAM (identity, credential and access management), IAM systems have allowed IT teams to streamline their identity management efforts.
According to a 2018 Office of Management and Budget and Department of Homeland Security report, one of the most significant security concerns that results from the government’s current decentralized and fragmented IT landscape is IAM processes.
The report called on agencies to “improve their IAM architecture through the centralization of such solutions” and said agencies “need to move toward a single, authoritative solution for establishing and managing attribute- or role-based access controls for their users.”
The issue is clearly a high priority for federal IT leaders. According to a 2018 Digital Trust survey sponsored by Unisys, about two-thirds (64 percent) of federal government IT leaders view identity management solutions as a “very important” way to address the growing cybersecurity threat to their agencies. And in April 2018, OMB issued a draft memo on updating federal IAM policy.
“Agencies must be able to identify, credential, monitor, and manage user access to information and information systems across their enterprise in order to ensure secure and efficient operations,” the memo notes. “In particular, how agencies conduct identity proofing, establish digital identities, and adopt sound processes for authentication and access control will significantly impact the security of their digital services.”
What Is IAM?
At its simplest, as OMB notes, IAM represents “the security disciplines that enable the right individual to access the right resource, at the right time, for the right reason.” IAM is made up of the “tools, policies and systems that allow an organization to manage, monitor and secure access to protected resources,” the General Services Administration notes.
GSA’s Office of Information Integrity and Access manages the federal IAM program, which “provides collaboration opportunities and guidance on IT policy, standards, implementation and architecture, to help federal agencies implement ICAM.”
Jeff Kidwell, vice president of vertical markets at identity governance solution provider SailPoint Technologies, says his company looks at the issue through the lens of identity governance.
“Who has access to what? Should they have that access? Has that access been reviewed?” he says. “Governing that identity from start to finish of that lifecycle — it’s not about most privileges, it’s about least privilege.”
Unique IAM Challenges for Feds
The government faces several specific challenges when it comes to IAM. The vast scope of the government means that there are numerous IAM solutions spread across agencies. OMB found that, across government, agencies employ fragmented IAM programs, solutions and user directories, according to the 2018 OMB/DHS report.
“This structure prevents agencies from achieving a comprehensive understanding of their users, managing those users’ access to the agency network, and effectively safeguarding sensitive government information,” the report says.
For example, one agency noted that it has a decentralized environment with 23 domains and over 300 unique user groupings based on geographic location, “which precludes the agency from effectively managing users’ access to information across the enterprise.”
Furthermore, agencies’ inspectors general reported that only 55 percent of agencies limit access based on user attributes and roles and only 57 percent review and track administrative privileges. Further, only half of agencies have processes in place to restrict users’ access to information
Another challenge is the presence Personal Identity Verification cards and the unique challenges of managing PIV-enabled environments, Kidwell says.
“There’s a big gap between legacy systems like identity cards and authentication through new methods,” says Zeus Kerravala, founder and principal analyst of ZK Research. “There’s the theory behind ICAM, but making it a reality can be a challenge depending on the starting point.”
Yet another unique challenge is the fact that agencies have numerous contractors that work for them. Those contractors tend to come and go, and their identities must be continuously tracked and managed to ensure data security. Additionally, agencies’ use of contractors scales up and down depending on the work the agency is doing (for example, during a decennial census, the Census Bureau is likely to have a higher number of contractors).
How Agencies Can Choose and Deploy IAM Solutions
Kerravala says that agencies should look for an IAM vendor that can help them with a migration path between where they are today and where they need to be to meet OMB’s mandates. “Running systems in parallel is never a good long-term strategy,” he adds.
When agencies deploy IAM solutions, they typically do so not in one-year or three-year contracts but for decade-long agreements, Kidwell says. That means agencies need to “evaluate all aspects of your identity partner — not only their technology and platform, but also the company, their financials, commitment to the marketplace.”
Agencies should “look for a proven, market-leading platform that has the reference base and provides the flexibility to any given organization to meet their requirements from a deployment perspective.”
OMB Pushes for Updated IAM Policy
The draft OMB policy covers three main areas: implementation of effective IAM governance; modernization of agency IAM capabilities; and agency adoption of IAM shared solutions and services.
Agencies must “define and implement IAM policies, processes, and technology solutions that encompass the agency’s entire enterprise, align with the governmentwide Federal IAM Enterprise Architecture, and meet Federal policies, standards, and guidelines.”
Additionally, the policy says agencies need to designate an integrated IAM office, team, or other governance structure in support of its Enterprise Risk Management capability that includes personnel from the offices of CIO, chief security officer, human resources, general counsel, senior agency official for privacy, and component organizations that manage IAM programs and capabilities. Among other directives, the policy states agencies should “develop a mechanism to streamline and automate enterprise-level performance reporting” and that this mechanism should align with existing and planned reporting and analytics structures and tools, such as the Continuous Diagnostics and Mitigation dashboards and Federal Information Security Management Act reporting.
OMB also says that to modernize their IAM solutions, agencies need to “establish authoritative solutions for their IAM services, promoting the most effective solutions at an enterprise level.” Agencies also must “ensure that deployed IAM capabilities are interchangeable and developed based on open Application Programming Interfaces (APIs) and/or commercial standards to promote interoperability and enable componentized development.”
Meanwhile, OMB notes common shared solutions and services have been created or are being developed across government — such as credential management services and identity assurance an authentication service for consumers — to “support the accelerated adoption of modern ICAM capabilities. Agencies should begin moving to ICAM shared services and should plan to incorporate new services once they are available.”