Security

IAM Is Fundamental to Zero Trust. Where Should Feds Start?

The adoption of modern identity and access management tools is both urgent and complex.

Marty Spain is CDW•G's Director of Federal Services & Solutions, and leads a team of energetic problem solvers and creative thinkers to support some of the most complex national security systems.

Paul Petroski

Paul Petroski is the Federal CTO for Focal Point, a CDW company, and provides complex, enterprise-class solutions to public and private sector clients. His current responsibilities include project and program management, solution development and innovation, team management and development, business development and project delivery for federal government customers. He has substantial experience that spans verticals and solution offerings in the IT middleware space, with a focus on identity and access management and data security.

Jim Walker

Jim Walker is an IAM Manager at Focal Point, a CDW company. He has more than 18 years of experience as a federal employee leading, architecting and building authentication and identity management solutions. His current responsibilities include project and program management, solution development and innovation, team management and development, business development and project delivery for federal government customers.

On Jan. 26, the Office of Management and Budget published the federal government’s final zero-trust strategy, laying out what agencies are required to do between now and Sept. 30, 2024, to transition to a new security architecture.

The strategy recognizes that stronger enterprise identity and access management controls are fundamental to zero trust. “Without secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks,” the strategy notes.

But modernizing IAM and privileged access management (PAM) tools can be a daunting task for agencies, even those with relatively mature identity controls in place. Where should federal IT leaders and security teams begin?

As with many complex technology transformations, it should start with an assessment of the current state, followed by pilot programs and implementations, through to ongoing support and maintenance. CDW’s recent acquisition of Focal Point Data Risk, a world-class provider of IAM and other cybersecurity solutions, means that federal agencies can turn to a trusted partner to help them navigate the tricky path to zero trust.

Click the banner to get access to customized content on cybersecurity by becoming an Insider.

How Agencies Can Start Modernizing IAM Systems

Upgrading IAM systems requires modernizing the underlying technology as well as the business processes connected to these solutions. Agency IT leaders need a clear view into how all their existing users, systems and applications tie into their IAM and PAM solutions. Those include not just the employees and contractors, but their devices as well. The systems can range from human resources, payroll and enterprise resource planning to networking, messaging and mission-critical applications.

IT leaders can and should start with an in-depth assessment to determine where they sit on an IAM maturity model. That will help determine how well agencies are managing the user lifecycle and show which users have access to which apps or data, under which circumstances and when. It will also help assess whether their systems are using commercial tools that can be updated and eventually automated.

Assessments also need to determine the agency’s processes for change management and user support related to IAM.

Following a comprehensive assessment, IT leaders can start building a roadmap for modernizing IAM solutions in line with the agency’s mission and business goals, all under the rubric of zero-trust principles.

The final strategy document calls for the deployment of centralized identity management systems for agency users that can be integrated into applications and common platforms, as well as for the adoption of strong multifactor authentication. Importantly, the strategy notes that “when authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.”

This process will likely take several years, so agencies will need to start with pilot programs and establish key milestones. Working with trusted partners like CDW•G, agencies must also look forward and determine what kind of funding they will need to ensure that modernization continues.

IT leaders should also consider what kind of long-term support and expertise they will need to maintain enterprise-level IAM systems that enable zero trust. At the same time, they should also consider how to modernize businesses processes related to IAM, such as onboarding new users and contractors and deactivating access for those leaving the agency.

EXPLORE: How will zero trust evolve in the federal government in 2022?

Modernized IAM Offers Benefits to Federal Agencies

There are many obvious benefits to a modernized approach to IAM, including the ability to support just-in-time access, in which users get access for a defined period of time, perhaps just a few hours, so that a specific task can be performed.

Modernizing IAM also enables agencies to enhance their productivity by onboarding and offboarding users more quickly and accurately. Upgraded IAM tools are also more adaptable and responsive to changing mission requirements and government mandates.

Additionally, upgraded IAM systems make it easier for agencies to leverage strong multifactor authentication for a variety of use cases: government to government, government to business and government to citizen. Each having specific use requirements around identity proofing depending on the risk posture of the application/use case.

The shift to zero trust is really a rallying cry for implementing modern IAM tools. These tools are needed now more than ever as agency workforces continue to work remotely. The time to modernize IAM solutions at agencies is now.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.