
Nov 23 2022
Security

Assess Identity Management Maturity to Protect Against Credential Theft

Focal Point Data Risk’s Rapid IAM Strategy Assessment provides an objective measurement for federal agencies.

As federal agencies work towards a zero-trust environment, identity verification becomes critical. Users must be able to verify their information before entering the network, and they will need assistance in protecting those credentials.

Captured credentials remain the most efficient and undetected technique for compromising an enterprise, and well-designed identity and access management (IAM) programs are a critical barrier against these threats.

Focal Point Data Risk’s Rapid IAM Strategy Assessment provides an objective measurement of an agency’s IAM program and its ability to protect itself.

The assessment is geared toward going in and focusing on what the current lifecycle and access management processes are for end users of any type. Say a federal worker arrives in the office or logs on remotely. How did they get access to all of their systems, and what permissions did they have within them?

The IAM assessment is a series of live interviews to gather information about how all that works. Here’s more on the system’s benefits and how it works and fits into an evolving zero-trust environment.


The Assessment Strategy Is Customized to an Agency’s Specifications

The Rapid IAM Strategy Assessment is customized to specific needs, selecting from a number of IAM risk areas. The assessment can also align with ISACA’s IT Assurance Framework (ITAF), COBIT 5.0, ISO 27001/27002, ITIL v3, or the NIST standards.

Agencies that receive the assessment can customize their assessment scope based on need. The assessment can cover:

  • Authorization
  • Shadow IT
  • Separation of Duties policies and toxic combinations
  • Unique identifiers
  • Role-based access controls
  • Strong authentication/multifactor authentication
  • User provisioning, termination and transfer
  • Employee or customer user repository
  • Privileged account management
  • Generic, system and non-human account management

How Focal Point Works with Your Team

A major component of this assessment is the interview process, where Focal Point gathers information on current-state processes, the status of technical debt and what systems look for to manage identities.

Ultimately, the interviews aim to gather what your agency wants to achieve going forward. Focal Point speaks with vast numbers of people to get this information, including human resources experts, security teams, application stakeholders and business management teams.

Interviews are also meant to help agencies identify gaps in their identity management solutions that pose security risks. To this end, Focal Point may also interview stakeholders in this realm, such as risk managers.


Rapid Assessments Provide Security Benefits

After interviews come assessment results, where Focal Point provides feedback to clients on the maturity of the IAM system in its entirety, and what Focal Point’s observations and recommendations are relative to the business outcomes that the organization identified. With these points in mind, Focal Point then provides a two-year roadmap for your team.

With Focal Point being a third party, your agency receives an objective evaluation of your IAM, and with the ability to select the scope of the assessment, you can maximize its value. The assessment also measures your IAM against best practices, meaning you can future-proof your program by incorporating those practices.

Focal Point will also work with you to incorporate compliance mandates to meet the standards that align with the Sarbanes-Oxley Act, the European General Data Protection Regulation and the Health Insurance Portability and Accountability Act (HIPAA).

There has been an effort to interpret and plan around several directives, including:


Given the high focus that M-22-09 places on identity management, agencies are working to understand how investments in customer data management will translate to compliance with the Federal priorities for Zero Trust. According to OMB’s memorandum, those priorities envision a Federal Government where:

  • Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from targeted, sophisticated phishing attacks.
  • The devices that Federal staff use are consistently tracked and monitored, and the security posture of those devices is considered when granting access to internal resources.
  • Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
  • Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
  • Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.

The memorandum notes that this strategy places significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication.

Identity management is a key part of a zero-trust security posture, something that more and more organizations are embracing with the rapid adoption of cloud computing. In an age of remote work and dispersed teams, having a strong IAM is imperative.

The reality is that with a distributed workforce and the distributed nature of the data, a lot of it moves out to the cloud. The normal historical boundaries no longer make sense, and agencies must adapt.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.
