Moving IAM and PAM Tools to the Cloud
In 2018, one federal agency decided to transform its on-premises IAM and PAM programs and move them to a cloud-based environment — a bold move considering PAM involves agencies’ administrator passwords.
Focal Point Data Risk, now part of CDW, worked with the agency to redesign and migrate IAM and PAM tools from SailPoint Technologies and CyberArk into the Amazon Web Services GovCloud for the department and four of its bureaus.
A primary driver of the shift was the agency’s need to comply with the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program. By moving IAM and PAM programs to the cloud, the agency hoped to gain tools that were easier to manage, support and update while maintaining high levels of security.
Cloud providers that go through the Federal Risk and Authorization Management Program certification process have proved that they offer the highest level of security to meet government requirements. FedRAMP approval gives agencies greater comfort in using cloud-based tools, even for sensitive programs such as IAM and PAM — tools that touch all of the agency’s applications that workers use every day, as well as agency administrators and the databases and passwords they manage.
In 2022, the General Services Administration signaled its support for this approach and released a Cloud Identity Playbook to help guide agencies “as they begin or expand the use of workforce identity, credentialing and access management services delivered via the cloud”. With cloud-based Identity as a Service, privileges are limited to those allowed by the service, and it delivers unlimited and automated scaling with global availability, as GSA notes.
Granular IAM and PAM tools are essential building blocks to any agency’s zero-trust architecture, and while agencies can modernize these tools to meet zero-trust requirements without using cloud-based approaches, migrating such tools to the cloud gives agencies greater flexibility.
How Managed Services Can Help Federal Agencies
Following the deployment, the agency partnered with Focal Point to receive 24/7 managed services for both their IAM and PAM programs.
During the pandemic, many civilian agencies saw their IT departments upended as workers left for higher salaries in the private sector. That has only increased the need for highly skilled and specialized federal workers who can manage IAM and PAM tools, especially as agencies transition to zero trust.
Managed services can provide help desk functionality and partner with agencies to manage software upgrades. Many are specialized in the technologies that underpin agency solutions. These services can be customized to meet an agency’s needs, providing coverage during typical working hours or 24/7.
These kinds of managed services offer tools such as IAM and PAM, as well as other cybersecurity functions, applications and services beyond the cyber realm, especially as more of those services migrate to the cloud.
To maintain and modernize legacy systems, agencies will need highly skilled workers. Managed service providers can fill the gap and help agencies that need workers with niche skills. This alleviates the burden on CIOs and other IT leaders who seek to ensure that solutions adhere to strict zero-trust requirements and other federal standards.