In the late '90s, public CIOs dreamed of a single sign-on for all of their applications. E-government authentication would be centralized and easier to use. The technical benefits of this vision were obvious - lower costs, better security and transparent policy compliance.

Today, most public enterprises still struggle to keep track of who does what on their networks. Users still complain of too many user names and passwords. Government organizations still get audit findings because they can't answer some basic questions: Who are you, and should you be accessing that file? What's needed is a new, modified vision for identity management: reduced sign-on with better access controls.

Some users are starting to doubt the authenticity of e-mails or systems. Citizens may wonder if links will lead to a spoofed Web site and a fake government portal - so they opt to get back in line rather than go online. Good identity management is an e-government imperative now more than ever.

Yes, there's hope. Significant progress is being made, especially in the federal government, regarding standardization and coordination of identity management across all government levels.

I offer three recommendations to public-sector technology professionals for improving control of identities and access in government:

1. Get organized with the right identity management team. Include end-users, business executives, business process owners and technical experts in the requirements definitions. Ensure that the project has a good project manager with clearly defined deliverables, metrics and a project charter. Make sure appropriate resources and priority are provided.

Once the team is assembled, agree on your long- and medium-term goals. Develop a road map to fit into your future overall technical architecture. You may be surprised how much support this effort gets, due to the recent focus of auditors.

2. Look again at available solutions. Research the latest options in this fast-changing space. There are several excellent vendors that have finally worked out the kinks to make identity management work, so don't limit your analysis to the companies that you currently do business with regarding system support. There is also a good chance that you can piggyback on the efforts of other federal, state and local organizations rather than starting from scratch.

Where should you start to look? I recommend the E-Authentication Solution Web site. Two goals listed at this excellent site include: controlling costs, and mitigating security and privacy identity risks.

3. Start small and implement identification management in phases. Develop short-term wins that can come together like pieces of a puzzle to create your enterprisewide identification management and access control program.

While the biggest return on investment comes from examining the full life cycle of employees, from initial hiring to the day they leave your organization, I recommend breaking your processes into manageable pieces that can be implemented in 90- to 120-day (or no more than six-month) increments.

Your life cycle processes will be different for government staff than for contractors, so you must think about domain names, e-mail addresses and related naming conventions for various audiences. One idea is to add a naming differentiator between government staff and vendor staff. For example, state staff will continue to use the e-mail format SmithJ@Michigan.gov, while contractors will be identified with the extra word "contractor," such as SmithJ@contractor.Michigan.gov.

This change will help in your processes to regularly renew or disable account access. It will also clarify who can speak for your government organization on external matters. Finally, internal messages from senior executives to government staff can be better segmented.
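As an added illustration of the naming convention above (this is example code, not anything from the column or the state of Michigan): classify accounts by their e-mail domain, treat anything that does not match either convention as non-conforming rather than trusting it, and list the accounts whose access is due for renewal. The review intervals and the sample directory entries are constructed assumptions for the example.

```python
from datetime import date, timedelta

# Naming convention from the column: staff use @Michigan.gov, contractors use
# @contractor.Michigan.gov. The domain part of an address is case-insensitive,
# so compare it in lower case.
STAFF_DOMAIN = "michigan.gov"
CONTRACTOR_DOMAIN = "contractor.michigan.gov"

# Hypothetical re-certification intervals chosen for this example, not policy
# from the column: contractor access is reviewed more often than staff access.
REVIEW_DAYS = {"staff": 365, "contractor": 90}

def classify(email: str) -> str:
    """Return 'staff', 'contractor' or 'unknown' based on the e-mail domain."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local:
        return "unknown"
    domain = domain.lower()
    if domain == CONTRACTOR_DOMAIN:
        return "contractor"
    if domain == STAFF_DOMAIN:
        return "staff"
    # Exact match only: look-alikes such as michigan.gov.example.com or
    # notcontractor.michigan.gov are flagged instead of silently accepted.
    return "unknown"

def review_accounts(accounts, today: date):
    """Split (email, last_review) tuples into accounts due for renewal and
    accounts that do not follow the naming convention."""
    due, unknown = [], []
    for email, last_review in accounts:
        kind = classify(email)
        if kind == "unknown":
            unknown.append(email)
            continue
        if today - last_review > timedelta(days=REVIEW_DAYS[kind]):
            due.append((email, kind))
    return due, unknown

# Constructed sample directory entries and review date for the example.
SAMPLE = [
    ("SmithJ@Michigan.gov", date(2023, 10, 1)),
    ("JonesB@michigan.gov", date(2024, 6, 1)),
    ("SmithJ@contractor.Michigan.gov", date(2024, 9, 1)),
    ("DoeA@contractor.michigan.gov", date(2024, 11, 20)),
    ("LeeK@notcontractor.michigan.gov", date(2024, 11, 20)),
    ("KimR@michigan.gov.example.com", date(2024, 11, 20)),
]
TODAY = date(2024, 12, 1)

def sample_review():
    """Run the renewal check over the constructed sample."""
    return review_accounts(SAMPLE, TODAY)
```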

Most importantly, don't ignore or delay identification management improvements based on past failed projects or technology. Good control of identities provides the backbone for cyber-security. The auditors are watching.


Dan Lohrmann  |  Contributing Writer

Daniel J. Lohrmann became Michigan's first chief security officer (CSO) and deputy director for cybersecurity and infrastructure protection in October 2011. Lohrmann is leading Michigan's development and implementation of a comprehensive security strategy for all of the state’s resources and infrastructure. His organization is providing Michigan with a single entity charged with the oversight of risk management and security issues associated with Michigan assets, property, systems and networks.

Lohrmann is a globally recognized author and blogger on technology and security topics. His keynote speeches have been heard at worldwide events, such as GovTech in South Africa, IDC Security Roadshow in Moscow, and the RSA Conference in San Francisco. He has been honored with numerous cybersecurity and technology leadership awards, including “CSO of the Year” by SC Magazine and “Public Official of the Year” by Governing magazine.

His Michigan government security team’s mission is to:

  • establish Michigan as a global leader in cyberawareness, training and citizen safety;
  • provide state agencies and their employees with a single entity charged with the oversight of risk management and security issues associated with state of Michigan assets, property, systems and networks;
  • develop and implement a comprehensive security strategy (Michigan Cyber Initiative) for all Michigan resources and infrastructure;
  • improve efficiency within the state’s Department of Technology, Management and Budget; and
  • provide combined focus on emergency management efforts.


He currently represents the National Association of State Chief Information Officers (NASCIO) on the IT Government Coordinating Council that’s led by the U.S. Department of Homeland Security. He also serves as an adviser on TechAmerica's Cloud Commission and the Global Cyber Roundtable.

From January 2009 until October 2011, Lohrmann served as Michigan's chief technology officer and director of infrastructure services administration. He led more than 750 technology staff and contractors in administering functions, such as technical architecture, project management, data center operations, systems integration, customer service (call) center support, PC and server administration, office automation and field services support.

Under Lohrmann’s leadership, Michigan established the award-winning Mi-Cloud data storage and hosting service, and his infrastructure team was recognized by NASCIO and others for best practices and for leading state and local governments in effective technology service delivery.

Earlier in his career, Lohrmann served as the state of Michigan's first chief information security officer (CISO) from May 2002 until January 2009. He directed Michigan's award-winning Office of Enterprise Security for almost seven years.

Lohrmann's first book, Virtual Integrity: Faithfully Navigating the Brave New Web, was published in November 2008. Lohrmann was also the chairman of the board for 2008-2009 and past president (2006-2007) of the Michigan InfraGard Members Alliance.

Prior to becoming Michigan's CISO, Lohrmann served as the senior technology executive for e-Michigan, where he published an award-winning academic paper titled The Michigan.gov Story — Reinventing State Government Online. He also served as director of IT and CIO for the Michigan Department of Management and Budget in the late 1990s.

Lohrmann has more than 26 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a U.S./UK military facility.

Lohrmann is a distinguished guest lecturer for Norwich University in the field of information assurance. He also has been a keynote speaker at IT events around the world, including numerous SecureWorld and ITEC conferences in addition to online webinars and podcasts. He has been featured in numerous daily newspapers, radio programs and magazines. Lohrmann writes a bimonthly column for Public CIO magazine on cybersecurity. He's published articles on security, technology management, cross-boundary integration, building e-government applications, cloud computing, virtualization and securing portals.

He holds a master’s degree in computer science from Johns Hopkins University in Baltimore and a bachelor’s degree in computer science from Valparaiso University in Indiana.


NOTE: The columns here are Dan Lohrmann's own views. The opinions expressed do not necessarily represent the state of Michigan's official positions.

Recent Awards:
2011 Technology Leadership Award: InfoWorld
Premier 100 IT Leader for 2010: Computerworld magazine
2009 Top Doers, Dreamers and Drivers: Government Technology magazine
Public Official of the Year: Governing magazine — November 2008
CSO of the Year: SC Magazine — April 2008
Top 25 in Security Industry: Security magazine — December 2007
Compass Award: CSO Magazine — March 2007
Information Security Executive of the Year: Central Award 2006