As cybersecurity risks continue to grow across government agencies, the little-known world of identity and access management still receives scant attention — but services can't move forward without it.
Everybody did it, whether they worked in city, county or state government. Staff would put up little Post-it notes on the edge of the PC monitor with passwords to the different applications they had to access. It could be particularly bad in county government, where one worker may have to access multiple state-run applications to manage human service clients, for example.
Should that worker resign from the agency, all those passwords would have to be stripped out of each individual system. But it didn’t always happen in a systematic, orderly way. Not every agency had a reliable vetting system for onboarding and offboarding new and old employees. Old passwords would remain active, creating a potential security nightmare.
Welcome to the decidedly unflashy world of identity and access management (IAM), a back-end operation that gets little attention but has become increasingly important in state and local government, where sharing information is a growing priority, but where managing identity in pursuit of better security has failed to keep abreast with change. Simply put, IAM defines and manages the roles and access privileges of users, who can be government workers, businesses or individual citizens. The goal of IAM is to give one digital identity to a user. Once that identity has been established, it must be maintained, modified and monitored throughout each user’s access life cycle, according to Identity Management Solutions Review.
With the growth in security risks in recent years, IAM has become a more important tool to allow the right people to have access to the right information at the right time. But other reasons are driving the need for IAM. Government has many more systems and software applications than ever. Those applications are for new customer services as well as worker tools that didn’t exist in the past. Government also has more of these applications in the cloud and allows for more applications to run on mobile devices. It adds up to an online environment that increasingly mirrors the private sector in terms of choices and services that exist entirely online.
Yet, government remains federated, which creates a challenge to the goal of having some kind of single sign-on and enterprise IAM, according to Andras Cser, vice president and principal analyst at Forrester, the IT research firm. “You’re seeing some centralization, but single systems for single purposes still predominate,” he said. “Most departments just want to manage their own users at this time.”
In 2012, IAM received attention from NASCIO, the state CIO organization, when it issued a call to action about the necessity for mature IAM in state government. The organization followed this up with a State Identity and Credential Access Management (SICAM) Guidance and Roadmap document that provided a vision for IAM architecture as well as steps on how to address trust, security, interoperability and process improvement. While states and localities have taken advantage of IAM platforms from IBM, Oracle, Microsoft and other vendors, IAM remains a work in progress. Enterprise IAM is a struggle for most CIOs. Worse, too many agencies and governments still have a paper-based process in place to create, maintain and disable user accounts, resulting in improper access rights. Lack of investments in core IAM tools, systems and platforms will continue to stymie growth in enterprise IAM and single sign-on.
Another challenge is the surge in cloud computing activity. State and local governments are shifting to the cloud in order to deploy online services more rapidly without the traditional infrastructure costs that go along with the construction of on-premise IT systems. While there are clear benefits to using the cloud, there are also drawbacks. The cloud can aggravate the “challenge of verifying identities and managing access to applications and data by consumers, employees and business partners,” explained George Moraetes, in the article Meeting Identity and Access Management Challenges in the Era of Mobile and Cloud.
Henry Bagdasarian, founder of the Identity Management Institute, a membership organization that provides IAM training and certification for its members across the globe, also sees the cloud as reshuffling the IAM landscape. “It’s changed everything related to IAM,” he said. “In the past, everyone had to move through the corporate network. Now, we have cloud applications accessible through the Web, bypassing network security, which used to be the focal point of security.”
The result is a heterogeneous environment where on-premises applications require one set of access controls while cloud applications require something different, creating a daunting level of complexity, according to Moraetes. Governments, as well as other organizations, now struggle to manage identities and access requests because the data resides in various locations and business units.
The growth in mobile technology has also complicated the adoption of IAM. “People use their mobile devices to access corporate systems and so there needs to be some segregation between the corporate data and personal on the mobile devices,” said Bagdasarian. As governments initiate more BYOD policies, the issues around identity and access management across multiple devices must be addressed early on to avoid problems down the road.
But the problem with IAM isn’t just one of rapid and continuous technological change. It’s also a governance issue. “Organizations lack centralized identity governance,” said Bagdasarian. “This is causing a delay in consolidation of identity directories.” That delay can be tied back to the fact that people will use the same credentials, such as email passwords, to access different standalone systems. Trying to track, monitor and update all those passwords for so many systems has become a daunting task.
Moraetes points to the lack of centralized access management solutions, such as enterprise directories and single sign-on, as key impediments to IAM solutions, along with the ongoing issue of outdated provisioning processes that are manual and inconsistent between business units or agencies, in the case of government. Inadequate provisioning and manual user certification and accreditation operations can slow down and impede how well users can access useful information and, in worst cases, lead to security problems.
One of the biggest security threats to government is credential harvesting, where hackers use phishing scams to obtain a user’s password or identity credentials and gain access to important data. The first line of defense against this problem is the use of multi-factor identification, which can keep hackers and data thieves from gaining access to cloud applications and other systems, said Bagdasarian.
Another strategy is to create a holistic IAM solution within government. A white paper, The Challenges and Benefits of Identity and Access Management, published by F5 Networks, points out that comprehensive IAM includes “centralized access management, automation, reporting and contextual application of security policies” as the key ingredients to meeting today’s IAM needs. That means an end to silos for data, regulatory compliance and information security. Patchwork approaches are no longer acceptable if enterprise IAM is to take root.
An important element to making this happen is the role of the chief information security officer. Moraetes said that the CISO and his or her team can “vet identities, approve appropriate access entitlements, and grant or revoke user identities, access and entitlements in a timely manner,” while enforcing compliance within an organization’s IAM policy. Forrester’s Andras Cser said the role of the CISO has become pivotal as far as IAM is concerned, given how security continues to be a high priority. “They have to pull all of this together for centralized control in IAM.”
Advances in technology also promise to make IAM an easier lift than it has been in the past. For example, Microsoft’s Office 365 offers dual-factor identification. But the new trend is in middleware companies that offer solutions to centralize identity directories, which can facilitate single sign-on and multi-factor authentication across all systems, according to Bagdasarian.
These firms, such as OneLogin, Okta and Ping Identity as well as familiar names such as IBM Cloudant, Oracle Identity and Microsoft’s Azure Active Directory, are identity-as-a-service platforms that simplify the tedious work of onboarding and offboarding users. This process has become more important as new compliance regulations require organizations to certify how they provide access to their systems on a quarterly basis, said Bagdasarian. “Without a rigorous process in place, organizations run the risk of taking a user off of one system but not another when they leave, creating a security problem,” he said.
By 2020, every person online will create roughly 1.7 megabytes of new data every second, according to the Identity Management Institute. Meanwhile, the number of Internet of Things devices is expected to reach 31 billion in the same year and rise to 75 billion by 2025. By 2020, 83 percent of enterprise workloads will be in the cloud, while on-premises computer work will shrink to just 27 percent.
The environment in which state and local governments operate will mirror those trends. In addition, the amount of data sharing will increase as policymakers see the value in providing cost-effective, integrated applications that serve the public good. A shrinking government workforce will mean a single worker using tools that holistically draw data from shared resources and can handle multiple tasks that used to require many workers. But this requires a robust IAM.
The bottom line is that identity and access management will be essential to the future of how government operates. A well-designed, well-managed IAM will reduce friction when it comes to data sharing while helping to provide the level of security that is now mandatory. An inadequate and balkanized IAM operation will slow down and impede the progress. The public won’t realize this and policymakers will not understand the reason behind the problem, but CIOs and their peers will be on the hook if IAM isn’t modernized and made workable at the enterprise level.