
Jurisdictions Work Toward Easier Single Sign-On for Residents

Here’s how Chicago, California, Boston, Long Beach and Larimer County, Colorado, are approaching public-facing identity and access management.

Photo: Lea Eriksen, Long Beach Director of IT
Larimer County, Colorado, has already centralized identity and access management (IAM) for hundreds of internal government applications, radically simplifying work life for county employees. Now, the county wants to extend that approach to resident services.

The county uses a cloud-based identity management platform to give staff members access to all the resources they need for their job with a single sign-on. No more juggling multiple login credentials for individual systems and databases. The next step is to give residents a single identity they can use to engage with any county department or program.

That’s harder than it sounds.

“There are a lot of older system vendors that just haven’t come up to speed with single sign-on, or they are still in the world of usernames and passwords, or they have their own proprietary systems to manage identity,” says Gregg Turnbull, director of innovation and insights for Larimer County.

Then there’s the issue of evolving online habits. Turnbull wants to give residents the option of logging into non-sensitive interactions using credentials from social media providers like Facebook and Google — but that’s a moving target. “What’s popular today may not be popular tomorrow,” he says.

And while social media credentials work well for non-sensitive engagements like community newsletter signups, identity validation gets more complicated as the county contemplates transactions that require higher security.

“We’re still experimenting. We know there are different levels of access we need to think through,” Turnbull says. “We’re also rebuilding our website, so all the things we did on our old site, we’re bringing into this new space. Our plan is to build off that — to strengthen the identity so we can dip into more protected engagements.”

Photo (Adobe Stock): About 30,000 state government employees use an IAM system deployed by the Maryland Department of Information Technology.

THE ABCs OF IAM

Larimer County is among a growing number of state and local governments that are strengthening IAM. Almost 60% of counties and more than 50% of cities plan to upgrade IAM systems, according to Center for Digital Government (CDG) research conducted in 2023.

Activity is heating up at the state level, too. More than 70% of states responding to CDG’s most recent Digital States Survey planned to strengthen IAM capabilities over the next several years. The survey, released in late 2022, collected responses from 46 states.

IAM refers to the process of verifying and authenticating a user’s identity and level of permissions. It’s a two-part system.

The first half of IAM is about authentication. The user enters their access credentials, and the login attempt is checked against an identity management database that the organization (ideally) keeps continuously up to date. Where multifactor authentication (MFA) is in use, a second factor then confirms that the person presenting the credentials is the owner of that digital identity.

The second half of IAM, access management, is about authorization. It controls which users have access to which resources: email accounts, databases, applications, shared folders, etc. Upon login, IAM enables access to the resources the authenticated user is entitled to see or use. Nothing more, nothing less. In this way, IAM defends systems and data from hackers, internally as well as externally.

Most organizations have some form of IAM in place. But the new frontier is pulling together multiple identity systems — which are often attached to individual systems or serve specific departments — into a unified approach. Here’s why:

User experience. Perhaps the most obvious reason to take a unified approach to IAM is the user experience. Employees are more productive and less frustrated when they don’t have to navigate different identification and verification methods for multiple applications or services. The same benefits apply to constituents navigating an organization’s website.

Security. Enterprise IAM enables more secure remote work and protects against cyber threats. A widely distributed network with a patchwork of individual authentication and control mechanisms is inherently more vulnerable. IAM makes it easier to securely manage all these assets and identities, especially in a cloud or multicloud environment.

Automation. Staffing shortages and operational efficiency are other motivating factors. IAM automates the tasks, such as setting up and deleting accounts, that nobody wants to do by hand.

Ease of integration. Software is evolving: More applications now come pre-built for IAM standards like SAML and OAuth. SAML, which stands for Security Assertion Markup Language, lets users access multiple domains and applications with a single set of credentials. Their identity is automatically linked, or federated, across multiple identity management systems.

Zero Trust. IAM is foundational to the Zero-Trust security environment agencies are trying to move toward.

Just because a request originates within the corporate firewall doesn’t mean it’s legitimate. As such, a Zero-Trust system always fully verifies each request. Approval is specific and based on the “least privileged” user access necessary to complete a request.

“If you don’t have identity and access management, how do you do Zero Trust?” asks Barry Condrey, a CDG senior fellow and former CIO of Chesterfield County, Virginia. “All these companies that are selling Zero Trust are also selling you IAM along the way. Forward-thinking CISOs, when they want to do Zero Trust, start with that identity and access management piece.”

WHERE AGENCIES ARE HEADED

Enterprise IAM projects often start with internal government staff, where the universe of users is smaller and the technical landscape is potentially less complex. As jurisdictions focus more on constituent experience, they’re launching single sign-on initiatives for the public.

During his tenure as Maryland’s CIO, Michael Leahy implemented an IAM application that covered about 30,000 of the state’s approximately 50,000 employees. All agencies that utilized the state Department of IT (DOIT) network were required to implement the solution.

It took 18 months to get support for the project, one year for vendor procurement and planning, and another year for implementation.

“I certainly understand people’s reticence to try new things in government, because government is a negative sum game,” says Leahy, now vice president of national IT strategy for Government Sourcing Solutions and a CDG senior fellow.

As the software was implemented, “it became a hub and spoke. DOIT was central, each agency a spoke,” says Leahy, who left the CIO role last year during the final stage of the project. “It gave people significant autonomy to run their own network nodes. DOIT controlled the governance, and as long as people lived within that, they had the authority to set up relationships as they saw fit.”

California is moving toward statewide implementation of IAM under its Cal-Secure roadmap released in 2021. The five-year security plan calls for enterprise sign-on capabilities across state executive branch agencies and departments to eliminate the need to separately authenticate and sign on to individual applications and systems.

“We’ve had disparate identity systems fronting our statewide services that we provide to our citizens for years. It’s very costly for each department to run their own solution and systems, and it’s horrible service for our citizens,” said John Cleveland, the state’s deputy chief information security officer, in a 2023 Government Technology IAM webinar.

Lea Eriksen, CIO for the city of Long Beach, California, has also looked at enterprise IAM to provide easier access to resident services. With no funding to explore solutions, she arranged a no-cost proof of concept for a single sign-on solution.

Her plan was to pilot some larger city agencies on the test platform, but a snag materialized. Long Beach, like many medium-size cities, maintains some of its operations and services on older technology platforms. Unfortunately, much of its existing resident-facing IT infrastructure can’t support single sign-on technology.

The pilot team pivoted, creating a couple of mock agencies for the test portal. Because actual residents would test the portal, the city ensured the portal complied with its security and privacy practices.

Feedback on the pilot portal revealed that MFA was the most difficult element for users to grasp. Some had never used MFA before and had to be shown how to install and use an authenticator app on their phone.

Altogether, Long Beach invested more than a year preparing, developing and executing the pilot. While the city ultimately decided to delay an IAM solution for constituents, the IT department gained a realistic picture of what it would take to achieve a unified approach.

“I told my team, ‘Don’t consider it an unsuccessful pilot; pilots are to explore things,’” says Eriksen.

She hopes to partner with the state or federal government on a future solution. “We’re making sure that when we invest in new technologies, they are set up to do single sign-on,” she says. “We put it into contracts and RFPs so that down the road, we’re set up for success.”

Larimer County currently offers single sign-on for a handful of low-risk transactions through its community portal. Residents can establish a central identity in the portal using Facebook or Google social media accounts or a traditional username and password. That central identity lets residents join community boards, manage board activity, subscribe to county newsletters and perform other routine activities.

As the county evaluates new applications, Turnbull is also prioritizing technologies that easily plug into the county’s enterprise IAM platform. “Our goal is that we won’t say yes to any application that fails to offer this level of identity management. That’s our vision.”

Photo: Chicago CISO Bruce Coffing promotes IAM as a way to reduce security risk.

KEY CONSIDERATIONS

A successful enterprise-wide implementation hinges on taking people and processes into account, not just technology.

Before you implement: At the risk of stating the obvious, the team selected to lead the implementation must have the chops for a multiyear, multi-budget-cycle project. The scope requires strong project management, business relationship management, change management and technical skills.

“Enterprise projects require enterprise skillsets,” says Condrey. “What you need is somebody who’s a really good communicator who understands enterprise architecture.”

Putting appropriate policies and governance in place ensures everyone is on the same page and accountable to the same standards.

Implementations are expensive — six figures at a minimum, possibly much more. The applicable administrative body or bodies will likely require a cost-benefit analysis to show return on investment. The upside is that approved funding makes the planned solution an easier sell to the individual agencies and departments that will use it.

“You can get folks that are part of the broader networked environment, but they try to carve off their own shop and can get defensive when someone comes in and says, ‘You need to implement this control because we’re implementing it enterprise wide,’” Bruce Coffing, chief information security officer for the city of Chicago, said in the Government Technology IAM webinar. “Sometimes it’s selling the benefits of the solution overall, as well as things like handling the cost and centralizing management.”

Buy-in from every department with an existing enterprise application is crucial, as is leadership’s understanding of the benefits IAM will deliver.

“Sometimes technologists like CIOs and CTOs make the cavalier assumption that everybody understands the value of technology the way that we understand it,” says Condrey. “And that’s so not the case. Somebody needs to be on point for making sure the right people continue to understand the value of identity and access management.”

While you’re implementing: Implementations often include significant process reengineering. Thorough architecting and design can help the team create a roadmap for all the individual projects and tasks, their timelines and the resources needed to cover them.

Condrey recommends organizations take a risk-based approach to the onboarding of systems. In other words, the most sensitive data and systems should be first: the enterprise resource planning system where personally identifiable information (PII) sits, systems that handle Health Insurance Portability and Accountability Act (HIPAA) data, and retiree information. If necessary, data catalog software can perform an inventory, classifying data and highlighting any regulatory issues.

“You need to roll this out in a very intentional fashion,” emphasizes Condrey. “You’re fundamentally improving the cybersecurity posture of those systems when you roll out identity and access management. You’re giving them a type of Zero Trust.”

After you implement: Follow-up and ongoing maintenance are necessary to support the IAM platform.

“The mistake a lot of people make is they get through all this expense to put enterprise technology in, and they don’t sustain it,” says Condrey. “At some point, a department director will go buy a new system, some whizbang cloud thing, only to find out it doesn’t work with the identity and access management system. So you have to do things like alter your procurement boilerplate.”

Post-implementation cleanup might also include updating data management policies. Human resources policies may need tweaking, too, as IAM could change the way HR onboards employees or provisions access to applications.

In short, appropriate enterprise governance will help prevent people from using one-off solutions that diminish the value of the enterprise tool.

Although IAM is more about lowering risk than saving money, an enterprise implementation can have some financial benefits, too. For example, state and local governments may find they’re in a stronger position to negotiate rates on cyber insurance policies.

SECURITY AND EXPERIENCE

For organizations looking for more secure identity management coupled with a better user experience, enterprise IAM checks a lot of boxes: centralized access privileges; simplified, secure access for employees and constituents; and more automated IT processes, auditing and reporting.

“There are plenty of examples out there about what happens when you don’t invest in security,” Coffing said in the Government Technology webinar. “For me, it hasn’t been a challenge of selling it to get the funding; it’s been about positioning the story with more of a risk-reduction focus. We’re focused on how it’s truly improving the risk posture of the organization for all.”

In Larimer County, Turnbull wants to make incremental progress. He envisions a not-too-distant future where resident interactions with the county become more personalized. The county website would create an enterprise identity for residents that retains information from their previous government interactions. Residents, however, would control the amount of identity information the county retains.

“I’d love to get to where most of the things that you do with Larimer County leverage that identity and we’re no longer asking you to fill out the same 13 fields every time you complete a form,” he says. “We’re just focusing on making every transaction a little bit easier.”

***

BOSTON EYES ENTERPRISE IAM

Like a growing number of jurisdictions, Boston is exploring how to give businesses and residents a single identity to conduct online transactions with any city department. A recent request for information (RFI) asked vendors to describe how they would provide a platform that supports online IAM across departments in a way that’s both secure and easy to use.

“The footprint of transactions that you can do online is growing, so not thinking about identity management from the public’s perspective would be a big miss,” says Santiago Garces, Boston’s CIO and director of the city’s Department of Innovation and Technology. “The mayor really has pushed us to embrace what is possible.”

Boston’s IAM initiative would likely start with business-to-government transactions, which involve a simpler ecosystem and represent a big chunk of the city’s online activity. Garces expects to tackle unified online identities for residents in a later phase, because that involves complex issues like aligning the new approach with existing identity systems used by libraries, schools and other municipal organizations.

“This will be implemented in different iterations,” he says. “It won’t happen overnight.”

Besides specifying strong security and frictionless user experience, Boston’s RFI seeks IAM solutions with low-code/no-code capabilities to make it easy for the city to modify services or launch new offerings. The RFI also says solutions should let residents easily manage their own identity profile and support multiple bring-your-own identity options.

Boston Mayor Michelle Wu’s 2024 budget allocates $1 million for the project.

City officials are also talking with the Commonwealth of Massachusetts about potential identity collaborations. “We’re trying to understand their roadmap,” says Garces. “We’ll also probably do some user experience research with businesses to understand what’s valuable to them.”

Garces says developing a unified digital identity is a huge opportunity for the city and its residents, especially if those efforts include city-state collaboration. He pointed to potential use cases like simplifying tax payments on auto purchases. Today, residents pay state and local taxes through separate transactions with separate agencies using different identity processes.

“If we’re able to share identity infrastructure between the state and the city, you could make things so much easier for people and businesses,” Garces says. “We don’t usually think of security initiatives as being user-experience initiatives. But if we get this right, we’ll get both: strong security and better experience.”

— Steve Towns
