Building on the cybersecurity sprint with CDM Phase II
- By Darran Rolls
- Apr 25, 2016
The cybersecurity sprint of July 2015 -- launched by the White House in the wake of major breaches at the Office of Personal Management -- was critical in the efforts to improve the security of federal IT systems. The root of the attack was identity; attackers stole the password of a contractor with access to OPM systems and used that login credential as a vector through which to penetrate these systems and steal millions of records.
The sprint that followed focused heavily on closing the vulnerabilities associated with passwords and pushing agencies to dramatically increase their use of two-factor authentication to mitigate the risk of stolen credentials. The results were impressive; use of personal identity verification (PIV) cards increased to over 72 percent and progress is still being made.
However, agencies must not convince themselves that PIV cards alone can fix the authentication problem. Organizations still face the larger problem of “identity security” – essentially, who has access to what -- and struggle to solve issues related to users with too many privileges or changing permissions for those joining, leaving or moving within organizations.
No two breaches revealed these flaws more clearly than those perpetrated by Bradley (Chelsea) Manning and Edward Snowden, both legitimately credentialed users. The breaches resulted from a failure to properly govern authorization and illustrated the need for agencies to embrace a comprehensive approach to identity governance.
Now is the time for agencies to build on the momentum of the cybersecurity sprint and focus on a complete identity and access management (IAM) strategy rooted in governance that can protect against the full range of identity-centered attacks.
In most agencies, user- or identity-based access to enterprise systems is tiered, addressing the basic question of authentication and the more complex question of authorization. Considering the number of identities an agency may have across its employees and contractors as well as the multidimensional systems used and the varying levels of access required, it is easy to see how an enterprise might have hundreds of thousands of access points into its systems, each of is a point of exposure.
Out of those hundreds of thousands of identity exposure points, it takes only one to be compromised. At a time when adversaries are increasingly targeting identities relative to other attack vectors, agencies need to increase their focus on identity security. Though the 2015 30-day cybersecurity sprint jump-started many of the necessary changes needed to secure federal networks, many government leaders have recognized the need for a more comprehensive identity and governance strategy that covers the entire organization, from contractor to administrator, providing controls and governance for the full lifecycle of the identity and the accounts and access it is afforded.
The role of CDM
The Continuous Diagnostics and Mitigation program run by the Department of Homeland Security will play an important role in the government’s progress towards implementing comprehensive identity governance.
Phase II of the CDM program is heavily focused on raising the baseline IAM capabilities of all federal agencies to continuously identify networked devices and systems, monitor users’ statuses and mitigate identified risk. Phase II requirements include managing:
- Trust for those granted access
- Security-related behavior
- Credentials and authentication
- Privilege and account access
The CDM program will deliver some important building blocks to federal agencies to help improve identity governance. These building blocks, however, will not in and of themselves cover the full gamut of the IAM lifecycle. Components will need to be integrated and additional functionality will be needed to deliver a complete lifecycle approach to IAM that is rooted in strong identity governance.
More information on how the four requirements of CDM Phase II relate to IAM strategy is available here.
Darran Rolls is CTO of SailPoint.