Better identity and access management
- By Dan Conrad
- Sep 07, 2018
Agencies are making strides in identity and access management. In fact, a May Office of Management and Budget report found that 93 percent of civilian users have enforced usage of personal identification verification cards. Yet this alone is not enough to keep an agency safe. Multifactor authentication is just one piece of the IAM puzzle, which should also take into account authentication, authorization, administration and auditing to ensure security without sacrificing usability.
Authentication is an important place to start. As agencies examine approaches, they should consider adaptive authentication, which can reduce the impact on workers, easing security fatigue and increasing the likelihood users follow appropriate protocols.
With adaptive authentication, when users log on to a system from their desks during work hours, authentication requirements are kept relatively minimal -- perhaps just a simple password. But if they try to access sensitive information from an atypical location in the middle of the night, the system will automatically recognize the abnormality and require additional identity verification, such as a one-time password token, or authentication via behavioral biometrics, such as typing rhythm. In this way, an automated system can reduce the burden of heavy-handed authentication processes, while still maintaining a high level of security.
Even with the right authentication methods in place, agencies can still find themselves at
risk if authorization practices are inadequate. Roles need to be carefully monitored to ensure individuals can only access information relevant to their jobs. Roles may change as an employee receives a promotion or joins a new project. In these situations, it’s common to increase a user’s access without removing unneeded permissions or revoking rights when a project ends. This is particularly risky when the access in question may be to sensitive government information.
Enforcing the right authorizations depends on effective administration. This means quickly and accurately provisioning and deprovisioning. Without quick provisioning, users may spend too much time requesting access to information they need rather than accomplishing their jobs. And if they are not deprovisioned as job functions change or as they leave an organization, their old accounts can be used maliciously. Automating administration prevents these tasks from becoming too time consuming and ensures employees can accomplish what they need to do and nothing else.
Lastly, IAM must include the ability to audit. Auditing is essential for the compliance and reporting required for agencies, but it is also valuable in the event of a breach. Audit capabilities allow agencies to look back at activities that occurred on their network so they can more easily hone in on the cause of a breach or proactively identify abnormalities that should raise concern. As cyber criminals become more creative, mitigating the impact of a cyber incident is just as important as preventing one altogether.
The timing is right for the federal government to readdress IAM, but the approach can’t stop at authentication alone. Comprehensive IAM focused on authentication, authorization, administration and auditing is critical to keeping government information safe. If agencies put these elements in place and focus on getting the right information to the right users, their approach to IAM can become a mission enabler.
Dan Conrad is federal CTO at One Identity.