Federal outlook: ICAM access and automation
- By Dan Conrad
- Mar 06, 2020
News about agencies failing to meet federal cybersecurity standards should set off alarm bells, but instead, it has become a recurring headline. Recently, the Office of Personnel Management’s inspector general released an audit on that agency’s security program and practices based on the National Institute of Standards and Technology's Cybersecurity Framework. While the audit found improvements across the board in cybersecurity, the IG stated that OPM had not developed or implemented an identity, credential and access management (ICAM) strategy.
More concerning than agencies struggling to meet federal cybersecurity standards is the lack of basic, internal accountability practices regarding users. The same 2019 audit found that OPM did not maintain a complete list of all contractors who have access to its network. This is especially impactful as estimates show that as of 2017, there were over 4 million contractors working for the government, and the Pentagon has recently noted that both small and large contractors are struggling to meet the agency's cybersecurity standards.
The government is not alone in this challenge. A recent survey of enterprise security IT professionals revealed that globally not only are third-party users given access, but 72% are given privileged permissions. Only 15% of respondents are very confident that third-party users follow the same access rules as their internal users on their networks.
Not knowing which contractors have access to government agency networks is a huge vulnerability. Additionally, if third-party users are not being held to similar cybersecurity standards, agencies’ networks can be exposed to vulnerabilities through their contractors’ networks.
In 2020, agencies must critically assess their authentication methods and third-party access, and develop a system to identify and generate a complete and accurate listing of users and their access.
While current reviews of federal ICAM policies may be bleak, a light at the end of the tunnel is the growing conversation and emphasis on ICAM as an integral part of cybersecurity. Additionally, the concept of identity and perimeter is changing to more accurately reflect the current workforce and mission needs. With a “work anywhere” mentality that brings increased productivity, there is no clearly defined perimeter. ICAM can’t be just about access as contractors, workers and guests log on to networks by the minute across the federal space. Whether it’s a standard user account that needs protection, authentication or access, a highly privileged administrator or even a shared account, agencies are realizing the need for a “wandering credential” that authenticates and audits accounts as they are being used.
Authentication and automation
A basic first step for all agencies is to take an inventory of all accounts and make sure access, including privileged access, is properly managed. A list of contractors as well as employees must be kept up to date.
Next, agencies must know what, when and how users are accessing the network and information. They can deploy behavioral biometrics that analyze when accounts log on, how long they access certain documents or networks, typing speed and more to authenticate the user.
Automated systems can help reduce the burden of most authentication processes while still maintaining a high level of security. Any accounts that cannot be verified should be automatically frozen, flagged and individually verified as well as logged in an internal database to encourage agency transparency of threats.
Then, agencies should continuously remove accounts that no longer need access to networks to avoid bloat, and work to ensure authorized users can only access information relevant to their job. Automating the provisioning or deprovisioning of authorizations is always appropriate.
An audit capability can also be extremely valuable in the case of a breach or attack, allowing agencies to look back at the accounts that were used and narrow down the cause of the event.
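The steps above (inventory, verify, freeze, deprovision, audit) can be sketched as one reconciliation pass. This is an added example, not code from the article or from any product it mentions. The roster and account records are constructed sample data, and the field names and the 90-day idle threshold are assumptions.

```python
from datetime import date

# Constructed sample data; field names and STALE_DAYS are assumptions.
ROSTER = {  # authoritative list of current employees and contractors
    "jdoe": {"type": "employee", "active": True},
    "acme-svc1": {"type": "contractor", "active": True},
    "bsmith": {"type": "contractor", "active": False},  # contract ended
}
ACCOUNTS = [  # accounts exported from the directory
    {"user": "jdoe", "privileged": False, "last_logon": date(2020, 3, 1)},
    {"user": "acme-svc1", "privileged": True, "last_logon": date(2019, 10, 2)},
    {"user": "bsmith", "privileged": True, "last_logon": date(2020, 2, 20)},
    {"user": "tmp-admin", "privileged": True, "last_logon": date(2020, 3, 4)},
]
STALE_DAYS = 90


def review_accounts(accounts, roster, today, stale_days=STALE_DAYS):
    """Return an audit log: one entry per account with the action to take."""
    audit = []
    for acct in accounts:
        owner = roster.get(acct["user"])
        idle = (today - acct["last_logon"]).days
        if owner is None:
            # Cannot be tied to a known person or contract: freeze and flag.
            action, reason = "freeze", "no matching roster entry"
        elif not owner["active"]:
            action, reason = "deprovision", "owner no longer active"
        elif idle > stale_days:
            action, reason = "deprovision", f"idle {idle} days"
        else:
            action, reason = "keep", "verified"
        audit.append({
            "user": acct["user"],
            "type": owner["type"] if owner else "unknown",
            "privileged": acct["privileged"],
            "action": action,
            "reason": reason,
            "reviewed": today.isoformat(),
        })
    # Accounts needing action first, privileged ones ahead of standard ones.
    audit.sort(key=lambda e: (e["action"] == "keep", not e["privileged"], e["user"]))
    return audit


if __name__ == "__main__":
    for entry in review_accounts(ACCOUNTS, ROSTER, date(2020, 3, 6)):
        print(entry)
```

The returned list doubles as the audit record: each entry keeps the account, its owner type, the decision and the reason, so a later investigation can see why an account was frozen or removed.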
With these capabilities in mind, agencies should look to implement solutions that are also operations- and automation-ready, easy to deploy, transparent and frictionless and that can easily scale and transform alongside the agency’s needs.
Making drastic changes to the way people work is usually not effective, but finding ways to secure operations that are transparent to users or administrators will quickly gain acceptance. Security is increased by designing for the way humans actually behave versus forcing users into new and unnatural processes.
The success of government is dependent on contractors and third-party user accounts. While this dependency can open agencies to vulnerabilities, it also significantly supports the missions and their success. By following these steps, agencies can establish and implement a strong, comprehensive identity strategy for 2020 and beyond -- the foundation of any strong cybersecurity posture.
Dan Conrad is federal CTO and field strategist at One Identity.