Consolidating access control yields big payoffs

Imagine how tedious life would be if you needed a separate, specially issued debit card for each grocery store, gas station, restaurant, pharmacy, department store or Web retailer that you patronized — and a separate password for each card, too.

It would burdensome. It would also be costly to the businesses involved if each one had to issue those identity credentials to every one of its customers. And who would bear the brunt of those costs? 

That is pretty much the operative situation, though, for government agencies when it comes to managing employees, consultants and contractors, and then controlling which information technology resources and networks they can tap into, whether they are turning on their computers in the morning, updating their personnel records in a human resources system, booking work-related travel, or signing in to an information-sharing wiki. Those IT access security mechanisms, essential as they are, are hardly ever a single system. Instead, each application or system typically has its own access control system.

As a result, users must remember multiple passwords and log-in methods, while IT departments must handle the grunt work of manually managing duplicative systems.

At the Agriculture Department, for example, it takes 200 employees to manage user accounts and roles and another 73 employees to focus on compliance, auditing and reporting tasks related to access control, according to USDA's Office of the Chief Information Officer.

It wasn’t so bad years ago when IT played a more limited role and there were far fewer systems to manage. But times have changed. Computers and software applications have proliferated and are now essential cogs in almost every government operation.

The old fragmented, one-off model for identity management and access control just won’t fly anymore. It will be increasingly costly — and risky from a security perspective — to allow things to continue. Fragmented identity management systems are also a drag on agencies’ ability to quickly tap new online opportunities, whether they are homegrown, fielded by another agency or offered by a cloud provider.

"Access control is one of our key defense mechanisms," said Dennis Heretick, a security consultant and former Justice Department chief information security officer. "We need to share [information] across agencies and industry, but you don't want to share that if you think it will get to the wrong people."

Besides bolstering security and helping to clean up an agency’s internal practices, a streamlined approach to identity management also provides a foundation that can dovetail with efforts to simplify access to government data and online services.

Therefore, for budgetary and strategic reasons, government IT leaders are seeking to make the business case to agency leaders for the construction of unified and standardized identity management infrastructures. The CIO Council has taken up the cause and released a preliminary road map and implementation guidance for agencies in November 2009, and it promised that more help will follow.

Some agencies have already started to move. USDA, for one, has launched a project to centralize 70 identity databases. The duplication of identity stores and access control mechanisms drives up the number of employees needed for those jobs, said Owen Unangst, director of innovations and operational architecture at USDA's Office of the CIO.

Unangst, who is shepherding USDA's identity management overhaul, said the effort will slash IT administrative costs and give the department's workers one set of credentials — a smart card and personal identification number — to access multiple applications. But it won’t be a one-and-done deal.

“This is not a short-term project,” Unangst said. “This is something that is going to be a permanent new function, a permanent new responsibility in USDA.”

Security experts say many agencies share USDA’s experience with fragmented identity and access management systems. When the full costs of doing nothing are considered, it seems clear that some form of centralization is not only desirable but even necessary.

Problems of ID Fragmentation

Fragmented identity management causes a number of problems for organizations beyond just cost and time.

Such an approach raises several security issues, said William MacGregor, a computer scientist at the Information Technology Laboratory at the National Institute of Standards and Technology’s Computer Security Division.

The cost of enrolling users — establishing identity, assigning roles and access rights, and issuing credentials — becomes costly when multiplied across scores of applications. For that reason, organizations might wind up with a less-than-robust process for identity proofing and credentialing.

Similarly, organizations might also gravitate toward low-cost, low-assurance authentication approaches — user name/password as opposed to two-factor authentication. The latter approach involves something a person knows, such as a PIN, and something the person possesses, such as a smart card or other security token device.

“Lots of silos of identity management force the practice in an individual silo to be on the low end of the cost and capability spectrum,” MacGregor said.

Fragmentation also leads to password vulnerabilities. Users obliged to maintain multiple passwords might be tempted to keep them short and simple, which makes them more vulnerable to brute-force attacks in which hackers use powerful computer programs to try thousands of different possibilities to crack passwords. On the other hand, users who choose longer, more complex passwords might need to write them down, introducing another security risk.

“Many people, because they have so many passwords, will use simple passwords, and many systems don’t enforce strong passwords,”  Heretick said.

Account deletion presents another vulnerability in highly fragmented security settings. When an employee leaves an agency, that move must be reflected across all of the systems to which he or she formerly had access. But when access control systems abound, there’s a greater chance of an account remaining active after the user departs.

And then there are the administrative costs that mount when identity stores and access controls proliferate across an agency. Redundancy requires a larger IT staff to maintain systems. And having a multitude of passwords keeps help desks busy resetting forgotten ones.

Many users also have a desktop and laptop PC assigned to them, which further multiplies costs. Heretick said organizations incur systems administration costs for two seats plus all the applications users access. “It becomes tremendously expensive,” he said.

Disparate identity systems also drain time. Multiple log-ins, for example, steal minutes and affect productivity. Jamie Sanbower, director of security solutions at Force 3, a solutions provider that focuses on security, unified communications and data center technology, suggested that agencies “look at the end-users and determine how their day-to-day productivity is affected by multiple sign-ons.” 

Benefits of ID Integration

Security executives point to a number of benefits in transforming identity and access management into a more centralized activity. A consistent approach to security is one key advantage. Organizations that try to enforce IT security directives — password policy, for example — across multiple points are bound to find that some systems fall between the cracks and fail to comply.

For agencies, Sanbower said, the biggest business benefits of tighter integration stem from reducing the risk of uneven policy enforcement and mishandled passwords.

On the cost-savings front, consolidation of identity systems reduces administrative expenses. Features such as single sign-on reduce the number of passwords in circulation and the number of password reset calls to the help desk. Some industry estimates put the cost of a reset at $25 or more per call.

The Homeland Security Department is among the agencies working to reduce passwords with a common credential, a smart card. The cards “will replace multiple PIN and password log-ins for multiple applications with a single log-in,” a DHS spokesman said.

MacGregor added that a consolidated identity store and multipurpose credential can help agencies rein in user enrollment costs. Those components can spread the cost of enrollment across numerous applications. “Enrollment is always a large fraction of the overall credential life cycle cost,” he said. “It’s not unusual to see it as a quarter to 50 percent of the cost of [issuing] credentials over the life cycle.”

Improvements in identity management could also help agencies deal with emerging trends such as cloud computing.

“As the federal government evolves to cloud computing — and services that go across federal entities not just across departments — access to those services really needs to be authenticated with strong credentials,” said George Schu, a senior vice president at Booz Allen Hamilton.

Schu also pointed to information-sharing technologies that fall under the rubric of cross-domain solutions. Those solutions aim to let government organizations exchange information across multiple security domains, either horizontally across federal agencies or vertically from the federal sector to local government entities.

“Access to these systems...[has] to be backed by strong credentials that you only get through a unified, standardized identity management process,” Schu said.

How to Get to an Integrated System

An integrated identity and access management system involves a number of elements. They typically include a system for issuing a unique credential to every user, a central directory for storing users’ identity data, a solution for provisioning and managing user accounts, and an access component that includes single sign-on capabilities.

Government agencies have made the most progress on the credentialing end because of Homeland Security Presidential Directive 12. Signed in 2004 by President George W. Bush, HSPD-12 calls for the federal adoption of a common credential for accessing government buildings and information systems. The directive also requires credentials to be issued based on sound criteria for verifying a user’s identity. NIST standard FIPS 201 spells out the requirements for the credential, the personal identify verification card.

Governmentwide, nearly 4 million PIV cards have been issued to employees for 86 percent coverage. Seventy-two percent of contractor personnel have received PIV cards.

USDA has issued 98,800 PIV cards, covering 87 percent of its employees, according to an Office of Management and Budget report on HSPD-12 status released in December 2009. USDA has also purchased products from CA that will let the department centrally manage identity and access management. The product lineup includes an enterprise directory that houses all user identities in one location. With that component in place, USDA can look for opportunities to consolidate its 70 identity stores.

When it comes time for an agency to start enabling various software applications to capitalize on the user information from a common credential or identification system, the first step is to get an inventory of all applications, said Phillip Loranger, chief information security office at the Education Department.

With that information in hand, officials can find out from application owners whether they intend to keep their systems around for the next three years or so. There’s no sense in enabling applications that will soon be unplugged, which means agencies will need to rank the priority of individual applications.

Agencies have three options. They can modify applications to accept FIPS 201 credentials, they can modify them so they can interface with a portal that accepts the credentials, or they can discontinue the applications if they are too expensive to modify.

At USDA, applications will be integrated in the next couple of years. The first batch of five applications will be linked to the agency’s new identity management infrastructure by midsummer. They include agency-specific applications and enterprise-level systems, such as USDA’s AgLearn e-learning system.

USDA picked applications that will be relatively simple to integrate and would be at risk if accounts and roles were managed incorrectly, Unangst said.

This summer, UDSA will begin to prioritize additional applications for inclusion, identifying those with the highest risk. By March 2011, Unangst said he expects to have 60 to 100 applications integrated, with more to follow.

MacGregor said setting integration priorities might be among the toughest challenges in achieving integrated identity management. But agencies might be on their own when it comes to bringing applications into the world of centralized management and PIV cards.

Tim Baldridge, a computer scientist at NASA, said agencies that want to enable applications for PIV cards lack formal guidance. “There’s no document or written work that I’ve seen that would give somebody a clear path to that solution space,” he said.

The CIO Council has been working on implementation guidance. The Federal Identity, Credential, and Access Management road map and architecture the group released last year will be updated with a collection of lessons learned from early agency implementations.

A strong, internal focus can smooth the implementation task. Neville Pattinson, chairman of the Smart Card Alliance’s board of directors and an executive at Gemalto, advised agencies to appoint a program manager and, possibly, establish a program management office to oversee an identity management overhaul.

“It is a nontrivial transition, going from disparate systems to a centrally managed system,” he said.

But that shouldn’t come as much of a surprise. After all, it took more than a few years to deploy the dozens of identity management systems that most agencies wrestle with today.