When Boston overhauled its identity management infrastructure, it learned that even a solution built with best-in-class components requires a seamless user experience.
When Boston transformed its identity management infrastructure, it relied on insights from the identity lifecycle subcommittee made of human resources officials, according to Chief Information Security Officer Gregory McCarthy.
They’re the ones who best understand how identity moves throughout an organization, McCarthy said during a Nov. 30 SailPoint webcast on identity security.
“People start their career in the government and retire from the government, so during that lifecycle, they can have 10 different positions within an organization, and they should have a smooth transition if they’re going from an IT department to the HR department, or what have you,” McCarthy said.
User experience is key, especially when employees are changing jobs, and the city initially struggled with that.
The Department of Innovation and Technology opted to implement three tools -- SailPoint’s IdentityIQ, Ping Identity’s suite of tools and Radiant Logic’s RadiantOne FID -- that were largely ready to use out of the box, replacing the legacy, highly customized identity management infrastructure.
“Because we implemented best-of-breed solutions that were three different toolsets, we didn’t initially think about ‘What is the user experience going to look like? How do we ensure that it is smooth and easy for an employee to access these applications?’” McCarthy said. “When you’re thinking about implementing a best-in-class identity management solution that may not be all under the same brand or umbrella, you really need to think about the user experience,” he said.
That problem was solved with the introduction of the staff-facing Access Boston portal, which “tied all three of these applications together and allowed the employee to have a really smooth, seamless interaction with the technology,” McCarthy said. “If they couldn’t use the technology, regardless of how great it was, it would have been a failure.”
Access Boston centralized how city government employees access the data and IT they need to do their jobs. It launched on April 1, 2019, after a two-year, $2.4 million effort and addressed several of the pain points the department had identified. They included a lack of single sign-on, onboarding delays and a reliance on help desks for simple tasks such as password changes.
Cybersecurity was also a concern. In fact, until a few years ago, identity management fell under the purview of the department’s enterprise applications group.
“My team put forth the proposal to look at how we can take over the identity access management program under security as opposed to enterprise applications,” McCarthy said. “There are key differences between what enterprise applications does and security do. They go hand in hand, but our enterprise application teams are corely focused on delivering new products and delivering products securely are sometimes two different things,” he said. “We wanted to ensure that our identity access program really had the oversight of our security team.”
Now, employees can use one username and password and multifactor authentication (MFA) to get everything they need from any device – fixed or mobile. They can also use self-service options to update passwords and request access to data and applications.
The transformation also involved providing secure remote access through a virtual-private network (VPN) using MFA – a move that McCarthy said was critical when the pandemic hit the year after the launch.
“VPN is under attack on a regular basis, and I think especially during the pandemic that we’ve seen a lot of well-documented attacks on VPN tools, so having that MFA in place before the pandemic was extremely valuable,” he said.
Today, McCarthy and the cybersecurity team are focused on privileged access management implementation and rollout to administrators to gain control over who has access to accounts and how they are being used.
In the longer term, he said he would like to find a way to offer identity access management to the public.
“Right now, our program is primarily focused on employees and access that employees have, but I really think that it could be extremely valuable to allow for constituents to have an identity or a login to our city applications,” McCarthy said. “There are a lot of different engagements that constituents have with the city, whether it’s … licenses or a property tax payment or checking out a library book or checking their child’s grades on the school system…. They all have different access and different logins and different passwords with those. To streamline that could be really life-changing for our citizens.”