Leadership buy-in and user-centric implementations will help ensure successful deployment of IAM solutions, one cyber expert says.
Getting executive leadership buy-in and understanding agencies’ specific business needs are key factors in implementing an effective identity access management (IAM) framework, according to a former state security official.
To get agencies on board, the cybersecurity community needs to approach the issue from a “top-down perspective,” Gregory Williams, Colorado’s former director of security risk and compliance and identity access management, said during GovExec’s June 22 Cybersmart TV segment.
Williams said his department championed IAM, explaining to other agencies how it can cut down on breaches and eliminate orphaned accounts. His team often secured executive buy-in by talking about “how the solution that we were providing would essentially solve some of the problems and issues” repeatedly turning up in audit findings, he said.
Successful identity management solutions should also be “as user centric as possible,” meeting the specific needs of the agency, Williams said. For example, PingID, which sends an authentication request to the user's mobile device, “is a good multifactor authentication solution because everyone has a mobile phone,” he said. At the Colorado Department of Corrections, though, “we had to come up with an alternative solution because cell phones were not allowed.”
Providing a good user experience, depends on understanding the agency’s size, complexity and business culture, he said.
“Baby boomers may be more comfortable with traditional methods of authentication such as badges and tokens, whereas millennials are more tech savvy and might be more comfortable by using apps,” he said.
Once agencies have deployed IAM, they should look to develop a single sign-on solutions, which will improve user experience, he said.
“[Without single identity], you have to go to one system, authenticate, and then go to another system and have to authenticate again,” he said. “If I was still in the state, I’d invest money into finding some kind of solution where you can sign on once and get credentials to be passed on to the next system without having to re-authenticate.”