Zero trust builds on identity management
Having a robust ID management program in place is one of the most effective ways to enhance governments’ cybersecurity, and experts say it is within reach.
As governments move more services online and to the cloud, zero trust’s emphasis on identity management will be critical in keeping agencies and users protected, especially amid ongoing threats.
The Cybersecurity and Infrastructure Security Agency listed identity as one of its five pillars of zero trust, and for state leaders, identity management is especially challenging, given the number of employees and residents that interact with state agencies and staff’s vulnerability to phishing attacks targeting login credentials.
As a result, identity management has become a priority for state IT officials. The National Association of State Chief Information Officers identified it as one of the top strategies, management processes or solutions that its members should focus on in 2023.
Having a robust identity management program in place is one of the most effective ways to enhance governments’ cybersecurity, and experts said it is within reach.
“Zero trust is a journey,” said Dean Scontras, vice president of state and local government and education at identity management software company Okta. “And we say the first step in that journey is identity and securing identity.”
Governments have seen the consequences of inadequate identity management. In the early days of the COVID-19 pandemic, several states lost hundreds of millions of dollars through fraudulent unemployment insurance claims as hackers exploited systems unprepared to verify the overwhelming number of applicant identities.
Identity management is complicated by the different login credentials that users may need to access services at various state agencies. And while many states are centralizing and digitizing their services in the cloud, they are still a long way from federated identity, or allowing authorized users to access multiple applications with a single sign-on, while making sure staff, contractors and others have the access that they need.
An effort in Maricopa County, Arizona, looked to do just that, recalled Lester Godsey, the county’s chief information security officer. In rolling out a new human resources management solution, Godsey said leaders wanted to establish a “central source of truth” for the management of the identities of staff, contractors, interns and volunteers, as up to that point each department had been managing those identities themselves.
A centralized identity management system that supplies one set of credentials for each user, regardless of whether they do work for multiple departments or agencies is best deployed at the enterprise level, Godsey said.
Many agencies rely on multifactor authentication to verify users’ identities, something that is especially critical as states implement single sign-on platforms. Illinois CISO Adam Ford said verification of identities beyond usernames and passwords may be a “foreign concept,” but it is “here to stay,” given the rampant growth in fraud and hacking.
“Every single major breach you still hear about, I can guarantee starts with compromised credentials,” Scontras said. Identity management “seems like a really easy fix,” he said. “Until we get that lowest common denominator fixed, as they call it, we’ve got to keep talking about it.”
Illinois implemented the ILogin identity verification process for its Department of Employment Security in the wake of COVID-19 to protect user data with the latest security tools while simplifying the login process. Users must set up MFA when they sign up, which Ford said makes it integral to the registration process rather than as an optional step that many may ignore.
Bringing in new identity management efforts like single sign-on or MFA requires a “culture shift” among residents and agency staff “to understand that it is mandatory for the state to protect this resident ID," Ford said.
"This is very much not a technology problem that we're solving,” he said. “This is a business interaction problem; this is a resident problem."
Getting identity management under control will not help governments avoid vulnerabilities, warned Jim Richberg, public sector field CISO and vice president of information security at Fortinet. “Zero trust does not mean that an endpoint will not be compromised” nor that the illegal accessing of credentials can always be prevented, he said. But by managing identity, leaders can mitigate the effects of security incidents, as it is impossible to “expect perfection.”
NEXT STORY: Cyber training expands to local leaders