Page 54 - FCW, Nov/Dec 2017
FCW Perspectives
federated approach.”
“The technology is there, the design patterns are there, but the policies aren’t there,” another said. “We don’t need to be able to share everything with everybody, but when we do, we need it to be frictionless.”
In most cases, that’s easier said than done. “The expense or problem usually comes in the identity-proofing of that individual because they’re remote,” said one participant, who pointed out that the face-to-face process for an employee or contractor can take hours.
Another executive agreed. “The proofing is the big conundrum, and it sits in identity.” He added that during the Obama administration, the National Strategy for Trusted Identities in Cyberspace conducted a number of pilot tests, some of which informed the National Institute of Standards and Technology’s Special Publication 800-63-3 on digital identity guidelines.
But the recent massive breach at Equifax has raised new concerns.
“How are we going to proof online when tough questions are now being asked about how the credit bureaus, for example, and the data brokers have been doing things?” he asked.
Another participant added that, “without strong proofing, you can’t offer more services that the citizens really want.”
Some said partnerships are the only viable answer. For instance, the IRS cannot identity-proof every taxpayer, but it could partner with state departments of motor vehicles to do so. One participant said federation could also work by letting people use an existing credential issued by a financial institution, for instance.
More than one participant referenced the cybersecurity sprint in 2015 after the massive breach at the Office of Personnel Management, with one executive saying its focus on privileged-user access could be a model for future efforts. “In a very short period of time, it turned the numbers around in a big way and probably had a pretty big impact on the overall security structure,” he said. “That’s not agency-specific. That’s actually a good example of how we can do this governmentwide.”
“Insider threat is the chief risk, so we need to do a better job of knowing who’s on our networks, who has access, especially privileged access, and better managing that,” another executive said. He added that it requires performing basic tasks such as deprovisioning users after they leave the organization.