Page 32 - GCN, August/September 2018

Industry Insight
BY KEN DURBIN
What agencies need to know about access management
Identity has always been a critical component of online communications, even from the early days of America Online. That question has become more serious as the internet has matured, however. Agencies must ensure that the right people are accessing the right government resources at the right time and for the right reason.

Accordingly, the Office of Management and Budget recently released a draft policy for the implementation of identity, credential and access management (ICAM) at federal agencies.

At its core, effective ICAM comes down to one basic need: visibility. However, the way most agencies’ systems are structured hampers visibility.

Instead of building those systems according to a cohesive architecture, agencies reacted to urgent and immediate needs by integrating point product solutions.

Furthermore, they built their networks using different vendors’ technologies to fix specific problems, but those products were not created to work with one another.

Over time, those “fixes” contributed to an enterprise filled with blind spots and coverage gaps that hackers exploit. In other words, immediate needs outweighed longer-term goals, but now agencies find themselves paying for that approach.

They must take a holistic approach to cybersecurity that focuses on an end-to-end solution where the parts work together to create true visibility.
From the start, that strategy should include a comprehensive ICAM program that will improve agencies’ understanding of who is accessing their systems, as well as when, how and from where.

Government agencies should consider access management as a perimeter they must defend, and they should look for certain capabilities that can deliver secure access. They include:

• Passwordless intelligent authentication. Cloud applications with passwordless intelligent authentication can perform risk analysis and detect location-based anomalies, such as a credentialed employee based in Washington, D.C., who wants to access the network in the middle of the night from Albania.

• Data container apps. Agencies must protect and ensure compliance for data that might be moved or migrated from cloud-based applications onto mobile devices. To that end, they should use data containers that prevent anyone besides a credentialed user from accessing that data. The containerized data should also be protected by policies governing its use.

• Access control with integrated authentication. Agencies need access control systems that not only look at context-based data use, but can also use digital certificates under a managed public-key infrastructure to validate user access. Agencies can tap those tools to create a “step up” policy for web applications that require users to meet further security conditions after login in order to access additional features.

• Multifactor authentication. In addition to integrating authentication into access control systems, agencies must be able to positively identify a user via a dynamic second authentication factor. Verifying users with a wide range of multifactor authentication methods — such as responding to a prompt sent to their phones or using hard tokens or biometrics — can enforce access policies in on-premises and cloud environments.

Identity management is a major requirement for federal technology leaders, and OMB’s draft ICAM policy gives agencies tremendous guidance.

A secure and robust identity management structure can greatly reduce risks and help catch nefarious actors before they can enter the system. With an end-to-end ICAM program, federal agencies can ensure that only the right people access the right information at the right time.
— Ken Durbin is a senior strategist at Symantec Global Government Affairs.




































































