The 5 As: Elements of a Complete IAM Strategy for Federal Agencies

It’s funny how things change but they always remain the same. In security we’ve been talking about “the four As” for as long as I can remember. I was recently on a webinar with Jeremy Grant from the Chertoff group talking about the same topic – but this time if was 5 As. The essential extra A was Analysis. I personally really like the extra A. He’s a great addition to the team and someone we’ll no doubt be talking about another time.

But back to the point of this blog post. The reason for mentioning the new A wasn’t specifically to shine the light on the new guy, as it was to draw close attention to one of the other four – Authentication – and in doing so, make the statement that no A can save the day single handedly.

Case in point; in 2015 we saw hundreds of millions of records being stolen during breaches at Anthem and the Office of Personnel Management (OPM). A common thread among these breaches was the fact that valid credentials were used to access and exfiltrate the data. In the OPM case, the breach kicked off a series of new security initiatives across many federal government agencies. Multi-factor authentication (MFA) quickly became a mandated agency best practice and the adoption of PIV cards rocketed nicely.

Amidst this progress, however, it is important that agencies don’t simply check the two-factor authentication box with higher PIV card adoption and proclaim to have “solved” identity security. While authentication is a critical first A of the five, alone it is most certainly “necessary but insufficient” and most agencies need to be aware of the identity risks that exist far beyond basic authentication, be it via passwords or stronger means.

To truly address the full range of operational security risks inherent in today’s environment, agencies should take a holistic approach to identity security – one rooted in governance.

Governance-based approaches go beyond authentication, to address the full lifecycle of identity and access management highlighted by the other 4 A’s. One of Chertoff Group slides from our joint webinar says it all:

Five As IAM

It shows the five As and helps to highlight that when properly implemented, a governance-based approach enables agencies to answer a number of critical questions around identity security, including:

  • How is a credential provisioned?
  • How are users authorized to access data or resources?
  • How are those authorizations managed and updated as roles or attributes change?
  • How is access to privileged systems provisioned and managed?
  • Are Privileged Account Management (PAM) solutions tightly integrated with the rest of the IAM processes?
  • Are firm controls in place to prevent the creation of new “phantom” accounts?
  • How is access revoked when someone leaves an agency, ensuring that “orphan” accounts do not persist?
  • With a blended workforce of employees and contractors – some with PIV cards and some without, how is access and privilege consistently managed for all users?

A strong identity governance solution is capable of assigning risk and appropriately managing both employees and contractors, and is responsible for automatically flagging things like privilege escalation without proper authorization. A leading identity governance solution will use something like a risk score for all users, to help understand the lifecycle and the history of entitlements and privilege – something essential to the other 4 As.

In order to adopt a governance-based approach, agencies need to also focus on the provisioning lifecycle, detailed management of privileged accounts and users, and inventorying and managing access to unstructured data. A comprehensive identity governance solution helps secure the overall systems access lifecycle by addressing all three of these needs from a single centralized point of visibility and controls.

Only when strong authentication is deployed along-side the other four As, can we hope to offer a complete IAM strategy; one that can provide the controls and oversight required to establish the appropriate governance of employees, contractors, and system administrators as they onboard and offboard in our systems. A governance-based approach drives beyond authentication to address the full lifecycle of identity and access management, helping to manage accounts, and data wherever it lives.