The following is an excerpt from the whitepaper State and Local Government Cybersecurity and Compliance: The Importance of a Complete Identity and Access Management Strategy.
Social Security numbers, driver’s license records, health and tax information. These are the pieces of citizen data spread far and wide across both our state and federal governments. These records make up a blueprint of our lives, providing a traceable link that proves who we are. They are also priceless and, thus, highly valuable to a hacker.
Private Citizen Data at Stake
A breach at a state-level Department of Revenue a few years ago exposed roughly 3.6 million Social Security numbers, along with 387,000 credit and debit card numbers belonging to state taxpayers. The consequences of that breach are no doubt still being felt today. The resulting lawsuits and demand for state-sponsored identity protection services alone cost upwards of $25 million. And this is just one of many examples where a government agency’s sensitive data was targeted by a hacker.
Given the highly sensitive nature of this data, state and federal governments are increasingly devoting more budget dollars to evolving their IT infrastructure into a more security-oriented IT environment. Government IT professionals must face this evolution with security, scalability, cost efficiency and compliance with complex regulatory requirements at the forefront of their minds. This combination of requirements is a tough balancing act, particularly when IT budgets are constrained, as they often are in government agencies.
The silver lining underlying the string of cyberattacks targeting state and local government agencies is that it has commanded increased executive-level attention, fostering an environment favorable to cybersecurity progress. This is good news and shows progress.
Where does that leave government agencies in defining their path forward to better shore up their cybersecurity defenses today?
The Path Forward Lies in Identity
The slew of attacks targeting government agencies we’ve witnessed in recent years share one crucial commonality: identity as a threat vector. Launched by a diverse set of attackers with motivations spanning financial gain, activism, terrorism, thrill factor and political influence, the majority of attacks relied on weak identity controls for success.
Given the increased focus on identity as the threat vector du jour for hackers today, identity governance must serve as the foundation for effectively managing government cybersecurity challenges.
A holistic approach to securely managing access to sensitive information — one rooted in governance — allows state and local governments to reduce the extent to which compromised user access allows inappropriate entry into their applications and data. It also provides an integrated solution to several of the challenges that have historically stunted state and local cybersecurity maturity.
Properly implemented, a governance-based approach enables state IT officials to answer many critical questions around effectively managing access to sensitive data and applications, including: who has access to what, should they have that access and how are they using that access.
To account for specific budgetary, talent and infrastructure challenges associated with state-level cybersecurity maturity, state and local IT security chiefs must prioritize multi-purpose cybersecurity solutions. Strong identity and access management offers one such solution. By taking a holistic governance-based approach to identity — looking at authentication, authorization, administration, analysis and audit — agencies can close many of their most easily exploited holes while keeping costs low, reducing the burden on shrinking IT security staffs, and extending the lifecycle of legacy IT infrastructure.