The Power of Identity in the Federal Government Q&A

Our CTO, Darran Rolls, recently participated in a podcast with Federal News Radio on the topic of identity governance in the federal sector. While you can listen to the full podcast here, what follows is a shortened version, honing in on the power of identity in the Federal Government.

What makes identity governance a key factor in cybersecurity and in preventing data breaches?

You can’t manage what you can’t see. Identity governance provides strong administration, audit and oversight of who has access to systems, resources and data. Existing perimeter investments are no longer effective in today’s borderless environment, given that they are designed to identify and prevent malicious attackers from compromising the infrastructure, not to monitor and control what your users are doing.

This is why identity is so important today. It provides the visibility and control over all corporate applications whether they are in the cloud or on premises. It provides intelligence and awareness about who has access to which systems and what users are doing with that access. It provides the power and control to guarantee that only the right people are able to access specific information.

I’m an avid reader of forensic reporting, digging into the details of what really happened during a data breach. When you look at those reports, basic identity governance mistakes are typically at fault or in play. Weak passwords, orphaned accounts and inappropriate access are common in these situations. Orphaned accounts are incredibly common in the federal space, and these make for easy access that allows hackers to stay under the radar.

What does the word ‘hygiene’ mean in the context of identity?

In identity management, we frequently talk about a managed lifecycle – joiner, mover, leaver. This is the hygiene at play. It’s really just basic administration. In your job you have a set of access. When something has changed in your role, we need to adjust that access. Often a move is a complicated process, and if done incorrectly, we leave behind privileges someone shouldn’t have.

Edward Snowden didn’t have a ‘leave’ point, but he did have high-level privileges that he kept as he moved within the organization. He retained entitlements that he shouldn’t have retained, something we call entitlement creep. This is an example of insider threat, not a hacker. He was strongly authenticated but given the wrong access.

What does identity do that authentication doesn’t?

To be clear, strong authentication is a critical first step, but authentication is not enough. Authentication is binary. It’s a decision that’s made. You present a credential and I accept it or I don’t. Authentication is absolutely necessary but alone is wholly insufficient. Behind that initial authentication process sits the world of authorization. Managing the systems that provide authorization is what identity governance stands for. It’s the practice of understanding, controlling and auditing the myriad of ways we provide access to systems and data.

Academically we often talk about the five A’s of security and authentication is the first A. Behind that are: authorization (knowing who the person is), audit (having the ability to create oversight) analytics (visibility and investigation) and of course administration (managing all of the above). So there are lots of disciplines that sit beyond authorization and make it valid.

The DHS CDM program has put in place a procurement vehicle for government agencies to rapidly go beyond authentication and put in place the governance of access.

Can you give me a before and after snapshot of a federal customer?

I can offer one very specific use case. This agency was no stranger to identity management. They had focused on strong authentication for some time. They were trying to work with a legacy provisioning system and had spent five years and 10 million dollars but had only achieved minimal application coverage. They were still taking 4-5 weeks to give access to people, doing rubber stamp audits and had no self-service in place for password resets. It was a very immature security environment. After the first phase of their SailPoint deployment, in less than six months, they had expanded to 60 new systems, extended the scope of their PIV card coverage, and had introduced strong joiner, mover, leaver cycle controls. People were actually getting the right access the day they joined and automated HD actions were driving the suspension of all Access when things changed. They have also improved compliance around who had access to what and had vastly improved their overall security risk posture.

2017 is seeing a reset in Washington D.C. What advice do you have for the incoming administration?

One simple piece of advice – with the change in administration, maybe as many as 4000 people are changing roles and responsibilities. All of those people have accounts and access priveledges that must be updated or deleted. My advice is to be thorough in the management of this transition process. Are these people being given the right access? Are the outgoing people being fully removed from the data and access they have enjoyed for the last 8 years? This is a colossal identity governance problem. The joiner, mover, leaver cycle would be a huge focus for me. Where change happens is where vulnerability is introduced so I hope they have a good system in place to manage the process.

Federal organizations are under increased scrutiny over their cyber defense posture against foreign entities and insiders. Identity governance provides a foundation to ensure only the right people see the right information at the right time, regardless of how it’s accessed. Read more about federal identity governance.