In order to protect your state or local government's most critical assets and deliver on your mission using information technology, you must first be able to trust that employees, partners and citizens are actually who they say they are.
To modernize systems while remaining secure, state and local governments are turning their attention to identity management, to ensure that critical organizational data can be accessed only by the right people, at the right time and for the right reasons.
But good identity management is easier said than done. At GovLoop’s recent State and Local Government Innovators Virtual Summit, Shantanu Gattani, Principal Product Manager of Identity and Information Protection at Symantec, and Joshua D. Spence, Chief Information Security Officer at the West Virginia Office of Technology, shared their tips and best practices for overcoming identity management challenges, and explained why it matters in state and local government.
With cloud, the Internet of Things and the rise of mobile connectivity, citizens’ demands for digital services only continue to increase. This means there are more digital profiles and identities to manage than ever before. At the same time, governments’ exposure to data breaches in this complex threat environment continues to grow. Most breaches begin not with a sophisticated exploit but with an attacker obtaining a legitimate user’s credentials: as of 2017, 81 percent of hacking-related breaches involved stolen or weak passwords.
Hackers are most interested in information tied to personal identities and finances, such as Social Security numbers. Breaches are also growing in size, becoming more sophisticated in their tactics and costlier for organizations to recover from. According to Symantec’s 2017 Internet Security Threat Report, more than 1.1 billion identities were exposed in 2016.
“Traditionally, government services have been provided by a brick and mortar facility with people standing in line,” Spence said. “But now, you have digital services that introduce concerns with identity management. With identity management, we need to focus on how we manage that interface between a human and a machine to validate who people are.”
This is because one of the weakest points in identity management is the human-chosen password, which gives attackers the easiest route into government data. “The data shows, threat actors are going to come in through the easiest possible way, and that way is usually passwords,” Spence said. “That’s where we have to dedicate our resources.”
Once an identity is lost or compromised, it is very difficult to recover. It can take agencies a long time to recover the affected data, absorb the financial losses and regain public trust. “Identity is one of the biggest frontiers today,” Gattani said. “Because it’s who we are online and it’s also what’s important to us.”
Traditional approaches to identity management ask users to register with a few basic identifying details. For example, to establish an identity with a website, you enter your first and last name and perhaps create a username and password. The problem with this approach is that the organization relies solely on the person’s own assertion about who they are. Gattani said this single-factor authentication approach doesn’t necessarily do enough in terms of security.
To compensate, organizations tried to make passwords harder. “In an effort to improve security, we tried to make it harder in identity verification,” Gattani said. “We made people change their passwords frequently or enter stronger passwords with numbers and symbols. But this only made it harder for users to remember their passwords, not harder for the hackers.”
“That means we’ve successfully trained everyone to use passwords that are hard for humans to remember but very easy for computers to guess,” Gattani added.
As state and local governments move in the digital direction, they need to be proactive in protecting their enterprises with stronger identity verification methods, as well as educating citizens on how best to protect themselves and their personal information. Agencies can improve their cyber posture by encouraging stronger passwords, adopting multi-factor authentication and building risk awareness.
“You need to understand your cyber risks, look at them from a risk severity perspective and engage the key stakeholders,” Spence said. “We also have a challenge with education and awareness of our citizens so there’s a level of responsibility that state governments hold in providing that education for digital services.”
At the enterprise level, it is imperative that agencies protect access to every enterprise asset, including access from smartphones and other mobile devices. Governments should support a range of authentication methods and verify a user’s identity before granting access to sensitive information. Multi-factor authentication should combine at least two independent kinds of factor: something you know (e.g. a username and password), something you have (e.g. a hardware token or a registered device), something you are (e.g. biometrics such as a fingerprint scan) and something you do (context and behavior, such as the device, location and time of a login). Two factors of the same kind, such as a password plus a security question, do not count: an attacker who phishes one can usually phish the other.
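As an added illustration (example code written for this article, not Symantec’s or West Virginia’s software), the following Python combines two of those factors for a login check: something you know, a password stored as a salted PBKDF2 hash, and something you have, a time-based one-time code (RFC 6238 TOTP) generated from a secret enrolled in an authenticator app. The in-memory user store, the user name and the password are constructed for the example; the TOTP secret is the RFC 6238 test-vector key, chosen so the codes can be checked against the published vectors. A real deployment would generate the secret with `os.urandom(20)`, keep it in a directory or database and rate-limit failed attempts.

```python
import base64
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable 2017-era work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Something you know: constant-time comparison against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Something you have: accept the current step and +/- `window` steps of clock drift."""
    current = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, current + drift), code)
        for drift in range(-window, window + 1)
    )


def enroll(users, username, password, totp_secret):
    """Register a user; returns the base32 secret that would be shown to the authenticator app."""
    salt, pw_hash = hash_password(password)
    users[username] = {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}
    return base64.b32encode(totp_secret).decode("ascii")


def authenticate(users, username, password, code, at_time):
    """Two-factor login: both the password and a fresh TOTP code must check out."""
    record = users.get(username)
    if record is None:
        # Burn a PBKDF2 computation anyway so unknown users cannot be told apart by timing.
        hash_password(password, b"\x00" * 16)
        return False
    if not verify_password(password, record["salt"], record["pw_hash"]):
        return False
    return verify_totp(record["totp_secret"], code, at_time)


def demo():
    """Constructed scenario: a valid login, a wrong password, and a stale one-time code."""
    users = {}
    secret = b"12345678901234567890"  # RFC 6238 test-vector key; use os.urandom(20) in practice
    enroll(users, "jdoe", "correct horse battery staple", secret)
    now = 59  # RFC 6238 vector: TOTP at t=59 is "287082"
    good = authenticate(users, "jdoe", "correct horse battery staple", totp(secret, now), now)
    bad_pw = authenticate(users, "jdoe", "password1", totp(secret, now), now)
    stale = authenticate(users, "jdoe", "correct horse battery staple", totp(secret, now), now + 600)
    return good, bad_pw, stale


if __name__ == "__main__":
    print(demo())
```

Note that a correct password with a stale or missing code fails in the same way as a wrong password; the caller learns only that the login was refused, not which factor failed.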
“Now organizations are starting to use machine learning to detect patterns of service utilization,” Gattani said. “You can validate someone’s identity with automatic monitoring of how often someone logs on to check their accounts, what device they’re using and detect any erratic behavior outside the norm.”
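Behavioral checking of the kind Gattani describes can begin with a simple baseline rather than a trained model. The Python below is an added example, not code from Symantec or the summit: it builds a profile of an account from its login history (devices seen, locations seen, usual hours, logins per day), scores a new attempt against that profile and maps the score to allow, step-up (demand a second factor) or deny. The login history, device identifiers, locations and the score weights are all constructed for the example; real deployments would tune the weights from observed data and feed the same signals to a learned model.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed login history for one account (synthetic, not real agency data):
# weekday logins from the same laptop, within the same state, during business hours.
HISTORY = [
    {"ts": "2017-11-06T08:05:00", "device": "laptop-7f3a", "geo": "US-WV"},
    {"ts": "2017-11-06T13:40:00", "device": "laptop-7f3a", "geo": "US-WV"},
    {"ts": "2017-11-07T08:12:00", "device": "laptop-7f3a", "geo": "US-WV"},
    {"ts": "2017-11-07T16:55:00", "device": "laptop-7f3a", "geo": "US-WV"},
    {"ts": "2017-11-08T08:01:00", "device": "laptop-7f3a", "geo": "US-WV"},
    {"ts": "2017-11-08T12:20:00", "device": "phone-c21d", "geo": "US-WV"},
    {"ts": "2017-11-09T09:30:00", "device": "laptop-7f3a", "geo": "US-WV"},
    {"ts": "2017-11-10T08:45:00", "device": "laptop-7f3a", "geo": "US-WV"},
]

# Assumed weights and thresholds; a real system would calibrate these from data.
W_DEVICE, W_GEO, W_HOUR, W_VELOCITY = 40, 30, 15, 35
STEP_UP_AT, DENY_AT = 30, 70


def parse(ts):
    return datetime.fromisoformat(ts)


def build_profile(events):
    """Baseline of what 'normal' looks like for this account."""
    days = {parse(e["ts"]).date() for e in events}
    return {
        "devices": Counter(e["device"] for e in events),
        "geos": Counter(e["geo"] for e in events),
        "hours": Counter(parse(e["ts"]).hour for e in events),
        "per_day": len(events) / max(len(days), 1),
    }


def score_login(profile, attempt, recent):
    """Additive risk score plus the reasons that contributed; 0 means it matches the baseline."""
    score, reasons = 0, []
    t = parse(attempt["ts"])
    if attempt["device"] not in profile["devices"]:
        score += W_DEVICE
        reasons.append("unknown device")
    if attempt["geo"] not in profile["geos"]:
        score += W_GEO
        reasons.append("unfamiliar location")
    if profile["hours"][t.hour] == 0:
        score += W_HOUR
        reasons.append("outside usual hours")
    # Velocity: logins in the preceding hour versus the account's typical daily rate.
    last_hour = [e for e in recent if timedelta(0) <= t - parse(e["ts"]) <= timedelta(hours=1)]
    if len(last_hour) > max(3, 2 * profile["per_day"]):
        score += W_VELOCITY
        reasons.append("%d logins in the last hour" % len(last_hour))
    return score, reasons


def decide(score):
    if score < STEP_UP_AT:
        return "allow"
    if score < DENY_AT:
        return "step_up"  # require a second factor before granting access
    return "deny"


def evaluate(attempt, history=HISTORY, recent=None):
    """Score one login attempt; `recent` is the attempt log used for the velocity check."""
    profile = build_profile(history)
    score, reasons = score_login(profile, attempt, history if recent is None else recent)
    return decide(score), score, reasons


if __name__ == "__main__":
    print(evaluate({"ts": "2017-11-13T08:10:00", "device": "laptop-7f3a", "geo": "US-WV"}))
    print(evaluate({"ts": "2017-11-13T03:00:00", "device": "unknown-9", "geo": "RO"}))
```

The reasons list matters as much as the score: an analyst reviewing a denied login, or a user asked for a second factor, needs to know whether it was the device, the location, the hour or a burst of attempts that tripped the check.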
As for citizens, it is up to us to be proactive: change passwords that may have been exposed, turn on multi-factor authentication for all social accounts and demand multi-factor authentication from service providers, government included.
Ultimately, identity management requires all stakeholders – state and local governments, IT staff and citizens alike – to be engaged in protecting data and personal information. As state and local governments look to modernize and digitize their services, they also need to look at their cyber posture from a risk management perspective. Additionally, it is up to governments to be proactive in identifying their vulnerabilities while helping users, internal and external, educate themselves on security best practices.