DISA’s Priorities for Identity, Credential and Access Management

This blog post is an excerpt from GovLoop’s recent guide “Your Guide to Identity and Access Management.” Download the full guide here.

Identity and access management standards have heightened over the years as agencies adapt to increasingly effective cyberattacks and breaches.

Brandon Iske, ICAM Lead at the Defense Information Systems Agency (DISA), has been in the IAM space for close to nine years, serving at DISA for all of that time. GovLoop spoke with Iske to pinpoint how the agency focuses on identity and access management issues and the agency’s future plans.

The responses below have been lightly edited for brevity and clarity.

GOVLOOP: What issues are currently top of mind for you as an identity, credential and access management (ICAM) professional in government?

ISKE: The Defense Department Criminal Investigative Service has identified ICAM as a top four cyber initiative. So top of mind for me are our efforts in partnership with Design Management and Builders Corporation and the National Security Agency to solve enterprise challenges for DoD. We have a couple of capability enhancements that we’re aiming to invest in and enhance that fall in the DISA [Defense Information Systems Agency] lane, like automated account management provisioning, with master use of record capabilities, as well as centralized authentication for central identity providers. Those are the efforts that I focus on.

GOVLOOP: I’m curious about your process for identifying those central priorities.

ISKE: Within DoD we have a senior-level forum. That is the official forum where over the last couple of years there have been entire team efforts across the services and agencies to define gaps in the identity space. So, most of the capabilities have been vetted through that senior leadership forum as top priorities, and then bubbled up as part of the DoD CIO’s [chief information officer’s] top 10 cyber initiatives.

GOVLOOP: What do you see as some of the current trends around how people talk about ICAM, how it’s being implemented and what challenges agencies face?

ISKE: I think DoD has an opportunity to enhance a lot of capabilities. We’ve been very focused on defense critical infrastructure and the common access part. You can look at programs like the CDM [Continuous Diagnostics and Mitigation] program in the Homeland Security Department, which has very specific investments and enhancements in the space. But my bottom line is that I think there is a lot of commercial capability out there that we just need to leverage and adopt.

A lot of our challenges aren’t always technology challenges; they often involve the business process. We have hundreds of financial systems and need to look at who should have access. Those aren’t IT problems; those are business problems. We have to work those business problems, and then have the technology to implement those separations and audit capabilities.

GOVLOOP: Why do you think ICAM is especially important now, with the rise of digital services and a push for more reliable self-service options for employees and citizens?

ISKE: I think it’s important. I think having a lot of applications in the cloud is a big driver. It’s a big disruptor to how we’ve done things traditionally. I think the new heightened attention to DoD’s financial audit has been a big driver as well. So we have a very high assurance authenticator that is our CAC [Common Access Card]. That has carried us quite far, for decades at this point. But I think there are additional commercial capabilities that help us streamline how we get access to systems. We rely today on a very painful or slow paper process, and so there’s a lot of opportunity to enhance that as everyone looks to automate, whether you look across industry or government.

GOVLOOP: How would you describe the maturity of policies and standards around ICAM and where do you think they’re headed?

ISKE: I would say the policies and standards are fairly mature; this is a pretty well-defined area. There’s a robust vendor marketplace for capabilities in this area, and it’s just really our strategy of how we’re going to implement and architect that from the department. One of the fundamentals that I’m really trying to drive toward is allowing local control of identity governance tools and automation, plus supporting publishing data and attributes up to the enterprise.

GOVLOOP: Finally, can you talk about ICAM as it relates to the everyday employee? What exactly does this mean for employees as they do their jobs?

ISKE: The best case I like to use to explain what we’re trying to do is an example from DISA. As we migrated to the new Time and Attendance system, we went through a process: Every employee had to go through an approval process to get access to the system.

From my perspective, if we take a data-centric approach to this, we already have authoritative data sources that know that I’m a DISA employee. Every employee is going to have access to Time and Attendance. There should be an automatic process to provision our accounts and establish those fundamentals.

But today we operate in a very decentralized fashion and rely on paper processes or maybe automated processes that are still based on the overall paper process. I think that leads to a delay in being able to accomplish or work on your mission. So, if I need to access some system, it might take me days, weeks, months to get that, depending on the people and the processes that it requires. But we’re trying to put capabilities in place that automate a lot of that, to the greatest extent possible, to provide near real-time access. Also, if I leave an organization, we want to make sure that my accounts are disabled or deleted in a timely and proper fashion.


Photo Credit: DISA
