This blog post is an excerpt from GovLoop’s recent guide “Your Guide to Identity and Access Management.” Download the full guide here.
Identity and access management (IAM) is not just about doing security to comply with government requirements. Instead, it’s a means to ensure the consistency and trustworthiness of government services, especially as digital options expand.
This expansion means that office walls no longer define agencies’ perimeters because employees are increasingly accessing resources and data remotely from various devices. In light of these and other changes, the Office of Management and Budget (OMB) issued updates to the federal government’s identity, credentials and access management (ICAM) policy in May 2019. Among other things, the policy calls on agencies to take a risk management approach to identity management and align with the National Institute of Standards and Technology (NIST) guidelines.
Gone are the days when simply adhering to a checklist of security mandates was enough to defend against online impersonators, fraudulent claims and other attacks. Agencies must understand the unique risks they face and use that information to decide which technologies and mitigation strategies can reduce them, according to NIST Special Publication 800-63 revision 3, which establishes digital identity guidelines for federal agencies.
The policy update also calls on agencies to shift from managing who has access inside and outside their perimeter to using identity as the foundation for managing risks resulting from attempts to access federal resources. Having stronger authentication methods in place requires malicious actors to have better capabilities and expend greater resources to successfully subvert the authentication process, according to NIST.
Following the massive Office of Personnel Management (OPM) breach in 2015, the Obama administration launched a 30-day cybersecurity sprint to assess and improve the health of federal information technology (IT). That decision set into motion an accelerated effort to ensure all users, especially privileged account holders such as system administrators, use personal identity verification (PIV) cards to access federal networks and systems.
Those efforts are still being felt today, according to Sabari Gupta, an IAM expert. Even if agencies are not fully compliant with the federal directive requiring PIV cards, they are prioritizing the use of these credentials for account holders who could do the most harm to the organization.
Why is IAM especially important now?
The number of digital transactions between the public and government agencies is rapidly increasing. Citizens can skip in-person visits, and with a few clicks or swipes, they can file taxes, apply for food assistance and renew a license.
Although the rapid expansion of digital services has given the federal government faster, more reliable operations and connections with the public, it has also shed light on IAM’s critical role in providing a seamless digital experience.
IAM is particularly important now as technologies such as cloud mature and older IT systems become obsolete. “A new set of challenges has emerged because information about individuals has become more widely available through social media and breaches of personally identifiable information (PII),” according to the OMB memo on ICAM. “Identity management has become even more critical to the federal government’s successful delivery of mission and business promises to the American public.”
Agencies must adopt identity validation solutions that enhance privacy and mitigate negative impacts on the delivery of digital services and maintenance of online trust.
How does IAM support IT modernization and other efforts?
As noted earlier in the guide, IAM underpins many government efforts, including conducting background investigations, managing access to federal IT assets on-premises and in the cloud, and deploying emerging technologies such as robotic process automation (RPA).
IAM allows for secure and frictionless information sharing with the right people at the right time, and this is especially important as more government services move to cloud-based models. To support the growing use of mobile technologies, OMB has made clear that agencies should use derived credentials, which provide strong authentication for mobile devices.
With the rise of automated tools that can take on identities of their own, agencies must be capable of managing digital identities for RPA tools and artificial intelligence (AI). For example, software bots can run unattended and work round-the-clock, meaning a person does not have to physically oversee all the work a bot is doing. This is great for productivity, but autonomous bots can raise security concerns.
That’s why OMB requires agencies to ensure that digital identities for automated tools are distinguishable, auditable and consistently managed across the agency. “This includes establishing mechanisms to bind, update, revoke and destroy credentials for the device or automated technology,” according to the memo.
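The credential lifecycle the memo describes, as an added example that is not code from GovLoop, OMB or NIST: a small Python registry gives each automated tool a distinct identity bound to a human owner, implements bind, update, revoke and destroy for its credential, and writes every change to an audit trail so the tool's actions stay distinguishable and auditable. The class name, bot ids and actor names are assumptions.

```python
# Added example, not GovLoop, OMB or NIST code: bind/update/revoke/destroy
# mechanisms plus an audit trail for bot identities. Names are assumptions.
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
class BotRegistry:
    def __init__(self):
        self._bots = {}      # bot_id -> {"owner", "cred_hash", "state"}
        self.audit_log = []  # (timestamp, action, bot_id, actor) per change

    @staticmethod
    def _hash(secret):  # store only a digest; the bot holds the secret itself
        return hashlib.sha256(secret.encode()).digest()

    def _record(self, action, bot_id, actor):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), action, bot_id, actor))

    def bind(self, bot_id, owner, actor):
        """Create a distinct identity, tied to a human owner, and issue its first secret."""
        if bot_id in self._bots:
            raise ValueError("identity already exists")
        secret = secrets.token_urlsafe(32)
        self._bots[bot_id] = {"owner": owner, "cred_hash": self._hash(secret), "state": "active"}
        self._record("bind", bot_id, actor)
        return secret

    def update(self, bot_id, actor):
        """Rotate the secret; the previous one stops working immediately."""
        bot = self._bots[bot_id]
        if bot["state"] != "active":
            raise ValueError("only active credentials can be rotated")
        secret = secrets.token_urlsafe(32)
        bot["cred_hash"] = self._hash(secret)
        self._record("update", bot_id, actor)
        return secret

    def revoke(self, bot_id, actor):  # disable, but keep the record and history
        self._bots[bot_id]["state"] = "revoked"
        self._record("revoke", bot_id, actor)

    def destroy(self, bot_id, actor):  # erase credential material, keep the log
        self._bots[bot_id].update(cred_hash=None, state="destroyed")
        self._record("destroy", bot_id, actor)

    def authenticate(self, bot_id, secret):
        bot = self._bots.get(bot_id)
        if not bot or bot["state"] != "active" or bot["cred_hash"] is None:
            return False
        return hmac.compare_digest(bot["cred_hash"], self._hash(secret))
```

A revoked or destroyed identity fails authentication even with the correct secret, while its audit entries remain, which is what makes the tool's history reviewable after the fact.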