Identity and access management is essential to modern cybersecurity. As agencies transform their IT environments through the adoption of cloud solutions, they need to ensure they can easily manage which users have access to which applications and data. Without that ability, transformation simply creates too many vulnerabilities.
The challenge is that cloud solutions extend applications and data outside the traditional network perimeter and security controls. The more cloud solutions that agencies adopt, the more challenging it is to manage that environment.
“As the cloud grows, so grows the need for pristine identity and access management,” said Michelle Tuggle, Principal Security Analyst, Security and Compliance at Okta, which provides cloud-based identity solutions. GovLoop recently spoke with Tuggle to discuss the role of identity and access management in federal agencies.
A commitment to privacy, security
Not only does Okta help agencies securely adopt cloud solutions, it also provides its solution through the cloud. As Tuggle said, “Okta was born in the cloud.” From the beginning, the company has made privacy and security its top priorities.
From a privacy perspective, Okta adheres to three fundamental principles:
- Customers own their data.
- Okta only uses their data to provide the service.
- Okta keeps its customers’ data safe and secure.
Okta employees can access customer data in one of two ways. First, customer support uses custom tooling that is protected by the Okta Identity System, with access limited to employees who require access to do their jobs and enforced using FedRAMP-compliant authentication.
Second, Okta’s operations team accesses customer data via a Secure Socket Layer virtual private network, with team members using an Okta-managed certificate placed on an Okta-managed endpoint, plus a physically separate FIPS 140-2 Level 1 validated hardware multifactor authentication token.
As a foundation of its security strategy, the company has made a firm commitment to the FedRAMP program.
Okta’s cloud platform is currently classified as a FedRAMP Moderate or Impact Level 2 (IL2), and is working towards getting its FedRAMP M+ classification (IL4). In the near future, the company expects to move to FedRAMP High (IL5).
Earlier this year, Okta was selected to work with the FedRAMP Joint Authorization Board (JAB) for a Provisional Authority to Operate (P-ATO) as part of the FedRAMP Connect initiative. The JAB prioritizes cloud service offerings based on government-wide demand to help meet government-wide mission needs.
Zero trust requires collaboration
Going forward, Okta looks forward to supporting agencies as they move to a zero trust architecture.
As part of zero trust, an agency applies security measures at the level of individual applications, data or systems, and verifies the identity and permission level of every end user or device requesting access. Obviously, identity is key to zero trust, but it is only part of the solution.
“Okta is focused on being a collaborative partner,” Tuggle said. “We know that from a zero trust perspective we can’t do this alone. It’s going to take several partners and several IT sections to come together to create some of these zero trust environments.”