This blog post is an excerpt from GovLoop’s recent guide “Your Guide to Identity and Access Management.”
One agency plays a critical role in creating guidelines for other agencies to follow in the realm of identity and access management (IAM).
The National Institute of Standards and Technology (NIST) establishes standards for information systems security across the federal government through a series of guidelines and best practices in NIST Special Publications. NIST views information system security from an internal standpoint, or how the federal government uses information systems, and an external perspective, in terms of responsibilities the government has to citizens.
“All of our information security deals with identity and access management, whether that is physical access management or logical, online access,” said David Temoshok, Senior Policy Adviser at NIST’s Trusted Identities Group. “We look at the context for that, for how we manage our information systems and access for our employees and other individuals who are privileged to access our systems.”
GovLoop interviewed Temoshok shortly before the federal government updated its IAM policy to learn more about how NIST addresses the issue across the federal sphere.
The responses below have been lightly edited for brevity and clarity.
GOVLOOP: What issues are top of mind for you as an IAM professional in government?
TEMOSHOK: First, in terms of security, we want to make sure that anyone accessing our resources is in fact who they claim to be. We manage our resources based on privileging who can access resources, and we make sure that we can identify those individuals and confirm or authenticate that they are who they claim to be.
The second factor that our security and access management is centered around is protecting information. We want to make sure that we protect the information that may be necessary in order to determine access. So, privacy and security go together as our top priority issues.
The third thing that I would say is key to us is usability. Security can make things difficult or complex for users, and we want to make sure that our IAM controls always consider usability, so that controls aren’t too complex for users.
What are some challenges that agencies face when implementing IAM?
The first would be dealing with the public. For federal agencies that deal with the public and want to move services from a paper-based process to an online process, like the Internal Revenue Service or the Department of Education or the Social Security Administration, they are all looking at providing online services in a secure way. If it’s necessary to know who you’re dealing with in an online service, and in most cases it is, it becomes necessary to have a legitimate way to prove the identity of that claimed individual.
Identity proofing remotely with the public is very challenging. It means being able to verify identity evidence, in the form of a driver’s license or another form of evidence, remotely. Let’s just call that assurance. And we recognize that there can be different levels of security or assurance that are needed for different types of transactions.
Again, the key issue for us is the privacy and the protection of personal information that we may collect. So, the challenge, as we try to move additional services online to allow the public access to federal services and transactions, is that we also need to be able to expand our capabilities to securely provide assurance that federal agencies are dealing with who the individuals claim to be. We call that authentication.
What do you think the current trends around IAM are in the federal space?
The trend that we are advancing to the federal government is to move from user ID, PIN and password to multifactor authentication, which involves using two forms or more to identify a user remotely.
I would give an example of those industry initiatives in the form of the specifications developed by the FIDO (Fast Identity Online) Alliance. Those provide for very secure cryptographic controls that are very user-friendly in a digitally accessible program. Those types of devices are commonly available on Amazon and through other outlets, and we encourage that type of use, both for internal use in the federal government, as well as for the public.
Can you talk about ID and access management in terms of the everyday employee? What do advances in this area mean for the way that they perform their jobs?
In terms of the everyday employee, a little bit of background is necessary. In 2004, the president signed HSPD-12, which required a secure badge and identification capability for physical and logical access for all federal employees. It was a common badge and common identifier, and wasn’t intended to be agency-specific, but governmentwide. We published the standard for that badge in 2005, called the Personal Identity Verification (PIV) Standards.
However, with the current workforce being mobile and agencies wanting to be able to have the same access as the PIV card, there’s a smart card that’s the size of a debit or credit card that has an RFID (radio-frequency identification) chip. Now all laptops and desktop computers have ports that allow these cards to be inserted and read. However, smartphones do not have a similar type of port for a card like that to be able to read the chip on the device.
It’s become very key for us to have both security and privacy for access control and to extend that capability to the federal user. There are many jobs in the federal government that require employees to be away from the duty station to fulfill their responsibilities. This allows them to gain access to their online applications and information in a way that is secure, usable and protects their information.