
One Login for Gov? Security Experts Say It’s Possible

Tech giants have globe-trotted markets by offering convenience and synchronization. When people can send a request from their computer and receive the answer on their phone, that’s a hook. Or when there’s a single location for e-commerce, movies, music and books, customers gravitate to the digital bazaar.

Government isn’t quite there yet. Identity is fragmented, and even if an agency can manage sending a resident’s tax refund home, that’s not to say the housing authority will have an updated address.

COVID-19 has transformed how people prove they’re themselves in accessing government services and information. Many agencies and departments have developed their own online login pages for the first time, in lieu of in-person ID scans. All of this creates an opportunity: government’s own online, full-service superstore for its constituents and employees.

“One thing we’re focused on is identity across different boundaries,” said Lester Godsey, Chief Information Security Officer for Maricopa County, Arizona, during GovLoop’s Wednesday virtual summit.

Godsey leads all cybersecurity and data privacy initiatives for Maricopa County, and his job is to enable safe, secure technological innovation. This fantasy of a single login with access to multiple services isn’t so far-fetched, he says.

However, key security and data requirements stand in the way of a futuristic public service one-stop shop.

First, agencies must be on the same page with their data, Godsey said. Currently, agencies operate off multiple login screens, meaning the same customer will have separate accounts and disparate information. Consolidating these fields can’t be done in a day’s work.

Then, as agencies expand their online digital services, they necessarily carve out more entryways for malicious cybercriminals – a main reason why security teams have been so busy during the pandemic.

“Identity, most people think, begins and ends at a login page,” said Keith Casey, Product Marketing Manager at Okta, an identity and access management company that works with government.

But the single best time for hackers to attack a login screen is when the targeted constituent doesn’t even have an account yet, Casey said. In that case, the imposter can pose as the person and manipulate their information, creating a flow of data from themselves to the agency. Even if the pretender’s attempts to extract information are rebuffed, the real person is still caught in the crossfire, and their services may be disrupted.

So what’s there to do about that?

Step One is to standardize data management. Agencies need to track their different login screens, match fields and develop a clear strategy to aggregate information.

Step Two is to explore the idea of identity-as-a-service: a uniform, portable way of authenticating a login attempt for easy system access. Establishing identity-as-a-service disposes of login-screen infighting and data waste. And because each profile is attached to a single person, phony accounts will have a much tougher time posing as a real person.

“Take a holistic view of identity-as-a-service, and then identify what the angles are, what the gaps are,” Godsey said.

Maricopa County’s goal is to have a trustworthy, verifiable source of identity across agencies and, furthermore, across municipalities. Even looking beyond COVID-19 days, doing so would take them a step closer to being what Godsey calls a “digital county.”
