Everyone loves their downtime. However, what we don’t consider is the wasted time and productivity loss as we wait to get access to the things we need to do our jobs effectively. We’ve all experienced it before: as a user, we need to request access; that request is routed to the appropriate approver and, depending on whether that approver is available, it’s then routed to someone else; then the request is approved or not approved. The entire process is too lengthy and not seamless enough to navigate. In yesterday’s online training, “How to Develop An Effective Identity and Access Management Strategy,” expert panelists addressed user-experience and convenience factors when assessing an agency’s Identity and Access Management posture.
GovLoop’s Research Analyst, Hannah Moss, provided statistics on what is preventing agencies from securing their systems and ensuring users have the appropriate access privileges and verified passwords. Moss referenced GovLoop’s new report, “Transforming Agency Security with Identity & Access Management,” and shared that cybersecurity is a constant struggle. In this report, GovLoop surveyed over 250 public sector professionals and found that 80 percent of agencies require employees to use three or more authentications. What was most interesting about the findings was that budget, time and staff shortages were not the most common roadblocks for agencies creating and monitoring a holistic security system. In fact, it was the complexity of existing systems, platforms and authentication protocols, according to Moss. An Identity and Access Management (IAM) strategy eliminates these barriers by creating a single location and automating routine tasks.
Ashley Stevenson, Chief Architect of Identity, Credential and Access Management (ICAM) for the U.S. Department of Homeland Security, shared the challenges and solutions of the four foundations of IAM:
- Digital Identity: The bits that make a person or thing unique.
- Credentials: Binds key identity bits to a token that others trust.
- Authentication: Person identities use credentials to authenticate to applications.
- Authorization: Applications assess privileges to determine account authorization.
The challenges center on the user and a certain level of security. This is where the passwords written on sticky notes come into play. To solve this inappropriate and inflated access, agencies need to get stakeholder buy-in when developing an effective IAM strategy. Stevenson explained that every application is owned by a different organization with a different mission or focus. To get single sign-on integrated (a smart card or PIN that builds a chain of trust for users), agencies have to work with stakeholders and sell them on why more personalized access control and an audit trail are important, especially to the return on investment.
To figure out how to get stakeholder buy-in, agencies must first determine what IAM means to their organization. Dan Conrad, Identity and Access Management Specialist at Dell, explained what your “IAM umbrella” covers, including access governance, separation of duties and data governance. But whether your end user productivity centers around provisioning, single sign-on, multifactor, or privilege management, “don’t let the scope creep get you,” says Conrad. Keep focus, start small and see something through to completion in order to align your efforts with other IAM changes going on in your organization. Time is an important resource to manage when dealing with IAM projects. However, before you set an end date and get something done, involve your stakeholders, always! “If you don’t involve the stakeholders in your IAM project, the stakeholders will come for you and not in a good way,” shares Conrad.
Our training focused on many of the challenges to creating an effective identity and access management system. But all presenters agreed that it is of the utmost importance to get it right. The GovLoop report outlined three benefits of a centralized governance strategy:
- Personalized access control
- User audit trail
- Streamlined user access
And three benefits to an automated system:
- Alleviates IT staff burden
- Increases end user productivity
- Ensures ongoing compliance
These benefits, most importantly eliminating IT staff burden, are essential as government looks to do more on a budget while remaining secure.
To learn more about identity and access management, I encourage you to listen to the on-demand version of the training here, and don’t forget to download the new GovLoop report: Transforming Agency Security with Identity and Access Management.