How exactly can an agency secure data with an emphasis on identity and access management? A panel at IBM’s ThinkGov centered on this question.
The speakers included:
- Lisa MacDonald, Director of the Identity Capabilities Management Division, Office of Biometric Identity Management, Homeland Security Department (DHS)
- Joe Hamblin, Chief Technology Officer, IBM Security Federal
- Donna Dodson, Chief Cybersecurity Advisor, National Institute of Standards and Technology (NIST)
The panel was moderated by Dr. Shue-Jane Thompson, Vice President and Partner, Cyber and Biometric Service Line, IBM Global Business Services.
Thompson first asked about the common challenges of operating in a cloud-centric environment.
Hamblin pointed out that when an agency moves to the cloud, a lot of attention is devoted to how users can authenticate themselves and access resources. But there has been less thought about the different devices that people interact with and how to get someone to approve those devices for use. One challenge is that many agencies don’t have the infrastructure to support a federated model, Hamblin said.
The solutions to those challenges require unified action throughout the agency; the process of implementing solutions becomes inefficient and confusing if different parts of the agency go ahead with different solutions.
MacDonald pointed out the challenge of managing data in biometrics settings because of the sensitivity and irreplaceable nature of the data. “I think that’s something we have to be cautious about and really balance,” he said. “We have over 45 unique customer organizations.”
There are a lot of controls in place around who is able to see what data. Some of the questions that arise internally are who has the ability to change that data, how are we testing or monitoring that data and who has root access?
Thompson then posed the matter of dealing with rapid transformation in the digital world while also building trust in identity and access management.
From Dodson’s perspective, these are exciting times. The transformations that are happening all around us are opening up so many opportunities and innovations. “It all comes back to identity management,” she said. “While a lot of the discussion so far in identity management has been around the people side, we need to think also about the device side.”
Thompson emphasized the importance of looking into the next generation of threats and taking preventative measures based on those answers. She asked the panelists about the one thing they would do if they had the ability to accomplish anything in identity and access management.
MacDonald would develop a better framework for a risk-based approach to determine which identity attributes are appropriate to use and when.
Hamblin pointed out that agencies still do things manually; even though the technology is out there, the political side they have to contend with hampers development. He would better develop employee personas within a workplace or allow an employee to maintain one unified identity with different trackable personas. For example, if Jane Doe is an administrator who manages a certain workflow, she will have specific access to the services and data she needs to do her job. But when she logs into her email, she will revert back to being a traditional user and only have access to her information.
Dodson wanted strong authentication capabilities that would work well in the various environments that agencies use today, while also helping preserve privacy in the organization and allowing for easy user access.
“We have to look at the direction technology is going and make sure that we have strong identity management capabilities that can be used with the myriad of technologies that are here and that are on the way,” Dodson said.