Identity is key to securing government systems. Yet many federal agencies still struggle to implement effective and comprehensive identity management.
During a recent GovLoop online training titled “Building an Identity-centric Security Foundation,” three government and industry experts discussed challenges around identity and described important first steps for agencies looking to elevate their approach to identity.
Here are three key takeaways from the event.
Start With an Inventory
To apply effective identity-based security controls, you first need to know what you’re protecting and from whom. That means taking stock not just of systems and data stores, but also of the people accessing those resources.
“You have to identify the different types of users,” said Frank Briguglio, Public Sector Chief Technology Officer at SailPoint, which provides identity-centric security solutions. Agencies need to assess the users of the system, and then align individuals with their needed levels of access, he said. “That allows us to build an access model.”
In support of a zero-trust approach to security, that model in turn should be tailored so that individuals have access only to the systems they need to do their jobs and the data they are entitled to see. “It all falls in line with that concept of identifying, and then protecting, and then detecting any anomalous access attempts,” he said.
Understand the Context
Identity requires comprehensive thinking. “It spans technology, user experience, privacy, security. There are even legal aspects to it,” said Kenneth Myers, Director of the Identity Assurance and Trusted Access Division in the U.S. General Services Administration Office of Government-wide Policy.
It’s important, too, to understand the ways in which identity is being applied as a means of access control across different user groups. “The context is very important,” Myers said.
For example, government may use similar tools to identify either employees or contractors, on the one hand, or citizens, on the other. But the aims of access control will be different in each case, he said. Understanding that context helps agencies to implement identity effectively, while supporting an appropriate user experience.
Use the Right Tools
Agencies have access today to a wide range of identity-management tools. That’s mostly a good thing. “I’m really excited about the flexibility that having these different models provides — that you don’t have to do everything the same way,” said Rebecca Nielsen, Specialist Leader, Risk and Financial Advisory, at Deloitte, a consulting firm.
But it’s important to ensure you’re using the right tools for a given requirement. She pointed, for example, to the use of a dynamic access model, one that can make real-time decisions about access on an individual level. If the rules around that tool are complicated, “it might make sense to keep that particular resource using a more traditional provisioning model.”
The point? “It’s really important to look at all of these things and think of them as tools in a toolbox,” Nielsen said. “Using the right tool for the right job…is really critical and something we should all pay attention to as we move forward.”