4 speakers
Jan 22, 2025 2:00 p.m. ET
Identity and access management is the centerpiece of cybersecurity. Nearly every layer of the zero trust architecture depends on the identity pillar.
If an employee wants to get on the network, they need to verify and validate their identity. If they want to access an application, their identity carries the roles and responsibilities that determine whether they may use that software program.
While agencies have been focused on improving how they implement and manage identity, credential and access management (ICAM) for the last 20 years, the move to the cloud and the need to access data and applications at the edge are driving a host of new challenges.
Agency ICAM capabilities need to be flexible enough to work just as well at headquarters as they do at the edge in a low bandwidth environment, with new systems and legacy applications and with employees, contractors and other partners.
Brian Hermann, program executive officer for PEO Cyber at the Defense Information Systems Agency, said the use of automation and integration tools makes the management of identities much easier and more rigorous.
“The challenge that we have as we move to zero trust in total, of being able to enable application owners to adopt ICAM, means that we have to divide and conquer. We could facilitate the onboarding of all those applications across the department in a timely manner to get to our target where we’re trying to get to for the end of fiscal 2027, and so I think it’s okay to have a number of ICAM services,” Hermann said during the discussion “Modern ICAM Strategies: Real-time identity management across agencies, partners and at the tactical edge.”
“The key behind it is really the synchronization of data so that we all are based on the same identity, and then federation allows a user to access from their home an authentication site, a resource that is served by another identity provider in the department,” Hermann further explained. “Then, there is an assertion that is passed securely among the identity providers that we allow, so that is a necessary thing from a user perspective, but it’s also important to us as we think about what zero trust really is.”
DISA, which is one of several identity service providers to the entire Defense Department, is creating a standard architecture that all other ICAM services will follow. Once every ICAM provider meets that common architecture, then federation across applications and networks can occur, Hermann said.
“Federation that allows us to meet, to defend and determine exactly what standards are being upheld within each of our ICAM programs and then enable collaboration,” he said. “I know that our closest allies are not all on public key encryption functions for their users. A lot of them are still on username and password and multifactor authentication, and that’s probably OK. But we need to know what kind of trust we should have in them, what access they should have. So for me, federation is extremely important, not so much just for financial stuff, but to enable that experience and to allow mission applications to do what we need to do.”
While DISA must provide an approach for many military services and Defense agencies, the General Services Administration is focused only on its employees and industry partners.
Dovarius Peoples, deputy chief information officer at GSA, said through its zero trust implementation, the agency is moving away from a traditional perimeter-based security approach toward an architecture that verifies people and devices each time they try to access the network.
“We consider our users — as well as our business users, external users — customers as a use case. First, we looked at it from a use case perspective, and then we had to determine how to integrate those users from ICAM services. We cover our end users, our technicians, our mission partners, as well as the general public, but ICAM really is a foundational building block to zero trust, integrating from cloud to supply chain risk management,” Peoples said.
“We look at continuous monitoring as well as when we look at the authorization process. All of those things have been baked into the overall zero trust strategy within GSA that we’ve deployed. We have all of our accounts integrated from an identity standpoint, looking at it from one solution to be able to manage those various accounts through their individual lifecycles, to make it easier for the staff to access a lot of our mission critical capabilities.”
The challenge of integration throughout an employee or user’s lifecycle is a big focus for DISA too.
Hermann said the agency eventually has to expand and take advantage of human resources data across the entire DoD.
“Human resources data exists in multiple HR systems for every service. A lot of the Defense agencies and field activities have separate HR systems, so getting attributes has been one of our biggest challenges,” he said. “Fortunately for us, the Defense Manpower Data Center is a partner in that kind of triumvirate of ICAM capabilities in the Department of Defense, along with us and the National Security Agency. Together, we’re trying to work through that and enable us to get after all the use cases that we have to. But it has been a challenge, and you’ll see that in the metrics associated with who has adopted the automated account provisioning, that is primarily financial applications.”
Internet of Things and other connected devices like bots add another layer of complexity to the ICAM integration and automation effort.
Loren Russon, senior vice president of product and technology at Ping Identity, said agencies have to figure out how to treat devices that have nonhuman identities.
“They need to be treated as first-class citizens, so they need the same kind of onboarding, registration and verification. They need the same authorization. They need the same lifecycle management. They need the same thing as nonhumans,” Russon said. “That is definitely a common trend that we’re seeing. I also think that that conversation around onboarding — we call it zero day start and then there’s zero day stop — that zero day start has a birth right from these HR systems … where you can start to manage the lifecycle of the person or machines from zero day start to zero day stop.”
DISA and GSA both manage nonhuman entities in the same way they manage employees or partners.
GSA has been a leader in robotic process automation (RPA) for more than five years and has ensured that those software bots are put through the full identity lifecycle.
Hermann said DISA recently took over responsibility for the public key infrastructure from NSA.
“We’re operating that capability. That is a challenge for the department, both for IoT and for things like RPA. But to be able to limit and validate the things that can be done with an RPA, for example, based on an assured understanding of what that is supposed to be doing, not just what it’s capable of doing, it creates a healthy relationship and that’s key,” he said. “The object you are using to be able to authenticate, and the application of the resources consuming, needs to be managed. We need to ensure that the relationship is well understood, and then you manage the rights of what they can and can’t do.”
Russon said one of the best ways to manage people and devices, whether at a headquarters location or at the tactical edge, is through an identity control plane.
“That allows you to have a central way of defining policy and a central way of creating unique user journeys,” he said. “Considering an authentication flow for somebody in the enterprise is very different than somebody maybe on a tarmac trying to authenticate into a different safe environment. Those journeys need to be there, and then you need to have that single pane of glass for dashboarding. What’s going on in my environment, and how can I react to that?”