Agencies must use identity as a foundational element to zero trust

Date: On demand
Duration: 1 hour
Cost: No Fee

Agencies have been on an identity management journey since the late 1990s.

From efforts like the federal PKI bridge to e-authentication to PIV and CAC to biometrics and derived credentials, agencies have spent the last two decades trying to solve the identity and access management challenge.

So 17 years after the Office of Management and Budget issued Homeland Security Presidential Directive-12 (HSPD-12), which mandated the use...

READ MORE

Date: On demand
Duration: 1 hour
Cost: 
No Fee

Agencies have been on an identity management journey since the late 1990s.

From efforts like the federal PKI bridge to e-authentication to PIV and CAC to biometrics and derived credentials, agencies have spent the last two decades trying to solve the identity and access management challenge.

So 17 years after the Office of Management and Budget issued Homeland Security Presidential Directive-12 (HSPD-12), which mandated the use of smart identity cards, agencies continue to rely on these token-based cards, but they also may be standing in the way of the future.

The future of identity and access management includes no longer relying on authentication methods that solely use VPN technology. They must include newer approaches to authentication and validation that rely on cloud and other technologies.

This renewed focus on identity and access management isn’t by accident. ICAM is a key foundational piece of the Biden administration’s push toward zero trust.

Agencies also are learning that the application of zero trust isn’t just about people, but devices, endpoints and everything in between.

As agencies modernize their identity and access management as part of their zero trust journey, they must also keep their true end goal in mind–improving citizen services and mission effectiveness.

André Mendes, the chief information officer of the Department of Commerce, said he is consolidating 13 separate identity and access management systems across the agency.

“Some of them already on the right on the route to zero trust architecture, others not so far along, so one of the first initiatives that I brought to the table was to create one item solution for the entire department that would leverage the strengths of the solution deployed by one of our bureaus, NOAA, and then would allow us to have an integrated system that would be easier to maintain,” Mendes said during the panel discussion the Evolution of ICAM Strategy in a Hybrid World. “The concentration of efforts into one solution would allow us to have a higher, lowest common denominator across the entire department. Fortunately, all of the bureau CIOs were agreeable to that.”

The Energy Department is taking advantage of the risk-based approach the National Institute of Standards and Technology ushered in with special publication 800-63, which lets agencies move away from the old “one-size fits all” approach to identity and access management.

“With zero trust, we know it’s well beyond people, it’s devices, it’s data, so this is actually a fun time that a lot of us have built the foundation, if you will, and it’s kind of exciting now that we’re extending this past the traditional people based I can’t programs,” Ken Calabrese, the program manager for the ICAM program in the Office of the Energy Department’s chief information officer. “One of the things that we’re working on right now, and I would stress is another critical thing that we all have to do, is privileged access management. When we were on site, and everything was within the domain of the local area network, separating privileged from standard users was desirable. In our world now, in particular, with going to cloud computing, separation of privilege from standard users is critically important. So we’re beginning to take a serious look at how we will implement that throughout the department.”

Aubrey Turner, an executive advisor for Ping Identity, said Energy and Commerce’s move to consolidate and improve identity and access management is the key foundational element to zero trust.

“How do you get to zero trust without identity? I don’t know of a way that you get there. And if you’re saying how do you get to least privilege without identity and least privilege as part of zero trust, there’s just no way to get there without identity,” he said. “Essentially, at some point, all identities will be treated as either known or unknown, depending on which side of that coin you want to play on. You’re basically treating an identity as something that you have to verify.”

Sean McIntrye, the director of solution delivery for the Office of the Chief Information Officer at the Federal Aviation Administration, said his agency is looking at identity as the new perimeter for security.

“We want to collapse our perimeters. We’re going to rely on the identity piece of it. Micro services for us is a big deal because we’ve got a whole lot of applications that we need to develop that are custom developed for many different reasons, but also our move into the cloud to take advantage of the cloud services that are out there, we have to be able to marry it all into the same solution,” he said. “Identity is the first pillar of the DHS playbook for a reason. It just sets the stage for everything else.”

Jeremy Grant, the managing director of the technology business strategy at Venable and the former director of the National Strategy for Trusted Identities in Cyberspace at NIST, said the big reason identity and zero trust are getting so much more attention today is the way federal network and system architectures have evolved.

“Whether it’s cloud, whether it’s mobile as some of us are in real office and some of us are in home offices right now, identity is the one common denominator that you can use as a protection layer to actually figure out who’s actually trying to come into my systems, and what are they trying to do,” Grant said. “Is it who they say they are, or is it the proverbial dog on the internet? I think with zero trust, it really is an identity centric approach to security. There’s a lot of different definitions out there, but to me, it was when Google first talked about it publicly with their Beyond Core initiative about six years ago, where it said they were not going to try to build firewalls or perimeters anymore because we think that anything we keep in a corporate intranet is going to be just as vulnerable as what’s out there on the plain old fashioned internet. So let’s just put all our data out there in old fashioned internet but encrypt it. Then if you want to access it, it’s really tied to identity.”

Learning objectives:

  • The Evolution of ICAM Strategy
  • Zero Trust and ICAM Strategy
  • Balancing ICAM with a Broad Base of Customers

This program is sponsored by   

Complimentary Registration
Please register using the form on this page or call (202) 895-5023.

By providing your contact information to us, you agree: (i) to receive promotional and/or news alerts via email from Federal News Network and our third party partners, (ii) that we may share your information with our third party partners who provide products and services that may be of interest to you and (iii) that you are not located within the European Economic Area.

Panel of experts

  • Ken Calabrese

    Program Manager, ICAM Program, Office of the Chief Information Officer, Department of Energy

  • André Mendes

    Chief Information Officer, Department of Commerce

  • Jeremy Grant

    Managing Director, Technology Business Strategy, Venable

  • Sean McIntyre

    Director of Solution Delivery, Office of the Chief Information Officer, Federal Aviation Administration

  • Aubrey Turner

    Executive Advisor, Ping Identity