The evolution of identity, access management underpins the future of zero trust
December 16, 2021 2:28 pm
Date: On Demand
Duration: 1 hour
Cost: No Fee
Two things have become abundantly clear over the past few years. The first is that zero trust is more than a buzzword, as more and more public and private sector organizations move toward this mindset. The second is that identity and access management is not only back in vogue, but is a key foundational piece in moving toward the end goal of a zero trust environment.
Agencies have been trying to tighten up identity and access management (IDAM) for the better part of 15 years. Departments made significant progress after the breach suffered by the Office of Personnel Management in 2015. But it wasn’t until the pandemic that the value of, and need for, more advanced IDAM capabilities became more obvious.
It’s clear that agencies need to rethink their approach to identity and access management as part of their IT modernization strategy. Role-based, least-privilege and just-in-time access is the future for many organizations as applications and workloads move to the cloud and work in more of a DevSecOps ecosystem.
Their goal will be to bring all of the new and existing technologies together to ensure the citizen’s or employee’s experience is secure and effortless.
James Saunders, the senior advisor for cybersecurity at the Office of Personnel Management, said the move to zero trust actually begins with their move to the cloud.
“We’re now heavily leveraging the cloud, with the Cybersecurity and Infrastructure Security Agency’s draft zero trust maturity model and OMB’s draft memo. We are using that to actually draft our zero trust strategy and what we’re doing for each of the pillars identified in the maturity model: data, identity, device, network and application,” Saunders said during the panel discussion What role does identity play in zero trust? “We have a set of projects that help us move toward that optimum maturity model set forth by CISA. For example with data, one of the things that it calls us for is to have a data inventory and a data classification scheme. So we are partnering with our privacy team and our chief data officer team to figure out what solution, what processes and what people we will need to bring in to really help us accelerate and address that particular one pillar. Those same conversations are happening across all the zero trust pillars through our zero trust governance team.”
The OPM mission owners also are part of the zero trust governance teams to represent their needs and requirements as they modernize.
Dorothy Aronson, the chief information officer at the National Science Foundation, said that at her agency, zero trust underpins a host of other efforts around improving customer experience, modernizing the infrastructure and converging disparate and older systems.
“We don’t talk necessarily about zero trust, but we’ll talk about something that might impact them, for example, two-factor authentication is going to be required from here on. Our customers aren’t interested in necessarily whether there’s an OMB mandate to do that or not, they just want to do their work. We have been integrating the zero trust approach as we modernize everything else, it’s all one single integrated approach,” she said. “With zero trust, what we’re doing is really liberating. It’s the opposite of zero trust in my mind, which means there is no longer a central data center, there is no longer a single wall protecting everything. It’s rather you tell us who you are, and we give you what you need. So you can move outside of this small town, you can be wherever you want to be, as long as we know for sure who you are, that’s where this identity piece is absolutely critical.”
Kelvin Brewer, the senior manager for public sector presales at ForgeRock, said OPM, NSF and many other public sector agencies are considering how they can change their foundational framework to truly create a security perimeter.
“What we’re all trying to do with zero trust is we’re trying to standardize how we address the trust but verify model, and bring in some of the newer technologies and around identity, which is really now the new security perimeter,” he said. “It’s not a tall wall. It’s a pretty short wall, and it’s about the individual per person. But it’s still that identity is the new security perimeter. That’s where a lot of the groups that we’re working with are looking first at how do we truly create a security perimeter out of our identities. That’s the steps that seem to be the first effort in accomplishing zero trust out of all the pillars.”
Brewer said while each organization is taking a different approach to implement zero trust concepts, there are some similarities like simplifying their architectures and creating a seamless integration among applications.
Tim Li, the cyber strategy leader for the government and public services practice at Deloitte, said agencies need to understand their zero trust use cases as they create their roadmaps.
“Identity continues to stress new use cases. The pandemic drove digital transformation efforts and new citizen services. I look at citizens and the interaction of citizens with government and how that has changed operating ecosystems, I think that is something to think about as some of the new cases across the board,” Li said. “Some of these things didn’t exist in terms of interactions that we had before. Some of the ecosystems that we have today as well didn’t exist before, as I think about extended supply chains and some of the third party relationships all have evolved, which has necessitated us to rethink some of what these use cases might look like.”
Current Zero Trust Strategies
The Impact of Cloud on Zero Trust
Identity and Access Management