In recent years, federal cybersecurity initiatives seem to have generated measurable security improvements. Yet there is a disconnect between progress on cybersecurity mandates and actual security itself.
Agencies have not fully implemented existing federal cyber mandates or initiatives, and the small percentage left undone may become government’s next big breach.
The 2015 cyber sprint focused heavily on areas of identity and access management (IAM), encouraging better practices and capturing measurable results. Federal agencies initially increased use of strong authentication for users, moving the needle from 42 percent to 72 percent.
This is great progress but leaves opportunities for bad actors through 28 percent of user accounts. Since the sprint, 94 percent of agencies report that their IAM efforts are improving, but a sizable two in three respondents admit there is still room for progress, according to a survey from One Identity.
IAM is not only essential to agency security; it is frequently the gap bad actors exploit. Most recently, Homeland Security Department (DHS) employee information was improperly exposed. When the threat is external, it only takes one user’s credentials in the hands of the wrong person to compromise an agency’s sensitive data. Any user credentials can ultimately endanger sensitive information when cyber criminals utilize escalation techniques and other creative approaches to access personally identifiable information (PII) or other confidential information.
Another area that requires completion is the authentication and management of privileged users — a pillar of IAM — focused on protecting super-user accounts. Privileged accounts were a focus of the cyber sprint, as access through one led to 2015’s Office of Personnel Management (OPM) breach. As a result of the sprint, agencies improved authentication for privileged users to close to 75 percent. Yet the most recent FISMA report shows that privileged user personal identity verification (PIV) implementation is still at 89 percent, creating a false sense of security.
Privileged account management can reduce both the risk and impact of a breach, if fully implemented. In many cases the gap in getting to 100 percent is cultural, attached to an understandable fear of relinquishing necessary super-user access. Yet the privileged users who still share that access ultimately create a closeable cyber gap. A least-privilege approach, one that provides access only to the information and functions users need to do their jobs, is essential.
For sensitive information and activities where full administrative rights are necessary, privileged users should be granted temporary access. This limits the time during which users can see that information and, if possible, the actions they can take on the system, while replacing the anonymity so many bad actors hide behind with individual accountability.
Full implementation and consideration of other identity and access management basics can also help. From changing admin passwords after each use to “vaulting” privileged credentials, simple actions can overcome the missteps often attributed to human error. More effective privileged password management is necessary to fully secure an agency.
The key to better security is easier than it seems, lying in the practices we already know and recommend. Agencies need to view unfinished cyber progress as what it is — a lack of security. With 85, 90, even 95 percent of users properly authenticated and managed, sensitive information will continue to be stolen. But by getting IAM completely right, agencies can ensure proactive defense against today’s sophisticated hackers.
Dan Conrad is the federal chief technology officer for One Identity.