date 2025-10-09

Risk-based decisions should drive ICAM capabilities whether on premise, in the cloud or in hybrid environments, says Ping Identity engineering leader.

When it comes to technology modernization and cybersecurity, some agencies are in danger of getting left behind.

The reason is simple, said Kelvin Brewer, director of public sector sales engineering at Ping Identity: legacy systems that aren’t capable of supporting modern identity, credential and access management (ICAM) capabilities.

Agencies carrying a large amount of technical debt will struggle to keep their systems and data secure and put their zero trust implementations at risk, Brewer said during Federal News Network’s Cyber Leaders Exchange 2025.

“All of that legacy stuff gets left behind and becomes a target for infiltration, for bad actors. If we’re truly going to be zero trust, one of the things that needs to happen is we need to keep supporting the legacy technologies that are probably still going to take a while to get replaced. Maybe some of the things will never get replaced,” he explained.

Why flexible identity service matters in government

The ICAM model must also adapt to the different missions across the federal government that in turn require a variety of technologies.

“There’s no way to standardize on one thing, like just software as a service,” Brewer said. “There’s no way to standardize on that and have a truly zero trust framework for an agency because a lot of agencies have many different departments that need multiple different types of identity solutions.”

He offered an example. Some parts of the Commerce Department have moved entirely to the cloud and can lean on using an identity management application that can integrate across all systems. But other parts of Commerce still require ICAM capabilities on premise and in the cloud. Still others will never be able to move systems into the cloud.

“One of the challenges with really getting to a place where you’re comfortable with your zero trust framework is having the ability to say, ‘We have a flexible identity solution to be able to meet all of our needs,’ ” he said.

Brewer recommended that agencies “get a solution that’s going to augment what they have already got because there’s serious technical debt that’s been put into an existing identity management solution that’s meeting the 70% to 80% of the use cases today. But there’s just that high exposure of those other use cases that it can’t do because it’s a legacy system.”

Why ICAM should use risk-based authentication decisions

Agencies usually have two choices: They can replace their legacy systems and move to a new ICAM system, or they can augment existing identity management capabilities.

Brewer said these challenges only increase when agencies are at the edge or in low-bandwidth environments.

“There are situations where we’re deployed out to a backpack, and the backpack itself has a really low bandwidth Wi-Fi antenna that the phone can connect to. They can then authenticate into the solution right on their phones and communicate with something that may be collecting intelligence data or doing something of that nature,” he said.

“There are use cases like that all over the place where you don’t want to be connected to the web, and what you’re trying to do is allow somebody on that tactical edge to be able to connect to a solution. But they need to authenticate in, and they need to then be provisioned the right access based on their role. You can’t just assume that just because they can log in, they should get access to anything.”

Brewer said all of these use cases come down to the simple idea of making risk-based decisions about how an ICAM system is implemented and which type of system to choose.

“We don’t want to over verify or over prompt for multifactor authentication or any of those things. What we want to do is be constantly checking risk, and that’s where these risk solutions can help,” he said.

“They’re so important because what they do is they look at the signals, including outside signals, and identify if the person who is coming in is the right person. We can check all sorts of signals, things like keystroke speed and things like that. We can do user event behavior analytics that allow us to see anomalies that then say this is an increased risk.”
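The two ideas in the passage above, scoring an authentication attempt from behavioral and outside signals so that multifactor prompts happen only when risk rises, and then granting access by role rather than by the mere fact of a successful login, can be shown in a small decision engine. The code below is an added illustration written for this page; it is not Ping Identity's product or Brewer's own code. The user names, baselines, signal weights and thresholds are constructed for the example, and the keystroke measure is a simple z-score of typing intervals against a per-user baseline standing in for a real behavior analytics model.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class LoginSignals:
    """Signals captured at the moment of one authentication attempt (constructed)."""
    user: str
    keystroke_ms: tuple        # inter-key intervals in ms while typing the credential
    geo: str                   # coarse request location
    device_known: bool         # device previously enrolled or seen for this user
    hour: int                  # local hour of day, 0-23
    threat_intel_hit: bool     # "outside signal": source address seen on a threat feed


@dataclass(frozen=True)
class UserBaseline:
    """Per-user behavioral baseline learned from prior successful logins (constructed)."""
    keystroke_mean: float
    keystroke_std: float
    usual_geos: frozenset
    usual_hours: frozenset


# Hypothetical user and baseline; real deployments learn these from login history.
BASELINES = {
    "analyst01": UserBaseline(120.0, 20.0, frozenset({"US-VA"}), frozenset(range(7, 19))),
}

# Role assignment and entitlements: authentication alone never grants these.
ROLES = {"analyst01": "analyst"}
ENTITLEMENTS = {
    "analyst": {"intel_feed:read", "reports:read"},
    "admin": {"intel_feed:read", "reports:read", "admin_console:write"},
}

# Score contribution per signal and decision thresholds (constructed tuning values).
WEIGHTS = {"keystroke": 30, "geo": 20, "device": 20, "hour": 10, "threat_intel": 40}
STEP_UP_AT, DENY_AT = 30, 70


def keystroke_zscore(signals, baseline):
    """How far this attempt's typing rhythm sits from the user's baseline, in std devs."""
    if not signals.keystroke_ms or baseline.keystroke_std == 0:
        return 0.0
    return (mean(signals.keystroke_ms) - baseline.keystroke_mean) / baseline.keystroke_std


def risk_score(signals, baseline):
    """Combine signals into a 0-100 score plus the reasons that contributed."""
    score, reasons = 0, []
    if abs(keystroke_zscore(signals, baseline)) > 3:
        score += WEIGHTS["keystroke"]; reasons.append("keystroke_anomaly")
    if signals.geo not in baseline.usual_geos:
        score += WEIGHTS["geo"]; reasons.append("unusual_location")
    if not signals.device_known:
        score += WEIGHTS["device"]; reasons.append("unknown_device")
    if signals.hour not in baseline.usual_hours:
        score += WEIGHTS["hour"]; reasons.append("off_hours")
    if signals.threat_intel_hit:
        score += WEIGHTS["threat_intel"]; reasons.append("threat_intel_hit")
    return min(score, 100), reasons


def decide(signals):
    """Return (decision, score, reasons): allow quietly, step up with MFA, or deny."""
    baseline = BASELINES.get(signals.user)
    if baseline is None:
        return "deny", 100, ["unknown_user"]
    score, reasons = risk_score(signals, baseline)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


def authorize(user, action):
    """Post-login check: a user gets only what their role is entitled to."""
    role = ROLES.get(user)
    return role is not None and action in ENTITLEMENTS.get(role, set())


if __name__ == "__main__":
    routine = LoginSignals("analyst01", (118, 122, 125, 115, 120), "US-VA", True, 10, False)
    travel = LoginSignals("analyst01", (118, 122, 125, 115, 120), "DE-BE", False, 10, False)
    print(decide(routine))   # low risk: no extra MFA prompt
    print(decide(travel))    # new location and device: step up before granting a session
    print(authorize("analyst01", "admin_console:write"))  # False even after a good login
```

The routine attempt scores zero and is allowed without an extra prompt, which is the "don't over-prompt" goal; a new device from a new location lands in the step-up band, and an attempt that also trips the keystroke baseline, an off-hours window and a threat-feed hit is denied outright. Keeping the reasons alongside the score is what makes the decision auditable in a SOC and tunable when a weight turns out to be noisy.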

