Insight by Okta

DoD Cloud Exchange: Okta’s Sean Frazier on importance of ICAM

A solid identity, credential and access management system is crucial to zero trust and to digital transformation in multicloud environments. Luckily, agencies a...

Cloud computing — already prevalent in the private sector — is a linchpin in the Defense Department’s efforts to modernize and become a more agile, digitally capable adversary to anyone that might challenge the United States.

What’s more, as new applications proliferate and operate throughout a hybrid cloud environment, having a sound approach to identity and access management has become increasingly critical, noted Sean Frazier, federal chief security officer at Okta.

The highly mobile nature of the U.S. military workforce, compounded by a civilian DoD workforce that’s become more hybrid with respect to telework and remote access, only adds to the urgency, Frazier said during Federal News Network’s second annual DoD Cloud Exchange.

“We need to think about how we move to a dynamic workforce where we can still enable the enterprise users to access things from anywhere, at any time,” he said. “Being able to build identity constructs and being able to build security around those constructs is super important.”

Access drives security conversation

In fact, Frazier said, solid identity, credential and access management (ICAM) is the fundamental requirement in building new digital systems.

“Nothing really happens until somebody or something asks for access to something,” he said. “That’s always an identity conversation, being able to prove that the person asking for access to the data is really that person.” That “person,” Frazier added, could be another application, such as an artificial intelligence program, or any of a myriad of nonhuman internet of things entities.

Two qualities, Frazier said, must exist in the architecture of an effective ICAM system:

  • Continuous vetting: That’s essential to account for the fact that people and things move around and access systems from different locations. It’s critical to continuously validate, at wire speed, the validity of each access request rather than trusting a single check at login.
  • Use of context in validating a request: The system has to validate access based on the environment, the user and the privileges involved — and get smarter at it over time. For example, does the IP location of the device match the normal location of the credential offered? Is the request coming from a known device or from the middle of Russia?
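The two qualities above (evaluating every request, and scoring it against context such as device, geolocation and the privilege being asked for) can be sketched as a small policy engine. The following is an added example written for this page; it is not Okta’s product code, and the risk weights, thresholds, resource names and the three sample requests are all constructed for illustration. It adds an impossible-travel check, which is one common way to compare a request’s location with the credential’s recent history.

```python
"""Context-aware, per-request access evaluation (illustrative policy engine).

Added example, not Okta's or DoD's code. Scoring weights, thresholds, resource
names and the sample requests below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class AccessRequest:
    user: str
    device_id: str
    ip_country: str          # country the source IP geolocates to (assumed input)
    lat: float               # geolocation of the source IP
    lon: float
    ts: datetime
    resource: str


@dataclass
class UserContext:
    home_country: str
    known_devices: set[str]  # devices enrolled for this credential
    # Last observed (lat, lon, time); updated on every evaluated request so the
    # check is continuous rather than a one-time login decision.
    last_fix: Optional[tuple[float, float, datetime]] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


MAX_PLAUSIBLE_KMH = 900.0            # faster than an airliner: treat as impossible travel
PRIVILEGED = {"/admin", "/finance"}  # hypothetical resources that always need step-up


def evaluate(req: AccessRequest, ctx: UserContext) -> tuple[str, list[str]]:
    """Score one request against the credential's context.

    Returns ("allow" | "step_up" | "deny", reasons). Weights are illustrative.
    """
    score, reasons = 0, []
    if req.device_id not in ctx.known_devices:
        score += 40
        reasons.append("unregistered device")
    if req.ip_country != ctx.home_country:
        score += 30
        reasons.append(f"source country {req.ip_country} != home {ctx.home_country}")
    if ctx.last_fix is not None:
        lat, lon, ts = ctx.last_fix
        hours = (req.ts - ts).total_seconds() / 3600
        km = haversine_km(lat, lon, req.lat, req.lon)
        # Ignore tiny moves and out-of-order timestamps; guard the division.
        if hours >= 0 and km > 50 and km / max(hours, 1 / 60) > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append("impossible travel")
    if req.resource in PRIVILEGED:
        score += 30
        reasons.append("privileged resource")
    ctx.last_fix = (req.lat, req.lon, req.ts)   # continuous: remember this request
    decision = "deny" if score >= 60 else "step_up" if score >= 30 else "allow"
    return decision, reasons


def run_demo() -> list[tuple[str, list[str]]]:
    """Three constructed requests for one credential, evaluated in sequence."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ctx = UserContext(home_country="US", known_devices={"laptop-01"})
    dc = (38.9, -77.0)          # Washington, DC
    moscow = (55.75, 37.6)      # Moscow
    requests = [
        AccessRequest("jdoe", "laptop-01", "US", *dc, t0, "/mail"),
        # Ten minutes later, unknown phone, Russian IP, asking for an admin path.
        AccessRequest("jdoe", "phone-99", "RU", *moscow, t0 + timedelta(minutes=10), "/admin"),
        # Next day, back on the enrolled laptop, still asking for a privileged path.
        AccessRequest("jdoe", "laptop-01", "US", *dc, t0 + timedelta(days=1), "/admin"),
    ]
    return [evaluate(r, ctx) for r in requests]


if __name__ == "__main__":
    for decision, why in run_demo():
        print(decision, why)
```

The first request is allowed outright, the second is denied on four independent signals, and the third is allowed only after step-up because a trusted device and location do not by themselves justify privileged access. The point of the structure is that `evaluate` runs on every request and feeds its own observations back into the context, which is what “continuous” means in practice.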

Facial recognition and other biometrics have proven reliable authentication factors, but they raise privacy concerns. Frazier said the approach taken by Apple and other device makers holds promise for DoD. Namely, store the biometric factor on the device and not in a database somewhere, so the biometric itself never traverses the network or sits in a central store; that element of validation stays on the device.

With cloud computing and digital transformation progressing hand in hand, DoD agencies should look to cloud-hosted ICAM solutions rather than building the capabilities themselves, he advised. A cloud-hosted ICAM, in which the vendor keeps applications and servers patched within the Federal Risk and Authorization Management Program (FedRAMP), is an important element in achieving a zero trust environment, Frazier said.

“We’ve been talking about the ‘what’ of zero trust for five or six years. Now, we need to focus on the ‘how,’ ” he said.

What that means is that DoD organizations (and many civilian agencies) aren’t starting their zero trust efforts from scratch, Frazier added. Because of that it makes sense for agencies to stand up tiger teams to assess where they are on their zero trust roadmaps and then build from there, he recommended.

To listen to and watch all the sessions from the 2022 Federal News Network DoD Cloud Exchange, go to the event page.

Copyright © 2024 Federal News Network. All rights reserved.