Insight by Duo Security

Overcoming cybersecurity’s weakest link comes through better identity management

Federal cybersecurity is in the middle of a convergence. It’s not about defense in depth. It’s not about perimeter security. And it’s not about identity and access management.

Federal cybersecurity is converging around all of these concepts and much more.

The latest Federal Information Security Management Act (FISMA) report to Congress shows why this convergence is happening. Agencies faced more than 31,000 cyber attacks in 2018, with a strong majority coming from email and phishing. For the first time, agencies also faced impersonation or spoofing attacks, once again proving the ever-changing nature of how bad actors are trying to steal data and inflict pain.

At the same time, cybersecurity is converging around IT modernization with cloud smart, data center consolidation and other directives that are pushing agencies to move away from legacy systems and onto modern and secure platforms.

So as agencies move toward a hybrid cloud environment, managing, verifying and authenticating your employees’ identity becomes more critical than ever.

This is why concepts like zero trust are gaining steam in the government.

Earlier this year, the CIO Council and the Office of Management and Budget said they are working with the National Institute of Standards and Technology to assess the current state of technology that fits under a zero trust framework. OMB also is exploring other areas that may need policy updates to address zero trust concepts.

For a lot of agencies, this convergence of IT modernization and security started with identifying and protecting their high value assets, something DHS calls creating trust zones, and then ensuring systems have a clear boundary and an architecture that lets business owners control who is on the network or system.

DHS is one of a growing number of agencies that are exploring how to use IT modernization to not just improve security, but create those pieces that make up the concept of zero trust.

Sean Frazier, the advisory CISO for federal at Duo Security, said employee and citizen expectations are forcing this convergence and the changes where identity is at the center of the effort.

“We see customers moving toward a more risk-based approach and moving away from monolithic security technology,” he said. “We see people adopting zero trust, which has been around for a long time. It’s only really caught on because of the things being forced on us like mobility, cloud and soon to be 5G.”

Frazier said a new security model is necessary because agencies no longer control or manage data centers, networks and applications.

“The inevitable security model for that is something where you can work with what you can control, which is user access to that data,” he said. “It is a very risk-based approach function where you are not just going to trust something by virtue of the fact they got on the network. We used to talk about this thing called comply-to-connect. Comply-to-connect is dead. We are now doing comply-to-access.”

Exploring Cybersecurity's Weakest Link: Identity Management

We do have roles that are defined by the business. Those are modeled in our systems and those are associated with the data that they are authorized to use. And we also track the systems from which they can access those data points, and we can turn on or turn off those capabilities based on risk across the enterprise.

Identity Management and the Convergence with Modernization

The users are driving culture for end point access. If we were still sitting in a world where everyone was behind a desk on a desktop or had a laptop they could plug a personal identity verification (PIV) card into, we wouldn’t be sitting here having these conversations. But we don’t live in that world anymore. We live in a very different world and culture that’s forcing these changes in IT.

Zero Trust

Zero trust has really brought the spotlight on identity. It has made everybody and anybody think about it, be concerned about it and want more from it. In that sense, I think it’s been great from an identity perspective. What we are doing at DHS, it’s really a collaborative approach. We’ve collaborated with us as the implementation shop, our CTO office as the future of technology and what’s out there, and our Science and Technology directorate as the research and development branch working together to define those zero trust use cases, what do we want to explore and how do we want to tackle it.


Copyright © 2019 Federal News Network. All rights reserved.