Insight by Okta

State’s Directorate of Defense Trade Controls pushed the ‘easy’ button for better identity management


The reason why we want to have the access management in one place is that even though we have separate applications, the roles and responsibilities within each of those applications, in our instance, are the same. We wouldn’t want to do this if there are differences in terms of what access a particular person would have in the system. In the registration system, everyone can have read-only access to it, and the licensing analysts and specialists would be able to establish comments on it or send a comment to industry.


Each individual defense company or university or company that we are dealing with, they are in the best position to determine who can see what, how they should see it and what role they should play. A lot of the complexity of user management for external users, we have pushed back out to industry.


We are at FISMA moderate, but for all of these cloud services and applications we are going to push them to high in 2020. We can inherit a lot of the controls from the cloud platforms if they are already at high. But there are a number of things that we have to make modifications to that can’t be inherited from the cloud providers. It’s a shared responsibility.

In many ways, State Department’s Directorate of Defense Trade Controls has accomplished what many believe is nirvana when it comes to identity credential and access management.

The Directorate of Defense Trade Controls has a single system that manages ICAM that ensures a roles-based approach for employee and contractor access to data.

“Those types of roles we have implemented are not in the individual applications which is normally the way we’ve done it,” said Karen Wrege, the chief information officer of the directorate, on Ask the CIO. “But we are doing it in the platform, in a single place so it makes it much less complicated and much more seamless to administer and make sure we have the right people looking at the right things.”

The Directorate of Defense Trade Controls has about 250 employees using the ICAM system today, which lets managers of the business units decide how much access their employees need.

“The reason why we want to have the access management in one place is that even though we have separate applications, the roles and responsibilities within each of those applications in our instances are the same,” Wrege said. “You wouldn’t want to do this if there were differences in terms of what access a particular person would have in a system. For example, in the registration system everybody can have read-only access to it and the licensing analysts and specialists would be able to establish comments or send a comment over to industry saying they need to do something. The more you can simplify this, the better you can manage who has access to what. What you really want is least privilege.”

Wrege said she wasn’t sure this approach to identity management would even work. But after an initial attempt to implement ICAM software on an application-by-application basis proved too difficult, she took the plunge into a strategy that focused on centralization.

“At first, I was a little suspicious. Is this actually going to work? So suspicious, as a matter of fact, that I really didn’t want to deploy this across the board. It wasn’t until I started to fail at trying to do it application by application–it was taking a long time, it was complicated and it was not very seamless–that I decided to change course,” she said. “I have been really happy with the results of it. It took me about a day and a half that this was the right thing for the mission.”

Wrege said moving to a centralized system for identity management helped the directorate overcome some of the challenges with legacy systems and created a single sign-on for employees.

At the same time, the directorate also is using a similar identity credential and access management system to ensure the 13,000 external businesses that work with the organization are who they say they are when they log onto State’s system.

Wrege said managing the roles and responsibilities of external customers, which include everyone from Lockheed Martin or Boeing to small firms that export a commercial part or serve as subcontractors, is more complicated, and as the directorate moved to the cloud it became a bigger challenge.

She said a key piece of the external ICAM effort is the use of digital certificates for each company.

The Directorate of Defense Trade Controls worked with Okta to incorporate the digital certificate into the company’s software.

“Each industry participant has a self-appointed corporate administrator. That corporate administrator is responsible for all the roles based permissions for their company,” Wrege said. “The corporate administrator goes into Okta and does the roles based permissions there.”
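The two design points Wrege describes above, a single role catalogue shared by every application and delegated corporate administrators who can only manage roles inside their own company, are illustrated by the following added example. It is illustrative code written for this page, not DDTC's system or Okta's product; the role names, permission strings, sample users and company names are all constructed assumptions, and the audit list stands in for whatever logging a real directory would emit.

```python
from dataclasses import dataclass, field

# Constructed role catalogue. Roles are defined once, centrally, and each role maps to
# permissions across several applications (here "registration" and "licensing"),
# mirroring the "everyone can read, analysts can comment" split described in the article.
ROLE_PERMISSIONS = {
    "industry_user":     {"registration:read", "licensing:read"},
    "licensing_analyst": {"registration:read", "licensing:read", "licensing:comment"},
    "corporate_admin":   {"registration:read", "licensing:read", "company:manage_roles"},
}

# Roles a delegated corporate administrator may hand out inside their own company.
# Government-side roles such as licensing_analyst are deliberately not delegable.
DELEGABLE_ROLES = {"industry_user", "corporate_admin"}


@dataclass
class User:
    username: str
    company: str                      # "government" for agency staff, otherwise the firm
    roles: set = field(default_factory=set)


class CentralDirectory:
    """Single place where role assignments live; applications only call is_allowed()."""

    def __init__(self):
        self.users = {}
        self.audit = []               # every grant attempt, allowed or denied, is recorded

    def add_user(self, user: User) -> None:
        self.users[user.username] = user

    def permissions(self, username: str) -> set:
        perms = set()
        for role in self.users[username].roles:
            perms |= ROLE_PERMISSIONS.get(role, set())   # an unknown role grants nothing
        return perms

    def is_allowed(self, username: str, permission: str) -> bool:
        return permission in self.permissions(username)

    def assign_role(self, actor: str, target: str, role: str) -> bool:
        """Delegated administration: `actor` may grant `role` to `target` only if the actor
        holds company:manage_roles, both users belong to the same company, and the role is
        one a corporate admin is permitted to delegate. Denials are logged, not silent."""
        a, t = self.users[actor], self.users[target]
        if not self.is_allowed(actor, "company:manage_roles"):
            reason = "actor lacks company:manage_roles"
        elif a.company != t.company:
            reason = f"cross-company grant ({a.company} -> {t.company})"
        elif role not in DELEGABLE_ROLES:
            reason = f"role {role} is not delegable"
        else:
            t.roles.add(role)
            self.audit.append(f"ALLOW {actor} granted {role} to {target}")
            return True
        self.audit.append(f"DENY {actor} -> {target} role={role}: {reason}")
        return False


def demo() -> CentralDirectory:
    """Constructed sample population; returns the directory so callers can inspect it."""
    d = CentralDirectory()
    d.add_user(User("analyst1", "government", {"licensing_analyst"}))
    d.add_user(User("admin@acme", "acme", {"corporate_admin"}))
    d.add_user(User("eng@acme", "acme"))
    d.add_user(User("eng@widgetco", "widgetco"))
    d.assign_role("admin@acme", "eng@acme", "industry_user")          # allowed
    d.assign_role("admin@acme", "eng@widgetco", "industry_user")      # denied: other company
    d.assign_role("admin@acme", "eng@acme", "licensing_analyst")      # denied: not delegable
    d.assign_role("eng@acme", "eng@acme", "corporate_admin")          # denied: no admin right
    return d


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The point of the three guards in assign_role is that delegation to industry does not widen what industry can grant: a corporate administrator scopes roles for their own firm and nothing else, and every refused attempt lands in the audit trail where it can be alerted on.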

The directorate must also have the digital certificate on its systems to create the “handshake” between the company and the government.

“I see our responsibility as building a system that allows the other side to do what they need to do. That was not inconsequential, even going down to the record level. That required us to do the programming to allow for that,” Wrege said. “But not having to build from scratch the user management role based piece and the two-factor authentication, I really feel like we just pushed the ‘easy’ button.”

The identity management effort also underpins the Defense Trade Controls directorate’s effort to put more applications in the cloud.

“I would consider the identity management solution the center of the wheel and we have a lot of different cloud platforms that we use. We are using ServiceNow for a lot of our IT service management and all kinds of internal requests. We also use it for self-service for our industry customers, and we have a lot of custom built applications in ServiceNow for some of the smaller requests that come in from industry,” she said. “We also use Boxx. A lot of these applications contain numerous attachments. By far, that is the largest piece of our dataset, a combination of technical data and all kinds of documents. We also use Tableau to do dashboards and reporting on all of our data. And when we have these custom apps that are in Microsoft Azure’s government cloud.”

She said having the identity management software connect the eight different applications that are or will soon be in the cloud proved valuable immediately.

“We have two data centers that house our eight applications so we will close those down, which is good for everybody,” Wrege said. “We are building the roadmap for 2020 and beyond.”

That roadmap includes initiatives around data cleansing and data governance to ensure the information is accurate and valuable.

“Imagine if a diplomat goes to visit a country, they may want to know how much was exported to that country. We want to make sure that data is correct,” she said. “One of our information collections might have multiple countries as beneficiaries of this license and we don’t know specifically the dollar amount that goes to each country. We want to equip them with those kinds of talking points because they are important in diplomacy, yet we have this problem in certain instances where there are five countries and there is a dollar amount and there is no easy way to figure out which country got how much.”

Copyright © 2020 Federal News Network. All rights reserved.