Insight by Okta

Expanded threat surface requires agencies to move toward higher levels of security

Agencies have been modernizing their infrastructures at an incredible pace over the last nine months, and it’s clear that identity management, especially through cloud services, has been key to that success.

But, as with anything, agencies can’t rest on their laurels. They have to keep innovating and continue to build an identity-centric model.

Sean Frazier, the federal chief security officer for Okta, said as agencies better understand their cyber risk profile, they will have to depend on more secure tools, including those that live in the cloud.

Frazier said for the Defense Department in particular, this means using identity and access management services that meet Impact Level 4 (IL4).

“What that means is, you have a higher number of security controls that we as cloud service providers have to pay attention to. So a lot of us in the cloud space start off with moderate because that’s a good place to start. And there’s about 300-plus controls that we’ve got to pay attention to. And then IL4 adds a certain number of controls on top of that for organizations and agencies who are more security focused and security conscious,” Frazier said on the discussion Accelerating DOD Missions with Identity and Access Management sponsored by Okta. “Then, if you look at the impact levels of FedRAMP, they move up to IL5 and IL6, but IL4 is really the meat and potatoes for the DoD community in order to deliver services to the armed services.”

But it’s not just the military services and agencies that need this added level of security. Frazier said the move to remote working expanded most agencies’ threat surface.

“As we look at the use cases that are driving modernization, we’re looking at those higher level controls that we have to pay attention to. They are looking at folks like Okta to be able to deliver our services and capabilities at those higher levels of controls, but everything is a risk-based decision. So there’s nothing that’s kind of set in the ground or set in stone for delivering security. Every agency has to look at the risk, it has to look at the services and the applications they’re delivering, and model those based upon that risk-based activity,” he said. “It’s actually built upon kind of layers of discussions we’ve had over a year. So least privilege, role-based access control, adaptive access control, because there might be an example where someone doesn’t need to modify this database unless he’s in a certain period of time where he has access, where he needs to add his input. We have to be able to take context into effect and be able to deliver that in an automated fashion. We can’t have people behind the scenes saying, ‘okay, I give you the access now, and I’m taking the access away,’ because what if you forget to take that access away, someone comes in, pretends to be you, and all of a sudden can manipulate that database. We need that to be automated. We need that to be kind of delivered in a least-privileged way. So that way, if there’s a point in time where you need to be able to do editing of data, we deliver it to you only when you need it, and we take it away when you don’t.”
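The time-boxed, automatically expiring access Frazier describes, as an added Python example that is not part of the original article or Okta's product: each grant carries a validity window and a device-context requirement, and every request is re-evaluated against the grants, so a forgotten manual revocation cannot leave editing rights behind. The policy model, role names and scenario values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy model constructed for this example (not Okta's product or API).
# Every condition is re-checked per request, so expiry never depends on someone
# remembering to revoke access by hand.
@dataclass(frozen=True)
class Grant:
    subject: str
    role: str                       # e.g. "db-editor"
    not_before: datetime
    not_after: datetime
    require_managed_device: bool = True

# Least privilege: each role maps to exactly the actions it needs on the table.
ROLE_ACTIONS = {"db-reader": {"read"}, "db-editor": {"read", "write"}}

def evaluate(grants, subject, action, now, managed_device, mfa_verified):
    """Return (allowed, reason) for one request against the current grants."""
    if not mfa_verified:
        return False, "mfa-required"
    for g in grants:
        if g.subject != subject:
            continue
        if not (g.not_before <= now < g.not_after):
            continue  # outside the approved window: the grant is inert
        if g.require_managed_device and not managed_device:
            continue  # context check fails: deny even inside the window
        if action in ROLE_ACTIONS.get(g.role, set()):
            return True, f"grant:{g.role}"
    return False, "no-active-grant"

def request_jit_edit(subject, approved_at, minutes=30):
    """Issue a time-boxed editor grant; it expires on its own."""
    return Grant(subject, "db-editor", approved_at, approved_at + timedelta(minutes=minutes))

def demo():
    """Constructed scenario: standing read access plus a 30-minute edit window from 09:00 UTC."""
    t0 = datetime(2021, 1, 15, 9, 0, tzinfo=timezone.utc)
    grants = [Grant("alice", "db-reader", t0 - timedelta(days=1), t0 + timedelta(days=1), False),
              request_jit_edit("alice", t0)]
    m = lambda k: t0 + timedelta(minutes=k)
    return {
        "write_in_window": evaluate(grants, "alice", "write", m(5), True, True),
        "write_after_window": evaluate(grants, "alice", "write", m(45), True, True),
        "write_unmanaged_device": evaluate(grants, "alice", "write", m(5), False, True),
        "read_after_window": evaluate(grants, "alice", "read", m(45), False, True),
        "write_other_subject": evaluate(grants, "bob", "write", m(5), True, True),
    }
```

Calling demo() shows the edit grant working at 09:05, silently inert at 09:45 and on an unmanaged device, while standing read access is unaffected.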

Frazier said this is part of how agencies need to move away from a “trust but verify” approach to one that is built around “never trust, always verify” for people, devices and data.

At the same time, however, agencies have to balance usability with the security approach.

“This is why we leverage the platform-based technologies that make it easy. Apple has done this at scale. I’m a big Apple fanboy, so I like to pick on Apple. But Apple’s done this at scale with Touch ID and Face ID: every time I log into my device, I’ve got to prove who I am with my face. But it happens very simply, just by me looking at the device. A couple seconds later, even less than a couple seconds later, I’ve got access to all my applications. So the balance is leveraging easy-to-use, user-focused technologies that strengthen the ability for us to apply that every single time,” Frazier said. “There are a lot of agencies that have been looking at adopting these modernized technologies. You don’t have to be Apple to recognize there are some really great off-the-shelf technologies that you can leverage as a government agency to be able to deliver your mission in a seamless way for your end users. That’s one of the things that, if you look at why people go work for private sector companies versus public sector organizations, a lot of it is that technology. They’re kind of used to using that best-of-breed technology and they want to bring their own device in and use Face ID or leverage the stronger technologies, but make it super easy for them to use. Agencies have been looking to adopt that model for years. I think that’s starting to accelerate now, especially when it’s tied into cloud infrastructure.”

Identity and access management in the cloud and balancing usability and security are part of the continued move to a zero trust architecture.

Frazier said whether it’s phishing or Security Assertion Markup Language (SAML) hijacking, agencies need to be prepared to address the ever-growing and ever-changing threats.

“Those things are why we have to apply zero trust principles to protect us,” he said. “We need to keep putting the foot on the accelerator for zero trust. We need to build that in as you’re looking at technology, modernization capabilities and digital transformation. Cybersecurity can’t be this other thing way over here, they’ve got to be tied together. They are two halves of the same coin. If you’re thinking about delivering services, you’ve got to think about cyber.”


Featured speakers

  • Sean Frazier

    Federal Chief Security Officer, Okta

  • Jason Miller

    Executive Editor, Federal News Network
