Insight by DUO Security

Moving toward a smarter, stronger, more flexible approach to identity management

Few would argue that the pandemic was the killer app for identity management and the move toward zero trust.

With upwards of 85% of federal employees working remotely, the threat surface expanded, making identity and access management much more critical for agencies as they met their missions.

Over the course of the last 12 months, agencies have figured out how to issue smart identity cards using derived credentials. The General Services Administration and the Postal Service are entering into a second 90-day phase of their pilot to offer employees an alternative to going to an office or credentialing facility to obtain new or updated identity cards.

With the successes of the last 12 months in hand, agencies now need the policy that underpins them to catch up.

The National Institute of Standards and Technology is moving in that direction with an update to FIPS 201-3. The Office of Management and Budget updated its identity, credentialing and access management (ICAM) policy in 2019, emphasizing the need for each agency to have a single ICAM policy and to connect it to architectures, policies and standards.

All of these efforts are helping to unlock the potential of new and emerging approaches to authenticate users. And this also opens the door further to more advanced implementations of zero trust architectures and for agencies to take a more risk-based approach to cybersecurity.

Agencies need to continue to move toward a seamless and frictionless experience for employees and citizens, while also moving away from static policies and frameworks.

“We’ve got doctors overseas. We’ve got sensors. We’ve got internet of things coming. We’ve got so many technology devices. So we’ve got to be able to identify these, make sure that they can be trusted,” said Rob Hankinson, the acting director at the Office of Information Technology Infrastructure for the Department of State. “Not all of them can take a PKI-based credential loaded onto it. So having the flexibility to use other factors and multiple other factors and different attributes of that system to make a single decision on whether or not a device or a person, or anything at all, should be accessing the network and what privilege they have is going to be huge.”

NASA faces a similar challenge.

Rob Birchmeier, the identity, credential and access management lead at the Marshall Space Flight Center for NASA, said the space agency has to start issuing credentials that fit their customers’ needs better.

“The ability to have additional credentials available via policy is going to be really tremendous for us. The thing we’re struggling with right now is getting technology up to the level to be able to issue those because there’s a lot of upgrades we’ve got to go through because NASA is a little bit different than some of the other agencies,” he said. “We’re going on our own issuance. We don’t use the GSA Access Card. We actually issue our own. So we have to maintain all that infrastructure. We’re getting those upgrades in place so we can get those ready when policies are finalized. We can actually start issuing those additional credentials that will allow us to meet the needs of the customers and admissions better.”

Current Approach to Identity and Access Management

One thing that we have been seeing as more agencies push toward accelerating progress is they are making it easier for the public to engage in digital services. One thing coming out of the Social Security Administration is they are making it easier for their users to get accounts and be able to access things that otherwise they would have to call the person to do. For a number of agencies, GSA and the Postal Service, one of the things we recognized during the pandemic was that we needed to make sure that we were reducing exposure and risk to the public and the employees and contractors that work in the government.

Zero Trust and Identity and Access Management

In the last 10 years, we've been about building the strongest enterprise-grade authenticator we could, and we have strong identity binding of that authenticator to an individual. I think we've done that. When you look at how fast technology is moving and you look at how long physical smartcards have been the predominant authenticator in use in the federal government, that's a testament to how successful we've been about creating that authenticator. The next 10 years is going to be about smarter, stronger and more flexible authentication. As we've seen mobile devices becoming more secure, as we've seen the cryptographic chips and elements embedded on those devices gaining increasing security and sophistication, beginning to rival that of physical smart cards, as we've seen the needs of admission and the networks diversifying… we need to have more flexibility in the authenticators that we're leveraging as a part of that authentication workflow.

Zero Trust Pilot Programs

We have a challenge with getting real-time information at the speed of relevance that we require to really enable that zero trust framework. We're still really, really good at it, but to get to that kind of 100% level of agility that we're looking for, it requires us to focus on the front end of the identity management, from that initial establishment of the identity and how we can get those attributes downstream as quickly as possible. I think what we're seeing is there's not a one-size-fits-all type of answer here, especially in the department where we operate a lot of classified programs, and we have a lot of foreign partners that are attempting to access that data. So ensuring we have the identity correctly established and distributed on the front end is critical.

Panel of experts

  • Rob Hankinson

    Acting Director, Office of Information Technology Infrastructure, Department of State

  • Rob Birchmeier

    Identity, Credential, and Access Management Lead, Marshall Space Flight Center, NASA

  • Jordan Burris

    Chief of Staff, Office of the Federal CIO, Office of Management and Budget

  • Sam Yousef

    Deputy Director, Defense Manpower Data Center

  • Bryan Rosensteel

    Cyber Security Architect, Public Sector, Cisco

  • Jason Miller

    Executive Editor, Federal News Network