Insight by Okta

Zero trust driving DoD’s identity management evolution

DoD wants to work toward creating a digital identity for all 8 million of its customers—servicemembers, their families, contractors and civilian employees.

Agencies have been talking about identity credentialing and access management for more than two decades.

The Defense Department, in particular, has been ahead of most other agencies for much of the last 20 years. But the need to modernize its technology, its processes and how they are used is clear.

This is why DoD released a new identity, credential and access management (ICAM) strategy about a year ago that outlines seven strategic goals, including taking a data-centric approach, deploying shared services and enabling consistent monitoring and logging to support analytics.


Part of DoD's long-term goal is to create a continuous identity-as-a-service, using strong authentication tools on platforms like an iPhone or an Android device.

DoD, and really every agency, must build on the momentum to take full advantage of the convenience, security and flexibility of identity management tools and capabilities.

Sean Frazier, the federal chief security officer at Okta, said the common access card (CAC) was elegant and forward thinking 20 years ago. But today the digital threat landscape has changed and DoD, and really every agency, has to be able to prevent nation states and other sophisticated hackers from accessing systems and stealing their data.

“That’s why things like zero trust security, multifactor authentication and continuous risk evaluations for authentication are super important. DoD has to be vigilant and these authentications have to happen almost in real time, all the time. We don’t have the option to let down our guard at any point,” Frazier said on Modernizing Mission Security, sponsored by Okta. “That need really has enabled and accelerated this whole concept of authenticating to get access to things. It’s why zero trust has become so important. It really is the thing that meets the need of today.”

Tom Clancy, the former chief of identity solutions at the Office of the Department of Defense CIO, said the military must figure out how best to build on the high assurance and convenience of the CAC as it moves to the next generation ICAM architecture.

“As we look at enabling these new architectures and these capabilities that are going to get us to that military advantage, we need to figure out how to expand and extend those capabilities. We need to keep the same high level of assurance in the face of that near-peer cyber adversary,” Clancy said. “Doing that and sort of pivoting to strong identity providers that can federate identity, be interoperable and carry forward this broader ecosystem of high-quality, high-assurance authenticators. If we get that wrong, we can throw out the great assurance level we have with the CAC that went with the background investigation, the proofing, that chip with a private key that’s well protected. Those are really fundamental parts.”

Clancy said the new architectures must include federated identity management, interoperable credentials and approaches that fit into a broader technology ecosystem that includes cloud services and on-premises applications.

This is why concepts like zero trust are key to the future.

Frazier said that as DoD looks to consolidate its identity management infrastructure, it should take advantage of off-the-shelf technology that has strong security attributes and uses open-standards-based single sign-on capabilities.

“That is super critical because it both reduces the cost and reduces the friction on the user experience side,” he said.

Clancy added that the move toward mobility made using the CAC more difficult, and that the need to give allied and agency partners access is pushing DoD toward new ICAM strategies.

He pointed to the Defense Information Systems Agency’s efforts with Purebred, its derived-credential service for mobile devices, as an example of how DoD is evolving its identity management efforts.

“One of the core pillars of zero trust is that you don’t necessarily have access to the entire thing. Zero trust talks about landing on a network. So when you land on the network, you automatically don’t have access to all the stuff. But the same thing is true for ICAM. Just because you log in with a CAC doesn’t mean I have access to all this stuff. So what you’re really doing is you’re moving the perimeter from the CAC, you’re moving the perimeter from the network all the way down to the data layer,” Frazier said.


Authentication and Zero Trust

The CAC platform is the Cadillac of identity proofing and authentication. But the Cadillac comes at a cost. We have one mission partner that we work with that has 40 different systems that people have to log into, with 40 different passwords they have to remember. So consolidation of that by leveraging off-the-shelf technology with strong security, and being able to leverage what I consider open-standards-based single sign-on, is super critical, because it both reduces the cost and reduces the friction on the user experience side.


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
