How to Operationalize Identity and Access Management
When it comes to cybersecurity, the network perimeter is dead. Today's perimeter is wherever your employees are: on their smartphones and tablets, in the cloud and in their homes.
The Office of Management and Budget's 2019 rewrite of the federal identity management policy (memorandum M-19-17) devotes an entire section to moving security beyond the perimeter.
It says agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems. To ignite adoption of this new mindset around identity, credential and access management (ICAM) capability deployment across the federal government, each agency must harmonize its enterprisewide approach to governance, architecture and acquisition.
The policy goes on to address each of these areas, calling for every agency to adopt a single, standard identity and access management policy, to take a risk-based approach in deciding how to apply ICAM, and to use commercially available products and open standards.
While the policy laid the foundation, the coronavirus pandemic is serving as the “a-ha” moment to illuminate why identity and access management is so important.
With the attack surface growing because of remote workers and the expansion of digital services, agencies must consider the elements of a zero trust architecture: ICAM, access standards based on trust algorithms, automated policy decisions and continuous monitoring.
Through the continuous diagnostics and mitigation (CDM) program, agencies have been bringing all these concepts together to better protect data and systems. And Frank Briguglio, the global public sector strategist for SailPoint, said now that CDM has set the foundation, it’s time for agencies to take the next step to make identity management more central to securing data and systems through a zero trust framework.
“Operationalizing the identity becomes critically important,” he said on Innovation in Government. “Identity is being considered now as one of the stronger pillars to meet the zero trust model. The amount of metadata we are gathering about identities, we can then start building context and context can be viewed not only from what someone is doing with their access, but should they have access? Do we have all the checks and balances met for a privileged user or even a user of a high-valued system?”
The recognition of the importance of identity to security may not be a new concept for most agencies and companies, but it’s one they didn’t always get right.
Morey Haber, the chief technology officer and chief information security officer at BeyondTrust, said too often agencies focused on accounts to determine access and roles.
“Think of the human or machine identity and map that to all of the accounts and then decide on the privileges, the access, the roles, the personas and then link that together,” he said. “As a CISO, one of the hardest things that I have and my peers have is actually building that map, understanding all of the places where you have an account, where you may have access to it, even if it’s shared, which is not a security best practice, or if you are an owner of the account and the privileges assigned to it. One of the best things you can do is to limit the number of accounts, only provide one…so that when you have to report on an identity’s access you are minimizing the amount of account relationships and potential aliases to get a coherent perspective of what is really going on.”
Haber said an account can be a username, an email address or any of a number of other ways to authenticate to a system or application, which is why agencies need tools that manage identities rather than just accounts.
Agencies can move to that approach by first taking an inventory of their identities, so they know how many there are and which employees are behind them.
“As surprising as it sounds, human resources or even your expense systems have great inventories of what people are purchasing or expense reports that they may have to get you to at least top level of what that identity is, and then you can use other tools to drill down to accounts and the associated pieces,” Haber said.
Briguglio added agencies are starting to take identity inventories and are realizing they may not have considered all the ways employees can get on the network.
“It’s not just tying back to a single source to define your identities, but it’s all your sources,” he said. “As we get into the federated model, it gets even more challenging because it may not be an authoritative source that we are necessarily looking at, but it may be a relationship we are looking at to get folks in the door.”
The focus on identity management gained more importance than ever as many agencies moved a majority of their employees into a remote work environment.
Briguglio said with the maturity of CDM, the move to the cloud and now the surge in telework, agencies finally are realizing that identity is more than just a smart card under Homeland Security Presidential Directive-12 (HSPD-12).
“They are realizing that the access management methodologies are different for different classes of users. They are realizing that they need the automation and efficiencies to reduce the footprint of overexposed accounts and entitlement creep,” he said. “These were things that were hard before. They have the platforms now to do this and it really is the time to take advantage of what they have done over the last couple of years through CDM, through asset discovery, through the identity master user record and tie them together to build that governance model.”
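A minimal version of the correlation Haber and Briguglio describe above (the identity-to-account map, built from an authoritative HR record and several non-authoritative account sources, with the overexposed accounts and entitlement creep reported as exceptions), added here as an example; it is not code from the article or from SailPoint's or BeyondTrust's products. HR is treated as the authoritative source, account exports from three sources are correlated back to it by email or employee id, and the report flags orphaned accounts with no identity behind them, shared accounts, accounts of leavers still enabled, privileged accounts held outside a privileged role, and identities with more accounts than a set limit. The sample records, source and field names, the role policy and the per-identity account limit are all constructed assumptions.

```python
"""Correlate accounts from several sources back to a master identity record.

Added example; this is not code from the article or from SailPoint or
BeyondTrust. The HR feed, the account exports, the source and field names,
the role policy and the account limit below are all constructed assumptions.
"""
from collections import defaultdict

# Authoritative source: HR master user records (constructed sample data).
HR = [
    {"emp_id": "E100", "name": "Ana Ruiz",  "email": "ana.ruiz@agency.example",  "status": "active",     "role": "dba"},
    {"emp_id": "E101", "name": "Bo Chen",   "email": "bo.chen@agency.example",   "status": "active",     "role": "analyst"},
    {"emp_id": "E102", "name": "Cy Okafor", "email": "cy.okafor@agency.example", "status": "terminated", "role": "analyst"},
]

# Non-authoritative sources. Each identifies the owner differently: AD by mail
# attribute, cloud IAM by an employee-id tag, Linux hosts by a comment field
# that may list several people for a shared login (constructed sample data).
ACCOUNTS = [
    {"source": "ad",    "account": "aruiz",      "owners": ["ana.ruiz@agency.example"],  "privileged": True,  "enabled": True},
    {"source": "ad",    "account": "bchen",      "owners": ["bo.chen@agency.example"],   "privileged": False, "enabled": True},
    {"source": "ad",    "account": "cokafor",    "owners": ["cy.okafor@agency.example"], "privileged": False, "enabled": True},
    {"source": "ad",    "account": "svc-backup", "owners": [],                           "privileged": True,  "enabled": True},
    {"source": "aws",   "account": "ana.ruiz",   "owners": ["E100"],                     "privileged": True,  "enabled": True},
    {"source": "aws",   "account": "bo.chen",    "owners": ["E101"],                     "privileged": True,  "enabled": True},
    {"source": "linux", "account": "dbadmin",    "owners": ["ana.ruiz@agency.example"],  "privileged": True,  "enabled": True},
    {"source": "linux", "account": "ops-shared", "owners": ["E100", "E101"],             "privileged": True,  "enabled": True},
]

PRIVILEGED_ROLES = {"dba"}        # assumed policy: only DBAs hold privileged accounts
MAX_ACCOUNTS_PER_IDENTITY = 3     # assumed threshold for flagging account sprawl


def index_identities(hr):
    """Index the authoritative records by every key an account source might carry."""
    index = {}
    for rec in hr:
        index[rec["email"].lower()] = rec
        index[rec["emp_id"].lower()] = rec
    return index


def correlate(hr, accounts):
    """Return (identity -> accounts, findings): the identity map plus its exceptions."""
    index = index_identities(hr)
    identity_map = defaultdict(list)
    findings = []
    for acct in accounts:
        label = (acct["source"], acct["account"])
        owners = {index[o.lower()]["emp_id"] for o in acct["owners"] if o.lower() in index}
        for emp in owners:
            identity_map[emp].append(label)
        if not owners:
            findings.append(("orphaned",) + label)         # no identity stands behind it
            continue
        if len(owners) > 1:
            findings.append(("shared",) + label)           # several people, one credential
            continue
        rec = index[next(iter(owners)).lower()]
        if rec["status"] != "active" and acct["enabled"]:
            findings.append(("stale",) + label)            # leaver still has a live account
        elif acct["privileged"] and rec["role"] not in PRIVILEGED_ROLES:
            findings.append(("over-privileged",) + label)  # entitlement beyond the role
    for emp, accts in identity_map.items():
        if len(accts) > MAX_ACCOUNTS_PER_IDENTITY:
            findings.append(("account-sprawl", emp, f"{len(accts)} accounts"))
    return dict(identity_map), sorted(findings)


if __name__ == "__main__":
    identity_map, findings = correlate(HR, ACCOUNTS)
    for emp, accts in sorted(identity_map.items()):
        print(emp, "->", ", ".join(f"{src}:{name}" for src, name in accts))
    for finding in findings:
        print("FINDING", *finding)
```

In a real deployment the two lists come from the HR feed and from connector exports, and the lookup keys are whatever each source actually stores (mail attribute, tag, GECOS field); the structure of the report, one line per identity and a separate exception list, is the part worth keeping.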
Haber added that once agencies get the inventories and authoritative sources in place, they still must deal with machine or automation accounts that may have broad and unfettered access to the network.
He said those types of accounts are how hackers move laterally across networks and cause real damage.
“When you are doing this identity management and privileges an account has, you have to consider zero trust, each asset you are connecting to should be unique and have a unique set of credentials to do something like a credential scan or patch management where there is no agent,” Haber said. “Also in the context of ‘just in time’ you do not have to have these identities and their associated accounts present all the time. They should be available when change control or assigned to and then removed operationally or disabled when they are not. That is really critical to automation. If they are on all the time, then a threat actor can basically use automation machines to compromise a federal network because they are not being monitored, typically, the same way.”
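The two controls Haber describes for automation accounts, a unique credential per asset and just-in-time enablement tied to a change, as an added example that is not taken from the article or from BeyondTrust's products. The vault class, the "CHG-" change-ticket convention, the 30-minute window and the host names are assumptions made for illustration; the point shown is that a credential lifted from one host does not validate on another even while both are enabled, and that outside the change window the account is not usable at all rather than merely idle.

```python
"""Just-in-time, per-asset credentials for an automation account.

Added example; not code from the article or from BeyondTrust. The vault,
the "CHG-" change-ticket convention, the 30-minute window and the host
names are assumptions made for illustration.
"""
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class JitCredentialVault:
    """One secret per (account, asset), usable only while a change lease is live."""

    def __init__(self):
        self._secrets = {}   # (account, asset) -> secret bytes
        self._leases = {}    # (account, asset) -> lease expiry (UTC datetime)
        self.audit = []      # (timestamp, event, account, asset, ticket)

    def enroll(self, account, asset):
        """Each asset gets its own secret, so one lifted credential opens one host."""
        self._secrets[(account, asset)] = secrets.token_bytes(32)

    def checkout(self, account, asset, ticket, now, ttl=timedelta(minutes=30)):
        """Enable the account on one asset for an approved change; returns its secret."""
        if not ticket.startswith("CHG-"):           # assumed ticket convention
            raise PermissionError("no approved change ticket")
        key = (account, asset)
        if key not in self._secrets:
            raise KeyError(f"{account} is not enrolled on {asset}")
        self._leases[key] = now + ttl
        self.audit.append((now, "checkout", account, asset, ticket))
        return self._secrets[key]

    def is_enabled(self, account, asset, now):
        """Outside a lease the account is disabled, not merely unused."""
        expiry = self._leases.get((account, asset))
        return expiry is not None and now < expiry

    def verify(self, account, asset, presented, now):
        """What the target asset checks: a live lease and the secret minted for this asset."""
        if not self.is_enabled(account, asset, now):
            return False
        return hmac.compare_digest(self._secrets[(account, asset)], presented)

    def sweep(self, now):
        """Run from a scheduler: remove expired leases and record the disable."""
        expired = [k for k, exp in self._leases.items() if now >= exp]
        for account, asset in expired:
            del self._leases[(account, asset)]
            self.audit.append((now, "disabled", account, asset, None))
        return len(expired)


def demo():
    """Walk an automation account through a change window and return what each check saw."""
    vault = JitCredentialVault()
    for host in ("db01", "db02"):
        vault.enroll("svc-patch", host)
    t0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
    cred_db01 = vault.checkout("svc-patch", "db01", "CHG-4711", now=t0)
    vault.checkout("svc-patch", "db02", "CHG-4711", now=t0)
    results = {
        "db01_in_window": vault.verify("svc-patch", "db01", cred_db01, t0 + timedelta(minutes=5)),
        # db02 is enabled too, but the db01 secret is not its secret
        "db02_with_db01_secret": vault.verify("svc-patch", "db02", cred_db01, t0 + timedelta(minutes=5)),
        "db01_after_window": vault.verify("svc-patch", "db01", cred_db01, t0 + timedelta(minutes=31)),
    }
    try:
        vault.checkout("svc-patch", "db01", "adhoc", now=t0)
        results["no_ticket_rejected"] = False
    except PermissionError:
        results["no_ticket_rejected"] = True
    results["swept"] = vault.sweep(t0 + timedelta(minutes=31))
    results["db01_enabled_after_sweep"] = vault.is_enabled("svc-patch", "db01", t0 + timedelta(minutes=31))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sweep is the piece that usually gets forgotten: a lease that is only checked at use time still leaves the account present on the host, and the audit trail of "disabled" events is what lets you show that a machine account was not available between changes.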
SailPoint, the leader in identity governance, delivers an innovative approach to securing access across the enterprise with the SailPoint Predictive Identity™ platform. The platform is designed to securely accelerate mission objectives while delivering adaptive security and continuous compliance. SailPoint provides a comprehensive view of access to all resources across multi-cloud infrastructure, and helps make faster, more informed access decisions, detect potential risks and easily enforce access policies for all users.
BeyondTrust is the worldwide leader in Privileged Access Management (PAM), empowering agencies to secure and manage their entire universe of privileges. Our integrated products and platform offer the industry’s most advanced PAM solution, enabling agencies to quickly shrink their attack surface across traditional, cloud and hybrid environments.
The BeyondTrust Universal Privilege Management approach secures and protects privileges across passwords, endpoints, and access, giving agencies the visibility and control they need to reduce risk, achieve compliance, and boost operational performance. We are trusted by 20,000 customers, including 70 percent of the Fortune 500, and a global partner network. Learn more at www.beyondtrust.com.