Identity and access management, along with zero trust architecture and supply chain risk management, are key foundational points of the president’s cybersecurity executive order issued in May, after several high-profile cyber attacks hit public and private sector networks in ways that affected wide swaths of the country.
But identity and identity access management are also key to getting to zero trust.
“Part of the zero trust architecture is presuming that you’ve been breached. So it’s no longer perimeter facing, it’s making sure that we’re verifying identity and access, internal and all the time,” Scott Davis, U.S. Customs and Border Protection acting chief information security officer, said on Federal Monthly Insights — Cybersecurity Awareness Month: Secure Identity and Access Management. “So it’s continuous monitoring of those things. But we do work with [the Cybersecurity and Infrastructure Security Agency] — they’ve given us, whether it’s directives or reporting, and then alerts on risks and threats that are coming down.”
The goal of CBP’s identity and access management program has to be the protection of information systems. The agency is dealing with external federal contractors, other agencies and private individuals through applications such as trusted traveler programs.
Davis, who became acting CISO over the summer after Alma Cole left for the private sector, described the complex web of employees and users whose access needs managing.
“We have obviously people that are on Border Patrol. We also have people that are doing air marine operations, we have people that are working with trade, so there’s people that are working with our trading partners and stuff comes in and out of the ports. We also have passenger folks, so people that are flying in or cruise travels, people at the ports for that — things of that nature,” he said on Federal Drive with Tom Temin.
With about 68,000 employees across headquarters, overseas posts and field operations, CBP needs to balance identity management and network security with accessibility. That means a combination of simplified or single sign-on, so that users do not need to memorize hundreds of IDs or passwords, and multi-factor authentication. CBP is part of the Department of Homeland Security’s continuous diagnostics and mitigation (CDM) program, which helps ensure only authorized users with specific roles have access to those systems.
Multi-factor authentication is a hallmark of zero-trust architecture, the buzziest concept in cybersecurity at the moment. Davis said it allows CBP to compartmentalize things including users’ access files, structures and more.
Public-facing applications such as the TSA PreCheck and Global Entry trusted traveler programs are also part of CBP’s ID and access management plan. Identity proofing is required for users of those programs; they must present certain other credentials.
“You would have to provide either a known traveler number, your passport information, passport number, to verify who you are,” Davis said.
“And then we do utilize the General Services Administration’s Login.gov. So that’s the ability for people to create an identity and a user ID, and then there’s multi-factor authentication so it’s — you provide your ID, and then you can either get a text or a phone call with a number to verify who you are.”
CBP uses a hybrid cloud and on-premises data architecture for access management, although Davis said they are shifting more toward the cloud because of its enhanced resiliency and security. But the agency’s Active Directory, which holds people’s role-based access, is primarily on-prem.
As a cybersecurity leader, Davis gets his guidance for identity management from the National Institute of Standards and Technology’s Special Publication 800-63B, published in 2017 and updated last year, as well as NIST’s Federal Information Processing Standards 201-2. At DHS headquarters they also rely on the 4300A Sensitive Systems Handbook as a mission directive. In addition, CBP has agency-specific policies about access and identity management, and annual cybersecurity training.