Finding the balance between strengthening credentials and access control, without making things burdensome for users, is a central challenge to improving federal cybersecurity.
At the Government Accountability Office’s Innovation Lab, which is designed to be a hands-on practitioner of new computational capabilities, identity verification is a major issue. Taka Ariga, GAO chief data scientist and director of the Innovation Lab, Science, Technology Assessment, and Analytics, said they have to deal with both on-premises environments and new cloud environments. Colleagues across the federal government, as well as the National Institute of Standards and Technology’s 800-53 and 800-63 guidelines, are common sources of best practices.
GAO by design has a unique pan-governmental purview, which Ariga said requires them to account for different classifications of data and different levels of sensitivity to perform their oversight work. GAO has arrangements with agencies to access various sensitive information including tax and benefits documentation.
“But this is part of doing business as an oversight entity — that we not only secure the information that is trusted to us, but access it in a way that enables us to do the analysis. And so we do that collaboratively with the agencies themselves to make sure that they understand our security postures as well,” he said on Federal Drive with Tom Temin.
During the pandemic, accessing secure facilities was a challenge for GAO’s remote workers as well.
The Innovation Lab adopted a cloud-first, cloud-native approach as staff configure their tool stack and infrastructure. Ariga said his organization recognizes that it still needs to communicate back to some on-premises data centers, and that operating under a multi-cloud construct means communicating between different types of cloud infrastructure.
“For example, if we don’t sort of utilize cloud-native capability, but instead try to do a shift or lift model of that cloud journey, we may end up creating pockets of differentiated access, differentiated security boundaries that are very difficult to maintain consistently,” he said.
However, not every prototype will need its own configuration; it therefore takes a deliberate approach that accounts for different levels of data sensitivity and different use cases, he said.
One thing GAO has used for “a while,” he said, is single sign-on. It is meant to make the user experience seamless while still adhering to the principles of zero trust, the leading school of thought in access management right now. As the agency delves further into cloud boundaries, cyber staff will explore specific single sign-on capabilities that could be added to their existing posture or rationalized in some way, he said.
GAO is looking at commercial authentication tools for agency-only use. Ariga said the organization also spoke with the General Services Administration about its Login.gov, and with the Bureau of the Fiscal Service, to learn what has worked for them in terms of authentication. Nevertheless, passwords and proofing still seem to be the standard for login credentials despite years of looking for alternatives. If security is too burdensome for users, they may look for ways to circumvent it, and it should be scaled so that external users and partners are not dissuaded from accessing the services they are entitled to.
“I think GSA’s Login.gov has done a tremendous job in terms of adopting leading practices when it comes to authenticating users. Matter of fact, we’re having conversations with Login.gov, not just to secure our internal system per se, but also how can identity verification be a mechanism to sort of mitigate the growth of improper payments?” he said. “Right now, many of the federal benefits out there are still relying on just eligibility verification. But there’s an element where if we can layer identity verification on top of that, might that also help to stem the tide of improper payments?”
Ariga said GAO recently convened a panel of experts from across the federal oversight community, industry providers, academics and others to delve into best practices around identity verification. From that discussion, GAO hopes to produce a report in early 2022 articulating what kinds of identity verification controls individual agencies can consider.
“We’re also in the process of developing a simulation model that goes along with those recommendations, so that individual agencies can, based on their facts and circumstances, adjust different criteria and see the different tradeoffs that they can make,” he said.