Zero trust relies heavily on authentication of the user’s identity. How do you know this user is who they say they are, how much do you trust them, and what assets do you trust them with?
But not every user possesses the same level of technological savvy, especially for agencies with public-facing systems that must provide access for all citizens. That requires building service models that take the full range of cybersecurity awareness and education into account.
For example, the Education Department deals with more than 6,500 higher education institutions and their students. Steven Hernandez, Education’s chief information security officer, said that can require a variety of authentication methods.
“When we do make those tradeoffs and decisions around when we have the tech-advanced and the tech-accessible user that has the cool authenticators, we probably need less concern about the association between the authentication and the identity,” he said during a Nov. 17 webinar. “At the other end, if we have a user who’s like ‘a username and password is what I can do,’ we may bring in some additional validation for identity. For example, what street did you live on 12 years ago? What car did you own in 1984? We’ll bring in some of those additional factors to figure out is this really the identity that we think we’re working with?”
Hernandez said this can also involve partnering with other agencies to share data that can be used in authentication. For example, Education already partners with the IRS around financial data in order to streamline the user experience in applying for financial aid, so repurposing that data for authentication is a natural fit. Education also has data-sharing initiatives with other partners, such as the Social Security Administration. Such data-sharing agreements can both improve the citizen experience and strengthen security.
That can get kind of sticky from a legal perspective though, Hernandez said. Some citizen data requires legal authority to possess, so Education can’t necessarily go asking for data over which it doesn’t have the authority. On the other hand, he said, there’s a desire not to leave anything on the table that could help strengthen security. So there’s a tightrope to be walked, which Hernandez said results in discussions with other agencies about what is and isn’t possible, usually brokered and overseen by the chief privacy officer.
But Hernandez said these kinds of discussions help to lay the groundwork for what could become a shared services model for zero trust in the future.
“I think that we already have many of those pieces in place. The other piece is we have to maintain a citizen’s expectation of privacy, and frankly, independence. And we need to make sure that, as we build those systems that are more combined and federated, that citizens have the opportunity to choose their level of engagement and still get the services they need,” he said. “I think that zero trust provides us with a great path forward into how we can start to provide those types of services.”
He pointed to Login.gov as a potential first step along that road. It offers citizens the ability to choose whether they want a single login identity to access a variety of government services, or whether they’d rather have separate logins for each one. That choice can determine which services citizens get access to, and how.
“But I think that we’re starting to go down the path and identity is the right place to start and authentication is the right place to start,” Hernandez said. “And we have that with Login.gov. I think as we go forward federalwide, we’re going to see greater adoption of shared services like Login.gov. And I think that’s going to move that conversation forward.”