The Government Accountability Office (GAO) recently released a government cybersecurity audit report focused on actions needed to strengthen US capabilities. Over time, GAO has made approximately 2,500 recommendations to federal agencies to enhance their information security programs and controls, yet fewer than half of these have been implemented. Though many key recommendations are offered in the newest audit report, including strengthening the workforce and our nation’s critical infrastructure, important security considerations remain missing.
How can federal agencies go above and beyond the security expectations GAO has set, limiting unwanted access to sensitive information?
Identity and access management (IAM) is a key starting point. In its report, GAO did not address a need for enhanced IAM efforts, and in many cases, government agencies are not effectively executing on IAM. However, as digital transformation progresses, IAM done the right way can secure user accounts and data, acting as an enabler for innovation.
To ensure this, agencies must treat IAM as a tool for providing the right access (and only the right access) to the right people, through systems and methods that support individual agency needs and through practices that are reliably validated and flexible enough to keep pace with digital transformation.
At a basic level, agencies are improving general IAM practices. Recent FISMA findings noted an increased use of multifactor authentication — a positive step toward enhanced data security. From fiscal year 2015 to 2016, findings show an increase in both unprivileged user PIV implementation and privileged user PIV implementation.
But to fully support digital transformation, IAM efforts need to address more than two-factor authentication alone. They must also include more comprehensive access control, privileged account management (PAM), audit trail and session recording capabilities, and reliable provisioning and deprovisioning.
Privileged accounts have access to a great deal of data, much of it sensitive and only accessible via these “super user” credentials. Unfortunately, these types of accounts become the most attractive targets for potential bad actors who know privileged accounts provide the keys to the kingdom.
Limiting access to only what’s crucial for privileged users’ day-to-day tasks sets a strong baseline. When elevated access is required, unique credentials can be granted for a limited time depending on needs to ensure continued productivity and individual accountability.
During this time, actions are monitored and tracked in case of an incident, allowing an agency to ensure the origin of an incident can be identified and accounted for. This monitoring and tracking is often required for government reporting and compliance, and its value extends to all user accounts, not just privileged ones.
Despite this obligation, however, many government organizations fail to properly track their user access data. This is a critical mistake: reporting and compliance are not only requirements in themselves, but audit trail analysis allows agencies to determine the root cause of a breach and then work to troubleshoot and remediate. With easy access to information on exactly what activity occurred on all user accounts, agencies can act quickly to limit the damage caused by an attack.
When it comes to the changing workforce and user access, fast action is also necessary to ensure data security. Automated and comprehensive deprovisioning should play a role in securely off-boarding government employees. Without automated deprovisioning, former employees may retain access to an agency network’s sensitive systems and data, potentially leading to leaks to bad actors.
Through automation, agencies can eliminate human error and inefficiencies that put critical data at risk. At the same time, changing roles and new access can be provisioned quickly, increasing productivity and ensuring access is provided where needed.
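The three PAM controls described above, least-privilege elevation with a unique time-boxed credential, an attributable audit trail, and automated revocation at off-boarding, can be modelled in a few dozen lines. The broker below is an added illustration written for this article, not One Identity's or any agency's product; the class and method names are hypothetical, and time is injected as plain epoch seconds so the expiry logic is deterministic.

```python
"""Toy privileged-access broker: time-limited elevation, attributable
audit trail, and automated deprovisioning. Constructed for illustration."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Grant:
    user: str
    role: str
    credential: str   # unique per grant, so every action maps to one person
    expires: int      # epoch seconds; grant is dead at or after this instant


@dataclass
class AccessBroker:
    grants: dict = field(default_factory=dict)  # credential -> Grant
    audit: list = field(default_factory=list)   # append-only event log

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def elevate(self, user, role, seconds, now):
        """Issue a unique credential for an elevated role, valid for `seconds`."""
        cred = secrets.token_hex(8)
        self.grants[cred] = Grant(user, role, cred, now + seconds)
        self._log("elevate", user=user, role=role, expires=now + seconds)
        return cred

    def act(self, credential, action, now):
        """Authorize one privileged action; allowed and denied attempts are both recorded."""
        g = self.grants.get(credential)
        if g is None or now >= g.expires:
            self._log("denied", user=g.user if g else None, action=action)
            return False
        self._log("action", user=g.user, role=g.role, action=action)
        return True

    def offboard(self, user):
        """Automated deprovisioning: revoke every outstanding grant for a departing user."""
        revoked = [c for c, g in self.grants.items() if g.user == user]
        for c in revoked:
            del self.grants[c]
        self._log("offboard", user=user, revoked=len(revoked))
        return len(revoked)

    def trail_for(self, user):
        """Audit-trail query: every event attributable to one account, in order."""
        return [e for e in self.audit if e.get("user") == user]
```

Because denials are logged alongside successful actions, a query such as `trail_for("alice")` shows both what a departing employee did and any attempts made with a credential after it expired or was revoked.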
These three aspects of IAM are critical, but agencies also need to take into account the types of environments they are operating in and their plans for future modernization.
As agencies make the investment in IAM solutions, they should consider how their IT environments are changing and look for options that can fill security gaps between legacy and modernized systems. Security shouldn’t be held back by outdated IT, but it must also be designed to adapt so agencies can maximize their investments.
Security solutions that adapt to legacy systems while keeping users and information safe today should become a top government priority.
In today’s transforming landscape, government employees and citizens alike demand convenient, flexible and secure digital data access. In an environment that changes unpredictably, IAM provides a comprehensive approach to keeping information safe, even as other security recommendations evolve.
By getting IAM right, agencies will find they can keep data safe, while enabling digital transformation.
Andy Vallila is Vice President and General Manager, One Identity Americas.