Co-author: Jim Pflaging
The rapid proliferation of cloud services, mobile solutions, and internet-facing applications has expanded and blurred the modern enterprise network perimeter. So porous has the perimeter become that, in 2014, then-FBI Director James Comey remarked that “there are two kinds of big companies in the United States. There are those who’ve been hacked . . . and those who don’t know they’ve been hacked.” This new reality, in which enterprises should expect breaches of their network defenses, calls for a logical refocus on resiliency: mitigating damage by implementing internal identity security controls so that no single attack can effect a catastrophic impact.
Recognizing the importance of identity in securing critical IT assets, the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program focuses heavily on raising baseline federal identity governance capabilities such that agencies have visibility into the users on their network, the attributes those users maintain, and the accounts they are authorized to access. The Report to the President on Federal IT Modernization also calls for an evolution in IT investments — moving beyond traditional perimeter security protections to an emphasis on defense-in-depth capabilities that will “prevent malicious actors from moving laterally across linked networks” with the ability to access large amounts of information. The transient nature of the federal workforce and the complex web of employees, vendors, and contractors involved in the execution of various critical missions makes identity a fundamental component of an overall strong federal network security posture.
Federal agencies struggle with an excess of “over-privileged users” — individuals with access to more resources than are necessary to perform their job functions. Identity governance solutions provision users with access to the right applications and revoke that access when it is no longer needed. They help organizations define and enforce user-access policies, such as separation of duty (SoD), and automate the process of reviewing user-access rights across the organization by initiating campaigns in which business managers approve or revoke access as part of a centralized governance program. These processes greatly ease the compliance requirements applicable to federal agencies, including the Federal Information Security Management Act (FISMA) and the Federal Identity, Credential, and Access Management (FICAM) architecture, and limit the extent to which identity presents an exploitable threat vector to attackers seeking to expose sensitive employee or classified data.
To get firsthand accounts of the types of challenges organizations are empowered to solve by implementing identity governance solutions, The Chertoff Group recently conducted interviews with select federal civilian agencies benefiting from governance tools available to them through the CDM program. The Chertoff Group’s interviews revealed that organizations engaged in identity governance implementation vary in deployment maturity and, relatedly, find value in different use cases. Despite their varying degrees of maturity, however, all agencies interviewed highlighted value derived from their governance implementation, particularly in the following areas:
- Automation of traditional, manual provisioning elements to onboard and provision employees with the necessary credentials to do their jobs
- Auditing of provisioning decisions at regular intervals to ensure appropriate and compliant access
- Management of access privileges to avoid the risk of entitlement creep, preventing both malicious and negligent insiders from knowingly or unwittingly exploiting privileges and moving into unauthorized areas
- Compliance with a complex regulatory environment that demands full life-cycle management of federal identities (e.g., FISMA) and regular reporting on security effectiveness
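The SoD enforcement and access-review campaigns described above, and the entitlement-creep checks listed here, reduce to a small policy engine. The following is an added illustration written for this page, not code from The Chertoff Group, CDM, or any governance product: it flags users holding conflicting roles and entitlements left idle past a threshold, then groups the findings by the manager who must approve or revoke them. All users, applications, roles, dates, and the 90-day idle threshold are constructed sample values.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

class Entitlement(NamedTuple):
    user: str
    app: str
    role: str
    last_used: date

# Separation-of-duty policy: pairs of (app, role) no single user may hold together.
SodPolicy = Set[FrozenSet[Tuple[str, str]]]

# Constructed sample data for this example (not drawn from the article).
SAMPLE = [
    Entitlement("alice", "grants", "submit_payment", date(2018, 5, 2)),
    Entitlement("alice", "grants", "approve_payment", date(2018, 4, 28)),  # SoD conflict
    Entitlement("bob", "hr", "view_records", date(2017, 9, 1)),            # idle for months
    Entitlement("carol", "grants", "submit_payment", date(2018, 5, 10)),
]
SAMPLE_POLICY: SodPolicy = {
    frozenset({("grants", "submit_payment"), ("grants", "approve_payment")})
}
MANAGERS = {"alice": "dana", "bob": "erin", "carol": "dana"}  # constructed reporting lines
AS_OF = date(2018, 5, 15)  # constructed date on which the review campaign is launched

def sod_violations(ents: List[Entitlement], policy: SodPolicy) -> List[Tuple[str, FrozenSet]]:
    """Return (user, conflicting_pair) for every user holding both halves of a policy pair."""
    held = defaultdict(set)
    for e in ents:
        held[e.user].add((e.app, e.role))
    return [(u, pair) for u, roles in sorted(held.items())
            for pair in policy if pair <= roles]

def stale_entitlements(ents: List[Entitlement], as_of: date, max_idle_days: int) -> List[Entitlement]:
    """Entitlements unused for longer than max_idle_days: candidates for revocation."""
    return [e for e in ents if (as_of - e.last_used).days > max_idle_days]

def build_campaign(ents, policy, managers, as_of, max_idle_days=90) -> Dict[str, List[str]]:
    """Group every finding under the manager who must approve or revoke it."""
    items = defaultdict(list)
    for user, pair in sod_violations(ents, policy):
        items[managers[user]].append(f"SoD: {user} holds {sorted(pair)}")
    for e in stale_entitlements(ents, as_of, max_idle_days):
        items[managers[e.user]].append(f"stale: {e.user} {e.app}/{e.role} unused since {e.last_used}")
    return dict(items)

if __name__ == "__main__":
    for manager, findings in build_campaign(SAMPLE, SAMPLE_POLICY, MANAGERS, AS_OF).items():
        print(manager, findings)
```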
Asked what advice they would offer to agencies yet to procure identity governance solutions, agencies interviewed said to expect integrated solutions encompassing applications, systems and files; strong provisioning; life-cycle management; threat detection; and compliance efficiencies. Further, agencies recommended life-cycle planning at the outset of the implementation process and stressed the importance of securing buy-in and cooperation from agency leadership and peers across their agencies.
Attention to these recommendations will position agencies to derive fuller and more immediate value from their identity governance efforts, ultimately allowing them to more securely confront technology trends like mobility and cloud services by protecting their networks from within. With a focus on protecting data located on and off the network — rather than just protecting network borders through stronger defenses and higher firewalls — identity becomes the new security perimeter.
Michael Chertoff served as secretary of homeland security from 2005 to 2009. He is currently Executive Chairman and Co-Founder of The Chertoff Group, a global security and risk management advisory firm. Jim Pflaging is Principal and Technology Sector & Strategy Practice Lead at The Chertoff Group.
For additional information on the need for a holistic approach to identity security as well as real-life advice from federal operators, please download The Chertoff Group’s most recent white paper: “Taken from the Source: First-Hand Accounts of Identity Governance Implementations and their Value to Federal Cybersecurity.”
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.