May 07
The future of identity and access management: How to make VanRoekel’s idea of ‘doing more with less’ a reality

From: Government Security News

By: Steve Lazerowich

President Obama’s proposed budget highlights the critical role that IT plays in making government work better for citizens and business. The budget encourages the wider use of technology to enhance efficiencies in delivering needed services, while cutting the IT budget over several years.

U.S. Chief Information Officer Steven VanRoekel titled his accompanying IT budget priorities, Doing More with Less. In this era of fiscal austerity, key strategic activities are essential to achieving this vision:

  • Maximizing the ROI of federal IT;
  • Productivity gap and 21st century government;
  • Business and citizen interaction and national priorities;
  • Cybersecurity.

A renewed emphasis on Identity and Access Management (IdAM) will be one of the critical elements that will determine the fate of these focus areas. IdAM is the primary technology for determining if a user is who he or she claims to be, which resources the user is allowed to access, and how to verify what that user does within the system. These are key questions that must be answered, regardless of the nature and scope of any system being developed. It is not surprising that IdAM will be a key enabler to achieving the “four pillars” since access control encompasses every aspect of IT, from shared service Cloud environments to mission-specific systems.

The importance of IdAM in government is exemplified by the mission of the Identity, Credential and Access Management Subcommittee (ICAM SC) of the federal CIO Council.

The consolidation of government data centers and the use of shared IT services place a new set of requirements on the IdAM systems that agencies employ. Since the systems may no longer reside within the enterprise, agencies must implement new capabilities to manage user identities and enforce access control.

However, these controls cannot be delegated to the organization that is hosting the agency’s systems. Instead, the IdAM system will be used by the agency to provision users, as determined by information owners. The IdAM system will manage defined access control policies and provide appropriate auditing to verify that access is appropriate. As users’ needs change, the IdAM capabilities must be flexible enough to support those changes in a timely manner.

As smart phones and tablets become ubiquitous, and users demand more convenient access, the government has both an opportunity and a challenge in bridging the productivity gap. Mobile access allows users to get answers sooner, while improving agency performance and mission outcomes.

Federal employees and contractors use the Personal Identity Verification (PIV) credential as their primary authentication token. But the use of a clunky “sled” to connect a PIV card to a smart phone for secure access to systems is inconvenient and inefficient. NIST is actively evaluating alternatives for mobile devices that will leverage the Public Key Infrastructure certificates stored on a PIV card and offer comparable security measures to the PIV card itself.

This capability will provide significant efficiency for applications supporting first responder and emergency management communities. Access to news feeds, maps and situational awareness, as well as the ability to share information and collaborate, opens the door to new classes of applications and services.

VanRoekel cited DoD and the Veterans Administration (VA) for enhancing their eBenefits Portal, which provides self-service access to benefits and healthcare information. VA will improve the capabilities of this portal by allowing users to employ credentials issued by trusted third parties.

A major focus of the National Strategy for Trusted Credentials in Cyberspace (NSTIC) is the use of “federated identity” and encouraging a joint private-public partnership to develop an ecosystem of strong credentials issued by organizations with which the computing public already has an established relationship. Federal applications will then consume these credentials.

Federated identity benefits all participants. End-users will have fewer passwords to remember, and the credentials themselves will be stronger and accepted by a variety of Websites.

Agencies will benefit by eliminating the need to issue new credentials, thus reducing the time and expense to deploy applications and lowering costs associated with re-setting passwords. A credential that allows an end-user to access multiple applications carries a higher perceived value versus a credential that only accesses one application.

FedRAMP, continuous monitoring and Homeland Security Presidential Directive-12 are key cross-government elements of VanRoekel’s strategy. FedRAMP is the government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for Cloud services. This approach uses a framework that will save money, time and staff by avoiding redundant security assessments. Moving systems to a Cloud-based model still requires agencies to address IdAM-related controls associated with any Web-based system. IdAM lifecycle functionality cannot be delegated to the Cloud operator, so commercial products that provide this functionality will be well-received.

HSPD-12 credentials should now be leveraged and used with all Cloud-based applications — even those requiring a lower level of assurance (see OMB Policy M-04-04 and NIST SP 800-63 Rev 1). OMB M-11-11 reinforces this: “…the agency will require the use of the PIV credentials as the common means of authentication for access to that agency’s facilities, networks, and information system…Additionally, standardization leads to reduced overall costs and better ability to leverage the Government’s buying power.”

Given VanRoekel’s imperatives, we can conclude:

  • IdAM is needed to deliver new services and information to citizens and businesses, and to facilitate information sharing;
  • HSPD-12 credentials support the transition of applications to a Cloud-based model;
  • Implementation of IdAM maximizes agency ROI;
  • NSTIC aligns with federal priorities, while providing benefits to citizens and businesses.

As investment options are considered, adequate funding for agencies to build and enhance their IdAM programs will provide an effective return, while helping agencies do more with less.

Steve Lazerowich is IdAM Architect, Cybersecurity, for the U.S. Public Sector at HP Enterprise Services.
