How government agencies can use identity and access controls to modernize IT security

It wasn’t that long ago that perimeter-based security controls, like firewalls, provided the bulk of an agency’s IT defenses.

But as enterprise network environments move toward cloud- and mobile-based platforms as well as interconnected application services, identity and access requirements are taking center stage in security controls.

Read the full report.

Fortunately for agencies, tools for identity, credential and access management (ICAM) have evolved significantly from the days when ICAM mostly relied on siloed gateways managed and stored on-premises, says a new report, produced by FedScoop and underwritten by ForgeRock.

Modern tools which use APIs designed around IAM strengthen how agencies manage identity and access controls. APIs give these platforms the ability to span across on-premises systems, the cloud and even multi-cloud environments.

The report identifies 15 features agency CIOs should look for in modern tools that can strengthen their ability to manage users, devices and applications accessing federal resources, such as: federation of heterogeneous systems, advanced and intelligent authentication, push authorization, single sign-on and adaptive risk, among others.

“Modern IAM platforms make it easier for agencies to establish IT environments that can support continuous authentication, or continuous authorization — giving you protection beyond the perimeter,” said Ashley Stevenson, formerly chief architect for ICAM at the Department of Homeland Security, and now vice president for product and solution marketing at ForgeRock.

ICAM controls mean that “instead of protecting just the front door, you’re protecting every object behind the door individually,” Stevenson explained.

The White House Office of Management and Budget formalized federal ICAM requirements in a May 21, 2019, memorandum. It was a significant update in how employees, contractors and the public securely access government IT systems and services.

“Everyone has responsibility and is put on notice that this is a requirement, whether you’re talking about your internal users or about your public citizen users,” observed David Trzcinski, branch chief for security policy and compliance in the CIO office at the Small Business Administration.

Now, agency executives — including CFOs, top operating and contracting officers and IT teams — are all responsible for ensuring their agencies:

• Improve digital interactions with the public leveraging ICAM technologies.
• Support cross-government identity federation and interoperability.
• Create a single comprehensive ICAM policy, process and technology solution roadmap.
• Shift the security focus beyond perimeter controls and make identity the basis for managing risk posed by users and information systems accessing federal resources.

The memo lays out clear support and authority for interagency federation of authentication processes, and it also gives agencies needed flexibility for getting there, says the report. A modern ICAM platform can offer an effective way to manage those mandates, the report suggests.

Read more about the rise of Identity API Platforms that can help modernize federal IT security.

This article was produced by FedScoop and sponsored by ForgeRock.