When agencies moved to telework, IT departments had to confront the reality that their systems weren’t designed to handle a majority of employees using unmanaged devices from offsite networks. Efforts to configure security workarounds put a spotlight on modernizing authentication and identity technology for 2021.
The pandemic fundamentally changed the way organizations approached how users gain access to systems and data, according to Bryan Rosensteel, cybersecurity architect, public sector at Cisco’s Duo Security.
The shift in security focus also revealed the importance for agency leaders to understand the distinction between authenticators and authentication in granting access to agency resources, says Rosensteel in a new FedScoop podcast underwritten by Duo Security.
Key lessons from 2020 and where do we go from here
During the initial months of remote work, many organizations had to learn the hard way what identity actually meant, says Rosensteel.
This concept of digital identity is so much more than just an individual, says Rosensteel. It’s a combination of elements: the person behind the keyboard, what account they’re using, what device they’re using and what assets they’re trying to access.
“We are marching towards a future where we can no longer assume to have those types of controls over those endpoints over the network. So, we have to expand our view of identity and build in these checks into the authentication workflow,” he says.
Rosensteel reflects on the last 10 years of authentication, which focused on building the strongest authenticators possible, such as passwords, PIV cards and tokens. Over the next 10 years, though, he predicts that the conversation will shift to smarter and more dynamic authentication controls that continuously verify an individual, device or application as they access agency resources.
The challenges around authentication
Rosensteel points to a patchwork of authentication tools across the federal government that limits agencies' flexibility to support remote work and to connect mobile devices to the network.
“There’s one particular agency that I’m familiar with that has no less than four different authenticator issuance systems for the unclassified system alone,” he says. “What we need to do is collapse those down into kind of centralized authentication policy engines that are going to allow us to have a diverse set of authenticators — depending upon different needs — and different allowances for issuance of authenticators.”
2020 drove home to agency IT leaders that not all applications need to be protected at the same level.
"We took for granted that everyone was on site on the same network," he says. Setting up proper risk assessments for applications using a data-centric approach can help agencies decentralize and build trust zones to protect data based on the sensitivity of the information.
“That’s going to allow us to continue this march toward zero trust,” Rosensteel says.
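To make the idea of a centralized authentication policy engine concrete, here is an added example that is not from the podcast and is not Duo's product logic. It is a small Python policy evaluator that takes the identity elements Rosensteel names (the account behind the keyboard, the device it is on, the asset it is trying to reach) plus the authenticator presented, and returns allow, step-up or deny. The assurance ordering, the sensitivity-to-authenticator table and the device-posture rules are all constructed assumptions for illustration; they are not NIST assurance levels or any agency's actual policy.

```python
"""Toy centralized authentication policy engine (constructed example).

Evaluates account, device posture, asset sensitivity and the authenticator
used, then returns allow / step_up / deny. The tables and rules below are
constructed for illustration, not Duo's logic and not NIST AAL definitions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Assurance(IntEnum):
    # Constructed ordering of authenticator strength (not NIST AAL levels).
    PASSWORD = 1              # something you know only
    OTP_OR_PUSH = 2           # password plus a possession factor (TOTP, push)
    PHISHING_RESISTANT = 3    # PIV smart card or FIDO2 authenticator


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in agency endpoint management
    disk_encrypted: bool
    patched: bool         # OS within the agency patch window
    network: str          # "onsite" or "remote"


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool      # admin or otherwise elevated role


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: str      # "low", "moderate" or "high"


@dataclass(frozen=True)
class AccessRequest:
    account: Account
    device: Device
    asset: Asset
    authenticator: Assurance


# Minimum authenticator assurance per data sensitivity (constructed table).
REQUIRED_ASSURANCE = {
    "low": Assurance.PASSWORD,
    "moderate": Assurance.OTP_OR_PUSH,
    "high": Assurance.PHISHING_RESISTANT,
}


@dataclass
class Decision:
    action: str                          # "allow", "step_up" or "deny"
    reasons: List[str] = field(default_factory=list)
    required: Optional[Assurance] = None


def evaluate(req: AccessRequest) -> Decision:
    """Return the policy decision for one access attempt.

    Called at login and again whenever device posture changes, so the same
    rules give continuous verification rather than a one-time gate.
    """
    reasons: List[str] = []
    required = REQUIRED_ASSURANCE[req.asset.sensitivity]

    # Privileged accounts always need a phishing-resistant authenticator.
    if req.account.privileged:
        required = max(required, Assurance.PHISHING_RESISTANT)
        reasons.append("privileged account")

    # Device posture: hard failures first, then posture-driven step-up.
    if not req.device.managed and req.asset.sensitivity == "high":
        return Decision("deny", ["unmanaged device cannot reach high-sensitivity asset"], required)
    if not req.device.disk_encrypted and req.asset.sensitivity != "low":
        return Decision("deny", ["unencrypted device"], required)
    if req.device.network == "remote" or not req.device.patched:
        # Offsite or out-of-date endpoints lose the trust once assumed for the office LAN.
        required = max(required, Assurance.OTP_OR_PUSH)
        reasons.append("remote or unpatched device")

    if req.authenticator >= required:
        return Decision("allow", reasons or ["meets policy"], required)
    return Decision("step_up", reasons + [f"need assurance {required.name}"], required)


def demo() -> List[Decision]:
    """Run the engine over constructed sample requests and return the decisions."""
    alice = Account("alice", privileged=False)
    admin = Account("ops-admin", privileged=True)
    office_laptop = Device(managed=True, disk_encrypted=True, patched=True, network="onsite")
    home_laptop = Device(managed=True, disk_encrypted=True, patched=True, network="remote")
    personal_pc = Device(managed=False, disk_encrypted=False, patched=False, network="remote")
    intranet = Asset("intranet-news", "low")
    hr_portal = Asset("hr-portal", "moderate")
    case_db = Asset("case-files", "high")
    requests = [
        AccessRequest(alice, office_laptop, intranet, Assurance.PASSWORD),          # allow
        AccessRequest(alice, home_laptop, hr_portal, Assurance.PASSWORD),           # step_up
        AccessRequest(alice, personal_pc, case_db, Assurance.PHISHING_RESISTANT),   # deny
        AccessRequest(alice, home_laptop, case_db, Assurance.PHISHING_RESISTANT),   # allow
        AccessRequest(admin, home_laptop, hr_portal, Assurance.OTP_OR_PUSH),        # step_up
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision.action, decision.required.name, decision.reasons)
```

The point of the layout is that authenticators (PIV, FIDO, push) are only one input; the decision also depends on who the account is, what the device looks like right now and how sensitive the asset is, which is why the same password that is fine for the intranet on an office laptop triggers a step-up for the HR portal from home.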
Agencies get closer to killing the password
“Maybe five years ago, I talked to agencies about alternative forms of authentication to a physical smartcard,” Rosensteel recalls. “They would say, ‘Yeah, we’d love to use the mobile device, but not everyone has one.’”
Today, however, the situation is different, and mobile devices can be used as an authenticator. To do that, Rosensteel says, agencies need policy that matches those needs, with guidance from the National Institute of Standards and Technology (NIST).
“We’re starting to see those changes, and we need to make sure that we have OMB memorandums that allow us to leverage FIDO — alternative authenticators — to the smart card.”
Listen to the podcast for the full conversation on lessons learned in federal IT in 2020 and what’s next. You can hear more coverage of “IT Security in Government” on our FedScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by FedScoop and underwritten by Duo Security.
Bryan Rosensteel has nearly two decades of enterprise IT and security experience, specializing in zero-trust and data-centric approaches to cybersecurity, including dynamic authentication practices.