United States Federal Government’s Shift to Identity-Centric Security

Thursday, December 17, 2020

Frank Briguglio


Across the globe, government agencies have begun transforming and modernizing their IT ecosystems to deliver services in an agile, secure, and timely manner. This means broad and rapid adoption of cloud infrastructure and services at a pace we've never seen, and we are now thrust into changing how we interact with and connect to business applications, systems and data remotely.

Governments are increasingly facing new legislation, standards, frameworks, and policies to protect critical and sensitive information, such as those from NIST, among others.

The adversary continues to become more advanced. We must protect our organizations from a broad array of threat actors with increasing complexity, resources, and persistence. The increasing number and overall impact of cybersecurity breaches is staggering and has shown us that identity is the new attack vector.

Federal agencies maintain critical information that, if accessed by the wrong person, could do grave harm to the country, national security, and more importantly its citizens.

User communities have expanded beyond humans to machine identities and processes, and the amount of data being created is growing exponentially. It is no longer feasible to protect our most sensitive assets behind a single network wall and, as identified, the fast path for a threat actor to steal data is through a compromised identity.

These challenges leave the agency open to the risks and costs of cyber-attacks, non-compliance, and simple human error. It’s time for a shift in our approach to security.

Taking an identity-centric approach to modern security architecture helps organizations protect the weapon that is being used against us: the identity itself. But are federal agencies ready to shift to an identity-centric security model?

Nearly half of the US federal government agencies are substantially on their way to adopting an identity-focused approach to protecting access to agency resources, but many agencies still rely heavily on perimeter defense tools or policies.

The Zero Trust concept is forcing them to evolve to a model made up of many micro perimeters at each identity domain: Behavior, Data, Credentials, Privileges, Roles and Entitlements, and Analytics and Behavior. Instead of building many layers of security from the outside in, it proposes protecting data from the inside out and building out security controls only where you need them.

In 2019, the United States White House’s Office of Management and Budget (OMB) released M-19-17, the ICAM Modernization Strategy. The memo outlines the objectives for securing federal IT systems, including a common vision for using identity and access management controls. Some agencies are still developing their approach; many are focusing on creating a baseline of users, objects, and access. Some have started to look to modern security architecture, rooted in identity and device security, extending what has been done in HSPD-12, Derived Credentials, and Assured Identities and Credentialing.

Thanks to the US Department of Homeland Security's Continuous Diagnostics and Mitigation Program, the 2015 governmentwide "cyber sprint" and other recent efforts, US federal agencies now have much better data on their users, devices and network traffic than just a few years ago.

These programs and activities have provided agencies with key objectives, tools and support to establish a baseline of what is connecting to the network, who is connecting to the network, what data is on the network and how access is being used. It's providing continuous monitoring of who has access to what and what they are doing with that access, building that picture of privileged and non-privileged users alike, as well as non-person entities. A lot of the discovery, correlation and visibility is a result of Identity Governance controls and practices they have implemented in the SailPoint platform.

As US federal agencies continue to support large numbers of remote workers, IT leaders have started to evolve their thinking on zero-trust security architectures. Increasingly, they are becoming more comfortable with the concept and are seeking to lay the foundation for deployments.

"The new normal" has become an overused term since the global pandemic upended workplaces, but the surge in telework has indeed changed security conversations. It's been a catalyst for people to think about how that strong network perimeter isn't what they thought it was.

New or old, however, establishing what is normal in a network is essential to a zero-trust approach.

The Zero Trust concept represents this paradigm shift in cybersecurity, from perimeter-based to identity- and device-centric, in which every transaction is verified before access is granted to users and devices. In the US federal government, it is still a relatively nascent approach, with some mature agencies implementing and conducting pilot programs. However, IT leaders seem to recognize that cybersecurity models are increasingly going to be defined by a zero-trust architecture.

In other words, rather than focusing on a perimeter-based defense, practitioners are focusing on the controls on sensitive data stores, applications, systems, and networks themselves, thereby directly guarding the assets that matter. Identity-defined Zero Trust is a complex topic and touches almost every aspect of an organization’s IT and security infrastructure. Forward-thinking organizations are achieving Zero Trust through the integration of existing identity and security technologies. They have implemented architectures that share identity context and provide risk-based access to critical resources, improving security without compromising compliance with government directives, standards, and frameworks.

Identity is the new perimeter and has never been more important in protecting a nation's secrets and citizens. Cybersecurity has become a team sport, requiring many disciplines, stakeholders, and vendors to work together. Is your Identity Governance program ready for modern security architecture?

About the author: Frank Briguglio, Public Sector Identity Governance Strategist at SailPoint, specializes in Government Security and Compliance.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.