Identity and Access Management Must Extend Beyond Technology

The federal government has done a good job implementing identity and access management (IAM) technology, but now comes the hard part—overlaying the technology with governance. The challenge is more than just management: it requires a firm grasp of all the various identities people have, their access and privileges, and the assignment and removal of those privileges.

It demands what Monica Sagrario, managing director at Sila Solutions Group, calls a “holistic” approach to IAM.

“Progress made in advancing authentication and PIV (personal identity verification) implementations has been tremendous,” she said. “But it’s not just about getting through the door; it’s about managing access once people are through the door, whether that’s through administration, authorization, audit and other controls of that nature. It’s the broader picture.”

Sagrario was speaking as part of the monthly WTOP/Federal News Radio Federal Executive Forum, which in November focused on issues surrounding IAM—specifically lessons learned, major challenges and future issues. Besides Sagrario, other speakers included: Tom McCarty, director, enterprise IT services at the Department of Homeland Security (DHS); Colonel Thomas Clancy, lead for identity and access management and public key infrastructure in the Office of the Secretary of Defense’s deputy CIO for cybersecurity; and Mike Garcia, director of the National Strategy for Trusted Identities in Cyberspace program at the National Institute of Standards and Technology.

McCarty described how governance is already playing an important role at DHS. He cited the Trusted Identity Exchange (TIE) and Application Lifecycle Management (ALM) programs that combine identity management and access lifecycle management. For those programs, DHS partners with SailPoint for the software and Sila for the implementation.

“Those two projects are really having an impact in the department, and impacting in ways we didn’t expect,” said McCarty.

Under the TIE program, identity data that is spread across many places at DHS, such as the security database, human resources database and training database, can be retrieved via a single point so access decisions can be made more effectively.

The ALM program manages people as they move through the lifecycle of being a DHS employee or contractor, making sure their ability to access certain systems is permitted or denied as their jobs change.

“That’s been very impactful, and we’ve had unexpected uses of that,” said McCarty, citing the Transportation Security Administration’s Pre✓ program. “DHS employees and contractors are already vetted, so they can enroll.”

That work at DHS demonstrates how much more effective IAM strategies can be when governance is added to technology.

“From both commercial and federal sides, the continuous lesson learned is that solving these problems is not just strictly a technology play,” said Sagrario. “Helping our customers continue to emphasize the people-centric aspect of the threats, while being able to facilitate governance through process improvements, can’t be undermined. It’s the people and the process, not just the technology.”