Consolidating access control yields big payoffs

Centralizing formerly separate user identity management systems can lower costs, increase security and productivity, and lay the foundation for new online services.

Imagine how tedious life would be if you needed a separate, specially issued debit card for each grocery store, gas station, restaurant, pharmacy, department store or Web retailer that you patronized — and a separate password for each card, too.

It would be burdensome. It would also be costly to the businesses involved if each one had to issue those identity credentials to every one of its customers. And who would bear the brunt of those costs?

That is pretty much the operative situation, though, for government agencies when it comes to managing employees, consultants and contractors, and then controlling which information technology resources and networks they can tap into, whether they are turning on their computers in the morning, updating their personnel records in a human resources system, booking work-related travel, or signing in to an information-sharing wiki. Those IT access security mechanisms, essential as they are, are hardly ever a single system. Instead, each application or system typically has its own access control system.

As a result, users must remember multiple passwords and log-in methods, while IT departments must handle the grunt work of manually managing duplicative systems.

At the Agriculture Department, for example, it takes 200 employees to manage user accounts and roles and another 73 employees to focus on compliance, auditing and reporting tasks related to access control, according to USDA's Office of the Chief Information Officer.

It wasn’t so bad years ago when IT played a more limited role and there were far fewer systems to manage. But times have changed. Computers and software applications have proliferated and are now essential cogs in almost every government operation.

The old fragmented, one-off model for identity management and access control just won’t fly anymore. It will be increasingly costly — and risky from a security perspective — to allow things to continue. Fragmented identity management systems are also a drag on agencies’ ability to quickly tap new online opportunities, whether they are homegrown, fielded by another agency or offered by a cloud provider.

"Access control is one of our key defense mechanisms," said Dennis Heretick, a security consultant and former Justice Department chief information security officer. "We need to share [information] across agencies and industry, but you don't want to share that if you think it will get to the wrong people."

Besides bolstering security and helping to clean up an agency’s internal practices, a streamlined approach to identity management also provides a foundation that can dovetail with efforts to simplify access to government data and online services.

Therefore, for budgetary and strategic reasons, government IT leaders are seeking to make the business case to agency leaders for the construction of unified and standardized identity management infrastructures. The CIO Council has taken up the cause and released a preliminary road map and implementation guidance for agencies in November 2009, and it promised that more help will follow.

Some agencies have already started to move. USDA, for one, has launched a project to centralize 70 identity databases. The duplication of identity stores and access control mechanisms drives up the number of employees needed for those jobs, said Owen Unangst, director of innovations and operational architecture at USDA's Office of the CIO.

Unangst, who is shepherding USDA's identity management overhaul, said the effort will slash IT administrative costs and give the department's workers one set of credentials — a smart card and personal identification number — to access multiple applications. But it won’t be a one-and-done deal.

“This is not a short-term project,” Unangst said. “This is something that is going to be a permanent new function, a permanent new responsibility in USDA.”

Security experts say many agencies share USDA’s experience with fragmented identity and access management systems. When the full costs of doing nothing are considered, it seems clear that some form of centralization is not only desirable but even necessary.

Problems of ID Fragmentation

Fragmented identity management causes a number of problems for organizations beyond just cost and time.

Such an approach raises several security issues, said William MacGregor, a computer scientist at the Information Technology Laboratory at the National Institute of Standards and Technology’s Computer Security Division.

Enrolling users — establishing identity, assigning roles and access rights, and issuing credentials — is expensive, and that expense is multiplied across scores of applications. For that reason, organizations might wind up with a less-than-robust process for identity proofing and credentialing.

Similarly, organizations might also gravitate toward low-cost, low-assurance authentication approaches — user name/password as opposed to two-factor authentication. The latter approach involves something a person knows, such as a PIN, and something the person possesses, such as a smart card or other security token device.

“Lots of silos of identity management force the practice in an individual silo to be on the low end of the cost and capability spectrum,” MacGregor said.

Fragmentation also leads to password vulnerabilities. Users obliged to maintain multiple passwords might be tempted to keep them short and simple, which makes them more vulnerable to brute-force attacks in which hackers use powerful computer programs to try thousands of different possibilities to crack passwords. On the other hand, users who choose longer, more complex passwords might need to write them down, introducing another security risk.

“Many people, because they have so many passwords, will use simple passwords, and many systems don’t enforce strong passwords,” Heretick said.

Account deletion presents another vulnerability in highly fragmented security settings. When an employee leaves an agency, that move must be reflected across all of the systems to which he or she formerly had access. But when access control systems abound, there’s a greater chance of an account remaining active after the user departs.
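The off-boarding gap described above is easy to make concrete. The following is an added example, not code from the article or from any agency named in it: it reconciles per-application account exports against the HR roster and lists every account that is still active even though its owner has separated or was never on the roster at all. The roster, the account stores, and all names, employee ids and dates are constructed for the example; in practice they would come from the HR system and from each application's own account store.

```python
"""Find accounts that survived a user's departure across fragmented stores.

Constructed example: an authoritative HR roster and three per-application
account stores are embedded inline, standing in for the exports an
administrator would pull during a periodic access review.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    system: str      # which application's access control system holds it
    username: str
    owner_id: str    # HR employee id the account was provisioned for
    active: bool


# Constructed HR roster: employee id -> separation date (None = still employed).
HR_ROSTER = {
    "E1001": None,
    "E1002": date(2010, 1, 15),   # left the agency in January
    "E1003": None,
    "E1004": date(2009, 11, 30),
}

# Constructed account stores: each application keeps its own copy of identity,
# so off-boarding has to reach every one of them separately.
ACCOUNT_STORES = [
    Account("hr-portal", "jdoe",    "E1001", True),
    Account("hr-portal", "asmith",  "E1002", True),    # missed by off-boarding
    Account("travel",    "asmith",  "E1002", False),   # correctly disabled
    Account("travel",    "bwong",   "E1003", True),
    Account("wiki",      "asmith2", "E1002", True),    # same person, other username
    Account("wiki",      "rlee",    "E1004", True),    # long gone, still active
    Account("wiki",      "ghost",   "E9999", True),    # no HR record at all
]


def find_orphaned_accounts(accounts, roster, as_of):
    """Return (system, username, reason) for every active account whose owner
    has a separation date on or before `as_of` or is unknown to HR.

    A user still serving a notice period (separation date after `as_of`)
    is not reported, so the check can be run ahead of a departure.
    """
    orphans = []
    for acct in accounts:
        if not acct.active:
            continue
        if acct.owner_id not in roster:
            orphans.append((acct.system, acct.username, "no HR record"))
            continue
        separated = roster[acct.owner_id]
        if separated is not None and separated <= as_of:
            orphans.append((acct.system, acct.username, f"separated {separated}"))
    return orphans


def systems_missed_by_offboarding(orphans):
    """Sorted list of the access control systems holding at least one orphan;
    each entry is a store the de-provisioning workflow failed to reach."""
    return sorted({system for system, _, _ in orphans})


if __name__ == "__main__":
    found = find_orphaned_accounts(ACCOUNT_STORES, HR_ROSTER, date(2010, 3, 1))
    for system, user, reason in found:
        print(f"{system:10} {user:10} {reason}")
    print("stores needing follow-up:", systems_missed_by_offboarding(found))
```

Run against a real environment, the same reconciliation would be repeated for every identity store an agency maintains; the number of stores in the "needing follow-up" list is a direct measure of how much fragmentation is costing in off-boarding risk.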

And then there are the administrative costs that mount when identity stores and access controls proliferate across an agency. Redundancy requires a larger IT staff to maintain systems. And having a multitude of passwords keeps help desks busy resetting forgotten ones.

Many users also have a desktop and laptop PC assigned to them, which further multiplies costs. Heretick said organizations incur systems administration costs for two seats plus all the applications users access. “It becomes tremendously expensive,” he said.

Disparate identity systems also drain time. Multiple log-ins, for example, steal minutes and affect productivity. Jamie Sanbower, director of security solutions at Force 3, a solutions provider that focuses on security, unified communications and data center technology, suggested that agencies “look at the end-users and determine how their day-to-day productivity is affected by multiple sign-ons.” 

Benefits of ID Integration

Security executives point to a number of benefits in transforming identity and access management into a more centralized activity. A consistent approach to security is one key advantage. Organizations that try to enforce IT security directives — password policy, for example — across multiple points are bound to find that some systems fall between the cracks and fail to comply.

For agencies, Sanbower said, the biggest business benefits of tighter integration stem from reducing the risk of uneven policy enforcement and mishandled passwords.

On the cost-savings front, consolidation of identity systems reduces administrative expenses. Features such as single sign-on reduce the number of passwords in circulation and the number of password reset calls to the help desk. Some industry estimates put the cost of a reset at $25 or more per call.

The Homeland Security Department is among the agencies working to reduce passwords with a common credential, a smart card. The cards “will replace multiple PIN and password log-ins for multiple applications with a single log-in,” a DHS spokesman said.

MacGregor added that a consolidated identity store and multipurpose credential can help agencies rein in user enrollment costs. Those components can spread the cost of enrollment across numerous applications. “Enrollment is always a large fraction of the overall credential life cycle cost,” he said. “It’s not unusual to see it as a quarter to 50 percent of the cost of [issuing] credentials over the life cycle.”

Improvements in identity management could also help agencies deal with emerging trends such as cloud computing.

“As the federal government evolves to cloud computing — and services that go across federal entities not just across departments — access to those services really needs to be authenticated with strong credentials,” said George Schu, a senior vice president at Booz Allen Hamilton.

Schu also pointed to information-sharing technologies that fall under the rubric of cross-domain solutions. Those solutions aim to let government organizations exchange information across multiple security domains, either horizontally across federal agencies or vertically from the federal sector to local government entities.

“Access to these systems...[has] to be backed by strong credentials that you only get through a unified, standardized identity management process,” Schu said.

How to Get to an Integrated System

An integrated identity and access management system involves a number of elements. They typically include a system for issuing a unique credential to every user, a central directory for storing users’ identity data, a solution for provisioning and managing user accounts, and an access component that includes single sign-on capabilities.

Government agencies have made the most progress on the credentialing end because of Homeland Security Presidential Directive 12. Signed in 2004 by President George W. Bush, HSPD-12 calls for the federal adoption of a common credential for accessing government buildings and information systems. The directive also requires credentials to be issued based on sound criteria for verifying a user’s identity. NIST standard FIPS 201 spells out the requirements for the credential, the personal identity verification card.

Governmentwide, nearly 4 million PIV cards have been issued to employees for 86 percent coverage. Seventy-two percent of contractor personnel have received PIV cards.

USDA has issued 98,800 PIV cards, covering 87 percent of its employees, according to an Office of Management and Budget report on HSPD-12 status released in December 2009. USDA has also purchased products from CA that will let the department centrally manage identity and access management. The product lineup includes an enterprise directory that houses all user identities in one location. With that component in place, USDA can look for opportunities to consolidate its 70 identity stores.

When it comes time for an agency to start enabling various software applications to capitalize on the user information from a common credential or identification system, the first step is to get an inventory of all applications, said Phillip Loranger, chief information security officer at the Education Department.

With that information in hand, officials can find out from application owners whether they intend to keep their systems around for the next three years or so. There’s no sense in enabling applications that will soon be unplugged, which means agencies will need to rank the priority of individual applications.

Agencies have three options. They can modify applications to accept FIPS 201 credentials, they can modify them so they can interface with a portal that accepts the credentials, or they can discontinue the applications if they are too expensive to modify.

At USDA, applications will be integrated in the next couple of years. The first batch of five applications will be linked to the agency’s new identity management infrastructure by midsummer. They include agency-specific applications and enterprise-level systems, such as USDA’s AgLearn e-learning system.

USDA picked applications that will be relatively simple to integrate and would be at risk if accounts and roles were managed incorrectly, Unangst said.

This summer, USDA will begin to prioritize additional applications for inclusion, identifying those with the highest risk. By March 2011, Unangst said he expects to have 60 to 100 applications integrated, with more to follow.

MacGregor said setting integration priorities might be among the toughest challenges in achieving integrated identity management. But agencies might be on their own when it comes to bringing applications into the world of centralized management and PIV cards.

Tim Baldridge, a computer scientist at NASA, said agencies that want to enable applications for PIV cards lack formal guidance. “There’s no document or written work that I’ve seen that would give somebody a clear path to that solution space,” he said.

The CIO Council has been working on implementation guidance. The Federal Identity, Credential, and Access Management road map and architecture the group released last year will be updated with a collection of lessons learned from early agency implementations.

A strong, internal focus can smooth the implementation task. Neville Pattinson, chairman of the Smart Card Alliance’s board of directors and an executive at Gemalto, advised agencies to appoint a program manager and, possibly, establish a program management office to oversee an identity management overhaul.

“It is a nontrivial transition, going from disparate systems to a centrally managed system,” he said.

But that shouldn’t come as much of a surprise. After all, it took more than a few years to deploy the dozens of identity management systems that most agencies wrestle with today.
