Pennsylvania rolls out risk-based authentication to agencies
The Office of Administration’s risk-based multifactor authentication service gives commonwealth employees secure access to cloud resources and agency applications.
To bring enterprise-wide security to all its agencies, leaders in Pennsylvania's Office of Administration deployed a risk-based multifactor authentication (RBMFA) system for identity management.
To access cloud-based email or Office 365, commonwealth employees working remotely may be required to provide additional information in the form of a one-time PIN sent via text or email. The decision to require multifactor authentication is based on several factors, including the sensitivity of the data or application, the geographical location of the request, the type of device being used and the number of times that user has sought access in a given time period.
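The following is an added example, not code from the commonwealth's RBMFA service or from CA Technologies, showing how the factors listed above can be combined into a step-up decision: each signal adds to a risk score, and a score at or above a threshold requires the second factor. The application sensitivity tiers, the corporate address range, the home country, the weights, the thresholds and the sample requests are all assumptions made for the illustration.

```python
"""Illustrative risk scoring for a step-up MFA decision.

Added example for this article; it is not code from the commonwealth's
RBMFA service or from CA Technologies. The signals mirror the factors the
article lists (data sensitivity, request location, device, request rate);
the weights, thresholds, address ranges and sample requests are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginRequest:
    user: str
    app: str
    source_ip: str
    country: str          # assumed to come from a geo-IP lookup upstream
    device_managed: bool  # True for a work-issued device in inventory
    timestamp: float      # seconds since epoch


# Assumed sensitivity tiers: 0 = public, 1 = internal, 2 = regulated (CJIS, tax data)
APP_SENSITIVITY = {"email": 1, "office365": 1, "cjis-portal": 2, "tax-records": 2}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed commonwealth address space
HOME_COUNTRY = "US"
RATE_WINDOW_SECONDS = 600
RATE_LIMIT = 5             # attempts per window before the rate signal fires
STEP_UP_THRESHOLD = 3      # score at or above this requires the second factor


class RiskEngine:
    def __init__(self):
        self._attempts = defaultdict(deque)  # user -> recent attempt timestamps

    def _attempts_in_window(self, user, now):
        """Record this attempt and return how many fall inside the window."""
        q = self._attempts[user]
        q.append(now)
        while q and now - q[0] > RATE_WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def evaluate(self, req):
        """Return (decision, score, reasons) for one login request."""
        score, reasons = 0, []

        sensitivity = APP_SENSITIVITY.get(req.app, 2)  # unknown app: treat as regulated
        score += sensitivity
        if sensitivity:
            reasons.append(f"app sensitivity {sensitivity}")

        addr = ipaddress.ip_address(req.source_ip)
        if not any(addr in net for net in CORPORATE_NETS):
            score += 1
            reasons.append("off-network request")

        if req.country != HOME_COUNTRY:
            score += 2
            reasons.append(f"request from {req.country}")

        if not req.device_managed:
            score += 2
            reasons.append("unmanaged device")

        if self._attempts_in_window(req.user, req.timestamp) > RATE_LIMIT:
            score += 2
            reasons.append("request rate exceeded")

        decision = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
        return decision, score, reasons


def run_sample():
    """Evaluate a few constructed requests and return the decisions."""
    engine = RiskEngine()
    sample = [
        LoginRequest("alice", "email", "10.1.2.3", "US", True, 0.0),        # on-network, managed
        LoginRequest("bob", "email", "203.0.113.5", "US", True, 0.0),       # remote, managed
        LoginRequest("bob", "tax-records", "203.0.113.5", "US", True, 5.0), # remote, regulated data
        LoginRequest("carol", "email", "198.51.100.7", "RO", True, 0.0),    # foreign location
    ]
    return [engine.evaluate(r)[0] for r in sample]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The `reasons` list is returned alongside the decision so that every step-up prompt can be logged with the signals that triggered it; that record is what an agency needs when it has to show an auditor why a CJIS or tax-data session was or was not challenged. The same engine also fires on the rate signal alone, so a sixth attempt within the window from an otherwise low-risk request is challenged.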
Adding RBMFA to agency systems began with a pilot at Pennsylvania's Department of Human Services in 2015. Once the technology proved itself at the large agency, the state began rolling out to other agencies starting in June 2016. The project won both agencies a 2017 State IT Recognition Award from the National Association of State CIOs.
“When we started moving our services into the cloud, it became more important to reduce the risk of third parties getting access to our data or information,” Chief Information Security Officer Erik Avakian told GCN. “RBMFA provides safeguards to our data because our employees have to go through a second process to get access even if they have credentials.”
The RBMFA service is designed to protect sensitive information by addressing a variety of agency data security needs such as compliance with the Criminal Justice Information Services rules for law enforcement and IRS policies related to tax data. Avakian said it was a struggle to meet the different business requirements of the agencies.
“We went in the direction of taking a risk-based approach because of all the different scenarios that need to be met,” Avakian said. “Most of the regulations to move to the cloud require MFA, so it made sense to work together to reach a common solution that could meet everyone’s needs.”
The RBMFA service has gradually been deployed at most state agencies for email and basic office functions over the past two years; the measured rollout gave the Office of Administration time to respond to users' issues and problems. Additionally, help desk employees at each agency have been trained to guide users through the login process.
The state worked with Deloitte to implement the RBMFA service from CA Technologies. For Srini Subramanian, a principal in Deloitte’s Cyber Risk Services practice, one of the pain points in the deployment process was identifying an MFA implementation that users would not find cumbersome.
To access RBMFA-protected systems, users preregister from a work-issued device located on the commonwealth's network. During this process, workers are authenticated against the enterprise Active Directory and prompted to set up their challenge/response questions and PIN.
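As an added example, not the commonwealth's or CA Technologies' code, the enrollment step above can be gated and stored as follows: preregistration is refused unless the request comes from the corporate address range and a device in the work-issued inventory, the directory check must succeed, and the PIN and challenge answers are stored only as salted PBKDF2 hashes, with answers normalized so that case and spacing differences at login do not lock users out. The network range, device inventory, PIN policy, directory stand-in (an in-memory table in place of Active Directory) and sample user are assumptions.

```python
"""Illustrative preregistration gate and credential storage for RBMFA enrollment.

Added example for this article; it is not the commonwealth's or CA
Technologies' code. It assumes the corporate network ranges, the inventory
of work-issued devices, a PIN policy, and a directory check supplied by the
caller (a constructed in-memory table stands in for Active Directory).
"""
import hashlib
import hmac
import ipaddress
import os
import re
import unicodedata

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed commonwealth address space
WORK_DEVICES = {"PAWS-00123", "PAWS-00124"}             # assumed device inventory
PIN_PATTERN = re.compile(r"^\d{6,8}$")                  # assumed PIN policy
MIN_QUESTIONS = 3
PBKDF2_ROUNDS = 100_000


class EnrollmentError(Exception):
    pass


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) as bytes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_secret(secret, salt, digest):
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)


def normalize_answer(answer):
    """Casefold and collapse whitespace so ' Honda  Civic ' matches 'honda civic'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def enroll(user, password, source_ip, device_id, pin, answers, directory_auth):
    """Gate preregistration and return the stored record (hashes only)."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in CORPORATE_NETS):
        raise EnrollmentError("preregistration only from the commonwealth network")
    if device_id not in WORK_DEVICES:
        raise EnrollmentError("preregistration only from a work-issued device")
    if not directory_auth(user, password):
        raise EnrollmentError("directory authentication failed")
    if not PIN_PATTERN.match(pin):
        raise EnrollmentError("PIN does not meet policy")
    if len(answers) < MIN_QUESTIONS:
        raise EnrollmentError(f"at least {MIN_QUESTIONS} challenge questions required")

    return {
        "user": user,
        "device": device_id,
        "pin": hash_secret(pin),
        "challenges": {q: hash_secret(normalize_answer(a)) for q, a in answers.items()},
    }


def verify_pin(record, pin):
    salt, digest = record["pin"]
    return check_secret(pin, salt, digest)


def verify_answer(record, question, answer):
    salt, digest = record["challenges"][question]
    return check_secret(normalize_answer(answer), salt, digest)


# Constructed stand-in for the enterprise directory: user -> (salt, digest) of password.
_DIRECTORY = {"alice": hash_secret("correct horse battery")}


def directory_auth(user, password):
    entry = _DIRECTORY.get(user)
    return entry is not None and check_secret(password, *entry)


def run_sample():
    """Enroll one user from a constructed on-network request and return the record."""
    return enroll(
        "alice", "correct horse battery", "10.1.2.3", "PAWS-00123", "482913",
        {"first school": "Taylor Allderdice", "first car": " Honda Civic ", "pet": "Rex"},
        directory_auth,
    )
```

Challenge answers are treated as secrets in their own right: they are hashed like the PIN, and the normalization is applied identically at enrollment and verification so the stored digest is never compared against raw user input.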
“Users have the ability to choose a preferred MFA method in their risk evaluation, which helped with the user experience aspect of implementation,” Subramanian told GCN.
Besides improving security of agency applications and increasing efficiency, the solution has raised service levels and cut costs. There are plans in the works to adapt the solution to citizen-facing applications so Pennsylvanians can access tax information or state health records through a single sign-on.
“We want to have the tools and services available to meet the customer needs in relation to transactions where you need an extra layer of protection and security,” Avakian said.