Identity and access management sounds simple. As defined by Gartner, it enables “the right individuals to access the right resources at the right times for the right reasons.” While federal IT leaders maintain high hopes for identity management’s potential, there are concerns due to the complexity and requirements of its implementation.
While 58 percent of federal government IT professionals describe access management as “enabling” the digital transformation, 85 percent said their agency still lacks key capabilities, according to research from One Identity. In fact, only two of five said they are “very confident” in their agency’s ability to manage access.
Clearly, the obstacles are rooted in both technology and human factors. Yet, with MarketsandMarkets projecting that the worldwide access identity market will grow to nearly $15 billion by 2021, compared to just over $8 billion two years ago, federal agencies can’t afford to forgo the cybersecurity improvement opportunities that such investment will bring.
Fortunately, there are two key areas of continuing innovation that can help agencies overcome the described inhibitors. They directly address budget constraints by maximizing return on investment while enhancing current tech systems and processes. And, if effectively proposed to top decision-makers and users, IT will successfully prevail over cultural resistance and a lack of buy-in.
For starters, agencies can focus on one of the capabilities that the above graphic reveals is sorely lacking: automation and machine learning. While not one and the same, they’re frequently implemented as a combined effort to dramatically accelerate traditionally manual identity management tasks, enabling more efficient access authentication functions, thus saving on tech spend while more effectively protecting data and systems.
For example, with automation and machine learning, if there is a network outage, IT teams can automate the process of restarting the network device, restarting a specific service and re-enabling a management port. The key is to take automation to the next level. Agencies could use machine learning to determine every single device on the network that has caused the outage. Using historical data, teams can identify the problem device within a matter of seconds. Machine learning digs deeper and determines the specific device that caused 90 percent of the outages. Now, within seconds, agencies can create a dashboard of the devices that are most likely the cause of the outage. Yes, humans can determine the above, but at what cost in time and resources?
Agencies can expect to run into cultural and buy-in barriers, many of them coming from IT itself. Engineers realize, after all, that if automation and machines are conducting identity access and patching, then their jobs are potentially at risk. They’ll make the case to leadership that the changes will not be compatible with existing systems or that they’ll disrupt workflows or trigger additional, unwanted outcomes.
To counter this, teams must stress the return on investment and improvements, including the elimination of human errors that lead to unauthorized access and compromises. Then, the jobs discussion can take place, and agencies should offer retraining and retooling to staff who are interested in evolving with the technology to pursue higher-level tasks that can’t be automated, such as the deployment of the latest developments in artificial intelligence, the Internet of Things and other emerging innovations. With this, automation and machine learning represent a career growth opportunity, instead of a vocational threat.
Then, agencies must commit to next-generation authentication, such as tokenization, biometrics and multifactor authentication. IT teams cannot launch a fully realized identity management program by ignoring these and clinging to antiquated password practices. The risks of passwords are well-known. Employees share them when they shouldn’t. They jot them down on Post-it Notes that ill-intended insiders can steal. They don’t change passwords when they should and, when they do, they favor overly simplistic ones which hackers can easily crack. In addition, new attack vectors are making it easier to potentially read passwords.
Still, it’s difficult to convince agencies to “cut the cord” on passwords, because next-generation authentication entails significant change. Federal decision-makers may take issue with tokens, for instance, saying that they don’t want to burden users with carrying around a half-dozen tokens to access everything required for their various roles and responsibilities. Or they could claim that biometric technologies are too invasive.
However, a little education goes a long way. True, certain government professionals need to carry around several tokens or more. But would they rather keep even more passwords in their heads? In addition, tokens update automatically, as opposed to the tedious, manual process of updating passwords. As for biometrics, solutions now enable users to scan and input their fingerprints into an access management database within seconds, a swift and nearly effortless procedure.
Automation, machine learning, and next-generation authentication tools are hardly perfect. But perfection, as the saying goes, is the enemy of good, and agencies need to ensure they are at the forefront of innovation, especially as modern adversaries have grown more cunning and dangerous.
Robert Schofield is the director of enterprise solutions at NetCentrics.