COVID-19 Prompts Agencies to Accelerate Identity Management

With the rapid evolution of technology and hybrid work environments, organizations are accelerating identity management solutions to protect critical infrastructure and data.

The COVID-19 pandemic has raised the stakes, increasing cyber risks following the widespread transition to remote work environments. Kenneth Myers, chief federal ICAM Architect at the General Services Administration (GSA) explained during ATARC’s Identity Management virtual summit Tuesday that the pandemic prompted a massive shift in network traffic.

Previously, all the traffic and assets were either in an office or through a virtual private network (VPN) because that’s where security staff and data were located, and individuals had to be on an agency network to access that information.

“What the pandemic showed was that we could no longer be in the office, or maybe agencies hadn’t even planned for remote use cases,” Myers said. “Agencies had to immediately make changes to ensure they could continue their mission, even in the remote environment. That’s really the direction of the Federal Zero Trust Strategy. It will help agencies move their technology along and get out of the moat approach to defense.”

James Medlock, CDM program support manager with the Department of Veterans Affairs, explained that his agency was well positioned to combat emerging cyber threats following the pandemic.

“We’d already implemented personal identity verification (PIV) cards and multifactor authentication (MFA),” Medlock said. “We were far along with that for all our employees and contractors. I think the statistic was around 94% fully compliant with PIV at that point in time, and that differential was approved exceptions or exemptions for like sterile environments, things like that.”

The larger challenge at VA was growing its capacity to support a fully telework environment. VA focused its efforts around expanding its infrastructure to support the new surge and volume. The agency was also responsible for providing remote care services to veterans through tools like telehealth.

“We did have a period where facilities were closed, and we had to really begin to loosen some of those processes and some of those securities to allow for operations and continue customer support for our veterans,” Medlock said. “That’s our primary mission goal.”

The Army is focusing on identity governance, improving provisioning processes and ensuring applications have a single master user record to centralize all identities into one directory.

John Pretz, U.S. Army’s technical director and project officer for Identity Access Management, noted that data is one challenge many organizations don’t take into consideration. When implementing zero trust and identity, credential and access management (ICAM) solutions, data must be organized to effectively secure assets and information.

“We’re doing several efforts, but the main portion is zero trust,” Pretz said. “I think we’re on a good path on zero trust when it comes to MFA.”

Myers noted that his team is currently working on more than 117 use cases for identity access management. Looking ahead, these agencies will continue to collaborate with vendor partners to better define requirements and advance identity management solutions.

“It’s taken us time to define all our requirements, put use cases and build stories around them, so that we really understand what our requirements are,” Meyers said. “Then we start working with the vendors to address those requirements and capability gaps and then rationalize the ones we don’t need that have just built up over legacy.”