How Zero Trust Solutions Stop Fraud at the IRS

The Internal Revenue Service (IRS) and the U.S. Department of Health and Human Services (HHS) are seeing major benefits from deploying identity, credential and access management (ICAM) solutions, which are foundational for a zero trust cybersecurity approach, to prevent fraudsters from gaining access to user identities and other vital information.

“They know we are trying to actively restrict their ability to get access to these accounts so one thing they will do they will collect those credentials in the phishing site and replay those credentials to potentially gain access to IRS resources,” said Mark Henderson, security specialist with Online Fraud Detection and Prevention at IRS, during ATARC’s Feb. 23 Fraudulent Behavior and How ICAM Can Assist Webinar. “Having an ICAM solution in place can verify the identity of an individual. It provides multiple options including using an authenticator app on their phone which adds a technical barrier that scammers must go above for them to perform fraud.”

ICAM helps prevent fraud but also expand the availability of services to populations who previously were unable to digitally verify their identity.

Henderson said phishers will ask individuals to provide information on a phishing website or install malware to collect personal information. Additionally, phishers use compromised information from a breach to replay those credentials.

“If we can continue to protect accounts with strong multi-factor authentication (MFA) options, including phishing-resistant MFA, we can have a better user experience and achieve higher success rates for the general users,” Henderson said. “Trafficking credentials is common, so having something where we can do identity proofing and make sure the person we’re talking to is the right person is going to help reduce fraud.”

While ICAM provides a host of benefits, integrating the framework comes with its share of challenges.

HHS Office of the Inspector General’s Deputy Director for the Architecture and Transformation Division Jane Zentmyer said one of the biggest implementation challenges with ICAM is data, particularly managing employee data in a systemic, controlled way  across the organization. As HHS develops more robust user profiles over time, the agency is trying to figure out how to integrate ICAM into all of its systems.

“As we continue to mature in this area, I think that we will grow better in our concept of what counts as an identity. Identity isn’t just your name and address anymore,” Zentmyer said during the ATARC webinar. “What computer, what device are you coming from? How do we work this into our identity profiles in a robust manner so we can keep it up to date so that we know when people are accessing it, who they are, what they’re accessing and why?”

ICAM integration has also highlighted data management challenges for the IRS due to the large volume of tax returns and other documents the agency processes every year. In addition to volume, the IRS wants services to be convenient and secure.

“We want to make sure there is ICAM put in place that provides service to a wide range of the public that also meets federal privacy and security guidelines,” Henderson said. “The ICAM that we use now is secure access digital identity (SADI), and migrating to that should be relatively comfortable because taxpayers likely already use their phone to access apps. By setting that up, you will be able to access a variety of IRS services.”

Zentmyer encouraged organizations to include security as a part of their culture. She said the concepts of identity management should be at the forefront and not an afterthought.

“As you’re building applications or providing access to your cloud environment you need to think about security around that who should have access and do we have the right technology,” Zentmyer said. “We’ve been working on our culture to make sure that security is part of our process. Your developers need to be thinking of building a DevSecOps pipeline not just a DevOps pipeline, and combining ICAM into the security posture of the organization.”