As agencies continue to build out zero trust architectures, they have been homing in on a critical component of any zero trust strategy: identity, credential, and access management (ICAM) solutions.
Zero trust moves beyond a network perimeter-based approach to data protection to one that requires continuous verification of user credentials and authentication for every access request.
"Without secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks," according to a Jan. 26 Office of Management and Budget memo outlining the federal zero trust strategy. "This strategy ... directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied."
What is ICAM?
According to an ICAM fact sheet from the Department of Homeland Security, ICAM is a "framework of policies built into an organization’s information technology infrastructure that allows system owners to have assurance that the right person is accessing the right information at the right time for the right reason."
Agencies across government are standing up new identity management strategies or building upon existing ones. One of the most challenging initiatives is at the Defense Department, which operates at different classification levels that may require different means of access for both networks and physical locations. This can include access to different services within the Defense Information System Network (DISN), the DOD Information Network (DODIN), NIPRNet and SIPRNet, as well as access to physical military bases around the globe.
The Department of the Navy plans to launch a new identity management initiative in 2022, which will pave the way to zero trust.
"The Navy, like the rest of DOD, is pursuing an ICAM strategy right now, and we were pursuing this prior to zero trust being a big thing," Navy Principal Cyber Advisor Chris Cleary said in a recent interview.
"Identity is fundamental to a zero-trust strategy. If you don't have a good identity strategy or architecture, you're never going to get to a zero-trust architecture. They're codependent. Zero trust has further accelerated our need for identity; it's not a pet project anymore," he added.
Navy CTO Jane Rathbun said finding identity solutions that work in a zero trust environment can be extremely difficult, but a federated approach can ease the process across DOD.
"When it comes to executing identity and managing identity and managing identity solutions for our customer base, we need to federate that down to the service level so they have the freedom of maneuverability for their mission sets," Rathbun said at GovCIO Media & Research's 2022 CyberScape: ID event.
DOD is also hoping to use ICAM to help secure communications across 5G networks via satellite.
“In the future, every capability on the battlespace becomes a sensor, whether it's a SATCOM sensor and can report activity on the spectrum and report that back,” said Army Maj. Gen. Robert Collins, who leads the service's Program Executive Office for Command, Control, Communications-Tactical (C3T), at the Satellite 2022 conference in Washington, D.C.
“We continuously underscore cyber hygiene. Directionality, spreading the spectrum … we're taking a look at, how do we obscure spectrum? As you look at 5G, how do you blend in with other 5G users and hide within the spectrum?” he added.
Benefits of ICAM
The American Council for Technology and Industry Advisory Council (ACT-IAC) cites several benefits of ICAM including cost reduction, simplified user management, secure access to information, and protected resources across organizations.
ICAM solutions are also ideal for securing data and devices in cloud-distributed, remote-work environments, which proliferated during the COVID-19 pandemic. The U.S. Office of Management and Budget (OMB) said the shift toward cloud-first work environments requires an identity-focused approach to privacy and security in a 2019 memo outlining the Federal ICAM policy.
"This is necessary to prevent unauthorized access to information systems when the employee or contractor separates from the agency, or the credential has been lost," according to the memo. "Additionally, this serves to mitigate insider threats associated with compromised or potentially compromised credentials."
The Federal CIO's office also notes federal agencies "must be able to identify, credential, monitor, and manage subjects that access federal resources" in order to achieve maximum cybersecurity and operational efficiency.
IDManagement.gov includes implementation playbooks and approved vendor lists to help federal agencies deploy ICAM solutions and work toward fulfilling the White House's 2021 Executive Order on Improving the Nation's Cybersecurity, which mandated agencies adopt a zero trust approach to cybersecurity following major cyberattacks such as the Colonial Pipeline ransomware incident and the SolarWinds software supply chain breach.
Still, ICAM is just one part of a comprehensive zero trust strategy.
“ICAM doesn’t work in isolation. You can come up with a strong ICAM solution, but without things like policy enforcement points, you haven’t gotten across the interim finish line for zero trust,” said Fortinet Federal CISO and Vice President Jim Richberg at GovCIO Media & Research's 2022 CyberScape: ID event.
Last year, CISA Executive Director Brandon Wales said federal agencies must modernize their IT systems and how users access them simultaneously. That starts with ICAM.
Zero trust must transition from buzzword to "the baseline standard for network design and configuration," he said. "It will not be easy, simple, or cheap, but the cost of not doing so is simply too high."