The quest for seamless, secure identity and access management

When FCW convened identity and access management leaders from across the government on Oct. 12, they agreed that authenticating users is the new frontier in cybersecurity, with one saying the latest attack vectors "are all about identity." Agencies have made significant progress in moving beyond simple username and password constructions, but the work is far from done. Challenges include educating senior managers, convincing a wary public and finding ways to securely share the burden of identity-proofing.

The discussion was on the record but not for individual attribution (see below for a list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.

Reframing the discussion

"My day‑to‑day focus is making sure that the identity infrastructure is working well and keeps the lights on," one participant said. "At the same time, we've done a pretty good job of deploying smart card technology, but just as we got that settled down, we're moving into the cloud, we're moving into mobile."

Another executive agreed that the increasing complexity of the IT environment is making identity management even more challenging, and agency leaders are not necessarily keeping up. "This space is inscrutable to a lot of people, especially those in leadership roles," he said. "They've got some experience with username and password for logging in. That's what they think of when they think of identity."

A third said his No. 1 focus has been moving users to certificate-based access via personal identity verification cards, but despite his agency's progress, "there are a few folks out there still — and most of them are very important people — who are sticking to username and password."

The importance of management buy-in struck a chord, but the discussion centered on the IT team's responsibility.

"We need to change the conversation from a defensive cybersecurity-focused conversation" to identity management as an enabler, one participant said. "If I were an agency head today and I'm worried about better serving my constituents, my citizens, identity management should be in the top three on my agenda. I'm not sure that's the case across the board. Changing the conversation — being crisp and clear with communication to the leadership — is going to be key."

Another executive added that "the big challenge of everything we do governmentwide is how do you make a compelling business case to the mission owners versus trying to foist it on them. How am I going to make a compelling case that this is the right thing for the mission — maybe not in the short term, but in the long term they're going to be better off?"

Others, however, said two factors make the conversation about long-term benefits difficult in government. "One is we're all human, and we all really want short‑term benefits," one participant said. "Two is that we're just not good at selling within government. It's not natural, it's not a skill set we recruit for. We hire people in our programs who are highly technical, but we don't really think about how important that kind of business acumen is and how important it is to be able to sell concepts and ideas and to market internally."

Another participant cited the enormity of the challenge. "Identity management projects get so big that you boil the ocean rather than focus on some areas where you can really see some near‑term success that leadership understands and can then continue to fund those programs," he said.

When asked how IT professionals could accelerate the push for identity management, another participant emphasized the need to make it frictionless. "Do the obvious stuff. Make a day in the life of your management easier, and you will get their attention."

But another said, "There's nothing like a good disaster to get management's attention. That could be the OPM breach. It could be the hurricanes. That really starts to move things in a very rapid way."

In other words, agency leaders often see identity management as a hassle and added cost until there's a problem that opens their eyes to the negative impacts.

"We all look at the downside," a participant said. "It's all risk. It's all punishment. What's really missing in these equations is incentivizing good behavior. We have never really cracked that nut as a government."

The group acknowledged that the government's long budget process is also an ongoing challenge, but many said they see hopeful signs that the mindset of federal leaders is evolving.

"This changing conversation of identity and access management as part of cyber to reduce risk to your mission is the way the conversation is emerging — not so much did you comply with some memo that was written seven years ago," one said. "That's a big change in the conversation."

Identity-proofing and interoperability

When the discussion turned to specific ways to tackle the challenges, interoperability was a key solution.

One participant whose agency provides biometric identity services for a range of internal and external users has developed bilateral agreements with other organizations, but said, "I don't think we do federated services enough. There are people [for whom] it would take an act of Congress or the president for them to give up their data. We're not going to copy the data. We're not going to take over the data. But as we scale up from a million transactions a day to, I foresee pretty soon, 3 to 5 million a day, and to meet the time requirements with increased accuracy and more complete reports, we're going to have to do it using a federated approach."

"The technology is there, the design patterns are there, but the policies aren't there," another said. "We don't need to be able to share everything with everybody, but when we do, we need it to be frictionless."

In most cases, that's easier said than done. "The expense or problem usually comes in the identity‑proofing of that individual because they're remote," said one participant, who pointed out that the face-to-face process for an employee or contractor can take hours.

Another executive agreed. "The proofing is the big conundrum, and it sits in identity." He added that during the Obama administration, the National Strategy for Trusted Identities in Cyberspace conducted a number of pilot tests, some of which informed the National Institute of Standards and Technology's Special Publication 800-63-3 on digital identity guidelines.

But the recent massive breach at Equifax has raised new concerns. "How are we going to proof online when tough questions are now being asked about how the credit bureaus, for example, and the data brokers have been doing things?" he asked.

Another participant added that, "without strong proofing, you can't offer more services that the citizens really want."

Some said partnerships are the only viable answer. For instance, the IRS cannot identity-proof every taxpayer, but it could partner with state departments of motor vehicles to do so. One participant said federation could also work by letting people use an existing credential issued by a financial institution, for instance.

More than one participant referenced the cybersecurity sprint in 2015 after the massive breach at the Office of Personnel Management, with one executive saying its focus on privileged-user access could be a model for future efforts. "In a very short period of time, it turned the numbers around in a big way and probably had a pretty big impact on the overall security structure," he said. "That's not agency-specific. That's actually a good example of how we can do this governmentwide."

"Insider threat is the chief risk, so we need to do a better job of knowing who's on our networks, who has access, especially privileged access, and better managing that," another executive said. He added that it requires performing basic tasks such as deprovisioning users after they leave the organization.

The future of identity management

The holy grail is creating services that are secure yet seamless for the user and save money for the agency on the back end. As one participant put it: "It's all about the user experience. We're trying to make sure that from start to finish they feel like they've gotten a good experience and a safe experience interacting with our agency."

But achieving that frictionless experience for the public has proven to be a challenge because, as one executive put it, "People will give up to Facebook in a heartbeat what they would never give up to the government."

A participant told the story of visiting his daughter at college and discovering the depth of the students' animosity toward the college's requirement for two-factor authentication. "Her friends said, 'It stinks. We've got to log in twice to download our stuff.' They're willing to give out all of their information to everybody, and security doesn't even seem like it's a factor. Asking them to secure something was like, 'Whoa, why would we do this?' It was really a shock to me."

"That sounds like a classic usability scenario to me," another participant said. "I bet if you asked her if she minds using her fingerprint on her phone, she's not going to say a word because it's a better‑designed approach. Now with facial recognition coming on these devices, it looks even more interesting from a usability perspective."

Another participant said meeting the demand for secure, seamless access involves having the right level of security for the time and place.

"It's ultimately about context," he said. "Who is that person, what's their device, what do we know about it? Where are they coming from, what are they doing, how does that match their pattern? And how do we use all that data in near-real time to make a decision on the risk of this particular transaction and do it in a seamless fashion? This is what identity management has to be focused on now."

Another colleague agreed, saying: "The irony is that millennials are using a PIV card every day because the mobile devices have become more capable and sport these features and capabilities baked into the user experience. These devices or other mechanisms that become part of the identity chain are unobtrusive, invisible, yet present. They themselves have an identity."

Many participants said they were looking forward to the General Services Administration's login.gov shared service as a way to make credentialing initiatives interoperable. One noted that the government had unsuccessfully tried to shift the burden to third‑party credential providers in the past.

Unfortunately, "the credential providers that everyone uses — Facebook and Google — didn't meet the government's standards, and the ones that did meet the standards no one had ever heard of or used," he said. "So that fizzled out, and now we're back to what seems like a government‑centric login.gov approach."

He predicted that the next step will be incorporating users' existing mobile device credentials issued by any trustworthy party. "That's where it's going to go, but we can't invent it. We can cooperate in moving it forward."

In response to some concerns about the government's ability to manage credentialing in a seamless way, another participant said, "To login.gov's credit, they do care a lot about the frictionless experience and the usability of the solution. They are addressing that in a way that maybe some of the previous initiatives didn't."

In the end, one executive said, "you cannot overstate the importance of that friction in preventing doing the right thing. Now that we are moving out of biometrics to the place where your authentication is you versus something that represents you, I think we're going to see a huge upswing in better identity management."