Passwords, the go-to for identity management since the dawn of the Internet, don’t prove your identity. They prove that somebody (you...or someone posing as you) knows the password, but passwords alone just don’t cut it anymore. As concern about data breaches in government organizations grows, secure identity management is more important than ever.
Several government efforts aimed at piloting or improving identity management are underway. GAO and USPS recently teamed up to create the Federal Cloud Credential Exchange Program (FCCX), a way of using FICAM authorization standards to allow public access to online services at multiple agencies without the need for multiple passwords. Programs like FCCX drive toward the creation of what NIST’s National Strategy for Trusted Identities in Cyberspace (NSTIC) calls the “Identity Ecosystem”—an online environment where users can securely validate their identities across multiple websites using a single secure login.
Government Business Council (GBC) recently surveyed 975 federal managers about their views on identity management, asking how soon they see the identity ecosystem becoming a reality. Peter McDonald, one of the industry's foremost experts on identity access management and Symantec's digital identity practice manager, recently gave his take on the survey results. He shared his views on the challenges ahead for mobile identity management and his belief that a single sign-on identity ecosystem isn’t as far off as many think.
A recent Government Business Council survey found that 72 percent of federal managers are confident in their agencies’ ability to provide physical access to facilities while 63 percent are confident in their agencies’ ability to provide logical access to electronic files and data. What has the government been doing right in the area of identity management that accounts for these high levels of confidence?
I think the similarity between these two numbers is due in large measure to HSPD-12, which has been around for a number of years now and spearheaded linking physical and logical access. I’m actually not surprised to hear that confidence is higher for physical security than logical security. Culturally, we view security as guards in buildings rather than IT experts monitoring network access and credentials. In time, I believe we’ll view them more equally.
When it comes to logical access, we found security concerns persist, with 58 percent of managers saying security worries prevent the expansion of digital services. How would improving identity management alleviate those concerns?
The challenge is ensuring you can trust whoever is on the other end of the line. At the end of the day, identity management is about trust. What you’re getting with external identity providers is a very accurate validation that a person is who they say they are. As these systems mature they will increase security, in turn addressing the concerns of those 58 percent. Right now the big challenge is assuring leaders we can secure mobile devices.
On that topic, the survey found an interesting contrast in how federal leaders are thinking about mobility. On one hand, 72 percent of federal managers see mobile devices as a boon to collaboration and productivity. But on the other, 54 percent say security concerns are a major obstacle to fully embracing the benefits of mobility. How do you foresee identity management improving mobile security?
There’s no question that mobile requires particular scrutiny right now. It’s going to be very important to tie identity directly into the user experience and manage it very carefully. When we look at mobile device adoption, the first thing we do is ensure access to productivity applications like email. The next step is injecting careful identity management into application usage. For instance, right now SharePoint isn’t something commonly accessed on mobile devices. As we get better at mobile identity management you’ll be able to start accessing applications you previously couldn’t because of security concerns.
Something we found surprising in the survey data was that one-third of federal managers indicated they weren’t familiar with the concept of a common framework for establishing trusted identities. What should federal managers know about efforts to establish a common identity framework?
They should know it’s going to be important. When it comes to citizen-to-government interaction, an interoperable and federally certified identity management system is absolutely critical because it will reduce operational costs and improve ease of use. By having a provider manage credentials, agencies will significantly reduce help desk costs, increase security and bring about a better user experience. Those are key drivers behind the move to electronic government and the identity ecosystem.
For those unfamiliar, what is the “identity ecosystem” (also known as federated identity) and what benefit will it have for government operations?
Have you been to a website where it says you can login using Facebook or LinkedIn? That’s an example of federated identity—it links your electronic identity across multiple websites. When it comes to financial or medical systems access in government, it’s critical we use credentials that verify, absolutely, a person is who they say they are. The identity ecosystem will be a paradigm shift for government to citizen communications, allowing citizens to avoid going to government agencies to request documents in person. “Where’s My Refund,” the IRS program that allows citizens to check their filing status electronically, is a good example of where we’re headed. Federated identity will enable greater access to government systems while still maintaining a very strong security footprint.
For those federal managers familiar with an identity ecosystem, 54 percent think it can be achieved within 2-10 years, which is a pretty substantial amount of time, and 11 percent said it could take more than 10 years. Do those numbers surprise you and what factors do you foresee driving government’s adoption of an identity ecosystem?
It doesn’t surprise me. Historically, new technology adoption is always split between enthusiasts and laggards. This will take time--but it will happen. Two things will get us there. First, people are forgetting their passwords constantly. It’s hard to remember them all. People are growing to like using things like Facebook or LinkedIn as identity credentials on other websites. Second, forgotten passwords are expensive! Government agencies are going to look at how they can reduce operational costs by passing those expenses on to credential service providers who can unify services around a single, less forgettable sign-on.
In 2014, where do you think managers should look for the best ongoing examples of forward-thinking identity management in government?
Look to the FCCX program running jointly between GSA and USPS. It’s a good preview into the future of identity management. FCCX will unify six different civilian agencies using FICAM authentication standards to allow the public to securely access online services through a single sign-on. There are also terrific examples ongoing in the first responder community and many federal research institutions. These are some of the key groups driving federated identity management in government this year.
This content is made possible by Symantec; it is not written by and does not necessarily reflect the views of Nextgov's editorial staff.