You’re undergoing a digital transformation whether you planned to or not. Agencies understand that digital transformation offers huge benefits, and many recognize security’s role in making it a reality, but why is it so hard to get right? A recent survey of federal IT decision makers found that 58 percent of respondents recognized identity and access management (IAM) as an essential piece of both the digital transformation and cybersecurity puzzle. Yet there is still a clear gap between understanding IAM’s value and actually realizing its benefits. In fact, 85 percent of respondents report that their agencies lack critical IAM capabilities – and 45 percent even note that their agencies fall short on such IAM basics as multi-factor authentication.
So if agencies are aware of the value of IAM, why do they fail to act? Here are three of the biggest reasons that came to light from the survey data:
They’re Struggling to Make Guidance Work
In recent years, numerous efforts have been made to boost cybersecurity. Initiatives such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Cybersecurity Executive Order have both offered guidance and put pressure on federal agencies to ramp up security. Even so, there are still challenges when it comes to implementation. Since the 2015 Cybersecurity Sprint initiated by former federal CIO Tony Scott, 94 percent of agencies report that their IAM efforts have improved, but two in three admit there is still room for progress. Also, while 91 percent of survey respondents cited that their agencies are using the NIST Framework, only 45 percent use it fully.
Other efforts such as the Continuous Diagnostics and Mitigation (CDM) program haven’t had the intended impact due to implementation challenges. Ninety-four percent of survey respondents reported they faced challenges that prevented them from realizing the full benefit of CDM. Budget represents a large challenge, with 52 percent of survey respondents noting budget constraints as an obstacle preventing implementation. Support for current tools was reported as another significant barrier, with 37 percent noting the lack of support for currently used tools, such as Active Directory, as a challenge. These findings make it clear that while most agencies want to do what’s right for security’s sake, the challenge is making it accessible, especially to protect legacy systems often at the heart of government agencies.
They’re Still Relying on Manual Processes
It’s widely recognized in the government community that automated tools can help manage IAM and the user accounts on IT systems. These tools can help prevent manual error, while also reducing the burden of critical IAM practices such as management of privileged access. However, survey data shows that one in five federal IT security professionals still uses paper-based logbooks for privileged account management, and 47 percent use spreadsheets for tracking privileged accounts. These numbers come in even higher for government agencies than those reported by commercial respondents globally, indicating an alarmingly high reliance on antiquated practices around the most critical accounts, the very accounts that could give bad actors access to highly valuable information.
Privileged accounts are the keys to the kingdom when it comes to agency data and the primary risk behind damaging cyber breaches such as the 2015 Office of Personnel Management (OPM) hack. Yet, despite a significant effort to improve privileged access management following the breach, a recently released Inspector General (IG) report found that the maturity level of OPM’s privileged account metrics is still at a three out of five. Survey results identified similar challenges, with 37 percent of federal respondents admitting to monitoring only some privileged accounts.
Maintaining a least-privilege approach that grants users only the level of access they need to do their jobs is essential. Basic processes such as privileged password management and monitoring of admin activities should be considered standard. And when full admin access is necessary, privileged users should be granted temporary access that limits what they are able to reach, the length of time during which access is allowed, and the actions they are permitted to execute on the system. Privileged access should be fully auditable and tracked, to identify misuse and in turn mitigate potential damage. This approach provides a necessary level of security by assigning individual accountability to admin activity without sacrificing agency productivity.
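To make the temporary-access model above concrete, here is an added example (not from the article or any vendor product) of a minimal just-in-time privileged access broker: each grant is scoped to one system, a fixed set of actions and an expiry time, and every grant and allow/deny decision lands in an audit log that attributes admin activity to a named person. The user, system and action names are constructed sample values.

```python
import time
from dataclasses import dataclass, field

# Constructed example: a minimal just-in-time (JIT) privileged access broker.
# A grant limits WHAT (system), WHICH actions and HOW LONG; every decision is
# appended to an audit log so admin activity is attributable to one person.

@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    actions: frozenset   # the only actions the elevated session may run
    expires_at: float    # epoch seconds; hard stop for the elevation

@dataclass
class PrivilegedAccessBroker:
    grants: dict = field(default_factory=dict)   # (user, system) -> Grant
    audit_log: list = field(default_factory=list)

    def _audit(self, event, **fields):
        self.audit_log.append({"event": event, **fields})

    def grant(self, user, system, actions, minutes, now=None):
        """Elevate `user` on `system` for `minutes`, limited to `actions`."""
        now = time.time() if now is None else now
        g = Grant(user, system, frozenset(actions), now + minutes * 60)
        self.grants[(user, system)] = g
        self._audit("grant", user=user, system=system,
                    actions=sorted(actions), expires_at=g.expires_at)
        return g

    def authorize(self, user, system, action, now=None):
        """Return True only for an in-scope action inside a live grant."""
        now = time.time() if now is None else now
        g = self.grants.get((user, system))
        if g is None:
            reason = "no grant"
        elif now >= g.expires_at:
            reason = "grant expired"
            del self.grants[(user, system)]   # expired grants are revoked, not kept
        elif action not in g.actions:
            reason = "action not in grant"
        else:
            reason = None
        self._audit("allow" if reason is None else "deny", user=user,
                    system=system, action=action, reason=reason, at=now)
        return reason is None
```

A production broker would back the audit log with an append-only store and have the grant step require an approver, but the three limits and the per-decision record are the core of the approach.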
To succeed in digital transformation, agencies need IAM that addresses familiar security challenges and positions agencies for success. Fully utilizing government guidance, while still supporting legacy systems, taking advantage of automated capabilities and maintaining a thorough approach to privileged accounts that includes recording account activity, can help organizations become more agile, informed and secure. With this in mind, CIOs can begin to approach IAM as a mission enabler central to their digital transformation initiatives and remove the barriers that prevent them from acting on cybersecurity.