Government data security has never been more crucial than now in the age of the cloud and digital modernization across federal agencies. But it’s a tall order to make network and cloud access resilient and safe from data loss for a global and mobile workforce across countless federal agencies.
The challenge lies in providing a streamlined access and secure communications solution for access to applications, the network and facilities that doesn’t have inherent flaws or gaps. The VA’s lack of resilient password/access management and strong authentication identified in the 2018 FISMA Audit is just one example.
There are, however, several initiatives and approaches taking root to combat these problems. The overriding goal is to achieve the network resilience and data security that government and military environments must have in the digital age.
Moving to Zero Trust in Federal Agencies
There has been a great deal of discussion and planning for implementation of a Zero Trust (ZT) approach in federal agencies. The timing isn’t a coincidence as cloud and mobility take center stage during current Federal IT modernization initiatives. Numerous outlets including Federal News Network and GovLoop report that a ZT pilot program could start in the summer of 2019 with support from OMB and others surrounding FISMA.
ZT concepts like public key infrastructures (PKI), common access cards (CACs) and personal identity verification (PIV) cards are not new. More than just a single source of truth for employee identity, ZT is about placing zero trust in people, devices, and applications. Its overall goal is to authenticate and authorize absolutely everyone regardless of location or device.
In a cloud-based world where applications no longer live in a centralized data center, ZT is the ideal approach to global and mobile personnel operating beyond the edge of the network. It decreases the need for complex systems within security architecture and creates a more transparent and manageable identity access authorization process.
Federal Personal Identity Verification (PIV) use cases for access control
Personal Identity Verification (PIV) Cards have become a central building block in government data security and identity access management within federal agencies. It makes countless use cases possible through access to facilities, systems, networks, applications, communication, and desktops. The ability to make PIV a uniform approach throughout all federal agencies in a holistic integration with ZT is the next step in the evolution of identity access management (IAM).
NIST made revision recommendations for SP 800-116 to bring broad and uniform use of PIV in facility/system access. These technical guidelines would go a long way to providing true government data security and access across all government facilities and systems.
Cloud Identity Management and PIV Derived Credentialing
As the cloud becomes a focus of federal modernization initiatives, they must put effective mobile and cloud identity programs in place. A software-only solution with cloud services managing the life cycle of PIV and DPC is being explored by agencies and departments. This SaaS approach goes to the heart of the bond sought between ZT and simplicity in universal access management implementation.
The U.S. Department of Defense’s (DoD) “Deliver Uncompromised” proposal places security on a par with cost, schedule, and performance. This approach to driving defense technology and other acquisitions looks at PIV derived credentialing to eliminate vulnerabilities.
PIV derived credentialing aims to eliminate the need for re-credentialing for separate device access via an issued PIV card. While this may help development of a universal mobile device access approach, it embeds credentials into the device, which goes against the tenets of ZT.
A Holistic Approach to Cybersecurity and Identity Frameworks
There are several missing links to making ZT a workable cybersecurity and IAM approach across all federal agencies. There are however government data security solutions that can overcome all these challenges by doing the following:
- Providing anywhere, anytime, any device access to data and applications
- Ensuring that data never leaves the network or is stored on a device
- Integrated PKI, MFA and other security measures.
- Simple and universal device access solution that also simplifies universal identity access management for IT and administrators.
- Seamless integration with existing and evolving PIV and CAC systems
Federal agencies must find solutions that combine total data access management with a secure communications solution. This remote data access solution will make it possible for federal agencies to achieve government data security that can meet the needs of evolving threats, personnel, and digital transformation.