2020 marks the start of a new era in government IT, with talks of a Zero Trust Architecture. Federal, state, and local government IT leaders are quickly scaling work from home support levels, despite many organizations lacking needed infrastructure and security controls for a perimeterless work environment.
To learn more about how telework is changing the government landscape, and our approach to security, MeriTalk connected with Kelsey Nelson, Senior Product Marketing Manager, Okta.
MeriTalk: Tell us a bit about your experiences over these past weeks, as you’ve supported government agencies’ efforts to meet telework needs.
Kelsey: Government agencies are on the front lines of this crisis. Not only has the public sector needed to enable remote access, but they’ve also had to enable interoperating and collaborating across different agency teams and partners – and they’ve needed to do it fast.
There’s an immediate need for an approach to security from agencies to provide employees with remote access to the resources they need. For some agencies, it was not such a daunting task to roll out telework, as they’d spent the last year or two modernizing their core IT infrastructure and putting fundamental building blocks in place. Others found themselves challenged as they did not have the capacity to support the expanded remote work.
Even those agencies that were able to scale telework quickly faced challenges given the duration of the current situation. Weeks and months of remote work will require previous capabilities reserved for on-premises to become available in the cloud – securely.
MeriTalk: What challenges are agencies continuing to face with securing the remote environment?
Kelsey: Many government employees may now need to use personal, non-managed devices to access agency resources, such as on-premises applications. And, to collaborate in the new environment, government employees also need new tools such as those for video conferencing, messaging, etc. Agencies need to enable secure, remote access to tools already on-premises, as well as identify how to approach these new tools that employees might need to access.
Right now, the traditional perimeter doesn’t exist – and federal agencies need a better understanding of risk. The first step is understanding and enhancing the security model around who is trying to access those resources. This feeds directly into building a Zero Trust strategy. Okta and MeriTalk partnered on new research last fall, Zero Trust Maturity Across the Federal Government, finding that while the majority of agencies didn’t have a robust Zero Trust plan in place at the time for building a Zero Trust Architecture, many agencies have deployed a solution that maps back to a modern Zero Trust framework.
Government remote security stretches beyond telework. We also must prioritize a secure, seamless experience to constituents. Okta’s been working with agencies to maneuver the sudden dramatic increase in citizen demand for documents and information that were previously only available in-office. We are scaling capabilities for driver’s licenses, social services, etc. for citizens who are relying on smartphones, tablets, and laptops for public services.
MeriTalk: In January 2020, the National Institute of Standards and Technology estimated that the Federal government and its base of contractors combined use nearly 5 million personal identity verification (PIV) cards. One contractor estimates that the Department of Defense has approximately 4.5 million common access cards (CACs) in use at any given time. Why has this become an issue while ramping up telework? What alternatives to PIV and CAC are agencies exploring?
Kelsey: In order to use PIV or CACs, there must be a tool to read the card. While government is at almost 100 percent telework, the challenge is integrating the authentication process into employees’ new workstations. To put this into context, if there are five million PIV cards in Civilian agencies and 4.5 million CACs in DoD, there needs to be a reader for each.
Some agencies have begun to explore an alternative that still provides the same, strong assurance as PIV cards or CACs, but isn’t a physical card. The FIPS 140-2 Validated Okta Verify offers a mobile application with a compliance validated authenticator. It gives agencies flexibility to determine whether resource access can be authenticated by a mobile factor, or whether it still requires a PIV card or CAC for that particular resource.
By bringing in more context, such as what device the user is authenticating from, whether it’s a government-assigned device, or if it is a government network, agencies can build a more holistic approach to security and picture of risk with a diversity of high assurance factors.
MeriTalk: What immediate steps should agencies be taking to secure the expanding perimeter? How can these short-term investments play into the long-term security strategy?
Kelsey: For near term solutions, we’re seeing agencies use VPNs with added multi-factor authentication to securely access on-premises resources and monitor traffic. Okta’s Single Sign-On (SSO) and Multi-Factor Authentication (MFA) can help agencies use VPNs quickly and consolidate all of their cloud applications, by giving the IT team visibility into what users are accessing.
To further reduce risk, agencies can start to automate functionalities, such as granting privileged access to new applications, on-boarding and off-boarding, and provisioning applications. Automatic off-boarding and de-provisioning helps ensure that users don’t have indefinite access to an application or information. It’s especially critical to automate the provisioning and de-provisioning of user accounts as we continue interagency collaboration and add new tools for information sharing.
Starting with identity and access management will help agencies lay a strong foundation for other components, such as a Zero Trust Network Access vendor or device signals, which can allow a shift from reliance on VPN.
MeriTalk: Eventually, we will go back to our offices. How do you predict this unique situation will change how agencies approach identity management in the future?
Kelsey: It’s now more important than ever to prioritize IT and security modernization. Forrester’s “A Practical Guide to A Zero Trust Implementation” from January 2020 suggests that identity and device serve as the foundation as agencies establish a Zero Trust Architecture.
With today’s reality where everyone is outside the perimeter, Zero Trust is not just what we’re building towards, but it’s here. In this perimeterless environment, I predict as we move forward, identity will emerge as a priority across the public sector.
I also believe that citizens will come to expect a more digital customer experience, without sacrificing the security of their documents. To keep pace with these rising expectations, agencies will need to update legacy Customer and Identity Access Management (CIAM) strategies to a modern, cloud-based CIAM approach.
MeriTalk: It can be difficult to see the little wins these days. Have you seen or heard any tales of positive gains in identity management that might help inspire our readers?
Kelsey: Personally, I think the key to continue this momentum is keeping the citizens at the heart of what we do.
Together, government agencies on the frontlines have been able to work together and continue serving citizens during this crisis. And, the key foundation to enabling that collaboration is identity and access.
As government works to better understand what the future looks like, we’ve seen Federal, state, and local agencies collaborate to understand the best ways to provide not only remote access, but a path forward on how we can come out from this even stronger.