How government is tackling the identity access challenge

Lloyd McCoyWritten by | Uncategorized

You’ve likely heard by now that the federal government recently passed a budget that secures funding through the rest of this fiscal year. Coupled with the FY19 budget request, we now have a pretty good view of what the public sector’s IT priorities are for the next couple of years. Fortunately for cyber vendors, security remains at the apex of what the government cares about and we see that reflected in the steady increases in cybersecurity spending.

The federal government requested about $15 billion in security spending for FY19, about $500 million more than what was requested for FY18. Over $2 billion of additional security spending occurs at the state and local levels.

Much of the billions the government is set to spend on security will be connected in some way to Identity Access Management (IAM) with over half of the funding dedicated toward ensuring the defense and civilian sectors’ sensitive networks have the right protections in place.

This doesn’t come as a surprise because after all, government agencies aren’t immune to breaches, both external and internal. And we all know what can happen when government databases are breached. Also, the stakes have never been higher given the rise of ransomware and IoT attacks.

So much of what we’re reading in the news about government surveillance and data leaks and breaches has so much to do with security, privacy and access. Despite all the incidents, security is going to continue being a major concern given that people love the freedom and convenience of things like mobile devices and being able to work wherever they want.

At the same time, businesses are just now seeing the promise of internet of things solutions, especially in government agencies. But security in IoT is still a major hurdle, causing some agencies to pump the brakes a bit.

There may be a continuing stream of risk, but there’s also opportunity, especially for companies with Identity Access Management (IAM) solutions that can address some of these valid security concerns.

Here are three challenges to think about as you create a strategy for selling IAM solutions to the public sector:

Identity Access is Getting More Complex
The next couple of years are set to see major cloud contracts awarded and more decentralized cloud adoption. Hybrid cloud environments will increasingly become the new norm, complicating IAM requirements. From the citizen facing services we see at the local levels to classified networks, increasing cloud adoption, and complementary regulations, bring with it complexities and thus opportunities for you.

Security risks will always be a part of our lives with technology. Especially since consumers and corporate users aren’t willing to cut out smart and mobile devices despite the continued threat of hacks and surveillance by government agencies or even competitors.

So what’s the solution? Government agencies now realize that the focus is better suited to reducing risk, versus the pipe dream of totally eliminating cyber threats. For consumers, passwords on smart TVs, cameras and other connected devices should be changed as often as they change computer passwords.

For government agencies and enterprises, the solution could be as simple as workforce training on passwords and covering laptop cameras to IT solutions that create a layer of protection somewhere in the connected device’s gateway.

Where industry can help is with getting the government to achieve, or at least approach 100 percent multi-factor authentication and single sign-on. Network segmentation, just-in-time privilege access and recuing the need for VPN access are other areas of risk reduction where government agencies have said they need assistance from industry.

Mobile workers increase risks

President Trump’s federal budget proposal includes IT spending increases, and overall funding boosts to most government agencies. What this means for the federal workforce is unclear but there remains momentum toward bigger telework programs to reduce real estate costs.

With telework comes bigger risk for breaches and other security concerns. Many remote employees have security software set up on their computers and devices, but how effective are they? Are they too cumbersome or do they protect enough?

This is another insertion point for IAM tools that protect mobile devices. As government agencies seek to take distance out of the equation, they will need uncovering and protecting against all the threat vectors that come about as agencies move their networks further out and into people’s homes. The growing use of classified mobile computing, particularly in the Department of Defense, makes the importance of credentialing and privileged access greater than ever.

IoT is great, but is it secure?

The public sector has slowly been implementing IoT projects even though the technology has been deployed without thinking of security first. The truth is anything with a chip that’s connected to the internet is vulnerable to hacking.

State and local governments seem to be further along than the federal government in implementing IoT solutions and tackling the security implications. Some states like Washington are migrating to IPv6 to be able to centrally manage its internet protocol addresses. That step will open the door for a more secure IoT strategy for the state.

But Oakland County, Mich., has been extremely cautious when it comes to IoT because of the risk of hacking. State and local governments worry about a range of potential threats, from a hacker shutting down the air conditioning in a data center to an adversary taking control of a city’s internet-connected lights. Oakland County is installing a new building management system that will be centrally controlled, with the connection over a secure fiber-optic network. IT managers can dial in remotely via the internet but it will be through a secure “tunnel” connection requiring two-factor authentication.

State and local IT leaders are admittedly nervous about IoT because of the security aspects. Many industries like HVAC for instance, have little experience dealing with the cybersecurity threats that IoT can pose. State and local governments need better engagement with industry to ensure the right security is in place.

Want more insight on public sector and commercial IT trends? Learn more about what Arrow ECS’ market intelligence organization

Editor’s Note: This post originally appeared March 21, 2017 and has been updated for accuracy and comprehensiveness.

By Lloyd McCoy
Manager, Market Intelligence
Arrow ECS and immixGroup, an Arrow company

Last modified: May 2, 2019