WIXLIB

CREATE & MAINTAIN AN IDENTITYSource: idmanagement.govWhen an employee or contractor onboards at an agency, their identityinformation is collected and stored to act as their digital proxy in ITsystems. This information is stored within an identity record, which maybe modified or deleted as needed.Once this digital identity record is established, it may be pushed to othersystems from an authoritative source and provisioned access permissions.Employee sourceDatarepositoryChange to theidentity record1. INFORMATION POPULATEDPersonnel information is populated into theauthoritative source. Sources for this informationcould include onboarding documents or HR systems.2. NEW IDENTITY RECORD CREATEDThe authoritative source sends the information tothe system’s data repository.3A. MODIFY RECORD3B-1. MODIFY RECORDMANUALThe administrator receives a change requestand updates personnel information in theauthoritative source.The individual uses an agency application toupdate their personal information.3B-2. MODIFY RECORD3C. DELETE RECORDThe administrator deletes the identity recordwithin the authoritative source when notifiedthat deletion is required.SELF-SERVICESELF-SERVICEThe agency application updates theindividual’s identity record within theauthoritative source.X4. DATA REPOSITORY UPDATEDThe authoritative source updates the availableidentity information to the data repository.Your Guide to Identity and Access Management7

Carahsoft Solutions PortfolioIdentity and Access ManagementIdentity and Access Management have become crucial to organizations’ security, helping themstay secure and compliant at the same time and never compromising one for the other. Carahsoftrepresents best-of-breed solutions, providing agencies with a multi-faceted approach involvingsecurity, governance, automation and controls, and federated identity based on virtualization.See how agencies are benefiting from these solutions in the use cases featured below, and learnmore at carahsoft.com/identity.Carahsoft’s Identity and Access Management solutions are available through its reseller partners on a variety of contractsincluding Carahsoft’s GSA Schedule 70, SEWP V, NASPO ValuePoint, National IPA, and numerous state and local contracts.CyberArk: Managing Privileged Accounts & CredentialsA federal government agency was struggling with balancingsecurity with productivity as well as rampant passwordreuse across multiple accounts. They found that their ITadmins had more privileges than they truly needed, andthere were too many endpoints with local administratorprivileges. The agency knew they needed to be betterprepared for an audit, and they were also driven by anexecutive mandate.The agency wanted a solution that could provide forprivileged access security to limit the exposure ofprivileged credentials; enforce strong passwords, storethem in an encrypted vault, and rotate them; and secureinfrastructure and assets in the cloud.They turned to CyberArk to protect their highest-valueinformation assets, infrastructure and applications,8deploying CyberArk to secure privileged credentials in avault, rotate credentials based on policies, and secure androtate shared service accounts.The agency also plans on managing the following types ofprivileged accounts, credentials and secrets with CyberArkin the next 12 to 18 months: Domain admin accounts;Microsoft Windows admin accounts; NIX admin accounts(UNIX and Linux); and database or application adminaccounts.Since adopting CyberArk, the agency reports that they arenow more secure, that the time and cost of audit reportinghas been reduced, and that the time required to manageand maintain privileged account and credential security hasbeen reduced significantly.A GovLoop Guide

Okta: Improving Security, Reliability, Scalability & User ExperienceOkta helps governments around the world serve citizensbetter with increased security and reduced cost. Lately,they’ve been noticing a trend in the government agenciesthey work with.“We are seeing agencies that hope to modernize citizenand public-facing properties,” said Ted Girard, VicePresident Public Sector, Okta. The Centers for Medicareand Medicaid Services (CMS) selected Okta to transitionthe agency to a modern and flexible identity architectureand to build the Quality Payment Program (QPP) interface,centered around shifting U.S. healthcare to a value-basedpayment model and away from traditional fee-for-service.“They chose Okta’s Identity Cloud to improve the security,reliability, scalability and user experience for its QPP webpresence,” Girard explained. The QPP is the external facingsystem that interacts with all healthcare professionals whoprovide Medicare and Medicaid services.“CMS and their users had such a good experience after theportal was modernized, that they have now brought us in towork on internal-facing portals for them,” Girard said.The State Department’s Directorate of Defense TradeControls had a similar experience when they modernizeda paper-based system that interfaces with aerospace anddefense contractors. They chose Okta as the IAM solutionfor their custom applications.“In short, we’ve noticed that the first things gettingmodernized are public-facing properties, and then thatpositive experience leads an agency to want to do this fortheir employees and contractors too.”Radiant Logic: Building a Modern, Flexible Identity ArchitectureThe Department of Homeland Security (DHS) consistsof numerous different programs and agencies such asFEMA, TSA, and the US Borders and Protection Agencies.Its employees needed fast and secure access to theDHS network for email, facility control, training andattendance systems. However, identity and attribute datawas fragmented across multiple data repositories, andincorporating change required manual, repeated steps. Inaddition, every internal system used a unique collectionof the user’s digital identity and credential data. Keepinga high degree of access control over this wide array ofapplication types and points of entry presented a constantchallenge to the DHS’s IT personnel.To help aggregate all identities for proper authenticationand authorization, DHS set up the Trusted IdentityExchange (TIE), enabling and managing the digital flow ofidentity, credential, and access-management data for DHSemployees and contractors. TIE is powered by RadiantOne,a federated identity and directory service based onvirtualization. It establishes connections to variousinternal authoritative data sources and provides a secure,digital interface to other DHS consuming applications —essentially a ‘one-stop-shop’ of trusted identity information.This cross-agency federal identity infrastructure canproduce the specific composite views required by eachapplication. RadiantOne is now a key enabler for manyimportant DHS initiatives, including the DHS DataFramework, Personal Identity Verification (PIV) Smart Cardusage, Single Sign-On (SSO) and fine-grained, attributebased authorization.SailPoint: Providing Identity Access Management for Custom ApplicationsOver the past year, Karen Wrege, CIO, Department of State’sDirectorate of Defense Trade Controls (DDTC), led a major“cloud first” IT modernization effort to improve efficiency andsecurity for DDTC employees and external customers.Tasked with modernizing DDTC’s IT platform, Wrege’s teamlaunched the Defense Export Control and ComplianceSystem (DECCS) in February 2019. This online portalprovides industry with consolidated access to neededDDTC applications, and significantly streamlinesoperations. It also gives thousands of external users accessto a system housing millions of Controlled UnclassifiedInformation documents.After attempting a custom solution, the team explored aCOTS IAM solution, looking for one that would providesecurity for users within and beyond their network,Your Guide to Identity and Access Managementintegrate custom and SaaS applications (new existingtechnology), and could be procured quickly. Based onmeeting the wish list objectives and other governmentsuccessful government uses cases, Wrege selected Oktaas the IAM solution for their custom applications andServiceNow implementation.DDTC’s new IAM strategy has reduced customer wait timesand improved the customer experience. After a successfulimplementation, the Department of State recently assessedIAM requirements to satisfy the need for on-premisesIAM for thousands of domestic employees — and an evengreater number of personnel serving overseas. Based onthe assessment, the team identified criteria, ultimatelyselecting Radiant Logic, SailPoint, CyberArk and Okta tosupport all users internal and external.9

Identity and Access Management inthe Federal Government TodayCURRENT LANDSCAPEIAM is not just about doing security to comply withgovernment requirements. Instead, it’s a meansto ensure the consistency and trustworthiness ofgovernment services, especially as digital optionsexpand.This expansion means that office walls no longerdefine agencies’ perimeters because employeesare increasingly accessing resources and dataremotely from various devices. In light of these andother changes, OMB issued updates to the federalgovernment’s ICAM policy in May 2019. Among otherthings, the policy calls on agencies to take a riskmanagement approach to identity management andalign with NIST guidelines.Gone are the days when simply adhering to achecklist of security mandates was enough to defendagainst online impersonators, fraudulent claims andother attacks. Agencies must understand the uniquerisks they face and use that information to drivewhat technologies and mitigation strategies canreduce them, according to NIST Special Publication800-63 revision 3, which establishes digital identityguidelines for federal agencies.The policy update also calls on agencies to shift frommanaging who has access inside and outsidetheir perimeter to using identity as the foundationfor managing risks resulting from attempts to accessfederal resources. Having stronger authenticationmethods in place requires malicious actors to havebetter capabilities and expend greater resourcesto successfully subvert the authentication process,according to NIST.Following the massive Office of PersonnelManagement (OPM) breach in 2015, the Obamaadministration launched a 30-day cybersecuritysprint to assess and improve the health of federal IT.That decision set into motion an accelerated effort toensure all users, especially privileged account holderssuch as system administrators, use PIV cards toaccess federal networks and systems.Those efforts are still being felt today, accordingto Sabari Gupta, an IAM expert. Even if agenciesare not fully compliant with the federal directiverequiring PIV cards, they areprioritizing the use ofthese credentials forFederalaccount holdersagencieswho couldenforce the use ofdo the mostPIV cards among 93 percentharm to theof their privileged users, ororganization.those who have access tolarge amounts of sensitiveagency and citizendata.93%

WHY IS IAM ESPECIALLY IMPORTANT NOW?The number of digital transactions between thepublic and government agencies is rapidly increasing.Citizens can skip in-person visits, and with a fewclicks or swipes, they can file taxes, apply for foodassistance and renew a license.Although the rapid expansion of digital services hasgiven the federal government faster, more reliableoperations and connections with the public, it hasalso shed light on IAM’s critical role in providing aseamless digital experience.IAM is particularly important now as technologiessuch as cloud mature and older IT systems becomeobsolete. “A new set of challenges has emerged,because information about individuals has becomemore widely available through social media andbreaches of personally identifiable information (PII),”according to the OMB memo on ICAM. “Identitymanagement has become even more critical to thefederal government’s successful delivery of missionand business promises to the American public.”Agencies must adopt identity validation solutionsthat enhance privacy and mitigate negative impactson the delivery of digitalservices and maintenanceof online trust.64%HOW DOES IAM SUPPORT IT MODERNIZATIONAND OTHER EFFORTS?As noted earlier in the guide, IAM underpins manygovernment efforts, including conducting backgroundinvestigations, managing access to federal IT assetson-premise and in the cloud, and deploying emergingtechnologies such as RPA.IAM allows for secure and frictionless informationsharing with the right people at the right time, andthis is especially important as more governmentservices move to cloud-based models. To support theincrease of mobile technologies, OMB has made clearthat agencies should use derived credentials, whichprovide strong authentication for mobile devices.With the rise of automated tools that can take onidentities of their own, agencies must be capable ofmanaging digital identities for RPA tools and AI.Your Guide to Identity and Access Managementof U.S. federal ITleaders view identitymanagement as criticalto cybersecurity.For example, softwarebots can run unattendedand work round-the-clock, meaninga person does not have to physically oversee all thework a bot is doing. This is great for productivity, butautonomous bots can raise security concerns.That’s why OMB requires agencies to ensurethat digital identities for automated tools aredistinguishable, auditable and consistently managedacross the agency. “This includes establishingmechanisms to bind, update, revoke and destroycredentials for the device or automated technology,”according to the memo.11

Modernizefasterwith OktaAgencies need innovative solutions tomodernize infrastructures, increase security andreduce cost while serving citizens better.Identity Management is the hidden acceleratorfor secure digital transformation.Okta provides FedRAMP compliant cloudidentity solutions that help governmentagencies do more faster.www.okta.com/solutions/government10 A Govloop Guide

INDUSTRY SPOTLIGHTMitigating Threats While Enablingthe Citizen ExperienceAn interview with Ted Girard, Vice President of Public Sector, OktaAgencies today are looking to better reach citizens andimprove internal processes, all while staying ahead ofmodern threats.management (ICAM) policy, encouraging the use of moreflexible solutions, supporting pilots for new authenticatorsand requiring agencies to create an ICAM team.But as agencies focus on these efforts, they must bemindful of mitigating dangers to their data.The memo notes: “While hardening the perimeter isimportant, agencies must shift from simply managingaccess inside and outside of the perimeter to using identityas the underpinning for managing the risk posed byattempts to access federal resources made by users andinformation systems.”Credential-based attacks – such as phishing, passwordspraying, brute force and more – are common vectors thatcan be mitigated with strong multifactor authentication,built into the workforce/IT experience and also constituentfacing programs.Whether your agency is building a new citizen-facing portalor unifying a constellation of existing services, there areways to prevent these credential-based attacks and makeweb and mobile access secure, compliant and frictionless.“Today, people are accessing more resources from morelocations than ever before, changing the dynamic awayfrom the previous ‘castle-and-moat’ or perimeter-styleapproach to security and instead centering controls aroundthe only commonality in today’s environment: people – andtheir identities,” said Ted Girard, Vice President of PublicSector at Okta.“By tackling security from a zero trust lens – and we’veheard from a number of customers that identity is oftenwhere they start on their zero trust journey – they’ll bebetter equipped to mitigate today’s threat actors, especiallythose employing the common credential-based attacks.”“The memo aligns really well with how Okta sees identity’srole evolving both from a management and security/privacyperspective in government agencies,” Girard explained.“Okta can play a role in supporting major IT modernizationprojects, as well as in improving security for agencies.Our cloud-based, industry-leading identity and accessmanagement platform comes with all of the tools you needto manage a complex user base at scale.”IT and security leaders recognize the need to adopt new,often cloud-based technologies to better support andsecure their workforces and constituents, but they’realso faced with decades’ worth of legacy technologies,regulations and processes that stifle adoption and growth.“Okta can help make the transition easier and moresecure, which is why today dozens of agencies useOkta to consolidate disparate systems, securely adoptcloud services and find new ways to better reach theirconstituents,” Girard concluded.To this end, the Office of Management and Budget (OMB)recently updated its federal identity, credentials and accessTAKEAWAY:“Today, people are accessing more resourcesfrom more locations than ever before, changingthe dynamic away from the previous ‘castle-andmoat’ or perimeter-style approach to securityand instead centering controls around the onlycommonality in today’s environment: people —and their identities.”Your Guide to Identity and Access ManagementAgencies must shiftfrom simply managingaccess inside and outsideof the perimeter to usingidentity as the basis fortheir security posture.13

IAM FEDERAL POLICIES,GUIDANCE, STANDARDSFEDERAL LAWS THATIMPACT IAMOMB’s “Enabling Mission Delivery through ImprovedIdentity, Credential, and Access Management” memoupdates the federal ICAM policy. (May 2019)The Privacy Act of 1974 covers the privacy ofindividual federal records, including systems thatrequire the retrieval of records based on PII such asSocial Security numbers.NIST Special Publication 800-63 revision 3 providestechnical requirements for federal agenciesimplementing digital identity services. (June 2017)The White House’s National Strategy for TrustedIdentities in Cyberspace enhances the securityand privacy associated with online transactions.(April 2011)The Federal Identity, Credential, and AccessManagement Roadmap and ImplementationGuidance provides a common framework for rollingout ICAM programs across government. It alsoincludes a variety of use cases for managing internaland external identities. (December 2011)HSPD-12: Policy for a Common IdentificationStandard for Federal Employees and Contractorsis a strategic initiative intended to enhancesecurity, increase government efficiency, reduceidentity fraud and protect personal privacy. Itrequires the development and implementation of agovernmentwide standard for secure and reliableforms of identification for federal employees andcontractors. (August 2004)To review other federal policies and standards thatimpact and shape the implementation of ICAMprograms and systems, visit arch.idmanagement.gov/standards.14The Health Insurance Portability and AccountabilityAct protects personally identifiable healthinformation by mandating privacy compliancewith federal guidelines. IAM is crucial to the use offederated identities, single sign-on (which allows foraccess to multiple, in

Source: Identity Management Institute Accounting The process of keeping track of a user's activity while accessing the system resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Source: Identity Management Institute Authentication