Evolving identity management crucial for federal cybersecurity, but budget woes slow adoption
A new survey of federal IT leaders cites identity management as one of the most important methods for protecting agency networks, but slimmed-down budgets make it hard to implement effectively.
The survey, conducted by Market Connections and sponsored by Unisys, queried 200 federal IT executives about agency IT vulnerabilities, challenges and the role identity management — how networks validate the access of the people working on them — plays in those.
More than half of those respondents pointed to sophisticated external threats and possible breaches from increased mobile device use as their top concerns for IT security in the last year. Another 44 percent cited software vulnerability patching as their top worry.
Identity management could help address some of those concerns — 68 percent of respondents said better controls on access provide a major benefit to increased cybersecurity.
However, the technology is evolving, and agencies may have a tough time keeping up.
“Without over-dramatizing, I think we now have a crisis of what we call digital trust,” Venkatapathi Puvvada, president of Unisys Federal, said at the company’s Federal Digital Trust Symposium Wednesday. “The crisis is because of the complexity of what we are dealing with. IT used to be simple, you used to have a mainframe, you used to have terminals. You had to come to the office to do everything.
“Now in the world of cloud, microservices and digital services probably everywhere, it’s pretty complex,” he said. “So this crisis is because it’s really hard to get a holistic understanding of security risk. There are a lot of attack vectors.”
With the growing proliferation of mobile devices and the accessibility of new technology, experts said that identity management has moved beyond the personal identity verification smartcard technology established by Homeland Security Presidential Directive 12 in 2004 and should now be considered an ecosystem comprised of trusted devices, services, connectivity and identities. To address that, the National Institute of Standards and Technology issued new guidelines for agencies to manage digital identity this past June under its SP 800-63 revision.
But with slim and uncertain budgets, updating the technology needed to meet those guidelines could pose a tough hurdle.
Thirty-eight percent of the survey respondents said budget limitations posed a significant challenge to migrating their networks to an identity-based security management system, and only 16 percent said that current identity-based tools are fully automated and integrated with their networks.
David Temoshok, senior policy adviser for NIST’s IT Laboratories, said that the next step for the agency is to release implementation guidance for the 800-63 guidelines to provide both agencies and industry a pathway forward to procure new technology that is best tailored for their needs.
“The implementation guidance is intended to give not alternatives but guidance on how best do you go about satisfying these requirements in a way that’s going to meet your environment, your control needs, your agency mission needs and also your costs in designing your risk management approach,” he said.
Puvvada added that artificial intelligence could help develop the identity management ecosystem, but that doing so will take ongoing collaboration between government and industry.
“I think there is a lot more that needs to be done in bringing together all of this,” he said. “Whether it’s through an identity center of excellence or making this to be a more new generation [of identity access]. It’s not about the PIV card anymore, it’s not about [public key infrastructure] anymore. It’s about this whole combination of these things.”