Gerald Caron, chief information officer (CIO) and assistant inspector general (IG) for information technology at the Department of Health and Human Services (HHS), said this week that sustainability and continuous authentication are two of the keys to a robust identity and access management (IAM) strategy as Federal agencies move to comply with President Biden’s 2021 cybersecurity executive order, which requires migration to zero trust security architectures.
During ATARC’s Identity and Access Management Virtual Summit on Aug. 2, Caron explained that automation is a key driver for sustainable identity management and zero trust. But at the same time, Federal agencies are “dealing with legacy applications… and breaking through that is a task, and it’s no easy feat,” especially in the hybrid work environment, he said.
“There are some great things that can be happening around this area, and the technology is getting even better all the time. We want to be able to automate as much as possible,” Caron said.
He also warned that agencies seeking to improve security and identity management cannot rely on an IT network as the enforcer of security. Zero trust, he explained, has changed the role of the network to a “transporter” – moving a user from point A to point B – and there should be continuous authentication throughout that process.
The HHS OIG, in particular, has turned its focus to sustainability and automation as it continues to build out authentication tools and move toward zero trust, he said.
Caron also explained that there are different methods of identity proofing that can lead to varying levels of risk.
“[It] depends on what I’m going to allow you to do once you get to that authoritative identity,” he said, adding that in that context agencies “can start to look at automation of the provisioning and de-provisioning.”
Then, agencies can “take in all these factors and understand all this information, then bring it into this engine to create a confidence score [dynamically],” Caron said. “We have to bring all this telemetry in, so it’s important to do a lot of integration throughout this journey.”