As Federal agencies continue to keep a majority of their workforces teleworking – and may continue to do so for the longer term as the coronavirus pandemic heats up again – keeping identity management practices a top priority has been a key ingredient in Federal agency cybersecurity efforts.
Identity management and understanding new vulnerabilities in evolving IT environments were among the primary messages from Bo Berlas, CISO at the General Services Administration (GSA), and Dan Conrad, Identity Access Management (IAM) Strategist with One Identity, at MeriTalk’s Threat Mitigation webinar on Nov. 17.
When it comes to understanding new threats in the IT environment, Berlas said the process starts with coming to terms with the “tectonic shift” of telework during the pandemic.
“I think it fundamentally begins with understanding that we’ve actually had a tectonic shift, and that data and access are democratized and no longer confined to our network spaces,” Berlas said.
The new environment is “likely to require a reimagining of how we effectively achieve good security outcomes,” the GSA CISO said. “This may seem rather obvious, but that realization, I think, is really key to what comes next, and that is the valuation of basic cybertech capability to really determine whether related people, process, technologies – like security – are effectively equipped to secure our users, our devices and our data, and a new work model.”
Conrad explained that the advent of widespread and persistent telework has accelerated a lot of work-from-home programs more quickly than agencies had planned. He said that agencies can prioritize data protection by making sure that as program roadmaps accelerate, they also ramp up necessary security steps along the way – whether that’s a shift to cloud, or multi-factor authentication.
And he added that the Federal government is actually years ahead of other sectors in the adoption of multi-factor authentication.
“The Federal government is … years ahead of many of the organizations in the world that didn’t embrace multifactor,” Conrad said. “It has been a huge enabler of the Federal government to enhance security protocols across the board, whether it’s standards or privileged users in an Active Directory environment.”
Active Directory, he said, “at its core is a single sign-on solution. Getting into that single sign-on solution is great, but now, once you’re in there, there’s a lot throughout the application or the system itself, that enables without regard for security, and things like multifactor enabling can get you a very secure front door and that authentication mechanism has done wonders for the Federal government.”
Active Directory, Berlas said, is used by 95 percent of enterprises, which makes it both a great tool and an attractive target for cyber actors. Perimeter security can only go so far in protecting telework environments, and GSA is making sure security is built from the core out, and that employees are properly trained on security.
“I think our users are incredibly important and perhaps one of the most important, effective means of control,” Berlas said. “And from a training perspective, that’s sometimes overlooked.” He added that “as practitioners, especially from a technology and cyber standpoint, we tend to focus on the tooling, but making sure that we have robust capabilities around training is incredibly important.”