Over the past year Karen Wrege, CIO, Department of State’s Directorate of Defense Trade Controls, (DDTC) led a major “cloud first” IT modernization effort to improve efficiency and security for DDTC employees and external customers.
DDTC regulates U.S. defense trade, working to ensure alignment with U.S. national security and foreign policy interests. This includes establishing defense trade regulations, issuing defense trade licenses, and enforcing compliance.
Wrege described DDTC’s legacy systems in a recent webcast hosted by FCW. “We have a lot of data. It’s in a lot of different places. It’s duplicated. It’s not easy to access…”
Tasked with modernizing DDTC’s IT platform, Wrege and team launched the new Defense Export Control and Compliance System (DECCS) in February 2019, an online portal to provide industry with consolidated access to needed DDTC applications.
“By the end of the year [we] will launch the entire suite and transform all the disparate systems into a single system,” says Wrege. “A single online access point for industry and a single set of tools for our internal users to be able to more quickly and more efficiently process registration applications, licenses, etc.”
Re-Thinking a Custom Build
DECCS significantly streamlines DDTC operations, Wrege explained. It also gives thousands of predominantly external users access to a system that houses millions of Controlled Unclassified Information (CUI) documents.
Wrege said they would typically build a custom Identity and Access Management (IAM) solution into the new platform, and the team initially took this approach with IAM for DECCS.
Wrege acknowledges this was a mistake, and they were not happy with the user experience. Once the team decided to explore a COTS IAM solution, the wish list included the need to provide security for users within and beyond their network, the ability to integrate custom and SaaS applications (new + existing technology), and the ability to procure quickly and easily – a FedRAMP ATO was important.
Protecting the New Perimeter
“I was at a ServiceNow conference and learned about the Federal Communication Commission’s use of SeviceNow and Okta,” Wrege said. She knew if it worked for FCC, it would work for the State Department.
Based on meeting the wish list objectives and the fact there was a proven case that was so similar to their needs, Wrege selected Okta as the IAM solution for their custom applications and ServiceNow implementation.
“The Okta Identity Cloud is a FedRAMP-certified platform that is built on independent identity services,” explained Ted Girard, vice president public sector, Okta on the FCW webinar. “For example, single sign- on, multi-factor authentication, provisioning and de-provisioning of users, ability to manage secure identities across APIs, and the ability to use a software development kit where you can embed Okta into custom applications.”
Faster, Better, More Secure
Wrege estimates that it took DDTC nine to ten months to custom-build and integrate IAM into their application, but it was complicated and did not provide an optimal user experience. Using Okta, DDTC replicated the custom builds in about two months.
Once deployed, the DDTC leveraged a set of plug-and-play digital certifications allowing them to easily incorporate use cases into the platform. Because Okta had worked closely with the Department of State and other Federal agencies with similar use cases, agencies can use anything in the federated bridge as part of the identity management process.
DDTC’s new IAM strategy has reduced customer wait times and improved the customer experience. The previous process for onboarding a super-user account involved faxes and letters, potentially taking up to a week. The modernized process enables the DDTC to migrate legacy users and even create a new super user account in seconds.
“We’re talking days to seconds,” said Wrege. “That’s the most impactful metric I can think of that brings it home to how simple this process is.”
The new approach is also reducing support requirements. “Identity can create so many help desk tickets and so many problems in terms of permissions,” Wrege said, “it’s really nice to have a company that is focused solely on that particular part of these applications.”
The Department of State recently assessed IAM requirements to satisfy the need for on-premises IAM for thousands of domestic employees, and an even greater number of personnel serving overseas. Based on the assessment, the team identified criteria, ultimately selecting Radiant Logic, SailPoint, CyberArk, and Okta to support all users internal and external.
“Yesterday the network was the perimeter,” said Girard. “We put everything we had in our data centers, protected the perimeter with firewalls and VPAs, and we got our identity as part of the application stack…”
“What we see today, is that this no longer works. Trying to extend this into mobile, cloud, SaaS environments is complex, time consuming, and doesn’t work as elegantly as systems purpose built for this modern compute era. Identity needs to be an independent, neutral platform,” he said.