The biggest difference between today and 10 or 20 years ago when it comes to identity and access management (IDAM) is how it has become critical infrastructure.
“We’ve been more focused on it as a capability to get into something versus how we think about it to leverage and protect data and prevent people from getting into something,” said Sean Frazier, federal chief security officer at Okta, during Federal News Network’s Zero Trust Cyber Exchange.
...We’ve been more focused on it as a capability to get into something versus how we think about it to leverage and protect data and prevent people from getting into something.
Federal Chief Security Officer, Okta
The biggest difference between today and 10 or 20 years ago when it comes to identity and access management (IDAM) is how it has become critical infrastructure.
“We’ve been more focused on it as a capability to get into something versus how we think about it to leverage and protect data and prevent people from getting into something,” said Sean Frazier, federal chief security officer at Okta, during Federal News Network’s Zero Trust Cyber Exchange.
Today, the identity and access management tools and tactics being developed lend themselves better to how people work and live now — in a mobile world, in a cloud world, Frazier said. He pointed to examples like using TouchID or FaceID to pay for a purchase in person or to conduct ecommerce on a mobile device. “All the new applications coming out are all going to adopt the new model and not adopt the old model,” he said.
Previously, IDAM focused on on-premise applications using a virtual private network and perimeter security. Agencies relied on the common access card (CAC) and personal identity verification (PIV) cards.
But the move to the cloud and the expansion of mobile devices creating an ever-increasing number of end points requires both a change in technology and thinking.
“It’s more about changing your mindset around security, and I think if you do that and adopt that more holistic approach to security, you have opportunities to simplify and not add complexity to your security and transformation efforts,” Frazier said. “Whereas if you look at the other way, the way we’ve looked at security for the last 20 years, we’re just layering one more thing on top of 10 other things that we’ve got to manage.”
The layers of security on top of the layers of identity and access management tools created a long tail that many agencies are digging out of as part of their move to zero trust. It’s not unusual for agencies to manage dozens of IDAM capabilities across their network, Frazier said.
“Whenever you bought an application, you got one of those for free. So next thing, you turn around, and you’ve got 60 of them — and 60 is not an exaggeration. I talk to agencies all the time that have 60 different identity and access management solutions that they’ve cobbled together as best they could,” he said.
“There’s a lot of expense in managing all those and a lot of expense in figuring out how to tie all those things together. So if agencies can take this opportunity to simplify and again, per the [zero trust] guidance move to a secure single, sign-on service delivery model, that is a way to pay for some of these other things around zero trust.”
One way to reduce the cost of IDAM capabilities is by using software as a service applications that rely on open standards such as Security Assertion Markup Language (SAML), OpenID Connect and WebAuthN.
“These open standards allow an agency that flexibility and allow the security and application ecosystems to thrive,” Frazier said. “One of the things about zero trust is it’s not a one-vendor solution. No one vendor can sell you everything around zero trust. We all participate in this together. The open standards allow us to work together to deliver this capability across all five pillars” of Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model.
What’s more, Frazier said, by relying on open standards, agencies can prepare for the future of identity and access management.
He said identity as a service that uses application programming interfaces (APIs) is where agencies and private sector companies are heading in the near future.
“The benefit of having this interconnected network is that we’re all connected every single day anyway. Whereas if you have these silos of data, it increases complexity. The only beneficiaries of complexity are attackers and never the users,” Frazier said.
By moving more toward to cloud for cyber capabilities, organizations can reduce complexity and lay the foundation for the most important thing in zero trust: protecting the data, he said.
The technology and tools are important, but the bigger change for many agencies as they adopt zero trust is on how they approach cybersecurity from a strategic direction.
That requires adopting a new mindset, Frazier said
“I think the Veterans Affairs Department is a great example where they are making it as seamless as possible and not making users jump through hoops. It’s about making it hard for attackers and not hard for users,” he said. “We have to make sure that users can, within a couple of clicks and maybe even a biometric login, get access to their medical records, get access to the things that are meaningful to them.”
To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.
Follow @jmillerWFED
Federal Chief Security Officer, Okta
