Federal Access Control Policies Require Holistic Approach
Posted by Courion Corporation on Mon, Aug 24, 2009
A few weeks back in a post on our blog, we discussed the shocking increase in the lack of compliance by government agencies with FISMA, as reported to Congress in a report from the U.S. General Accounting Office (GAO). That report showed that the number of information security incidents had more than tripled to over 16,000 in the past 3 years alone, directly pointing to access control weaknesses and poor password management as prime factors.
Why are these numbers increasing when security technology has advanced and awareness has risen about the potential disaster that data breaches can cause? For one, the ongoing search for a national cybersecurity coordinator hasn't helped matters. Recently, Mischel Kwon, the director of US-CERT, the Department of Homeland Security's research and response unit, resigned to take a position at RSA. That move was apparently in response to the cybersecurity leadership vacuum that has been growing since the resignation of Melissa Hathaway, formerly the top adviser on security and the architect of the administration's current policy on cybersecurity. The position has become so nebulous, wide-ranging and open-ended, that many top security experts and public officials have turned down the role, viewing it as a no-win situation. It is not clear when the leadership will come and from where.
Meanwhile, the General Services Administration's (GSA) e-Authentication Partnership that was initiated in 2004 was taken over and re-tooled by the Office of Governmentwide Policy last October, and the most recent advice from that office has been for federal agency leaders to "consider projects to keep pace with government-wide identity management initiatives." Not very specific guidelines, are they? In fact, there are several government consortiums (at least six according to a recent article by Alice Lipowicz for Federal Computer Week) that are currently working to create a blueprint for how federal agencies should be controlling access to shared data, and terms like "trusted federation," "authentication" and "credentials" are often used to describe the plans.
While cybersecurity leadership is clearly needed to drive security reform and get everyone on the same page in terms of how data should be shared responsibly, there is a major issue that agencies can address now, and that is the way in which access control and identity are viewed at the federal level.
Currently, identity management is tackled from an authentication perspective, meaning access to applications or systems is granted based on whether an employee is authenticated as being him or herself. However, this is really only the first step in a true Access Assurance strategy. Proving that an individual is who they say they are only provides one layer of security. It doesn't take into account many other factors, including whether someone's role in the organization or agency makes it necessary for him or her to have access to certain information at all. Also missing from a basic authentication strategy is the remediation of open access that should have been closed due to an employee leaving the organization or changing roles. Authentication or verification of individuals, while needed, does not provide a full access profile.
There is a need for a more overarching Access Assurance strategy across agencies, which will enable access compliance and transparency with regard to access control, ensuring that the right people have the right access to the right resources and that they are doing the right things. Agencies should seek to widen their view of Access Assurance now while the wait for cybersecurity leadership continues, so they'll be ready to tackle the many inevitable changes that will be on the horizon.
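The gap the two paragraphs above describe, between "is this person who they claim to be" and "should this person hold this access at all", can be made concrete with a small access review. The following is an added example written for this post, not Courion's product code or anything from the GAO report; the HR directory, role policy and grant list are constructed sample data, and the `Finding` categories are this example's own naming. It checks every existing grant against the directory (is the account still active?) and against a role policy (does the person's current role justify the entitlement?), which is exactly what an authentication-only model never asks.

```python
"""Access review: separate "who are you" from "what should you hold".

Added example, not code from the original post. Directory, role policy
and grant list below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Finding(Enum):
    OK = "ok"                   # grant matches the user's current role
    ORPHANED = "orphaned"       # user has left; grant should have been revoked
    UNKNOWN_USER = "unknown"    # grant for an identity the directory does not know
    EXCESS = "excess"           # user is active, but current role does not justify it


@dataclass(frozen=True)
class Person:
    uid: str
    role: str
    active: bool


# Constructed HR directory: the authoritative record of identity and role.
DIRECTORY = {
    "asmith": Person("asmith", "analyst", True),
    "bjones": Person("bjones", "clerk", True),     # moved from analyst to clerk
    "cdoe":   Person("cdoe", "analyst", False),    # left the agency
}

# Constructed role policy: the entitlements each role is permitted to hold.
ROLE_POLICY = {
    "analyst": {"case-db:read", "case-db:write", "vpn"},
    "clerk":   {"vpn"},
}

# Constructed snapshot of grants as they currently exist in the target systems.
GRANTS = [
    ("asmith", "case-db:read"),
    ("asmith", "vpn"),
    ("bjones", "case-db:write"),   # leftover from bjones's former role
    ("bjones", "vpn"),
    ("cdoe", "vpn"),               # never removed at offboarding
    ("ghost", "case-db:read"),     # no matching directory record
]


def grant_exists(grants, uid, entitlement):
    """What an authentication-only system effectively checks: once the
    login succeeds, any grant still on file is honoured as-is."""
    return (uid, entitlement) in grants


def classify(person, entitlement, policy):
    """Decide whether one grant is justified by the directory and role policy."""
    if person is None:
        return Finding.UNKNOWN_USER
    if not person.active:
        return Finding.ORPHANED
    if entitlement not in policy.get(person.role, set()):
        return Finding.EXCESS
    return Finding.OK


def review_access(directory, policy, grants):
    """Map every (uid, entitlement) grant to a Finding."""
    return {
        (uid, ent): classify(directory.get(uid), ent, policy)
        for uid, ent in grants
    }


def revocations(findings):
    """Grants that remediation should pull: everything that is not OK."""
    return sorted(g for g, f in findings.items() if f is not Finding.OK)


def summary(findings):
    """Count findings per category, useful for a compliance report."""
    counts = {f: 0 for f in Finding}
    for f in findings.values():
        counts[f] += 1
    return counts


if __name__ == "__main__":
    results = review_access(DIRECTORY, ROLE_POLICY, GRANTS)
    for grant, finding in results.items():
        print(f"{grant[0]:8} {grant[1]:14} {finding.value}")
    print("revoke:", revocations(results))
    # The terminated user's VPN grant is still honoured by a login-only check:
    print("cdoe vpn still on file:", grant_exists(GRANTS, "cdoe", "vpn"))
```

The review is deliberately driven from two sources the login path never consults: the HR directory (which decides the ORPHANED and UNKNOWN_USER cases that offboarding should have closed) and the role policy (which decides the EXCESS case created by a role change). In a real deployment the grant snapshot would be pulled from each system's native permission store and the revocation list fed back to it; here the last line shows that, from the authenticating system's point of view, the departed user's grant looks perfectly valid.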