Over the last year, the surge in government workers remotely logging on to agency networks has been shadowed by concerns about how well agencies are able to strictly control and audit this access. In other words, the concern is ensuring that the right user has the proper credentials to access the right data, only at the right time, and only for the right purpose.
But even before the COVID-19 outbreak sent hundreds of thousands of government employees and contractors scrambling into an extended teleworking experiment, the federal government has been focusing on modernizing and strengthening its Identity, Credential, and Access Management (ICAM) policies.
Updates issued by the Office of Management and Budget (OMB) to the federal government’s ICAM policy exhort agencies to embrace a risk management approach to identity management. This aligns with the National Institute of Standards and Technology (NIST) guidelines, as well as related identity management guidance issued by the Office of Personnel Management and Department of Homeland Security. The goal is for agencies to establish a comprehensive approach to identity-proofing that safeguards privacy and security.
Privileged Access Risks
While identity-centric security is more important than ever in this era of increasingly distributed workforces and dissolving perimeters, many agency IAM/IT managers lack a clear sense of who has access to their systems, and what is being done with that access. This is a particularly dangerous blind spot when it pertains to privileged users.
A BeyondTrust research study found that, on average, public sector organizations have 124 third-party vendors logging into their systems/networks in a typical week. Government organizations overwhelmingly recognized that vendor access presents a serious security threat—in fact, only 10% of government respondents did not see it as a threat.
There is copious data from Verizon DBIR and other reports over the years showing that credentials are one of the top vectors exploited by threat actors. Forrester Research has estimated that more than 80% of IT breaches involve privileged credential abuse or misuse.
COVID-19 has galvanized the digital transformation journey for many government agencies. Technology stacks are undergoing rapid modernization, conferring many productivity benefits and improving the ability to adapt to work-from-home and other environmental changes. These changes—along with the increased remote workforce itself, BYOD, and shadow IT—are all creating new pathways for malicious actors to exploit.
Given the current threat environment, agencies must have solutions that demonstrably reduce the threat surface and the risk of data breaches. The SolarWinds Orion supply chain breach was just the latest wake-up call, but it won’t be the last.
Addressing Credential & Identity Risks & Government Mandates
BeyondTrust Privileged Password Management provides broad and flexible privileged credential management capabilities to address the specific risks and use cases of government agencies. The solution discovers and onboards all privileged accounts, enforcing password security best practices such as complexity requirements, rotation, one-time passwords, dynamic secrets, and more. It also enables just-in-time access models, which help remove the risk of standing privileges and further reduce the threat surface.
BeyondTrust Privileged Password Management helps address OMB ICAM directives in several ways:
- As OMB notes, Homeland Security Presidential Directive 12 (HSPD 12) requires federal agencies to use a standard smart credential to verify the identities of all employees and contractors accessing federal buildings and information systems. The directive also mandates that all government personnel obtain Personal Identification Verification (PIV) cards.
BeyondTrust supports HSPD 12 by enabling smart card authentication for Common Access Cards (CAC) and PIV cards with our privileged access management solutions.
- Agencies must implement processes to manage access control, including the ability to revoke access privileges when they are no longer authorized, and to revoke or destroy credentials in a timely manner. This is necessary to prevent unauthorized access to information systems when an employee or contractor separates from the agency, or when a credential has been lost. Additionally, this serves to mitigate insider threats associated with compromised or potentially compromised credentials.
BeyondTrust Privileged Password Management enables agencies to scan, identify, and profile all assets and applications with auto-onboarding of privileged accounts. Additionally, customers can store, manage, and rotate privileged account passwords, eliminating embedded credentials, and ensuring password strength.
- Agencies must manage the digital identity lifecycle of devices, non-person entities (NPEs), and automated technologies such as Robotic Process Automation (RPA) tools and Artificial Intelligence (AI), ensuring the digital identity is distinguishable, auditable, and consistently managed across the agency. According to OMB, this includes establishing mechanisms to bind, update, revoke, and destroy credentials for the device or automated technology.
BeyondTrust Privileged Password Management secures and manages privileged identities – whether they belong to humans, applications, service accounts, or other machine/non-human accounts. Our solution eliminates the need for hardcoded or embedded RPA credentials and secures the agency from automated exploitation via an extensive API that is compatible with RPA technology.
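As an added illustration (not BeyondTrust code and not its API), the following hypothetical credential broker shows the mechanics named above in miniature: onboarding a discovered account with a fresh secret, just-in-time checkout with a time limit instead of standing privileges, one-time use with rotation on check-in or expiry, and an audit record for every decision. The account and requester names are constructed sample values.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PrivilegedAccount:
    name: str
    secret: str                          # current password; rotated after every use
    checked_out_by: Optional[str] = None
    expires_at: float = 0.0              # UNIX time at which the checkout lapses


class CredentialBroker:
    """Hypothetical JIT vault: no standing access, one-time secrets, full audit trail."""

    def __init__(self) -> None:
        self.accounts: Dict[str, PrivilegedAccount] = {}
        self.audit: List[Tuple[float, str, str, str]] = []   # (time, who, account, event)

    def onboard(self, name: str) -> None:
        # Bringing a discovered account under management sets a new random secret,
        # so any copy previously embedded in scripts or RPA jobs is immediately dead.
        self.accounts[name] = PrivilegedAccount(name, secrets.token_urlsafe(24))

    def checkout(self, requester: str, name: str, ttl: float, now: float) -> str:
        self.sweep(now)                  # retire any checkout whose TTL has lapsed first
        acct = self.accounts[name]
        if acct.checked_out_by is not None:
            self.audit.append((now, requester, name, "denied: already checked out"))
            raise PermissionError(f"{name} is checked out by {acct.checked_out_by}")
        acct.checked_out_by, acct.expires_at = requester, now + ttl
        self.audit.append((now, requester, name, f"checkout ttl={ttl}"))
        return acct.secret

    def checkin(self, requester: str, name: str, now: float) -> None:
        acct = self.accounts[name]
        if acct.checked_out_by != requester:
            self.audit.append((now, requester, name, "denied: not the holder"))
            raise PermissionError(f"{requester} does not hold {name}")
        self._rotate(acct, now, "checkin")

    def sweep(self, now: float) -> int:
        # Expired checkouts are force-rotated so a forgotten session never becomes standing access.
        expired = [a for a in self.accounts.values() if a.checked_out_by and now >= a.expires_at]
        for acct in expired:
            self._rotate(acct, now, "ttl expired")
        return len(expired)

    def _rotate(self, acct: PrivilegedAccount, now: float, reason: str) -> None:
        acct.secret = secrets.token_urlsafe(24)   # the value just released is now useless if captured
        self.audit.append((now, acct.checked_out_by or "-", acct.name, f"rotated: {reason}"))
        acct.checked_out_by, acct.expires_at = None, 0.0
```

An RPA job would call `checkout` through the API at run time and `checkin` when done, rather than carrying a password in its configuration.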
Next Steps for Protecting Agencies Against Credential-Based Threats
To ensure secure and efficient operations, agencies must be able to identify, credential, monitor, and manage all entities that access government resources. BeyondTrust is in lockstep with the OMB strategy.
To learn more about how BeyondTrust solutions can help you address the most pressing cyber risks, and also improve your compliance posture, check out these resources:
Craig McCullough, Regional Vice President, Public Sector
Craig has over 20 years of experience in the technology industry, having started his career as an intellectual property attorney in Washington, DC, and then moving into leadership roles growing technology businesses that support federal, state and local governments. He is a visible industry leader and frequent spokesperson, giving interviews in various media outlets and participating as a panel speaker at multiple industry events. Craig joined BeyondTrust in 2018 and created the Public Sector Team.