Gretchen Grozier, Director of Identity and Access Management for the Boston Department of Innovation and Technology, administers IAM for roughly 22,000 city employees.

Jul 27 2023

City Governments Turn to Single Sign-On Applications to Authenticate Employees

Single sign-on applications offer a simple and affordable way to authenticate employees.

Police officers and firefighters, engineers and construction workers, paralegals, program managers, electricians and bookkeepers: It takes a village to run a large city, and Boston is no exception.

According to the latest figures, in fact, Boston employs close to 22,000 people. To ensure that each of those workers can access the applications and digital resources they need to do their jobs, the city employs Gretchen Grozier, director of identity and access management for the Boston Department of Innovation and Technology.

Grozier says she spends much of her time focused on one innovative technology in particular: an online city system called Access Boston that many employees use every day. “It puts the tools and services they’re permitted to use in one convenient place,” she says. “They have one username and password to remember, and everything they need is ready right there.”

Single sign-on solutions “are much more frequently and thoroughly penetration tested than individual apps’ authentication methods” and thus are good security tools for city governments, says Andras Cser, vice president and principal analyst at Forrester Research. He deems the risk of system compromise “unlikely,” and he touts the technology’s proven benefits.


Consider what happens when someone forgets their password or has it compromised without an SSO system in place. “As people reuse combinations of the same passwords everywhere, you pretty much have to reset passwords separately in all apps,” Cser says.

But with SSO, he points out, the user has to change their password only once. And IT departments stand to gain because the technology simplifies identity and access management overall.  

“It reduces the cost of developing and maintaining authentication and coarse-grained authorization in business applications,” Cser says. Administrators have to integrate the app with the SSO framework only once, he says, “instead of developing a one-off, separate authentication solution for potentially hundreds or thousands of apps.”

Identity Management Solutions Make Access Easier

Access Boston is built around two solutions that automate identity governance and access authorization. SailPoint IdentityIQ is an identity management platform that integrates with the city’s human capital management system to allow Grozier’s team to quickly determine which employees should be able to access what resources. Once permissions are established, technology from Ping Identity facilitates user access and security.

“When you log in on the Access Boston page, you’re actually going through Ping,” Grozier says. “The platform is asking our central directory, ‘Is this username and password legit?’”

In certain cases, the system may require multifactor authentication. “If they’ve never logged in from that computer, it ensures they are who they say they are,” Grozier says.


Employees use Access Boston to access everything from their email accounts to the city’s secure Wi-Fi networks. They can also use its self-service portal to view paychecks and request time off, and they can do so from just about anywhere, as long as they have a connected device.

Previously, department administrators often voiced how difficult it was to manage local credentials, Grozier says. Likewise, employees often struggled to keep track of long lists of difficult-to-remember passwords. All of that changed when the city launched Access Boston in 2019.

“Now everything is super easy and user friendly, and I think people appreciate that,” she says.


Most important, Grozier adds, the revamped approach to identity and access management improves Boston’s security posture significantly. Employees are no longer tempted to cut corners by using and reusing passwords that could give hackers easy entry to department systems. And even if a bad actor stole login credentials, they’d still have to get around multifactor authentication.

“This is a way for us to protect the city and the data of all the people who work here,” Grozier says. “It’s a perfect balance between keeping security really tight while not making it so difficult that we start driving employees crazy.”

41%: The percentage of state and local governments that say they build their own IAM solutions (Source: gcn.com, “Agencies Still Rely on Username-Password for Access Management,” Jan. 24, 2022)

Sacramento Is Seeing Increased Visibility and IT Efficiency

The Sacramento Municipal Utility District in California knows something about the relationship between innovation and efficiency.

A community-owned power company serving more than 1.5 million customers, SMUD has a reputation as a national leader in renewable power and sustainability. Until recently, however, its identity and access management program lagged by comparison. User access and onboarding were handled manually, and its IT team often lacked visibility into who had access to the utility’s applications.

Like Gretchen Grozier in Boston, John Peters, SMUD senior enterprise infrastructure specialist, knew there had to be a better way. He turned his attention to potential solutions and in 2017 led the utility’s implementation of IdentityIQ.

The SailPoint technology, Peters says, allows his team to quickly assign individual workers access to critical applications. “If you report to a particular director, or if you’re an employee rather than a contractor, SailPoint takes that organizational metadata and automates who’s allowed to go where.”

The department relies on a pair of technologies to facilitate single sign-on, Peters says. For applications that allow Windows integration for SSO, Security Assertion Markup Language (SAML) does the job; SSO for cloud-based apps is possible through a SailPoint integration with Azure Active Directory.

Single sign-on, Peters says, enables his team to “act as a gatekeeper” to any application approved by the utility. The utility enforces MFA only when the user isn’t on a trusted network or is attempting to sign in from an unrecognized device, he adds. Otherwise, the only hurdle employees have to clear when they log in is entering their account password.

Peters notes that by bolstering data security, SailPoint and SSO have “dramatically” reduced risk for his department — and he and his colleagues aren’t the only ones who appreciate the new approach.

“Now, when you’re onboarded as a new employee or a contractor, you immediately have access to a variety of solutions — everything you need to get going,” he says. “It’s easy, and it’s seamless; you don’t even have to think about it.”

Photography by Christopher Navin