Mike Lettman has been pleased with Okta, which can easily activate or deactivate access for Arizona state staff.

Sep 25 2018

How Identity Management Tools Help States Solve Thorny Security Issues

Single sign-on solutions provide access for state users as well as millions of citizens who depend on their agencies.

State and local agencies are the guardians of valuable personal information for millions of citizens. At the same time, they deliver vital services via the internet and require applications that are easy for citizens to use.

“We need to balance user experience with security the best we can,” says Mike Lettman, CISO for the state of Arizona.

As part of that balance, states are increasingly turning to enterprisewide identity and access management technology, which Gartner describes as enabling “the right individuals to access the right resources at the right times for the right reasons.” Along with Arizona, Louisiana and Michigan are among the states that have adopted IAM solutions to control access internally for employees and externally for citizens, depending on their benefits.


Agencies Streamline Access to Apps via Single Sign-On 

With Lettman’s guidance, the Arizona Department of Administration’s Arizona Strategic Enterprise Technology (ADOA-ASET) office implemented Okta, a cloud-based IAM solution that works with nearly every enterprise application.

“In government, the joke is that we don’t sell shoes or batteries,” says Lettman. “We sell law enforcement, healthcare and licensing services. We have one of everything, so we need an open-source solution that can integrate all that.”

ADOA-ASET applied the Okta solution to applications used by more than 6,600 users in 60 agencies.

Lettman has been pleased with the back-end administration of Okta. When an employee joins or leaves one of Arizona’s agencies, his staff can easily turn access to applications on or off with Okta. Before, they would have had to log in to each system separately to change permissions.

The single sign-on also provides a layer of defense against outside threats.

“Multiple passwords aren’t so secure,” Lettman says. “Everyone writes them on a sticky note or stores them on their laptop. If that’s stolen, the thief has access to everything.”

For added security, the single password is accompanied by multifactor authentication. If a user isn’t recognized by the system, Okta sends a message to his or her smartphone to request verification.

As for introducing an IAM solution to the public, Lettman says that he can see this happening in the future, but he also sees challenges.

“You can imagine this going out to citizens — to the tax base, the school base. That’s anywhere from 3 million to more than 6 million citizens logging in to the state system. You want a system that’s scalable,” he says.


IAM Can Benefit Citizens as Well as Government Users

“No one likes to manage multiple passwords,” says Caleb Buhs, communications director for Michigan’s Department of Technology, Management and Budget. “Large tech companies and online stores drive an expectation of simplicity, security and integration, which the state strives to meet, as well.”

In Michigan, DTMB uses IAM with more than 1,000 state IT workers as well as roughly 9 million citizens who use public services. Before adopting an IAM solution, Michigan agencies accessed thousands of applications and servers separately.

Now, DTMB uses Centrify as the IAM solution for Michigan’s IT workers, and the single sign-on in IBM’s Tivoli Access Manager for public-facing programs. Both solutions have greatly streamlined management for the state’s IT staff, increasing output as well. 

The use of Tivoli Access Manager has been so successful that Michigan is expanding it to online services for the state motor vehicles department and the Michigan Unemployment Insurance Agency, doubling the number of users within the Michigan state population to 18 million by the end of 2018.


Identity and Access Management Solutions Must Evolve

While IAM solutions are valuable, they alone do not ensure the security of their associated applications, says Mike Wyatt, principal with Deloitte Risk and Financial Advisory. “IAM solutions protect accounts used to manage the IT environment, mitigating the risk of a breach,” Wyatt says. “IAM systems provide feeds to security information event management solutions. Finally, when implemented properly, IAM solutions improve the resiliency of an organization to recover in a cyberattack or natural disaster.”

However, “many cybercapabilities required for a good cybersecurity posture are separate and distinct from IAM solutions. Endpoint protection, firewalls and data loss prevention are examples of some non-IAM capabilities, but which integrate with and are enriched via IAM solutions,” Wyatt cautions.

The IT team at the Louisiana Office of Technology Services has been working with CA Technologies for several years to strengthen its IAM solution, which now covers 16 government agencies and nearly 1.5 million Medicaid recipients.

IAM solutions that can meet technology and regulatory requirements, both today and in the future, are key.


“We knew from the beginning that we needed to develop a system that not only works today for one agency, but would work for multiple agencies for years to come,” says Matthew Vince, director of project management for OTS.

Michigan and Illinois plan to launch a single sign-on system in late 2020 for a shared Medicaid processing system for providers, insurance companies and clients. Flexible, off-the-shelf IAM solutions help to keep costs down while expanding services.

“Government needs to save money more than ever,” says Buhs from Michigan’s DTMB. “We chose our IAM solutions to meet our duty to the residents of Michigan based on cost, ease of use, data protection and diversity of application availability.”


Photography by Steve Craft
