States and Localities Build on Success with Identity and Access Management

Most local and state governments strive to build IAM solutions to centrally manage user identities and access to government applications and data for both employees and citizens. The effort has grown more complex in recent years as government agencies adopt more Software as a Service (SaaS) applications, as remote work becomes more prevalent and as they offer more digital government services to citizens.

“IAM offers obvious security benefits. It reduces the potential for accounts getting compromised and data being stolen, and it ensures that users only have access to things they need access to and are appropriate for their job or responsibilities,” says Merritt Maxim, vice president and research director at Forrester Research. 

Single sign-on (SSO) also simplifies the user experience and improves employee productivity. “Users don’t type passwords all over the place. They do an initial authentication and access the applications they need throughout their day,” Maxim says. “It also reduces IT operation costs because users aren’t calling the help desk all the time, saying they forgot their passwords for various systems.” 

WATCH: Learn how Ohio connects citizens through its identity and access management program.

States Look to Modernizing IAM for Expansion of Digital Services

The Maryland IT department offers centralized IAM services for executive branch agencies and small and midsized state agencies. One technology it uses is Microsoft Active Directory. But many of the state’s largest agencies, including health, transportation and human services, have their own IT staffs and have developed their own IAM programs with their own individual Active Directory implementations to manage and authenticate users, Leahy says.

Maryland hopes to one day consolidate agencies under one centralized Active Directory environment and one IAM solution, but for now, it manages IAM for about 12,000 of the state’s 50,000 employees, he says. 

The state’s central IT department has deployed a cloud-based tool to enable multifactor authentication and SSO for SaaS applications. Through a portal, employees can log in with one username and password to access a virtual desktop, Microsoft 365, Gmail and other applications. 

The IT staff continually fine-tunes its IAM implementation and is looking to augment it with a new tool to improve security further, says Leahy, who remains vague on details to protect the state’s security posture. 

“It’s an iterative process. We are always changing things as we learn new information,” he says.

The Maryland IT department is piloting self-sovereign identity, an approach that is decentralized through blockchain technology. If it proves successful, Leahy hopes to convince the state legislature and Gov. Larry Hogan to approve the technology for statewide use early next year. The IT department would still need buy-in from state agencies, but it doesn’t have to be implemented all at once and could start with one application, he says. 

Self-sovereign identity improves privacy because residents have control of their data, Leahy says. 

“When it comes to identity and access management, my goal is to make it as simple as humanly possible for our citizenry,” he says.

Single Sign-On Access Eases Remote Access for Government Workers

While Maryland is building next-generation IAM technology, Larimer County in Colorado has deployed available technology to provide SSO services to employees and residents.

The county has implemented IAM with Okta’s cloud-based SSO technology and Microsoft Active Directory to manage user identities and control access to applications and data. The benefit: Employees only need to remember one strong password instead of unique passwords for every application, which makes the county less vulnerable to attacks. 

“I am hyperfocused on user experience and making access to technology as seamless as possible for people,” says Larimer County CIO Mark Pfaffinger. “On the other side, I’m also sensitive to ensuring that we know who’s on our network and what access privileges they have to what. So, we needed an identity model that was going to grow with our continued complexity as we moved to a hybrid environment.”

EXPLORE: County IT officials outline shared priorities and pool resources.

More specifically, Active Directory is the source of record for user identities and permissions and automatically syncs to Okta Identity Cloud, so Okta automatically knows what privileges each employee has for apps and data, Pfaffinger says. Okta provides pre-built integrations to cloud-based apps and connectors to on-premises enterprise apps, which enable SSO access to the applications, even when employees work remotely.

Residents also get SSO access to the county’s online services. They can create their own usernames and passwords, but Okta allows residents to also log in through their social media credentials, says Gregg Turnbull, the county’s innovation and insights director. In fact, the majority of residents log in with their social accounts. 

“We started with Google and Facebook because that’s what most people use,” Turnbull says.

The county is currently using Okta technology to enable two-factor authentication, adds Tom Iwanski, the county’s IT security and operations team lead.

One-Stop Portal Smooths Delivery of Citizen Services

In the Midwest, the state of Indiana has built a portal with SSO capabilities that enables residents and businesses to log in once to access a variety of services, such as applying for family and social services programs, buying hunting and fishing licenses, and downloading COVID-19 vaccination records. 

The project began in 2017 when Gov. Eric Holcomb asked state employees to brainstorm ways to make life better in the Hoosier State. The Indiana Office of Technology pitched the idea of creating a single identity for residents and using of SSO technology to consolidate authentication, improve security and create a better user experience, recalls Graig Lubsen, IOT’s director of communications and external affairs.

DISCOVER: Three stages of building an identity and access management program. 

IOT collaborated with state agencies on a governance strategy for two years, and in March 2019, the state’s Department of Homeland Security launched the first application on the Access Indiana portal — an application to schedule and manage the inspection of elevators and amusement park rides. 

Since then, the state has added more than 100 applications and services online, and the use of Access Indiana has skyrocketed. Over the past year, the number of users has nearly tripled to 1.4 million, says Lubsen, who manages Access Indiana.

IOT built Access Indiana with the assistance of its web developer. The state deployed the IdentityServer4 framework to authenticate residents, integrate applications from state agencies and enable SSO, he says. 

The state’s 30,000 employees can also log in to Access Indiana to manage public-facing applications and access some internal applications, such as a central content management system for the state’s 300 websites, he says. IOT connected the state’s Azure Active Directory to Access Indiana to authenticate state employees, he says. 

“The benefit from a citizen and business user perspective is that they’ve got one identity now to get to more than 100 different services,” he says.