The IT staff continually fine-tunes its IAM implementation and is looking to augment it with a new tool to improve security further, says Leahy, who remains vague on details to protect the state’s security posture.
“It’s an iterative process. We are always changing things as we learn new information,” he says.
The Maryland IT department is piloting self-sovereign identity, an approach that is decentralized through blockchain technology. If it proves successful, Leahy hopes to convince the state legislature and Gov. Larry Hogan to approve the technology for statewide use early next year. The IT department would still need buy-in from state agencies, but it doesn’t have to be implemented all at once and could start with one application, he says.
Self-sovereign identity improves privacy because residents have control of their data, Leahy says.
“When it comes to identity and access management, my goal is to make it as simple as humanly possible for our citizenry,” he says.
Single Sign-On Access Eases Remote Access for Government Workers
While Maryland is building next-generation IAM technology, Larimer County in Colorado has deployed available technology to provide SSO services to employees and residents.
The county has implemented IAM with Okta’s cloud-based SSO technology and Microsoft Active Directory to manage user identities and control access to applications and data. The benefit: Employees only need to remember one strong password instead of unique passwords for every application, which makes the county less vulnerable to attacks.
“I am hyperfocused on user experience and making access to technology as seamless as possible for people,” says Larimer County CIO Mark Pfaffinger. “On the other side, I’m also sensitive to ensuring that we know who’s on our network and what access privileges they have to what. So, we needed an identity model that was going to grow with our continued complexity as we moved to a hybrid environment.”
More specifically, Active Directory is the source of record for user identities and permissions and automatically syncs to Okta Identity Cloud, so Okta automatically knows what privileges each employee has for apps and data, Pfaffinger says. Okta provides pre-built integrations to cloud-based apps and connectors to on-premises enterprise apps, which enable SSO access to the applications, even when employees work remotely.
Residents also get SSO access to the county’s online services. They can create their own usernames and passwords, but Okta allows residents to also log in through their social media credentials, says Gregg Turnbull, the county’s innovation and insights director. In fact, the majority of residents log in with their social accounts.
“We started with Google and Facebook because that’s what most people use,” Turnbull says.
The county is currently using Okta technology to enable two-factor authentication, adds Tom Iwanski, the county’s IT security and operations team lead.
One-Stop Portal Smooths Delivery of Citizen Services
In the Midwest, the state of Indiana has built a portal with SSO capabilities that enables residents and businesses to log in once to access a variety of services, such as applying for family and social services programs, buying hunting and fishing licenses, and downloading COVID-19 vaccination records.
The project began in 2017 when Gov. Eric Holcomb asked state employees to brainstorm ways to make life better in the Hoosier State. The Indiana Office of Technology pitched the idea of creating a single identity for residents and using SSO technology to consolidate authentication, improve security and create a better user experience, recalls Graig Lubsen, IOT’s director of communications and external affairs.
IOT collaborated with state agencies on a governance strategy for two years, and in March 2019, the state’s Department of Homeland Security launched the first application on the Access Indiana portal — an application to schedule and manage the inspection of elevators and amusement park rides.
Since then, the state has added more than 100 applications and services online, and the use of Access Indiana has skyrocketed. Over the past year, the number of users has nearly tripled to 1.4 million, says Lubsen, who manages Access Indiana.
IOT built Access Indiana with the assistance of its web developer. The state deployed the IdentityServer4 framework to authenticate residents, integrate applications from state agencies and enable SSO, he says.
The state’s 30,000 employees can also log in to Access Indiana to manage public-facing applications and access some internal applications, such as a central content management system for the state’s 300 websites, he says. IOT connected the state’s Azure Active Directory to Access Indiana to authenticate state employees, he says.
“The benefit from a citizen and business user perspective is that they’ve got one identity now to get to more than 100 different services,” he says.