How Identity and Access Management Supports a Zero-Trust Environment

In other words, it’s the governance, lifecycle and procedures that are difficult, especially in state and local government environments. Federating an identity store and feeding it to all sorts of different applications and services is technically challenging, but that’s simply a question of navigating all the acronyms and protocols.

Understanding IAM and its relationship to zero trust really comes from breaking down IAM to its two components: identity management (used for authentication) and access controls or access management (used for authorization).

How Can State and Local Governments Manage Identities?

IAM starts with identity management: That’s not just the database of identities. It’s the database plus the entire lifecycle of managing identities in an agency (or in some cases, the identities of constituents using government services). 

An example of the simplest type of identity management might be an agency using Microsoft’s Active Directory to store identities, combined with the governance attached to adding, changing and deleting identities from the directory. 

Most agencies struggle with procedures, policies and governance. In part, that’s because tools such as Active Directory are “take it or leave it.” Admins get a set of technical capabilities, and if they don’t like those capabilities, they don’t have a lot of options to influence the direction of the product. 

This means there’s not a lot of technology to understand and build; it’s more a question of how to use that technology and whether additional layers are needed to handle any special requirements of an application or agency. But there are also technology choices that influence IAM, especially because IAM is now so closely tied to zero-trust architectures.

LEARN MORE: How Massachusetts finds success in employee identity management.

How Does Identity Management Support Authentication? 

While much of identity management is mature technology backed by old-school policies and procedures, there is a lot of action in one particular area: the actual authentication mechanisms supported by IAM. Thinking about authentication is now a particularly critical part of understanding IAM, especially because simple passwords are no longer considered adequate for security.

This means that authentication methods such as multifactor authentication (MFA) and FIDO2 (so-called passwordless authentication) have a strong bearing on the definition of IAM. State and local government IT teams embarking on an IAM and zero-trust journey should start by clearly defining their user community and then identifying the various authentication mechanisms that are required.

Click the banner below to learn about getting zero trust architecture right.

These first steps are important because they will steer the most basic technology choices. For example, if the IAM solution must serve citizen users, requirements such as scalability and authentication options will be dramatically different than if the IAM solution is only for agency staff and contractors. Similarly, if the IAM solution must federate across many government agencies, this also implies different technology choices. 

User constituency and user count are dominant factors, but IT teams also need to think about what types of authentication methods will be needed. From a technology point of view, agencies are in the middle of a fairly large shift: moving from basic passwords to MFA to certificate-based authentication that leverages biometrics and nearly ubiquitous smart devices.

Any IT team releasing an application that does not include either MFA or the newer FIDO2-based passkey system (supported by Google, Microsoft and Apple, among others) won’t meet basic standards for information security when it comes to audits and best practices.

EXPLORE: How can state and local agencies better collaborate on cybersecurity?

When thinking about an IAM solution and who will use it, IT managers also need to keep in mind that these authentication technologies are now considered table stakes for security for any public application. It doesn’t matter too much which MFA or passwordless authentication technology an administrator chooses, as long as application security is not dependent on simple username/password combinations. While security experts will extol the benefits of the new passkey systems, IT managers should also consider user community as well as data sensitivity when planning IAM details and seek an informed balance between security and accessibility.

Web-based applications and custom-built smartphone and tablet applications can easily integrate these powerful authentication methods. Proxies in front of web applications are a favored technique to quickly adapt legacy apps to support IAM and SSO technology. While some applications will completely resist modernization — even with updated front ends and proxies — most state and local government IT teams can modernize authentication.

And it’s worth repeating that no matter how someone defines the technology side of IAM, the hardest parts are all of the governance elements: How will the user lifecycle be handled? How will users be onboarded and offboarded? How can agencies securely automate password resets, information updates and account unlocks? How will reporting and data dump requests from audit and compliance teams be satisfied quickly?

How Does Access Management Support Authorization?

While authentication is important and easy to focus on because of the user experience, authorization presents state and local IT teams with a more difficult issue: Even if the authentication can be upgraded to 21st century technology through proxies and front-end updates, authorization can become an intractable issue — particularly so with legacy applications that are not designed to gather authorization information from a central IAM service.

Click the banner below to become a StateTech Insider to get customized cybersecurity content.

Access management can be difficult to pin down when defining IAM because the definition of authorization will differ from expert to expert. IT teams with a strong Windows or database background may choose to focus on very deep application access controls while the network team may be looking in another direction, granting access based on network location; posture checks; and device type, ownership and status. Both definitions are relevant to zero trust, but choosing a focus area for authorization is part of building an IAM solution for an agency.

Setting expectations for what the access control and authorization parts of IAM can and cannot accomplish is a key milestone. As part of defining IAM, IT teams will need to work on achieving consensus on basic elements, such as vocabulary and goals.

This is especially true in government technology environments, where common factors such as interagency collaboration, legacy applications and siloed IT teams can complicate project execution. Focusing on realistic results and developing a shared vision of what IAM means is the best way to avoid project delays and derailments.