Jul 15 2025
Security

State Governments Automate User Privileges to Assist With Identity Management and Access

Some states turn to commercially available solutions to seamlessly support government employees.

In 2018, the Commonwealth of Massachusetts implemented the Microsoft Azure Active Directory identity and access management solution (now known as Microsoft Entra ID) as part of an IT centralization effort led by its Executive Office of Technology Services and Security.

Microsoft’s cloud-based solution — which includes features such as multifactor authentication and conditional access capabilities — played a key role in the state’s response to the COVID-19 pandemic in 2020, says Massachusetts CIO and Secretary of EOTSS Jason Snyder.

“In a short period of time, about 40,000 employees needed to switch from being almost entirely on-premises to mostly working from home,” Snyder says. “To facilitate the scale we needed, robust cybersecurity measures were essential to support the transition.”

A consolidated IAM structure lets states incorporate functionality such as automated privileged access management and adaptive authentication requirements, which are based on user behavior, location and other contextual factors.

Employees are only allowed to access the appropriate systems and data during their tenure with the organization, limiting the potential damage if credentials are compromised.

Access controls that assign permissions based on defined job roles (rather than manual requests) may reduce the chance of onboarding and offboarding errors, says Eric Sweden, program director for enterprise architecture and governance at the National Association of State Chief Information Officers.

“It ensures access is always aligned with the job function, which is critical in a dynamic staffing situation,” he says. “States can accelerate provisioning for contractors, temporary staff and emergency hires during health emergencies, natural disasters, election cycles — whenever workforce demand spikes.”

Identity Management Solutions Can Spur Employee Mobility

For the past four years, identity and access management has been one of state governments’ top 10 priorities, according to NASCIO research.

Driven by the need for secure employee access to resources, some states have implemented enterprisewide solutions that facilitate the full employee identity lifecycle, from onboarding to exit.

NASCIO’s 2024 State CIO Survey found 71% of agencies either had finished or were in the process of integrating an enterprise IAM system.

“Today, states are moving toward centralized identity and access management platforms that promote standard approaches, reduced cost and unified user management,” Sweden says. “IAM is not only optimal but also essential for operations in government.”

With Entra ID, state residents can log in to the MyMassGov platform using a single email address and password to reach multiple web-based applications including Virtual Gateway, which supplies real-time health information for Medicaid program members, and the new unemployment benefits system that the Commonwealth introduced in early May.

“Entra ID has helped enable employees’ single sign-on abilities to access their work resources, even remotely, which simplifies access while mitigating security risks,” Snyder says. “MyMassGov is our constituent-focused IAM platform for public-facing web applications. We are currently managing over 2 million accounts involving major applications.”

An EOTSS representative speaking at the NASCIO annual conference in 2022 told attendees that introducing a self-service employee password reset option had dramatically reduced IT help desk wait times.

Government workers didn’t immediately embrace all aspects of Massachusetts’s move to a singular IAM system, he said. Some were hesitant to use their phones to perform the associated call-, text- and app-based multifactor authentication until the Commonwealth worked with its employees’ union to encourage them.

Workforce training has also helped build support for the IAM solution, Snyder says.

“We needed to make sure workers understood the critical need for multifactor authentication and the safeguards that facilitate off-premises work,” he says. “Now everyone in the organization appreciates the reasons behind that effort, and multifactor is no longer this new thing; rather, it’s a part of our security culture across the enterprise.”

Uniform IAM Practices Could Protect State Resources

Traditionally, New Mexico’s individual state agencies managed their own Active Directory environments, which posed some interoperability and consistency challenges, says Jason Johnson, deputy CIO for the New Mexico Department of Information Technology.

In 2021, DoIT transitioned state employees from on-premises Microsoft Exchange to Microsoft 365, but they still had separate email and local agency-level identities.

Workers in a specific department would have to log on to their computer using the ID their division provided and then log in to Outlook with their email domain ID.

DoIT has been working to transition the state’s 76 agencies, boards and commissions to a shared organizational forest model by helping them sync their Active Directories into Entra ID, which will merge employees’ dual identities.

Thirty agencies have finished the transition, Johnson says; eight more are 77% to 92% complete, and he expects progress to continue throughout the fiscal year.

67%: The percentage of cyberattacks on government in which malware was used as a primary action in 2024 (Source: ibm.com, IBM X-Force 2025 Threat Intelligence Index, April 2025)

With the new system, agencies will manage their own user groups and devices, which offers both standardization and autonomy. Employees just have to enter one username and password to access the email, Adobe and other programs they need to perform their jobs.

“It makes it simpler for agencies,” Johnson says. “They're in control of setting up security groups and doing things they need to do. It's a way to keep everybody underneath the same umbrella while giving them the independence to still manage their user base.”

Consolidating user credential capabilities could also reduce costs by eliminating the servers that are often required to sustain Active Directory.

“Some of the smaller agencies have been able to do away with their Active Directory environment because the only purpose of it was to provide an identity for login,” Johnson says. “That can be done solely in the cloud via Entra ID. That's been a big plus; they don't need to maintain extra hardware.”

States Empower Access With Confidence, Thanks to Controls

Employees who log in to the state’s network from an unfamiliar location, such as a work conference, enter the same information they would when sitting at their desk in the office and are prompted to use an MFA token from the Microsoft Authenticator app.

If a cybersecurity breach occurs, the system sends an alert. The state can trace the origin and movement of any dubious items — whether employees are onsite or off the network — and isolate a device to stop malware from spreading.

“Whenever you can have all of your users and a lot of your communication data and devices in one system, it gives you great triangulation, knowing what is being accessed from where and by whom,” Johnson says. “It gives you a level of understanding of your exposure I haven't ever seen before. To be able to see all that analytical information is incredibly powerful.”

New Mexico’s IAM solution effectively addresses the need for identity verification to prevent cyberattacks, without inundating employees with an unreasonable number of requests.

For those who didn’t realize how convenient having a single identity for computer and email access would be, the switch to a centralized platform has led to “a big ‘aha!’ moment,” Johnson says.

“You're not asking them every time they log on for it, if they're working from a state-owned building,” he says. “By taking advantage of Entra ID and leveraging single sign-on, we're able to improve the user experience while maintaining the security posture we prefer. That is something that doesn't happen often — usually, one of those has to give.”

Photography by Christopher Navin