Is Your Identity Management Program Protecting Your Federal Systems?

Transcription

1 Is Your Identity Management Program Protecting Your Federal Systems? With the increase in integrated, cloud and remote technologies, it is more challenging than ever for federal government agencies to fully protect their sensitive networks and comply with the numerous federal compliance regulations. External threats are always top of mind but the threats posed by internal security breaches pose an equal risk. Due to large contractor and global workforce, extending proper access privileges without heightening risk is a fine line often difficult to manage. Administration, compliance, governance, cyber security and budgets must all be considered. This whitepaper serves to help government agencies understand the full breadth of Identity and Access Management, and how the proper strategy can help reduce cyber security exposure and costs while providing additional operational, compliance and risk management benefits.

2 Executive Summary False Security Cyber security threats are increasing as the world and IT technologies are becoming more integrated. Shared services, cloud-based virtual systems, and remote and mobile device access create an intricate and complex web of connectivity that challenges all organizations to keep their networks secure. Government agencies are particularly vulnerable, due in part to their large global user base and use of transient contractors. Costly cyber security defense investments not only fail to provide protection from most insider-based threats, but they produce almost no offsetting gains in operational efficiency or cost reductions. They also do little to ease the governance, audit and compliance administrative burden levied on most federal organizations. While federal organizations have implemented Identity and Access Management to automate the issuance of user IDs and passwords, newer technology and a fresh approach can provide practical mitigation of insider threat, operational efficiency gains and cost reductions, and improved governance and compliance. This whitepaper serves to help government agencies understand the full breadth of Identity and Access Management (IAM or IdAM) or what Gartner terms Identity Governance and Administration (IGA). True IAM is an opportunity for federal IT and cyber security organizations to centralize on a single technology to reduce cyber security exposure and costs while providing additional operational, compliance and risk management benefits. Government agency leaders have a reason to be on heightened alert. Security threats are only getting more numerous, brazen and complex. The risk of external threats by nefarious entities around the world is only eclipsed by the insider threats. While some of these security breaches are unintentional, an increasing number are from patient, persistent insiders who have learned the networks, the security gaps and where to hide their activity. These types of threats can cause severe damage to the network or cause high-profile embarrassments that the media is all too ready to publicize on a global scale. Even worse, they can cause damage to national security, compromising and threatening the safety of American citizens here and abroad. Many federal agencies are under the false assumption they are protected if they have implemented standard Identity Management (IM) as outlined in federal directives like HSPD-12, FICAM, and DOD IM is only a credential-issuing program (Smart Cards), however, and does not mitigate the increasingly dangerous insider threats once a person is on the network. Tracking and controlling user access privileges across multiple systems is virtually impossible. When left unchecked, costs escalate, administration becomes unmanageable and the network remains vulnerable, particularly to existing authorized users with approved access. Many federal agencies are under the false assumption they are protected if they have implemented standard Identity Management (IM) as outlined in federal directives like HSPD-12, FICAM, and DOD FEDERAL

3 A Modern IAM Solution for a Modern World Federal agencies must approach identity management from different perspective, one that considers much more than credential management. A practical solution is found through an integrated, simplified, and centralized IAM program. Modern IAM encompasses four essential components: 1. Authentication - proving users are who they claim to be. This is the only portion of IAM a credentialissuing or Smart Card program addresses. 2. Authorization - ensuring authenticated users have access only to authorized resources and applications 3. Audit and Governance - ensuring the entire architecture and its function can be monitored, controlled and proved 4. Administration - ensuring processes are automated and interoperability with existing enterprise IT applications, assets and other existing cyber security systems. SailPoint offers a comprehensive solution that addresses all four components of IAM. Its IAM product suite manages the complete user lifecycle to rapidly mitigate security threats and improve governance, risk management and regulation compliance - all while bringing significant operational efficiencies and return on investment. How Does a Centralized IAM Solution Address Specific Federal Government Challenges Federal agencies have unique challenges that require a tailored solution. When government agencies embrace IAM with a centralized, integrated tool, the four essential components are simplified and streamlined. Centralized IAM solves the most prevalent challenges federal agencies face: Cyber Security Authentication and Authorization The large, transient contractor workforce makes cyber security a unique challenge for federal agencies. Authentication and onboarding can be time consuming and contractors credentials are often not shared between or within agencies. Their constant joining, moving and leaving generates a large amount of administrative paperwork often resulting in a directory of unmonitored users who are authorized on multiple networks. IAM improves cyber security, both external and internal, by allowing agencies to set identity policies around authentication, provisioning, authorizations and certifications. Assessing risk across the agency becomes easier when there is a single Role Model, Policy Model, Risk Model, Identity Repository, and Workflow Engine that improves visibility into who is doing what. Automated, continuous monitoring across the IT infrastructure enables supervisors to know what is going on in their environment, proactively prevent potential issues and rapidly respond to current threats. IAM includes credential management to prevent the wrong people from accessing government buildings or computers, but goes much further by assigning a risk profile for employees and automatically flagging privilege escalation requests to deter inadvertent or intentional access to restricted networks without proper authorization. When any activity is outside of standard operating procedures, an automated alert is generated. FEDERAL 3

4 SailPoint s product suite addresses and streamlines complete IAM, helping federal agencies identify, map, set and modify the rights and roles applicable for each person in the agency. Those rights extend to remote users accessing cloud, web and mobile applications from any device for increased productivity. The products are browser-based to solve modern security and IT issues immediately without lengthy software or product upgrades. SailPoint simplifies the process of granting and modifying user access for improved network security, but greatly enhances regulation compliance and governance as well. Federal Regulation Compliance Audit and Governance As a result of HSPD12, FISMA, FICAM and other government compliance regulations, government agencies must manage and comply with a host of requirements around the constant governance over identities, access privileges and sensitive IT systems - without additional budget. Even with these controls in place, insider threats remain, especially when combined with old or piecemealed provisioning technology. These federal regulations, as well as DHS CDM, DOD 8500 Risk Management, NIST Risk Management and many FIPS PUBS and SPs require modern, automated IAM for practical and cost-effective implementation. When data collection, monitoring and reporting are automated, compliance and audits are simplified and systems are better protected. IAM drives transparency, providing visibility into the access and certification of direct reports and on-demand audit reports. SailPoint allows agencies to operate from a single repository, enabling a significant number of controls and requirements to be consolidated and integrated. The common framework covers multiple functional risk areas and provides full traceability to hundreds of mandates. Managers and supervisors gain automated, real-time insight and reporting into the level and appropriateness of access for each person for complete identity management regulation compliance and significant process efficiencies. Process Efficiencies Administration and Governance Current operational and administrative processes are often still manual, particularly around provisioning systems for issuing user IDs and passwords. The heavy resource requirements delays implementation of security products, onboarding new employees and contractors, provisioning and de-provisioning transient workers, monitoring access privileges, and audit reporting. When resources are strained, systems are overly complex and access privileges cannot be continuously monitored, risks for security breaches rise. IAM enforces policy governance and automates processes, including audit reporting, on/off boarding and provisioning, separation of duty and access by job function. IAM is also an opportunity for federal agencies to centralize their disparate systems for better understanding of where applications reside and who has access. This enables simpler continuous monitoring and regulation compliance. SailPoint believes automation is the critical factor federal agencies need in order to reduce many administrative hassles. By automating processes, centralizing management and streamlining the execution of compliance controls, productivity increases while support costs and risk decrease. The simple step of allowing users to manage their own passwords and access applications remotely means employees and contractors get to work faster with appropriate access privileges for the job. Any requests for access to previous systems or networks for which they have not been granted continued access is denied and an alert sent to a supervisor. 4 FEDERAL

5 Cost Savings Budgets are always a challenge for federal agencies. A number of security offerings, often based on numerous components purchased from various manufacturers, can cost millions of dollars in multiple product and coding requirements, integration configurations and ongoing maintenance. Implementation of these complex systems can take years to fully deploy. Agencies that have already spent money on cyber security will need to have demonstrable ROI to justify the purchase of any new product. A comprehensive IAM solution can ease budget constraints and provide rapid ROI in several ways: Complete IAM has all of the necessary components included in a single product to reduce acquisition, ongoing maintenance and upgrade costs. If the solution is based on single-code architecture, coding and customization costs decrease. Automation immediately reduces administrative labor costs. Onboarding costs decrease when workers can begin their jobs more quickly. SailPoint offers a flexible, customizable product with a unitary code base that integrates with any provisioning system and most business operation systems. All of its out-of-the-box connectors are included, eliminating the need for multiple product purchases and configurations while scaling to meet the changing needs of federal agencies. With one interface, SailPoint s software is relatively uncomplicated to acquire, configure, implement, deploy and use. FEDERAL 5

6 SailPoint Is a Leader in Identity Management SailPoint leads the industry with its IdentityIQ product suite, which includes IdentityIQ Compliance Manager, IdentityIQ Lifecycle Manager and IdentityIQ Governance Platform. SailPoint s sole focus has been on governance and identity management since 2005, with its founders in the industry since Gartner places SailPoint as a market leader in its Magic Quadrant for Identity Governance and Administration (IGA) and mentions some vendors base their products on OEM technology from SailPoint, further highlighting SailPoint s influence on the market. SailPoint IdentityIQ Complete Identity Management SailPoint addresses the challenges federal agencies face with a full identity management suite of products that seamlessly integrate with other systems and applications. All are based on a unified governance framework that can be fully functional within months or even faster with its cloud-based SaaS IdentityNow option. IdentityIQ consists of: IdentityIQ Compliance Manager automates access certifications, policy management, access request and provisioning, password management, identity intelligence and audit reporting, particularly around FICAM and FISMA, and NIST. IdentityIQ Lifecycle Manager manages changes to access through self-service request and password management interfaces and automated lifecycle events. Its scalability is ideal for the dynamic nature of federal agencies and their workforce. IdentityIQ Governance Platform ensures the right policies are established with workflows, reporting and role modeling. It stores identity and log information in a centralized repository which can be aggregated and scaled without additional costs. adquarters oints Drive ite com UK Netherlands Germany Switzerland Australia Singapore Africa +44 (0) (0) (0) (0) Corporate Headquarters SailPoint s proprietary Four Points IAM Driveproduct suite UK gives federal +44 (0) 845 agencies the right level of protection against today s biggest Building 2, Suite 100 Netherlands +31 (0) security threats Austin, Texas while solving many of Germany the most +49 pressing (0) challenges 5434 unique to the government. Through strict Switzerland +41 (0) governance over the authentication, authorization, auditing and administration processes, federal agencies can better USA toll-free Australia Singapore mitigate cyber security risk, obtain transparency Africa +27 to 21 ease regulatory compliance, and improve operational efficiencies to achieve rapid ROI. UK Netherlands Germany Switzerland Australia Singapore Africa Corporate Headquarters Four Points Drive Building 2, Suite 100 Austin, Texas USA toll-free (0) (0) (0) (0) Corporate Headquarters Four Points Drive Building 2, Suite 100 Austin, Texas USA toll-free About SailPoint As the fastest-growing, independent identity and access management (IAM) provider, SailPoint helps hundreds of the UK +44 (0) Netherlands world s largest +31 (0) organizations securely and effectively deliver and manage user access from any device to data and Germany +49 (0) Switzerland applications +41 (0) residing in 282 the datacenter, on mobile devices, and in the cloud. The company s innovative product portfolio Australia offers customers an integrated set of core services including identity governance, provisioning, and access management Singapore delivered Africa on-premises or from the cloud (IAM-as-a-service). For more information, visit SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or services are trademarks of their respective companies