Identity, Credentialing and Access Management (ICAM) in a Unified Network
The Army is unifying its existing strategic, operational, and tactical networks under the concept of Unified Network Operations (UNO). The goal is to get the right data, at the right time, to the right warfighter, from Army forces at the lowest tactical echelon up to Combatant Commands, joint forces, and allies.
Army leadership continually stresses the importance of UNO to the Army's ability to fight the next war. At a recent AFCEA Pacific Northwest luncheon, LTG Xavier Brunson, Commanding General of I Corps, and Dr. Raj Iyer, Army CIO, emphasized that what we do between wars to prepare for the next one is critical to the success of the mission.
"Our potential adversaries' threats continue to increase in number, degree of complexity, and level of physical and technical damage they can inflict. The Unified Network gives the Army the ability to operate in a highly contested and congested operational environment with speed and at a global range that enables the decision dominance commanders need to maintain overmatch." – LTG John Morrison Jr., Deputy Chief of Staff, G-6.
To reach the goal of a unified network, the Army will need a strong Identity, Credentialing, and Access Management (ICAM) program. Today, the Army's ICAM program does not provide the capabilities needed to enable true UNO.
Dr. Raj Iyer says, "data is the new ammunition." By that analogy, a decentralized ICAM model is an uncoordinated, poorly integrated logistics operation that delivers ammunition late and in insufficient quantities to the warfighter.
The implications of a poorly managed ICAM program are clear: failing to give commanders the right data at the right time could mean losing the next war and taking unnecessary casualties. Less obvious is the personal risk to U.S. service members whose identities are compromised in the resulting breaches. Microsoft's Vishal Amin has written a personal account of the impact of a compromised identity in the military.
Successfully implementing a single, unified network that securely provides warfighters with the right data at the right time needs to be a key focus for us so we can take the best advantage of this time between wars.
Current State of Army ICAM
The Army recognizes that its current ICAM model does not provide the capabilities needed for true UNO. Historically, the Army's ICAM weaknesses have shown up in four areas:
- Manual Processes
- Core governance capabilities
- Analytical capabilities
- External (guest) access
Efficiency and security problems arise when installations and units each run their own identity stores, their own ICAM processes and procedures, and their own decentralized access management. Issues include:
- Potentially critical delays in getting access to relevant data as units are deployed around the world
- Huge inefficiencies, with a significant amount of labor dedicated to developing and managing multiple ICAM systems, processes, and procedures across the Army
- Slow and inefficient in- and out-processing
- Different logins for different locations and/or applications
The heavy reliance on manual processes, and on people to perform mundane, repetitive tasks, significantly slows the granting of access to data and applications and introduces errors. This is especially acute in forward-deployed areas, where timely access to critical data is key, the people to perform these tasks are hard to find, and those people could instead be focused on more valuable work.
Manual processes also create the risk that user accounts remain active after they are no longer needed and that users keep privileges their current role no longer justifies. Every dormant account and every stale privilege is an additional path for an attacker or insider: a forgotten account is a credential nobody is watching, and an over-privileged one turns a single compromise into much broader access.
Core Governance Capabilities
Corporate America has learned how important identity governance and accurate resource access are to improving security posture and compliance. These solutions are commonly implemented in the corporate world, and the Army can leverage those lessons as it implements the same processes.
There are some fairly simple identity governance processes that can significantly reduce the possibility of compromise or insider risk, including:
- Access Certification
- Separation of Duties
- Role-Based / Attribute-Based Access Control (RBAC/ABAC)
- Access Request
Access Certification is the periodic review of user access by the appropriate person, usually a supervisor or application owner. It ensures that access reflects current mission needs, that users do not hold excessive privileges, and that defunct accounts are deprovisioned promptly.
Separation of Duties ensures that users are not granted combinations of roles that together pose a risk, or are granted them only with specific approval. The classic example: no single user should be able to create a vendor, enter a purchase order, AND print checks, because that combination lets one person pay a fictitious vendor without anyone else in the loop. There are many other examples depending on the specific mission and applications.
Role-Based and Attribute-Based Access Control automatically grant access based on a person's role or on specific attributes of their record. For instance, granting everyone in the battalion S-3 access to a SharePoint site (a role), or including everyone assigned to a specific post in that post's emergency distribution list (an attribute).
Access Requests let a user request access to a resource on a self-service basis. The request is routed to the appropriate approver and automatically provisioned once approved, or canceled if denied. This significantly speeds up granting users access to data and applications while ensuring the proper approvals are recorded.
ICAM analytical capabilities are woefully lacking in the Army. Decision makers need to know who has access to which applications and what access users hold across the Army, and they need to analyze that access against the risk profile of the user.
For example, a user holding access to applications not associated with their role should raise a red flag, as should access to data that was never properly approved. Today we do not provide this capability.
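The governance processes and analytics red flags described above (RBAC/ABAC baselines, separation of duties, access certification, and flagging access that is outside a role or never approved) as an added Python example. This is illustrative code written for this page, not code from the original article or from any Army or vendor ICAM system; the roles, entitlement names, attribute rules, users, ticket numbers and dates are constructed sample data.

```python
"""Identity-governance checks over a small, constructed entitlement inventory:
RBAC/ABAC baselines, separation-of-duties conflicts, unapproved out-of-role
access and stale accounts, rolled into an access-certification report.
All roles, entitlements, users, tickets and dates below are hypothetical."""
from dataclasses import dataclass, field
from datetime import date

# RBAC: entitlements every holder of a role should receive automatically.
ROLE_BASELINE = {
    "S3_OPS": {"ops_sharepoint", "mission_planner"},
    "S4_LOG": {"supply_system", "purchase_orders"},
    "FINANCE": {"vendor_master", "print_checks"},
}

# ABAC: predicate over user attributes -> entitlement granted when it holds.
ATTRIBUTE_RULES = [
    (lambda attrs: attrs.get("post") == "POST_A", "post_a_emergency_dl"),
    (lambda attrs: attrs.get("clearance") == "TS", "ts_reporting"),
]

# Separation of duties: holding every entitlement in a set is a conflict.
SOD_CONFLICTS = [
    frozenset({"vendor_master", "purchase_orders"}),
    frozenset({"purchase_orders", "print_checks"}),
]

REVIEW_DATE = date(2024, 6, 1)  # day the certification campaign runs


@dataclass
class User:
    uid: str
    role: str
    attributes: dict
    entitlements: set
    last_activity: date
    # entitlement -> access-request ticket that approved it (outside baseline)
    approvals: dict = field(default_factory=dict)


def expected_entitlements(user):
    """Access the RBAC/ABAC rules say this user should hold automatically."""
    expected = set(ROLE_BASELINE.get(user.role, set()))
    for predicate, entitlement in ATTRIBUTE_RULES:
        if predicate(user.attributes):
            expected.add(entitlement)
    return expected


def sod_violations(user):
    """Toxic combinations the user currently holds in full (approved or not)."""
    return [c for c in SOD_CONFLICTS if c <= user.entitlements]


def unapproved_out_of_role(user):
    """Access outside the baseline with no approved request behind it."""
    extra = user.entitlements - expected_entitlements(user)
    return {e for e in extra if e not in user.approvals}


def missing_baseline(user):
    """Baseline access never provisioned: the gap manual onboarding leaves."""
    return expected_entitlements(user) - user.entitlements


def is_stale(user, today=REVIEW_DATE, max_idle_days=90):
    """True when the account has sat idle past the deprovisioning threshold."""
    return (today - user.last_activity).days > max_idle_days


def certification_report(users, today=REVIEW_DATE):
    """Findings a supervisor/app owner must act on: (uid, finding_type, detail)."""
    findings = []
    for u in users:
        if is_stale(u, today):
            findings.append((u.uid, "stale_account", None))
        for conflict in sod_violations(u):
            findings.append((u.uid, "sod_conflict", tuple(sorted(conflict))))
        for e in sorted(unapproved_out_of_role(u)):
            findings.append((u.uid, "unapproved_access", e))
        for e in sorted(missing_baseline(u)):
            findings.append((u.uid, "missing_baseline", e))
    return findings


# Constructed sample inventory (not real users or systems).
SAMPLE_USERS = [
    # Clean: exactly the RBAC + ABAC baseline, recently active.
    User("alpha", "S3_OPS", {"post": "POST_A"},
         {"ops_sharepoint", "mission_planner", "post_a_emergency_dl"},
         date(2024, 5, 20)),
    # Hand-granted print_checks with no request: SoD conflict + unapproved.
    User("bravo", "S4_LOG", {"post": "POST_B"},
         {"supply_system", "purchase_orders", "print_checks"},
         date(2024, 5, 28)),
    # purchase_orders was approved by ticket; approval does not cure SoD.
    User("charlie", "FINANCE", {"clearance": "TS"},
         {"vendor_master", "print_checks", "purchase_orders", "ts_reporting"},
         date(2024, 5, 30), approvals={"purchase_orders": "REQ-1042"}),
    # Idle for months and never fully provisioned after arrival.
    User("delta", "S3_OPS", {"post": "POST_A"}, {"ops_sharepoint"},
         date(2023, 10, 1)),
]

if __name__ == "__main__":
    for finding in certification_report(SAMPLE_USERS):
        print(*finding)
```

Two design points worth noting. An approved access request (charlie's ticket) clears the "unapproved access" flag but does not clear the separation-of-duties finding, because the conflict is a property of the combination, not of any single grant. And the report surfaces under-provisioning (delta's missing baseline) alongside over-provisioning, since the same manual process that leaves stale privileges behind also leaves deployed users without the access their role entitles them to.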
We fight as a joint force and usually alongside allied nations, so enabling access for users external to the Army is key to the success of combat operations. Historically, we have relied on separate networks called Mission Partner Environments (MPE) to give non-Army users access. This needs to change. It is extremely difficult to provide the right data at the right time to commanders in a joint/allied environment when they must reach across multiple networks to gather the data they need to make decisions. We need to give non-Army users properly controlled, secure access to a single, unified network.
What Needs to be Done
From an ICAM perspective, there are immediate actions the Army should take in this period between wars. As noted above, LTG Brunson and Dr. Iyer emphasized taking advantage of this time to prepare for the next conflict. From my perspective, the following capabilities should be prioritized.
Centralize ICAM Management
Centralized ICAM management does not mean centralized control. It means there is a centralized identity store, infrastructure, and capabilities that warfighters can leverage when they deploy to ensure that they have the right ammunition (data) at the right time to make the best decisions. Access policies and decisions would still be made at the appropriate levels based on the needs of the warfighter.
We need to automate as much of the ICAM process as possible. As soon as a decision maker makes an ICAM decision, the downstream processes should implement it automatically. This will significantly speed access to data and applications and reduce the potential for manual error. We should also automate the removal of access based on business rules established by the warfighters.
Core Governance Capabilities
We need to give warfighters the capability to effectively implement the following:
- Access Certification
- Separation of Duties
- Role-Based / Attribute-Based Access Control (RBAC/ABAC)
- Access Request
We need to provide warfighters the ICAM information (i.e., data) that lets them execute their missions and understand the risk of any ICAM decision. We cannot dictate ICAM policies and procedures, but we can provide the infrastructure and capabilities that let warfighters tailor the data and reports to their specific mission.
We need to give non-Army users secure access to a single unified network. These users include joint elements, allied forces, and even local government agencies. Warfighters continually coordinate with joint elements and allied forces, and we need to give those partners access to critical data and applications in the same way they interact with other Army elements. We even have use cases where local government officials need access to Army applications to request assistance.
This is not a technology issue. It is a leadership issue. We need to make the best use of this time between wars to provide the best ICAM support we can to the warfighter. The technology exists and the corporate world has leveraged it to improve business outcomes, improve security, and enable compliance with laws and regulations. We need to take what the corporate world has learned, tailor it to the Army mission, and do our part to prepare for the next war.
We also need to let warfighters use these capabilities in whatever way best fits their mission and needs, rather than dictating a single, one-size-fits-all approach for every theater.
Andy Shell, LTC, USAR (ret.), is Vice President of Oxford Computer Group's Federal practice. He served 30 years as a Signal Officer focused on cyber intelligence and is a veteran of Desert Storm, Operation Iraqi Freedom, and Operation Enduring Freedom. He has spent the last 13 years helping corporations and government agencies implement effective Identity, Credentialing, and Access Management (ICAM) so that decision-makers have the proper access to data while maintaining effective security controls.