Adversaries, whether nation-states, criminal, or thrill-seekers, are aggressively targeting government agencies for cyber-attacks to exfiltrate data or to disrupt critical operations.
A primary target for these attackers is Federal Identity, Credentials, and Access Management (ICAM) systems. Compromising these systems enables attackers to assume the identity of federal users. Such a breach can also allow unfettered access to government data and systems.
At the same time, the federal government is undertaking a massive transformation from on-premises to a cloud-first infrastructure. This transformation requires a radical change in how we view ICAM as it becomes the foundation for how we secure both cloud and on-premises data and applications. This article will provide a roadmap to a widely accepted approach to a cloud-based identity model.
ICAM is the set of tools, policies, and systems that an agency uses to enable the right individual to access the right resource, at the right time, for the right reason in support of federal business objectives.
The perimeter security model no longer applies. Point solutions and multiple identity stores are no longer sufficient to properly secure identity data. Federal agencies must also comply with new requirements as they upgrade their ICAM requirements as they move to the cloud. NIST Special Publication 800-63 (Digital Identity Guidelines) outlines the technical identity requirements that agencies must follow.
Effective ICAM solutions encompass the following principles:
- Zero Trust mindset
- Single Identity Model
- Least Privilege Access
- Multi-Factor Authentication
- Risk-Based Identity Analytics
- Conditional Access
Zero Trust Mindset
Assume that you have already been breached and that all access requests are hostile. This requires continually evaluating access requests to ensure they are valid.
Single Identity Repository
Leverage a single, enterprise-wide identity repository for access across your on-premises and multi-vendor cloud environments. This enables a comprehensive set of access controls across all users and a single view of user entitlements and activities. For example, organizations that already have Microsoft 365 should leverage Azure Active Directory (Azure AD) as the single identity repository. Organizations (including federal agencies) should embrace Microsoft’s Hybrid approach leveraging Azure AD as the single identity repository in the cloud.
Properly manage and enforce the principles of least privilege with governance tools such as conditional access and Privileged Identity Management (PIM).
Multi-Factor Authentication (MFA)
Enforce Multi-Factor Authentication for any user with access to your applications or data. MFA doesn’t always have to be via a phone or token. It could also leverage biometric solutions such as Windows Hello to ensure a better user experience.
Leveraging the single identity repository to perform risk-based identity analytics will enable organizations to focus security, compliance and management efforts on the identities that pose the most risk to the organization. Risk-based analytics will also allow for streamlining processes to improve the user experience and allow administrators to quickly identify security signals such as risky user sign-ins – all while reducing costs.
Leverage Conditional Access policies based on risk-based analytics to limit access. For instance, users with a managed device would get access in accordance with their entitlements, but an unmanaged device may get read-only access. Users coming from abnormal locations may have their access limited or require an additional factor to authenticate.
About Oxford Computer Group
For over a decade, we have specialized in Microsoft identity, security, and governance solutions. We have an excellent track record – we have won the Microsoft Partner of the Year award eight times and were a 2020 finalist for Microsoft’s Security System Integrator of the Year award.
Our priority is to deliver business value for our federal clients, and we do so by designing and developing innovative solutions that solve key challenges. We assess architectures and processes, and make recommendations designed to support strategic objectives. To accelerate deployment, we use our proven methodology, best practices, and a unique library of code developed during 900+ projects.
If your organization needs assistance with an ICAM solution, our expert team can help! Contact us here.
Find out how extensive compliance and management for NIST is achieved on the Azure platform here.