Access Risk Management for Government
Managing users’ identities and controlling their access to vital or sensitive information assets is a critical priority for government agencies and related non-government organizations (NGOs) alike.
At the Federal level, for example, there has been a significant effort over the past decade to define, enforce and manage government-wide policies concerning access rights for a wide variety of users, including employees, contractors, suppliers, and citizens.
In 2002, Congress passed the Federal Information Security Management Act (FISMA) and tasked the National Institute of Standards and Technology (NIST) with publishing standards and guidance in accordance with the law. As a result, NIST has published the following Federal Information Processing Standards (FIPS), which all federal agencies must comply with:
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
- FIPS 201, Personal Identity Verification of Federal Employees and Contractors
NIST has also published a Special Publication (SP) 800-series with recommendations that are binding on all federal agencies (other than national security programs and systems):
- Guide to Enterprise Password Management, Special Publication 800-118
- Recommended Security Controls for Federal Information Systems, Special Publication 800-53
- Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Special Publication 800-122
And, in 2004, the Homeland Security Department issued HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, which defined Federal government policies for identifying employees and others who require access to government IT assets.
At the State and Local level, there has also been a significant effort to improve the governance and management of access by both employees and outsiders to sensitive information. Most states have passed laws and regulations protecting citizen privacy rights, including broad disclosure laws. But, state and local governments have also taken steps to establish their own internal policies, processes and procedures to control access to internal IT systems.
According to the “State CIO's Top Ten Policy and Technology Priorities for 2011”, published in October 2010 by the National Association of State Chief Information Officers (NASCIO), security ranks seventh out of the top ten priority strategies, and identity and access management is the fifth highest priority in the final ranking of technology priorities.
NASCIO and Deloitte conducted a survey of state CIOs in 2010, which found that respondents ranked security as the primary factor (63 percent) influencing their IAM investments followed by operational efficiency, compliance and improved end-user experience. The survey also disclosed that 39% of breaches from within the enterprise were the result of an employee's actions (e.g., abuse of privileged access).
Government agencies of all types face a number of daunting challenges when addressing identity and access management.
They must deal with an extremely diverse population, including employees, contractors, suppliers, and citizens. Some agencies, such as the IRS, the Census Bureau, and youth programs, must also cope with seasonal hiring patterns.
Agencies vary widely in terms of the diversity of functions that they must perform, ranging from national security and defense to the delivery of healthcare and emergency relief services to citizens.
One effect of this range of missions is a very diverse collection of internal IT systems and applications, including legacy, highly customized applications; and a mix of commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) systems. And, as is often the case, these systems frequently come pre-configured with their own internal security models, which must be accounted for, and accommodated by, any externally defined identity and access management system.
And, like many commercial entities, various agencies are seriously considering moving applications to cloud-based or mobile systems, compounding the problem of enforcing security and asset protection.
However, there are clear benefits associated with designing and implementing an identity and access management strategy. They include:
- Increased security, which directly leads to a reduction in identity theft, data breaches and trust violations.
- Assuring compliance with laws, regulations, Executive Orders, standards and other mandates.
- Enhanced customer service, which translates directly into reduced service desk costs and increased taxpayer confidence in agency services.
- Elimination of redundancy through automation and consolidation of processes and workflow, with resulting reductions in the overall cost of the security infrastructure.
How Courion Helps
Courion’s Access Risk Management solutions deliver stronger security by ensuring only the right people have the right access to the right resources. Government customers who deploy Courion also significantly reduce overhead expenses and accelerate core business processes by making it much easier for a wide range of personnel and external users to manage their own identities.
Some of the Access Risk Management Suite features that government organizations rely on include:
Identify Unknown Accounts: Courion’s IdentityMap process locates user accounts on internal systems and associates those accounts with a known individual identified in a designated system of record, such as PeopleSoft HR. The initial IdentityMap scan can identify and resolve zombie accounts, which are accounts associated with someone who is no longer with the organization. Subsequent IdentityMap scans may reveal previously unknown accounts, which may indicate an attack. Courion can then alert the appropriate personnel to take remedial action.
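The account-to-identity reconciliation described above, as an added illustration rather than Courion's own IdentityMap code: each account on an internal system is matched to the HR system of record, classified as mapped, zombie (owner no longer active) or unknown (no owner, or owner id absent from HR), and a second scan is compared against the first so that only newly appearing unknown accounts raise an alert. The HR rows, system names and account names are constructed sample data.

```python
# Constructed sample data (not from any real system): HR system-of-record
# rows keyed by employee id, and account inventories from two systems.
HR_RECORDS = {
    "E1001": {"name": "A. Lee", "status": "active"},
    "E1002": {"name": "B. Ortiz", "status": "terminated"},
    "E1003": {"name": "C. Nwosu", "status": "active"},
}

# account -> owner employee id as recorded on each system (None = no owner)
SYSTEM_ACCOUNTS = {
    "erp": {"alee": "E1001", "bortiz": "E1002", "svc_batch": None},
    "fileshare": {"c.nwosu": "E1003", "tmp_admin": "E9999"},
}


def classify_accounts(hr, systems):
    """Map each account to an HR identity and classify it.

    'mapped'  - owner exists in HR and is active
    'zombie'  - owner exists in HR but is no longer with the organization
    'unknown' - no owner attribute, or owner id absent from the system of record
    """
    result = {}
    for system, accounts in systems.items():
        for account, owner in accounts.items():
            key = f"{system}:{account}"
            person = hr.get(owner) if owner else None
            if person is None:
                result[key] = "unknown"
            elif person["status"] != "active":
                result[key] = "zombie"
            else:
                result[key] = "mapped"
    return result


def new_unknown_accounts(previous_scan, current_scan):
    """Unknown accounts present now that were not unknown in the prior scan.

    Unknown accounts already known from the baseline are assumed to have been
    reviewed; only newly appearing ones are worth an alert.
    """
    prev_unknown = {k for k, v in previous_scan.items() if v == "unknown"}
    return sorted(k for k, v in current_scan.items()
                  if v == "unknown" and k not in prev_unknown)
```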
Access Certification: Courion ComplianceCourier™ is used by line-of-business managers, security professionals, or IT administrators to review access rights of users they supervise and certify that access complies with policy. When a user’s access rights are out of compliance with policy or industry regulations, ComplianceCourier provides a range of options to block or restrict unauthorized access. Audit tracking capabilities also make compliance reporting and analysis faster, easier and cheaper.
Protect Sensitive Data: Courion’s Sensitive Data Manager module works in conjunction with industry-leading data loss prevention (DLP) technologies to verify that access is not being misused to cover up illegal or unethical activities. Integration with DLP technologies enables your organization to find sensitive patient or employee data, identify who has access to that data, determine how they obtained that access, and correct access that is inconsistent with the individual’s business role.
Identify Suspicious Activity: Courion’s User Activity Manager module leverages leading security incident and event management (SIEM) technologies to perform deep analysis of prior user activity. Integration with SIEM technologies enables you to identify patterns of suspicious behavior – after-hours access, large data downloads, access from a previously unknown account, etc. – captured in system log files, and combine that data with information concerning the user engaged in that behavior, such as name, title, department, manager, location, etc. You can then determine if the individual’s behavior is consistent with the needs of the business, and take the appropriate steps to terminate access to key applications if it is not.
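The pattern matching and identity enrichment described above, as an added example that is not Courion's code: constructed syslog-style lines are parsed, flagged for after-hours logins, large downloads and accounts missing from the directory, and each finding is joined with the user's name, title, department and manager. The log format, the business-hours window and the download threshold are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines; the key=value layout is assumed, not a product format
LOG_LINES = [
    "2011-03-14T09:12:01 host=fs01 user=alee action=login",
    "2011-03-14T23:41:55 host=fs01 user=alee action=login",
    "2011-03-14T10:05:30 host=fs01 user=cnwosu action=download bytes=734003200",
    "2011-03-14T11:22:10 host=erp1 user=tmp_admin action=login",
]

# Constructed identity directory used to enrich findings
DIRECTORY = {
    "alee": {"name": "A. Lee", "title": "Analyst", "department": "Finance",
             "manager": "D. Park", "location": "HQ"},
    "cnwosu": {"name": "C. Nwosu", "title": "Clerk", "department": "Records",
               "manager": "D. Park", "location": "Annex"},
}

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"action=(?P<action>\S+)(?: bytes=(?P<bytes>\d+))?")
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time; assumed policy
LARGE_DOWNLOAD_BYTES = 500 * 1024**2   # 500 MiB; assumed threshold


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["bytes"] = int(ev["bytes"]) if ev["bytes"] else 0
    return ev


def find_suspicious(lines, directory):
    """Return findings for events matching any suspicious pattern, enriched
    with directory data so a reviewer can judge them against business need."""
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        reasons = []
        if ev["user"] not in directory:
            reasons.append("unknown-account")
        if ev["action"] == "login" and ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after-hours")
        if ev["bytes"] >= LARGE_DOWNLOAD_BYTES:
            reasons.append("large-download")
        if reasons:
            findings.append({"user": ev["user"], "host": ev["host"],
                             "time": ev["ts"].isoformat(), "reasons": reasons,
                             "identity": directory.get(ev["user"])})
    return findings
```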
Manage Employee Access Rights: Some agencies must cope with high employee turnover and meet the challenge of providing new employees with access to the systems they require to be productive on Day One, and automatically removing their access when they leave the organization. They use Courion’s RoleCourier® solution to manage the role definition process, which ensures that users within a particular role are automatically granted the minimum access rights they require to be productive. AccountCourier® then automates the process of account creation and termination, using either pre-defined roles, or enforcing the existing access request and authorization process your agency already uses. These solutions ensure that users have the appropriate access rights, enforce separation of duties policies, and significantly reduce the time, effort and cost of managing employee access rights.
Secure Passwords: Courion’s PasswordCourier® reduces potential access vulnerabilities by enforcing strong password policies, while also dramatically reducing costs associated with help desk calls because of its secure self-service password reset capability.
Contact Courion today to learn more about how the following government organizations have benefited from Courion’s Access Risk Management solutions:
- US Federal Government: Internal Revenue Service, Federal Aviation Agency, Federal Deposit Insurance Corp., Office of Personnel Management, Defense Intelligence Agency.
- Non-US Agencies: Government of Ontario, Midlands Police (UK), HM Revenue Service (UK)