Improving Collaboration Through Identity Management

Driven by recent events and several White House and Congressional directives, federal agencies are focused on identity management like never before. With all this pressure, agency leaders face a difficult task ensuring secure access to agency resources by the right people, at the right time, and for the right reasons, without restricting the organization’s operational effectiveness.

Published in: News & Politics, Career

Improving Collaboration Through Identity Management

  1. 1. Improving Collaboration through Identity Management A Candid Survey of Federal Managers February 2014
  2. 2. Purpose: Driven by White House and Congressional directives such as HSPD-12, the National Strategy for Trusted Identities in Cyberspace (NSTIC), Insider Threat Task Force, and FICAM, federal agencies are focused on identity management like never before. Agency leaders face a difficult task in ensuring secure access to agency resources by the right people, at the right time, and for the right reasons, without restricting the organization’s operational effectiveness. Understanding the difficult task of balancing these two priorities, Government Business Council (GBC), Symantec, and HP undertook a study to explore the current state of identity and access management (IAM) in the federal government. Methodology: To assess the perceptions, attitudes, and experiences of federal executives regarding IAM, GBC deployed a survey to a sample of Government Executive’s online and print subscribers in December 2013. The pool of 975 respondents includes those of GS-11 through 15 grade levels and members of the Senior Executive Service in defense and civilian agencies.
  3. 3. Table of Contents: 1 Executive Summary (4); 2 Respondent Profile (6); 3 Research Findings (10): i. Current State of Federal IAM (11), ii. Security Concerns Can Limit Mission (15), iii. The Need for an Identity Ecosystem (21), iv. Public-Private Partnerships in IAM (26); 4 Final Considerations (30)
  4. 4. 1 Executive Summary
  5. 5. Executive Summary. Federal leaders are confident in identity management within their own agencies: A majority of respondents (72 percent) are confident or very confident in their agency’s ability to ensure appropriate physical access to resources. Slightly fewer (63 percent) are equally confident in their agency’s ability to ensure appropriate logical access. For many, the two are linked: 71 percent of respondents indicate that their agencies have integrated physical and logical IAM. Outside of one’s own agency, security concerns limit collaboration: Nearly all respondents interact with groups outside of their agency, but security concerns limit their ability to provide services to these groups over the Internet. While respondents view the growth of mobile devices as an opportunity to improve collaboration, security concerns have limited their uptake in federal agencies. An “Identity Ecosystem” that links an electronic identity across multiple platforms could improve collaboration and efficiency while lowering costs: The idea of a common framework for establishing trusted identities is a new concept for some federal leaders, but anticipated effects are largely positive. A majority of respondents expect an “Identity Ecosystem” to increase efficiency and confidence in using online services, among other benefits. To create an “Identity Ecosystem,” respondents are open to public-private partnerships, but security, privacy, and liability concerns will need to be addressed.
  6. 6. 2 Respondent Profile
  7. 7. Survey respondents are senior federal executives. Job Grade: SES 5%; GS/GM-15 22%; GS/GM-14 23%; GS/GM-13 28%; GS/GM-12 16%; GS/GM-11 4%; Other 2% (78% of respondents are GS/GM-13 or above). Reports/Oversees: Over 200 3%; 51-200 7%; 21-50 7%; 6-20 21%; 1-5 21%; None 41% (59% of respondents oversee at least one report). Percentage of respondents, n=975.
  8. 8. Most respondents work in operations. ▶ Most respondents work in operations, a category that includes program/project managers and logistics specialists. ▶ “Other” includes categories such as legal, research, management, technical professionals, and auditors. Job Function: Operations 32%; Human capital 12%; Engineering 11%; Finance 8%; Acquisition and procurement 6%; Legislative 5%; Information technology 5%; Facilities, fleet and real estate management 3%; Communications and telecommunications 3%; Other 16%. Percentage of respondents, n=975.
  9. 9. Most Represented Agencies: Department of Treasury; Office of Personnel Management; Department of Agriculture; Small Business Administration; Department of the Interior; United States Postal Service; Department of Transportation; Department of Homeland Security; Department of Commerce; United States Agency for International Development; General Services Administration; Nuclear Regulatory Commission; Environmental Protection Agency; Department of Health and Human Services; National Aeronautics and Space Administration; Department of Veterans Affairs; Social Security Administration; National Science Foundation; Department of Housing and Urban Development; Executive Office of the President (including OMB); Department of Energy; Department of Defense (OSD, DISA, DIA, DLA, etc.); Department of Labor; Department of Justice; United States Government Accountability Office; Department of the Army; Department of State; Other independent agency; Department of Education. Agencies listed in order of frequency.
  10. 10. 3 Research Findings
  11. 11. i. Current State of Federal IAM
  12. 12. What is Identity and Access Management? ▶ As used in this report, identity and access management (IAM) refers to a security practice that ensures access by the right people, at the right time, and for the right reasons. ▶ IAM can be used in reference to both physical access (e.g., to facilities, areas, or rooms) and logical access (e.g., to networks or files).
  13. 13. Federal leaders are confident in IAM within their own agencies. Physical access (e.g., to facilities, areas, rooms): Very confident 29%; Confident 43%; Somewhat confident 21%; Not confident 7%; Don’t know 1% (72% of respondents are very confident or confident). Logical access (e.g., to networks, files): Very confident 19%; Confident 44%; Somewhat confident 26%; Not confident 8%; Don’t know 2% (63% of respondents are very confident or confident). Percentage of respondents, n=975 and n=974, respectively.
  14. 14. For many, physical and logical access are interconnected. Has your department/agency integrated physical and logical IAM? Yes 71%; No, but considering 15%; No, not considering 5%; Don’t know 9%. ▶ A majority of respondents indicate that their agencies have integrated physical and logical IAM. ▶ Typically, integration involves using a common card or device to access the agency’s building and computer networks. Percentage of respondents, n=974.
  15. 15. ii. Security Concerns Can Limit Mission
  16. 16. 94% of federal leaders interact with external groups, especially other agencies. Groups interacted with through the course of work: Other federal departments/agencies 85%; Citizens 56%; State, local, regional government departments/agencies 56%; Industry partners 49%; Other 8%; None of the above 6%. 27% of respondents interact with other federal agencies, citizens, state/local/regional government agencies, and industry partners. Percentage of respondents, n=972.
  17. 17. Security concerns limit service provision. A majority of respondents (68 percent) indicate that security concerns limit online service provision. Even those who are currently providing services to citizens believe they are limited: 72 percent identify limits to online service provision. Survey statement: “Security concerns prevent my department/agency from offering certain services online.” Strongly disagree 9%; Disagree 22%; Agree 44%; Strongly agree 24% (68% of respondents agree or strongly agree). Percentage of respondents, n=825; “Don’t know” not included.
  18. 18. Mobile devices offer an opportunity to enhance interaction with external groups. Survey statement: “Mobile device usage presents an opportunity for my department/agency to enhance interaction with other groups.” Strongly disagree 9%; Disagree 10%; Agree 57%; Strongly agree 24% (81% of respondents agree or strongly agree). Percentage of respondents, n=863; “Don’t know” not included.
  19. 19. …but security concerns limit mobile expansion. Survey statement: “Security concerns present an obstacle to my department/agency using mobile devices to interact with other groups.” Strongly disagree 5%; Disagree 30%; Agree 46%; Strongly agree 19% (65% of respondents agree or strongly agree). Percentage of respondents, n=809; “Don’t know” not included.
  20. 20. The lack of a common framework for establishing trusted identities limits interaction with external groups. Survey statement: “The lack of a common framework for establishing trusted identities limits my department/agency’s interaction with other groups.” Strongly disagree 7%; Disagree 36%; Agree 41%; Strongly agree 16% (57% of respondents agree or strongly agree). Percentage of respondents, n=645; “Don’t know” not included.
  21. 21. iii. The Need for an “Identity Ecosystem”
  22. 22. The White House has called for the creation of an “Identity Ecosystem”. ▶ April 2011’s National Strategy for Trusted Identities in Cyberspace (NSTIC) highlights the need for an “Identity Ecosystem” where individuals and organizations leverage universally-recognized digital identities to securely interact with one another. ▶ By linking an individual’s electronic identities across multiple websites, NSTIC envisions that the “Identity Ecosystem” will provide online services in a manner that promotes confidence, privacy, choice, and innovation. Source: National Strategy for Trusted Identities in Cyberspace, April 2011.
  23. 23. Federal leaders expect largely positive effects from the creation of an “Identity Ecosystem”. Sizable numbers of respondents are unsure of the effect that an “Identity Ecosystem” will have on efficiency, confidence, cost-effectiveness, citizen service quality, privacy, help desk calls, and security (23-34 percent select “don’t know”). Of those respondents who have an opinion, most anticipate positive effects. [Chart: Expected effects of an Identity Ecosystem (Increase / No change / Decrease) on efficiency, confidence in using online services, cost-effectiveness, quality of citizen services, privacy protections, help desk calls, and security risks. Percentage of respondents, n varies; “Don’t know” not included.]
  24. 24. Respondents identify additional benefits of an “Identity Ecosystem,” including… “Better data quality.” “Streamlined security clearance processes and better tracking of individuals.” “The ability to work more effectively outside the office environment. It would give me access to sites that I need to use but are restricted if not on a government system.” “Improved intergovernmental activities.” Sampling of open-ended responses.
  25. 25. “Identity Ecosystem” may be far off. How soon do you think government could achieve an “Identity Ecosystem”? 0-1 years 2%; 2-5 years 30%; 6-10 years 24%; More than 10 years 11%; Never 3%; Don't know 30% (56% of respondents think government can achieve Identity Ecosystem in the next 10 years). Percentage of respondents, n=971.
  26. 26. iv. Public-private Partnerships in IAM
  27. 27. To reach “Identity Ecosystem,” the federal government supports public-private partnerships in IAM. “The private sector will lead the development and implementation of this Identity Ecosystem, and it will own and operate the vast majority of the services within it.” -National Strategy for Trusted Identities in Cyberspace, April 2011. "The Obama administration is committed to supporting public-private partnerships that both enhance consumer privacy and ensure the Internet remains a driver of innovation and economic growth." -Secretary of Commerce Penny Pritzker, September 2013. Sources: National Strategy for Trusted Identities in Cyberspace, April 2011; NIST.gov, “NIST Awards Grants to Improve Online Security and Privacy,” September 2013.
  28. 28. Though few respondents are opposed to public-private partnerships in IAM, many are unsure. [Chart: Opinion of public-private partnerships in IAM, by response: Support, Neither support nor oppose, Oppose, Don't know. Percentage of respondents, n=970.]
  29. 29. Security, privacy, and liability top the list of concerns about public-private partnerships in IAM. Concerns about public-private partnerships in IAM: Security 55%; Privacy 51%; Liability 50%; Changes in work/operational flows 40%; Vendor lock-in 30%; Loss of IT jobs 14%; Other 7%; Don't know 15%; None of the above 5%. Percentage of respondents, n=965.
  30. 30. 4 Final Considerations
  31. 31. When considering an IAM strategy in your agency… Make room for mobile. Though federal agencies may be late mobile adopters, citizens using government services are more and more likely to be doing so from a mobile device. As this trend continues, providing a secure, usable mobile interface for citizen services will be essential to mission effectiveness. Look to agencies already experiencing IAM success. The Federal Cloud Credential Exchange (FCCX), run by GSA and USPS, is a good look into the future of identity management. FCCX will unify six different civilian agencies using FICAM authentication standards to allow the public to securely access online services through a single sign-on. This streamlined authentication will reduce costs for participating agencies, while providing a “secure, privacy-enhancing, easy-to-use-solution.” Count all costs, including the hidden expense of forgotten passwords. Forgotten passwords are expensive. Agencies should look at how they can reduce operational costs by passing those expenses on to credential service providers—federal or commercial—who can unify services around a single sign-on. Source: USPS participating in creation of digital Federal Cloud Credential Exchange program.
  32. 32. Underwritten by HP and Symantec. About HP and Symantec: For over 20 years, HP and Symantec have delivered joint technology solutions and services that enable organizations worldwide to secure and manage their most critical information. HP integrates Symantec into security, storage, server, and client solutions, and delivers enterprise services based on market-leading Symantec solutions.
  33. 33. About GBC. Our Mission: Government Business Council (GBC), the research arm of Government Executive Media Group, is dedicated to advancing the business of government through analysis and insight. GBC partners with industry to share best practices with top government decision-makers, understanding the deep value inherent in industry’s experience engaging and supporting federal agencies. Contact: Zoe Grotophorst, Manager, Research & Strategic Insights. Tel. 202.266.7335; zgrotophorst@govexec.com; govexec.com/GBC; @GovBizCouncil
  34. 34. Improving Collaboration through Identity Management A Candid Survey of Federal Managers February 2014
