By Jill R. Aitoro
November 1, 2007
Controlling who gains access to what on computer networks is vitally
important and devilishly hard. Success stories can help.
In February 2001, the FBI arrested one of its own veteran
counterintelligence agents, Robert Philip Hanssen, for providing
classified information to Russia and the former Soviet Union. Hanssen
gave up more than 6,000 pages of documents, most of which he pulled from
the FBI's own computers.
Such an audacious breach might seem impossible in this post-Sept. 11 era
of system lockdown, but the conditions that permitted it persist.
The FBI continues to have major weaknesses in its critical computer
network. It still fails to properly identify and authenticate users or
consistently configure network devices and services to prevent
unauthorized insider access, the Government Accountability Office
reported in April (GAO-07-368).
And the FBI isn't the only agency with vulnerable networks.
GAO also found in September that the Veterans Affairs Department, which
reported two high-profile security breaches in 2006, has not fully
completed 20 of 22 IT security recommendations that its inspector
general made a year ago. VA failed to adequately restrict access to
data, networks and facilities or to ensure that only authorized changes
and updates to computer programs were made, according to the report.
The same story has played out across government: The absence of proper
security processes and technologies allows computer users to wander
through agency networks virtually unimpeded. Most inside users have no
malicious intent; a few have interests that range from criminal to
prurient. So far, few have had espionage in mind. But the inability to
control access to sensitive data creates holes for nasty insiders and
outsiders to slip through. So much so that Input, a Reston, Va.-based
research firm, expects federal agencies will spend nearly $350 million
on technology to manage identity and access in 2008.
In the first six months of 2007, 26 percent of all data breaches with
the potential for identity theft hit the government sector. It was
second only to the retail sector in the number of identities exposed on
its systems, security vendor Symantec found.
The cause of such lapses isn't a lack of proper technology. Rather,
"agencies have to start looking at programs holistically," says Karen
Evans, administrator of e-government and information technology at the
Office of Management and Budget. "They should be looking at how they can
reduce risk and still allow people to access information and services."
Homeland Security Presidential Directive 12, issued by President Bush in
2004, has raised awareness of the importance of identity management.
HSPD 12 requires an identity credential for every federal employee and
contractor who logs on to a government network. Though it will control
who can log on, once a user is online, the ID does little to regulate
access to the drives, files and databases in the network, critics say.
It's like having a security guard check visitors' identities at a
building entrance, but failing to control where people go once inside.
Government networks are notoriously complex and unknown holes are hidden
throughout. The Information Systems Security Line of Business, the
e-authentication presidential initiative and the 2002 Federal
Information Security Management Act provide hints about how to control
access once users are logged into a system, but agencies must determine
the best approach.
Some have rolled out their own initiatives to safeguard data. Examining
these efforts provides tips and guidance for other agencies. Here's a
look at three lessons learned by agencies trying to manage identities to
control where users go on a network.
Lesson 1: Consolidate
Traditionally, access controls exist at the level of individual software
applications, such as a Web portal built on Oracle's business software
suite. But application-based controls create a fragmented environment
that is a nightmare to manage and can open numerous doors for
unauthorized users.
"Agencies have a patchwork of processes and technologies that they have
put in place over many years to provide access control to their critical
data," says David Troy, the identity management solutions practice
leader at EDS, an IT systems integrator headquartered in Plano, Texas.
Without centralized management, changes in access rights have to be
entered individually into each software application and security tool on
the system. "The result is very lengthy delays for providing or changing
access rights, and an inability to remove those rights in a timely
fashion, if at all."
By taking a centralized approach to identity management, Troy says,
agencies can automate and accelerate the process. The Housing and Urban
Development Department offers an example. Until this year, the
department relied on e-mail to inform managers which employees or
contractors had access to which networks, files and databases. Because
neither workflow procedures nor approval processes were automated, the
system was unwieldy and imprecise. "It was difficult to get any real
picture of where accesses were because processes were all over the map,"
says Patrick Howell, HUD's chief information security officer.
The department hired EDS to develop an automated identity management
system, now dubbed the Centralized HUD Account Management Process. EDS,
relying on Unicenter Service Desk from Islandia, N.Y.-based business
software vendor CA, developed a single entry point for managers to
submit new accounts, modify existing accounts, and approve or revoke
access to HUD business applications. The system allows the department to
ensure that only authorized users gain access to sensitive information.
When a new employee or contractor is hired, a user ID must be generated
and stored in the Active Directory record and e-mail account. A manager
routes a request for access to a security officer in charge of the
specific application that the employee or contractor needs. No steps can
be skipped in the routing process, and each task manager's actions can
be audited to check who approved what when. The audit allows for strict
An employee or contractor with an account can get access rights to
another area on one of HUD's networks only by logging on to the HUD
intranet, entering data about his or her role and explaining why access
is needed. If the request is approved, a custom work order is generated.
"There has to be a system to help manage the huge number of systems and
users and the continual churning in rights and levels of access
required. Without that system, you just continuously chase after
problems," Howell says.
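To make the routing rules concrete, here is an added example (not HUD's, EDS's or CA's code) modelling the request flow described above: a request must state why access is needed, only the security officer for that specific application may approve it, provisioning cannot skip the approval step, and every action, allowed or denied, is recorded with who did what and when. The officer names and application names are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample mapping of each application to its security officer.
# Names are hypothetical, not HUD's real systems or staff.
APP_SECURITY_OFFICERS = {"grants-db": "officer.grants", "payroll": "officer.payroll"}


@dataclass
class AccessRequest:
    requester: str
    application: str
    role: str
    justification: str
    step: str = "submitted"          # submitted -> approved -> work_order
    audit: list = field(default_factory=list)

    def _log(self, actor, action):
        # Every action, allowed or denied, is stamped with who, what and when.
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action))

    def approve(self, actor):
        """Only the officer in charge of this specific application may approve."""
        if self.step != "submitted":
            raise ValueError(f"request already {self.step}")
        if actor != APP_SECURITY_OFFICERS.get(self.application):
            self._log(actor, "DENIED: not the security officer for " + self.application)
            raise PermissionError(actor)
        self.step = "approved"
        self._log(actor, f"approved {self.role} on {self.application}")

    def issue_work_order(self, actor):
        """Provisioning cannot skip the approval step."""
        if self.step != "approved":
            self._log(actor, "DENIED: no approval on file")
            raise PermissionError("approval required before provisioning")
        self.step = "work_order"
        self._log(actor, "work order issued")
        return f"WO:{self.requester}:{self.application}:{self.role}"


def submit_request(requester, application, role, justification):
    """Single entry point: a request must name a role and explain why it is needed."""
    if not justification.strip():
        raise ValueError("justification is required")
    req = AccessRequest(requester, application, role, justification)
    req._log(requester, "submitted: " + justification)
    return req


def approvals(req):
    """Answer 'who approved what, when' straight from the audit trail."""
    return [entry for entry in req.audit if entry[2].startswith("approved")]
```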
Lesson 2: Train, Train, Train
Identity management means more than a smart card standard for entering
buildings and networks. It also includes detailed policy and oversight
to enhance collaboration among employees and contractors within and
The goal is a secure validation process that makes it easy for users to
move through a network to quickly access information. But agencies'
disparate systems and requirements frequently make negotiating networks
arduous and complicated. For example, one agency might define a Top
Secret security clearance differently from another, making it difficult
to clearly specify in a user's profile where he or she is permitted to
go within a network.
"If there are three entities that have to speak to one another, they
need to bring the network to the lowest common denominator in terms of
access," says Ray Bjorklund, chief knowledge officer at McLean,
Va.-based market research firm Federal Sources. "But what if that
impacts the success of the collaboration [because] classified
information is suddenly not available? Those are the types of issues
that are holding up progress. The 'need to know' issue comes into play.
How do you deal with policy and the cultural change?"
That's the quandary the Health and Human Services Department faces. HHS
must share data not only within the department and with other agencies,
but also with private health care organizations. In May 2001, Jared
Adair, then deputy chief information officer of the Health Care
Financing Administration (now the Centers for Medicare and Medicaid
Services), told Congress about the challenges Medicare faced.
"By law, Medicare fee-for-service claims are processed by about 50
private sector insurance companies that each have their own business
processes and variations in the use of Medicare claims processing
software, which we are responsible for overseeing," she said. "From a
technology standpoint, such decentralization requires that we transmit
data with contractors to ensure that we bring together up-to-date
information on eligibility, enrollment, deductibles, utilization and
other potential insurance payers. We also must share eligibility and
managed care enrollment data with the approximately 540 managed care
plans providing services to Medicare beneficiaries."
To balance the need for access with the conflicting need to secure data,
CMS developed custom training tools for managing who can see and use
data and ensuring that government personnel and business partners
followed proper procedures. Users must participate in computer-based
training when initially issued a CMS user ID and then every year when
their IDs are certified.
The CMS Information Security Program policy governs operation and
safeguarding of information systems; the Business Partners System
Security Manual addresses information security for those in the private
sector. Ongoing program memos also provide day-to-day operating
instructions, policies and procedures to ensure everyone follows proper
Lesson 3: Develop in Phases
Methods of identity management are almost infinitely variable. Some
require two-factor authentication with a common access card and personal
ID number. Others require a biometric iris scan. The frequency with
which the system checks digital certificates - the blocks of data used
to uniquely identify people over networks - might be standardized across
an agency or managed by the group assigned to a specific area on the
network or even at the employee level.
IT managers must figure out how to manage such details and be willing to
adjust along the way. For example, the Defense Department used to save
all revoked employee certificates in a database application against
which the network could check new users. As the list grew, so did the
demand for bandwidth. With help from contractor BearingPoint, Defense
moved to online certificate verification, easing the burden on the
"HSPD 12 set a lowest common denominator - a background check tied to a
credential or identity," says Gordon Hannah, managing director of the
Public Services Security and Identity Management Group at BearingPoint,
an IT consultancy based in McLean, Va. "That establishes a baseline
level of trust. With the technical capability there, policy becomes the
bigger issue. Agencies need to think in terms of a phased [rollout] with
solid change management principles. At the end of the day, this is a
fairly large undertaking that touches everyone."
Defense issued smart cards over three years, followed by a phased
approach that started with digital signatures on e-mail. The digital
signatures then could be used as master keys for gaining access to other
applications on the network and encrypting data sent over the Internet.
Controls on the back end were then able to establish groups with common
attributes. Defense will take a similarly gradual approach to adopting
HSPD 12 IDs, issuing replacement cards to employees only when the ones
they hold expire. That allows Defense to transfer and supplement data
maintained on the cards in installments. Iris scans and fingerprints are
among the additional identifiers that Defense expects to store on HSPD
12 smart cards.
Similarly, the Navy implemented identity management with single sign-on
capability that allows individuals to access multiple computer platforms
and applications after being authenticated once. The department first
rolled out single sign-on to the Space and Naval Warfare Systems
Command, which manages Navy IT systems, to improve secure communication
between ships and shore bases. The Navy now is extending single sign-on
through the Navy Knowledge Online Web site, which serves more than
480,000 officers and enlisted personnel.
The step-by-step approach was born of caution, says Robert Carey, the
Navy's chief information officer. "The larger issue is not getting
liquored up about cool technology, but [instead] making sure it
adequately meets the need of the stated requirement." ID managers also
shouldn't lose sight of the limitations of the current system in their
zeal to implant new methods, he says.
Identity management is complicated. Implementation should be gradual and
strategic, moving from application to application to determine the
sensitivity of the information in each, and person by person to
determine what information needs to be made available to whom. In the
long run, OMB's Evans says, agencies should weigh what they're trying to
accomplish against the level of risk they're willing to manage.