As awareness of insider threats — both malicious and accidental — continues to rise, the identity, credential and access management (ICAM) side of cybersecurity has gained increased focus. As civilian agencies get a more comprehensive view of their security posture under the first phase of the Continuous Diagnostics and Mitigation (CDM) program, Phase II will center on who has access to those systems and monitoring where they go in the network once inside.

Phase II of CDM, "Least privilege and infrastructure integrity," has five focus areas, four of which — access and control management; security-related behavior management; credentials and authentication management; and privileges — relate directly to identity and access management. The fifth area, boundary protection, sets up Phase III.

"This was a new space until Target, JPMorgan, Snowden and the rest happened," said Ken Ammon, chief strategy officer at Xceedium. "In a six- to eight-month window we've seen this become a critical part of cybersecurity. The attacks that are succeeding are based in this area."

Initiatives like Federal Identity, Credential and Access Management, the National Strategy for Trusted Identities in Cyberspace and a recent executive order on "Improving the security of consumer financial transactions" have agencies thinking about user access and privileges. However, few are making the connection between managing access and continuous monitoring.

"In tracking Phase II, we saw this intersection with other programs, such as PIV [personal identity verification] and CAC [common access cards]," Ammon said, noting that he was recently at a forum discussing the overlap with federal managers. "As they described what they wanted for TRUST [one of the five Phase II focus areas], they described ICAM, but didn't connect the two in the documents."

If security managers don't have an integrated view of their systems, who should have access and what they should be allowed to do, they can't properly measure their network security.

The CDM program in its entirety is "looking to ensure that they can adequately call out what the defined state is, then report from deviations on that defined state," Ammon said. If the two security systems are not connected, that won't be possible.

"Most federal organizations have been attacking [the monitoring and inventory] problem for the last 15 years now," said Rob Roy, federal CTO at Hewlett-Packard. "Phase II is the area of people — where do people present a threat to organizations."

Along with PIV cards, CAC and other forms of multifactor authentication, the management side of ICAM must include a watchful eye on human behavior.

"You have to manage what they have access to — who it is and control where they can go," Roy said. "But you also have to monitor and make sure the policies are being followed."

Using unauthorized or outdated credentials, using someone else's credentials, or accessing an open server that should have been secured are all forms of cyber intrusion, whether malicious in intent or merely a mistake.

No matter the reason, a secure system must be able to mitigate any risk from such an intrusion in real time.

A strong ICAM system should have "the ability to automate and shut down or quarantine a user" that wanders outside their privilege zone, Roy said.

Unlike other forms of cybersecurity, identity and access control "is not a scale of 1-10 of risk — it's binary," according to Ammon. "Scoring of this risk management is black and white," either a user should have access or they shouldn't.

Also unlike Phase I, the technology around identity management tends to be less familiar.

"In Phase I, the technology is already known or already in place," Ammon said. "In Phase II, it's a high-demand security issue and in some cases new technology."

Along with software that tracks user privileges through the network, technology controlling the initial entry point is advancing, as well.

Areas of innovation center on biometrics (use of fingerprints, retinal scans or other biological identifiers), device authorization (using encryption to certify the device, as well as the user), and split key management (similar to a safety deposit box at a bank, where the service provider holds half the encryption key and the user maintains the other half).

CDM program managers are finalizing the requirements for Phase II now, according to Jim Piche, DHS group manager at Federal Systems Integration and Management at GSA. Once set, the existing blanket purchase agreements (BPAs) will be modified to include the new tools, likely by the end of fiscal 2015.

"The companies that hold the BPAs have already proved capabilities with integrators across all of the tool functional areas, so now it's just about adding the discrete tools," Piche said during a panel discussion in October.

"Once DHS adds the Phase II tools, that doesn't mean we've stopped with Phase I," Piche added. "The life of the BPA is intended to add these three sets of tools in these phases and have them available to anyone at any time."
