One Nation Under Guard
Securing User Identities Across State & Local Government
Underwritten by
According to a report by the Identity Theft Resource Center, nearly 170 million records were compromised last year due to data breaches involving American citizens, with 21.5 million exposed in the Office of Personnel Management alone. In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices.
In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees in May 2016. Overall, the results indicate that while state and local audiences are devoting additional resources to improving IAM practices, there is still more that can be done to stem the next wave of cyber attacks.
Research Methodology
In May 2016, GBC released a survey on identity and access management to a random sample of print and online subscribers in state and local government. 306 leaders from state and local organizations participated in the survey, 57% of whom self-identify as VP/senior level or higher. Respondents include representatives from at least 26 mission areas. For more information on respondents, please see the Respondent Profile.
Executive Summary
Overall, respondents show general confidence in IAM practices at their organization
66% of respondents are confident in their agency’s ability to ensure access to systems and data is user-appropriate, with 26% overall identifying as “very confident” on this matter. Respondents are similarly favorable when it comes to how their organization manages access privileges for citizens and third party contractors. 81% of respondents trust in the procedures their agency uses to manage access for citizens, and 78% trust in the procedures their agency uses to manage access for third party contractors.
Agencies may need to expand IAM tools, including multifactor authentication
Over half of all respondents affirm that their agency requires periodic password changes (52%) and strong password requirements (52%) to secure user access. While these provide some level of security, the growing sophistication of attacks has made multifactor authentication increasingly necessary for protecting data. However, only 1 in 10 report using hardware or software tokens as a second factor for user access, and even fewer report verifying identity through SMS (5%) or biometrics (3%). Without such additional measures, agencies remain exposed to attacks that defeat a password on its own, such as phishing or the reuse of credentials exposed in other breaches.
Top IAM challenges require strong leadership and oversight
Even though respondents are mostly confident in the processes their organizations use to ensure access is appropriate, they also cite governance and authorization as the top IAM challenges (33% and 27%, respectively) facing their organizations. Employees are less likely to cite provisioning, deprovisioning, and authenticating users as IAM challenges, perhaps because these can be construed as functional challenges, potentially treatable through automation. Governance and authorization, however, require leaders who can anticipate IAM vulnerabilities and provide critical oversight to user security.
Employee awareness and training in proper IAM practices could be improved, and many favor greater oversight and enforcement of privileged management procedures
Agency leaders also have an opportunity to address knowledge gaps in IAM practices. For example, 1 in 5 respondents are unaware of which IAM practices their organization uses, and 24% are unsure how often, if at all, their agency enforces password changes. Respondents familiar with the management of privileged accounts point to several areas for improvement, including more frequent superuser password changes and better oversight of privileged accounts. While a quarter of respondents say their organization never enforces admin password changes, 63% believe that improved oversight of privileged accounts could reduce the likelihood of a security breach.
Research Findings
Respondents are generally confident in their agency’s ability to assign appropriate access
With some reservations, respondents are generally confident in their agency’s IAM abilities. Nearly 2 out of 3 respondents (66%) are either confident or very confident in their organization’s ability to ensure access to systems and data is appropriate, in that it meets the specific user’s security status and role requirements. 26% indicate they are somewhat confident, only 7% indicate they are not confident, and 2% are unsure of their position on this issue.
Respondents’ accounts of updating measures (e.g. password changes) vary widely
When asked how frequently their organization enforces updating measures, such as password changes, to secure user access, responses are mixed. 11% say their organization enforces such updates every 30 days, 16% every 60 days, and 26% every 90 days. A further 13% say these measures occur only “once every 6 months” or “annually”. Most disconcerting is the finding that 10% have never been required to change their password, and that 24% are not sure whether they have ever been asked to. In other words, approximately 1 in 3 respondents (34%) have either never been required to update their password or have no awareness of the matter.
Governance and Access
Respondents cite governance of appropriate access as top IAM challenge
Even though employees are generally confident in their agency’s ability to ensure appropriate access, they also consider the oversight of this process (i.e. ensuring that all access rights are appropriate) to be the leading challenge (54%) facing their IAM capabilities. Similarly, authorizing what rights each user should have is the second most-cited challenge (44%), followed by privileged management (33%) in third. It’s possible that respondents regard governance and authorization as more challenging because enacting change to such processes requires greater strategic oversight and buy-in from senior leaders. Other tasks, like deprovisioning (23%) and provisioning (17%), on the other hand, are more functional in nature and potentially less challenging as they can be treated through automation.
Deprovisioning user access is faster, but also more challenging than provisioning
Interestingly, while respondents rate deprovisioning a user (i.e., removing the user’s identity and access: 14%) as slightly more challenging than provisioning a user (i.e., creating the identity and establishing access: 10%), they also report that deprovisioning takes less time. Whereas 52% of respondents say it takes less than 24 hours to deprovision a user, only 39% say the same of provisioning a new user. Over a longer horizon the picture reverses: 72% say new hires are provisioned with access in less than 4 days, while 65% say user accounts are deprovisioned in less than 4 days. Bottom line: delayed or incomplete deprovisioning is a major source of compromise, because a departed user’s credentials (or anyone who has obtained them) keep working until the account is disabled. Any period in which a terminated user retains access should be treated as unacceptable, and the gap should be measured, not assumed.
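The check implied by that bottom line is a reconciliation of the HR termination feed against the directory: every terminated employee should map to a disabled account, and the disable timestamp should fall within the agreed SLA. The following is an added example (not code from the GBC report or from One Identity) that performs that reconciliation over two constructed CSV exports; the column names (employee_id, terminated_on, enabled, disabled_on, last_logon) are assumptions about what a real HR feed and directory export would carry.

```python
"""Reconcile an HR termination export against a directory export to find
accounts that outlived their owners' employment.

Added example, not part of the GBC report. All data below is constructed;
the field names are assumptions about a real HR feed and directory export.
"""
import csv
import io
from datetime import datetime, timezone


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2016-05-04T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed HR feed: who left and when (UTC).
HR_EXPORT = """employee_id,name,terminated_on
1001,Alice Ng,2016-05-02T17:00:00Z
1002,Bob Reyes,2016-05-03T12:00:00Z
1003,Carol Ito,2016-05-01T09:00:00Z
"""

# Constructed directory export: account state at the time of the check.
DIR_EXPORT = """employee_id,account,enabled,disabled_on,last_logon
1001,ang,true,,2016-05-04T08:15:00Z
1002,breyes,false,2016-05-03T13:30:00Z,2016-05-03T11:58:00Z
1003,cito,false,2016-05-03T10:00:00Z,2016-05-02T14:20:00Z
1004,dkim,true,,2016-05-04T09:00:00Z
"""

# Constructed review time for the sample data.
CHECK_TIME = parse_ts("2016-05-04T12:00:00Z")


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_deprovisioning_gaps(hr_csv, dir_csv, now, sla_hours=24):
    """Return one finding per terminated employee whose account state is wrong.

    severity 'critical': account still enabled after termination
    severity 'high'    : disabled later than the SLA, or a logon after termination
    Accounts with no HR termination record (still employed) are ignored.
    """
    accounts = {r["employee_id"]: r for r in rows(dir_csv)}
    findings = []
    for hr in rows(hr_csv):
        acct = accounts.get(hr["employee_id"])
        if acct is None:
            continue  # no directory account to remove
        term = parse_ts(hr["terminated_on"])
        finding = {"account": acct["account"], "issues": []}
        if acct["enabled"].lower() == "true":
            hours_open = (now - term).total_seconds() / 3600
            finding["issues"].append(
                ("critical", f"still enabled {hours_open:.0f}h after termination"))
        else:
            lag = (parse_ts(acct["disabled_on"]) - term).total_seconds() / 3600
            if lag > sla_hours:
                finding["issues"].append(
                    ("high", f"disabled {lag:.0f}h after termination (SLA {sla_hours}h)"))
        # A logon after the termination time is evidence the window was used.
        if acct["last_logon"] and parse_ts(acct["last_logon"]) > term:
            finding["issues"].append(("high", "logon recorded after termination"))
        if finding["issues"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_deprovisioning_gaps(HR_EXPORT, DIR_EXPORT, CHECK_TIME):
        for severity, detail in f["issues"]:
            print(f"{severity:8} {f['account']:8} {detail}")
```

Run against the sample data it reports two accounts: the one still enabled two days after termination (and used since), and one that was disabled 49 hours late and logged on in the meantime. The account disabled within 90 minutes generates nothing, which is the state every terminated user should end up in.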
Respondents trust the procedures their organization uses to provide access to citizens and third party contractors alike
When asked whether they trust the procedures their organization has in place for managing access for citizens and end users, 81% of respondents agree or strongly agree that such procedures are trustworthy. Similarly, 78% agree or strongly agree that the procedures for managing access for third party contractors are trustworthy. Only 1% to 2% express strong distrust of how their organization manages access for either group, a sign that, overall, employees are confident in agency IAM processes for external users.
Privileged User Management
In the 2015 Cybersecurity Strategy and Implementation Plan, the U.S. Office of Management and Budget (OMB) highlights tightening policies and practices for privileged users as a method for strengthening cyber defense. Among the practices it calls for, agencies should:
- inventory and validate privileged account scope and numbers
- minimize the number of privileged users
- limit functions that can be performed when using privileged accounts
- limit the duration that privileged users can be logged in
- limit the privileged functions that can be performed using remote access
- ensure that privileged user activities are logged and regularly reviewed
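The last two items in that list (limiting session duration, and logging and regularly reviewing privileged activity) only have teeth if someone actually runs the review. The following is an added example (not code from the report, OMB or One Identity) of what such a review looks like over a constructed privileged-session log: it flags sessions exceeding a maximum duration, privileged logons from outside the internal address ranges, sessions by accounts missing from the privileged-account inventory, and sessions still open at review time. The key=value log format, the inventory and the address ranges are all constructed; a real source would be Windows Security events, sudo/auditd logs or a PAM session recorder.

```python
"""Review privileged-session logs against the OMB-style controls above.

Added example, not from the report. The log format (key=value pairs), the
privileged-account inventory and the internal address ranges are constructed.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed inventory of accounts that are *supposed* to hold privilege.
PRIVILEGED_INVENTORY = {"adm-jsmith", "adm-rlee", "svc-backup"}

# Constructed internal ranges; anything else counts as remote access.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed session log: one start and (usually) one end record per session.
LOG = """\
ts=2016-05-03T07:55:00Z host=dc01 user=adm-jsmith event=session_start sid=1 src=10.1.4.22
ts=2016-05-03T08:40:00Z host=dc01 user=adm-jsmith event=session_end sid=1 src=10.1.4.22
ts=2016-05-03T09:00:00Z host=db01 user=adm-rlee event=session_start sid=2 src=10.1.4.31
ts=2016-05-03T21:30:00Z host=db01 user=adm-rlee event=session_end sid=2 src=10.1.4.31
ts=2016-05-03T22:05:00Z host=web01 user=adm-rlee event=session_start sid=3 src=203.0.113.9
ts=2016-05-03T22:20:00Z host=web01 user=adm-rlee event=session_end sid=3 src=203.0.113.9
ts=2016-05-04T01:10:00Z host=db01 user=root2 event=session_start sid=4 src=10.1.4.50
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict (constructed log format)."""
    return dict(tok.split("=", 1) for tok in line.split())


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed time at which the review is run (sessions without an end record
# are measured up to this point).
REVIEW_TIME = parse_ts("2016-05-04T06:00:00Z")


def review_sessions(log_text, review_time, inventory=PRIVILEGED_INVENTORY, max_hours=8):
    """Return (sid, rule, detail) findings for every control violation."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = sessions.setdefault(rec["sid"], {"user": rec["user"],
                                             "host": rec["host"],
                                             "src": rec["src"]})
        s[rec["event"]] = parse_ts(rec["ts"])

    findings = []
    for sid, s in sessions.items():
        if s["user"] not in inventory:          # inventory and validate scope
            findings.append((sid, "unknown_privileged_account", s["user"]))
        if not is_internal(s["src"]):           # privileged use over remote access
            findings.append((sid, "remote_privileged_access", s["src"]))
        start, end = s.get("session_start"), s.get("session_end")
        if start is None:
            findings.append((sid, "end_without_start", s["host"]))
            continue
        duration_h = ((end or review_time) - start).total_seconds() / 3600
        if end is None:
            findings.append((sid, "session_still_open", f"{duration_h:.1f}h"))
        if duration_h > max_hours:              # limit logged-in duration
            findings.append((sid, "exceeds_max_duration",
                             f"{duration_h:.1f}h > {max_hours}h"))
    return findings


def rules_by_session(findings):
    """Group the rule names that fired per session id."""
    out = {}
    for sid, rule, _ in findings:
        out.setdefault(sid, set()).add(rule)
    return out


if __name__ == "__main__":
    for sid, rule, detail in review_sessions(LOG, REVIEW_TIME):
        print(f"session {sid}: {rule} ({detail})")
```

On the sample log the 45-minute domain-controller session passes cleanly, the 12.5-hour database session exceeds the duration limit, the web-server session from 203.0.113.9 is flagged as remote privileged access, and the root2 session is flagged twice: the account is not in the inventory, and the session is still open. Each finding maps to one of the OMB items above, which is what makes the review defensible in an audit.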
Privileged users are employees (e.g., system administrators) who have higher-level access to the administrator accounts on servers, networking devices, operating systems, applications, and/or databases that are used to install, configure, and manage these systems. A privileged user may have access to one or more of the following types of accounts:
- Local Administrative Accounts (provide access to the local host; in practice often protected by the same password on every machine in an organization)
- Privileged User Accounts (provide admin privileges on one or more systems, typically with a unique and complex password)
- Domain Administrative Accounts (provide privileged admin access across all workstations and servers within a Windows domain)
- Emergency Accounts (often called break-glass accounts; provide otherwise unprivileged users with admin access to secure systems in an emergency)
- Service Accounts (provide privileged local or domain access that an application or service uses to interact with the operating system)
- Application Accounts (used by applications to access databases, run batch jobs or scripts, or reach other applications; usually have broad access to the underlying organizational information held in those applications and databases)
“If you’re just coming in to look at data, I don’t care who you are […] We have to assume that all of our networks are compromised.”
Ann Dunkin, CIO at Environmental Protection Agency
Administrative Findings
Overall, respondents confirm agency has process in place for changing admin password
Respondents indicate negligent administrative password policies
Whereas 53% of general users report changing their passwords at least every 90 days, the statistics for administrative users, who wield far greater access and privileges, are no less concerning. Overall, 62% of respondents report that their organization changes its administrator password at least every 90 days: 22% report an update every 30 days, 13% every 60 days, and 25% every 90 days. However, 13% say the administrator password is changed only every 6 months (8%) or just once a year (5%). Most telling of all, 1 in 4 respondents (25%) report that their organization never changes its administrator passwords.
The National Institute of Standards and Technology (NIST) stresses the importance of proper administrative practice, noting that if even “a single machine is compromised, an attacker may be able to recover the password and use it to gain access to all other machines that use the shared password.” Organizations that opt for convenience by sharing one password across administrative accounts, and that fail to rotate it, therefore expose themselves to substantial risk. Of the two failings, sharing is the more serious: rotating a shared password more often only shortens the attacker’s window, while a unique credential per host confines a compromise to that host. Unique, automatically rotated local administrator passwords address the problem the NIST guidance describes; a shorter rotation interval alone does not.
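Two checks fall out of that guidance: which hosts currently share a local administrator password, and which have gone longer than the rotation interval without a change. The following is an added example (not code from the report, NIST or One Identity) that runs both checks over a constructed vault export and then rotates the offending hosts to unique random secrets. In practice the records would come from a password vault or PAM export (or, on Windows, from a LAPS-style per-host attribute); the host names, passwords and dates below are constructed.

```python
"""Detect local administrator passwords shared across hosts, find overdue
rotations, and rotate the affected hosts to unique per-host secrets.

Added example, not from the report or NIST. VAULT is a constructed stand-in
for a password vault / PAM export.
"""
import hashlib
import secrets
import string
from datetime import date

# Constructed vault export: host -> current local admin password + last rotation.
VAULT = {
    "ws-001":   {"password": "Summer2015!", "rotated_on": date(2015, 9, 1)},
    "ws-002":   {"password": "Summer2015!", "rotated_on": date(2015, 9, 1)},
    "srv-db1":  {"password": "Summer2015!", "rotated_on": date(2016, 1, 15)},
    "srv-web1": {"password": "Qm7#xLp2!wE9rTz4", "rotated_on": date(2016, 4, 20)},
}

# Constructed date on which the review is run.
TODAY = date(2016, 5, 1)


def fingerprint(password):
    """Compare secrets by digest so a shared-password report never echoes plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def shared_passwords(vault):
    """Return {fingerprint: [hosts]} for every password used on more than one host.

    Each such group is one compromise away from total loss: recovering the
    password on any member gives the attacker every other member.
    """
    groups = {}
    for host, rec in vault.items():
        groups.setdefault(fingerprint(rec["password"]), []).append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def overdue(vault, today, max_age_days=90):
    """Hosts whose local admin password is older than the rotation interval."""
    return sorted(h for h, r in vault.items()
                  if (today - r["rotated_on"]).days > max_age_days)


def new_password(length=24):
    """Random per-host secret from the OS CSPRNG (never derived from the host name)."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(vault, hosts, today):
    """Return a copy of the vault with each listed host given its own new secret."""
    updated = {h: dict(r) for h, r in vault.items()}
    for h in hosts:
        updated[h] = {"password": new_password(), "rotated_on": today}
    return updated


if __name__ == "__main__":
    for fp, hosts in shared_passwords(VAULT).items():
        print(f"shared password {fp} on: {', '.join(hosts)}")
    print("overdue rotation:", ", ".join(overdue(VAULT, TODAY)))
```

On the sample vault three of the four hosts share one password, and the same three are past the 90-day interval (one of them even though it was "rotated" in January, because the rotation reused the shared value). After rotating that set, no two hosts share a secret and nothing is overdue. Note that rotating a shared password on its own, without making it unique, would clear the second report and leave the first unchanged.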
Management and Oversight
Respondents identify delegation as most common management practice for privileged accounts
Among the management practices listed, nearly two thirds of respondents (66%) cite delegation (i.e., a least-privilege model of administrative activity in which administrators are given only the rights needed to do their job) as the technique used to manage access to privileged accounts. This is more common than alternative practices such as Active Directory bridging (38%), session audits (30%), and password vaulting (30%).
A majority of respondents favor improved oversight of privileged users to boost security
Only a small fraction of respondents claim their organization is using the NIST Cybersecurity Framework to help manage cybersecurity risks
When asked whether their organization uses the NIST Cybersecurity Framework to guide its cybersecurity risk management, 10% say they currently employ either the entire framework or part of it. Only 2% indicate their organization plans to use the framework in the future, and 3% say the framework is neither in use nor planned. A large majority of respondents (85%), however, are unaware of their organization’s position regarding the NIST framework.
“While we’re all about open data, sharing data, making it available, we [also] need to protect those systems and those types of information. There needs to be a balance between what’s open, what’s shared, and what we actually have to keep in house.”
Maria Roat, CTO at Department of Transportation
Looking Forward
Agencies should expand IAM techniques to prepare for more sophisticated threats
Although employee confidence in agency IAM capabilities is high, employee data will remain at risk for as long as agencies delay implementing IAM best practices. One area of potential investment is multifactor authentication, which verifies a user’s identity by requiring an additional factor tied to that user (e.g. SMS text, biometrics, hardware token). Policies on password requirements and periodic password updates may also need to be reinforced, especially when 1 in 10 respondents indicate their organization never enforces such updates at all and nearly 1 in 4 admit not knowing how often they take place.
Agency leaders have an opportunity to educate employees in IAM practices, including issues in privileged management
Moving forward, agencies might focus more on making sure employees are aware of the challenges and best practices in IAM, including privileged access management and administrator account policies. In light of new threats and employee concerns, IT leaders may review the merits of the various privileged management practices (e.g., delegation, Active Directory bridging), how each affects information security, and why improved oversight of these practices can reduce the likelihood of a security breach. Together, improved processes and stronger internal communication can help agencies address vulnerabilities more effectively and prevent information or access breaches.
Respondent Profile
Survey respondents are largely senior state and local leaders
Respondents represent a variety of state and local organizations
Many respondents are involved and/or familiar with IT-decision making in their organization.
Respondents hail from a wide range of mission areas.
As Government Executive Media Group's research division, Government Business Council (GBC) is dedicated to advancing the business of government through analysis, insight, and analytical independence. An extension of Government Executive's 40 years of exemplary editorial standards and commitment to the highest ethical values, GBC studies influential decision makers from across government to produce intelligence-based research and analysis.
Learn more at www.govexec.com/insights.
Report Author: Daniel Thomas
One Identity eliminates the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access. Our Identity and Access Management (IAM) solutions enhance your organization’s agility while addressing your IAM challenges in on-premises, cloud and hybrid environments.
Learn more about our identity governance, access management, and privileged management solutions at www.oneidentity.com.