Government Business Council

One Nation Under Guard

Securing User Identities Across State & Local Government


Underwritten by

 

According to a report by the Identity Theft Resource Center, nearly 170 million records were compromised last year in data breaches involving American citizens, 21.5 million of them in the Office of Personnel Management breach alone. In 2016, agencies can expect even more sophisticated threats, making it all the more imperative that they enforce proper identity and access management (IAM) practices.

In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees in May 2016. Overall, the results indicate that while state and local agencies are devoting additional resources to improving IAM practices, there is still more that can be done to stem the next wave of cyber attacks.

 

Research Methodology

In May 2016, GBC released a survey on identity and access management to a random sample of print and online subscribers in state and local government. 306 leaders from state and local organizations participated in the survey, 57% of whom self-identify as VP/senior level or higher. Respondents include representatives from at least 26 mission areas. For more information on respondents, please see the Respondent Profile.


Executive Summary

 

Overall, respondents show general confidence in IAM practices at their organization

66% of respondents are confident in their agency’s ability to ensure access to systems and data is user-appropriate, with 26% overall identifying as “very confident” on this matter. Respondents are similarly favorable when it comes to how their organization manages access privileges for citizens and third party contractors. 81% of respondents trust in the procedures their agency uses to manage access for citizens, and 78% trust in the procedures their agency uses to manage access for third party contractors.

 

Agencies may need to expand IAM tools, including multifactor authentication

Over half of all respondents say their agency requires periodic password changes (52%) and strong passwords (52%) to secure user access. These provide some protection, but the growing sophistication of attacks has made investing in multifactor authentication increasingly imperative. Yet only 1 in 10 report using hardware or software tokens as a second factor, and even fewer verify identity through SMS (5%) or biometrics (3%). Without such measures, agencies remain exposed to attacks, such as phishing and reuse of stolen credentials, that defeat a password on its own.

 

Top IAM challenges require strong leadership and oversight    

Even though respondents are mostly confident in the processes their organizations use to ensure access is appropriate, they also cite governance and authorization as the top IAM challenges (33% and 27%, respectively) facing their organizations. Employees are less likely to cite provisioning, deprovisioning, and authenticating users as IAM challenges, perhaps because these can be construed as functional challenges, potentially treatable through automation. Governance and authorization, however, require leaders who can anticipate IAM vulnerabilities and provide critical oversight to user security.

 

Employee awareness and training in proper IAM practices could be improved, and many favor greater oversight and enforcement of privileged management procedures

Agency leaders also have an opportunity to address knowledge gaps in IAM practices. For example, 1 in 5 respondents are unaware of what IAM practices their organization uses, and 24% are unsure how often, if at all, their agency enforces password changes. Respondents familiar with the management of privileged accounts point to several areas for improvement, including more frequent superuser password changes and better oversight of privileged accounts. Even though a quarter of respondents say their organization never enforces admin password changes, 63% believe that improved oversight of privileged accounts could reduce the likelihood of a security breach.


Research Findings

 

Respondents are generally confident in their agency’s ability to assign appropriate access

With some reservations, respondents are generally confident in their agency’s IAM abilities. Nearly 2 out of 3 respondents (66%) are either confident or very confident in their organization’s ability to ensure access to systems and data is appropriate, in that it meets the specific user’s security status and role requirements. 26% indicate they are somewhat confident, only 7% indicate they are not confident, and 2% are unsure of their position on this issue.

How confident are you in your organization's ability to ensure access to systems and data is appropriate?

As used in the survey, appropriate access is that which meets the specific user’s security status and role requirements.

Over half (52%) of respondents identify both periodic mandatory password changes and strong password requirements as techniques their organizations use to secure user access, making these the most common. 28% report using a "single sign-on with a uniform profile," but adding a second factor on top of the password is far less common: only 1 in 10 indicate the use of hardware or software tokens, and even fewer report verifying identity through SMS (5%) or biometrics (3%).

 
Which of the following techniques or practices does your organization use to ensure the security of user access?
66% of respondents are confident in their organization's ability to ensure appropriate access.
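The software tokens that 1 in 10 respondents report are, in nearly every product, time-based one-time passwords as specified in RFC 6238. The following is an added, stand-alone example (not code from the report or from One Identity) of the token arithmetic and of the server-side check a login system performs. The shared secret is the RFC 6238 test-vector secret, the account and issuer names are placeholders, and the one-step drift window and the replay check are choices of the example.

```python
import base64
import hashlib
import hmac
import struct

# Added example: an RFC 4226/6238 software token and the server-side check.
# The shared secret below is the RFC 6238 test-vector secret, not a real key.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, digits: int = 6,
                step: int = 30, window: int = 1, last_counter=None):
    """Server-side check. Accepts the current step or up to `window` neighbouring
    steps (clock drift), but never a step at or before the last one already
    accepted for this user, so a captured code cannot be replayed.
    Returns the accepted step counter (persist it per user), or None on failure."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def otpauth_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """Enrollment string an authenticator app reads from a QR code (base32 secret)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={digits}&period={step}")


if __name__ == "__main__":
    # Placeholder account/issuer; the code printed matches the RFC 6238 table for t=59.
    print(otpauth_uri(SHARED_SECRET, "jdoe", "City"))
    print(totp(SHARED_SECRET, 59, digits=8))
```

Two details matter in practice: the comparison is constant-time, and the server stores the last accepted counter so that a code phished or shoulder-surfed seconds earlier cannot be submitted a second time.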


 

Respondents’ reports of how often updating measures (e.g. password changes) are enforced vary widely

When asked how frequently their organization enforces updating measures, such as password changes, to ensure security of user access, responses are mixed. 11% say their organization enforces such updates every 30 days, 16% every 60 days, and 26% every 90 days. Only 13% say these measures occur either “once every 6 months” or “annually”. Most disconcerting is the finding that 10% have never been required to change their password, and that 24% are not sure if they have ever been asked to or not. That means that approximately 1 in 3 respondents (34%) have either never been forced to update their password or simply have no awareness of the matter.

In your experience, how frequently does your organization enforce updating measures (e.g., password changes) to ensure the security of user information?
10% of respondents are never required to change their password at all.


Applied to the U.S. Census Bureau's 2014 count of state and local government employees, that 10% corresponds to roughly 1.4 million full-time employees whose passwords remain unchanged from year to year.



Governance and Access 

 

Respondents cite governance of appropriate access as top IAM challenge

Even though employees are generally confident in their agency’s ability to ensure appropriate access, they also consider the oversight of this process (i.e. ensuring that all access rights are appropriate) to be the leading challenge (54%) facing their IAM capabilities. Similarly, authorizing what rights each user should have is the second most-cited challenge (44%), followed by privileged management (33%) in third. It’s possible that respondents regard governance and authorization as more challenging because enacting change to such processes requires greater strategic oversight and buy-in from senior leaders. Other tasks, like deprovisioning (23%) and provisioning (17%), on the other hand, are more functional in nature and potentially less challenging as they can be treated through automation.

54% of respondents cite governance as the top identity and access management challenge.


In your opinion, which of the following identity and access management practices are most challenging to your organization?

"Other" includes responses such as complying with local mandates for open government, having adequate staff and storage, and revoking rights upon an employee transfer.

 

Deprovisioning user access is faster, but also more challenging than provisioning

Interestingly, although respondents rate deprovisioning a user (removing the identity and its access: 14%) as slightly more challenging than provisioning one (creating the identity and granting access: 10%), they also report that deprovisioning is usually faster. 52% say deprovisioning takes less than 24 hours, against 39% who say the same of provisioning. Over a longer horizon the picture reverses: 72% say a new hire is fully provisioned within 4 days, while 65% say a departing user is deprovisioned within 4 days. Bottom line: an account that outlives its owner's employment is a standing invitation to misuse, so any interval in which a terminated user retains access should be treated as unacceptable, whatever the averages say.

Provision and Deprovision
72% of respondents say it takes 4 days or less to fully provision a new hire with appropriate access.
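A nightly job that compares the HR separations feed against the directory is the simplest way to make that "unacceptable" interval visible, and to see whether the leftover access was actually used. Below is an added example, not part of the report, run over constructed HR and directory data; the field names, the 24-hour escalation threshold and the privileged-group list are assumptions of the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (not survey data): the HR separations feed and a
# directory export, as a nightly job might pull them.
HR_SEPARATIONS = """\
username,separated_at
jdoe,2016-05-02T17:00:00Z
asmith,2016-05-03T09:30:00Z
bwong,2016-05-05T12:00:00Z
"""

DIRECTORY_EXPORT = """\
username,enabled,last_logon,groups
jdoe,true,2016-05-04T08:12:00Z,Finance;VPN-Users
asmith,false,2016-05-01T16:45:00Z,HR
bwong,true,2016-05-05T11:50:00Z,Domain Admins;IT
cnew,true,2016-05-06T07:00:00Z,Staff
"""

AS_OF = "2016-05-06T09:00:00Z"      # moment the job runs (fixed for the example)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}   # assumed naming


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def deprovisioning_report(hr_csv: str, dir_csv: str, now: datetime,
                          escalate_after: timedelta = timedelta(hours=24)) -> list:
    """One row per separated user whose account is still enabled.
    Every row is a finding; `over_sla` only marks which ones to escalate."""
    directory = {r["username"]: r for r in csv.DictReader(io.StringIO(dir_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(hr_csv)):
        acct = directory.get(row["username"])
        if acct is None or acct["enabled"].lower() != "true":
            continue  # deleted or disabled: deprovisioned
        separated = parse_ts(row["separated_at"])
        open_for = now - separated
        groups = set(acct["groups"].split(";"))
        findings.append({
            "username": row["username"],
            "hours_open": round(open_for.total_seconds() / 3600, 1),
            "over_sla": open_for > escalate_after,
            # a logon after the separation time means the access was actually used
            "used_after_separation": parse_ts(acct["last_logon"]) > separated,
            "privileged": bool(groups & PRIVILEGED_GROUPS),
        })
    # privileged leftovers first, then the longest-open accounts
    return sorted(findings, key=lambda f: (not f["privileged"], -f["hours_open"]))


def run_report() -> list:
    return deprovisioning_report(HR_SEPARATIONS, DIRECTORY_EXPORT, parse_ts(AS_OF))


if __name__ == "__main__":
    for finding in run_report():
        print(finding)
```

On the constructed data the report lists the still-enabled domain admin first even though that account has been open for less than a day, and flags the ordinary user whose account was logged into two days after separation.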


 

Respondents trust the procedures their organization uses to provide access to citizens and third party contractors alike

When asked if they trust the procedures their organization has in place for managing access for citizens and end users, 81% of respondents agree or strongly agree that such procedures are trustworthy. Similarly, 78% agree or strongly agree that the procedures for managing access for third party contractors are trustworthy. Only 1% to 2% express strong distrust of how their organization manages access for either group, a sign that, overall, employees are confident in agency IAM processes for external users.

Citizens and End Users
81% of respondents trust the procedures their organization has in place for managing access for citizens.



Privileged User Management

 

In the 2015 Cybersecurity Strategy and Implementation Plan, the U.S. Office of Management and Budget (OMB) highlights the importance of tightening policies and practices for privileged users as a method for strengthening cyber defense, among them being:

  • inventory and validate privileged account scope and numbers
  • minimize the number of privileged users
  • limit functions that can be performed when using privileged accounts
  • limit the duration that privileged users can be logged in
  • limit the privileged functions that can be performed using remote access
  • ensure that privileged user activities are logged and regularly reviewed

Privileged users are employees (e.g., system administrators) who have higher-level access to the administrator accounts on servers, networking devices, operating systems, applications, and/or databases that are used to install, configure, and manage these systems. A privileged user may have access to one or more of the following types of accounts:

  • Local Administrative Accounts (e.g., provides access to the local host, typically with the same password shared across an organization)
  • Privileged User Accounts (e.g., provides admin privileges on one or more systems, typically with a unique and complex password)
  • Domain Administrative Accounts (e.g., gives privileged admin access across all workstations and servers within a Windows domain)
  • Emergency Accounts (e.g., provides unprivileged users with admin access to secure systems in case of an emergency)
  • Service Accounts (e.g., gives privileged local or domain access which can be used by an application or service to interact with the operating system)
  • Application Accounts (e.g., used by applications to access databases, run batch jobs or scripts, or provide access to other applications, and usually have broad access to underlying company information that resides in applications and databases)

Due to these elevated privileges and the influence they wield over key infrastructures, managing and monitoring privileged users is critical to maintaining strong information security. Given the limited level of access to these types of accounts, some questions below include responses only from those respondents who reported some level of familiarity with the subject matter.
 
"If you’re just coming in to look at data, I don’t care who you are […] We have to assume that all of our networks are compromised." - Ann Dunkin, CIO at Environmental Protection Agency

OMB's 2015 Cybersecurity Strategy and Implementation Plan


Administrative Findings 

 

Most respondents confirm their agency has a process for changing default admin passwords

Does your organization have an official process for changing the default administrator password that comes with newly installed hardware or software?
Most respondents (84%) affirm their organization has a process for changing the default administrator password that ships with newly installed hardware or software. Only 16% say no such process exists.
84%  affirm their organization has a process for changing the admin password that usually accompanies newly installed hardware or software.


 

Respondents indicate negligent administrative password policies 

Whereas 53% of general users report changing their passwords at least every 90 days, the figures for administrative users, who wield far greater access and privileges, are no less concerning. Overall, 62% of respondents report their organization changes its administrator passwords at least every 90 days: 22% report an update every 30 days, 13% every 60 days, and 25% every 90 days. A further 13% say the administrator password is changed only every 6 months (8%) or just once a year (5%). Most telling, 1 in 4 respondents (25%) say their organization never changes its administrator passwords at all.

In your opinion, how frequently does your organization change its administrator passwords?
Since system administrators and privileged users have elevated access to sensitive data and critical infrastructures, it is particularly crucial that they abide by more stringent security standards than those expected of general users.

The National Institute of Standards and Technology (NIST) stresses the importance of enforcing proper administrative protocol, mentioning that if even "a single machine is compromised, an attacker may be able to recover the password and use it to gain access to all other machines that use the shared password." Therefore, organizations who opt for convenience by sharing passwords among administrative accounts and failing to enforce more frequent password updates expose themselves to substantial risk.

NIST's Guide to Enterprise Password Management

1 in 4 respondents claim their organization never changes its administrator password whatsoever.
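The OMB items above (inventory privileged accounts, minimize them) and the two findings on this page (administrator passwords that are never rotated, and NIST's warning about one password shared across machines) can all be checked from a single privileged-account inventory. The following is an added example that is not from the report or any vendor: the inventory is constructed, the `pw_hash` column stands in for whatever per-host password fingerprint an authorized audit collects, and the 90-day threshold matches the rotation interval respondents most often report.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed inventory (not survey data). Scopes are "host:<name>" for local
# accounts and "domain:<name>" for domain accounts; fingerprints are made up.
ACCOUNTS = """\
account,scope,privileged,pwd_last_set,pw_hash
Administrator,host:ws01,true,2015-01-10,fp-1111
Administrator,host:ws02,true,2015-01-10,fp-1111
Administrator,host:srv01,true,2016-04-01,fp-2222
da_jsmith,domain:CITY,true,2016-03-15,fp-3333
svc_backup,domain:CITY,true,,fp-4444
jdoe,domain:CITY,false,2016-04-20,fp-5555
"""

AS_OF = date(2016, 5, 6)   # audit date, fixed for the example


def audit_privileged(csv_text: str, as_of: date, max_age_days: int = 90) -> dict:
    """Inventory of privileged accounts plus three findings:
    passwords older than `max_age_days`, passwords never set (empty pwd_last_set),
    and local administrator passwords whose fingerprint appears on more than one host."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["privileged"] == "true"]
    per_scope = defaultdict(list)
    hash_scopes = defaultdict(list)
    stale, never_set = [], []
    for r in rows:
        per_scope[r["scope"]].append(r["account"])
        if not r["pwd_last_set"]:
            never_set.append(r["account"])
        else:
            age = (as_of - date.fromisoformat(r["pwd_last_set"])).days
            if age > max_age_days:
                stale.append((r["account"], r["scope"], age))
        if r["scope"].startswith("host:"):
            hash_scopes[r["pw_hash"]].append(r["scope"])
    # NIST's case: one compromised machine yields the password for every host in the group
    shared = [sorted(scopes) for scopes in hash_scopes.values() if len(scopes) > 1]
    return {
        "privileged_count": len(rows),
        "per_scope": dict(per_scope),
        "stale": stale,
        "never_set": never_set,
        "shared_local_admin": shared,
    }


def run_audit() -> dict:
    return audit_privileged(ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

The shared-fingerprint check is the one most organizations skip; it is also the one that turns a single workstation compromise into lateral movement across every host with the same local administrator password.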



Management and Oversight

 

Respondents identify delegation as most common management practice for privileged accounts  

Among the management practices listed, nearly two thirds of respondents (66%) cite delegation (e.g., implementing a least-privilege model of administrative activity where administrators are only given sufficient rights to do their job) as the technique used to manage access to privileged accounts. This is more popular than alternative practices like Active Directory bridging (38%), session audits (30%), and password vaulting (30%).

It is particularly concerning that only 8% of all respondents report their organization uses all four of the listed practices (delegation, Active Directory bridging, session audits, password vaulting) to manage access to privileged accounts. Furthermore, only 2% say their organization changes admin passwords after each use, which is the point of vaulting a credential in the first place: a checked-out password that is not rotated on check-in stays valid for whoever copied it. This suggests the tools that are in place are not being used for their intended purpose.
66% of respondents cite delegation as most commonly used practice for managing privileged accounts. 


Which of the following practices does your organization currently use to manage access to privileged accounts?

In the survey, delegation entails "implementing a least-privilege model of administrative activity where administrators are only given sufficient rights to do their job."
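Password vaulting is meant to make the 2% practice, changing the admin password after each use, automatic, and to bound how long a privileged session can stay open. The following is an added example, not code from the report or from any product, that models that check-out/check-in cycle with an audit trail; the simulated target systems, the one-hour session cap and the account name are assumptions of the example.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Simulated managed systems: account -> password currently set on the target.
# A real vault pushes each rotation to the host or domain; here it is a dict.
TARGET_SYSTEMS = {}


class PrivilegedVault:
    """Check-out/check-in of an administrator credential with rotation after every
    use, a capped session length, and an append-only audit trail."""

    def __init__(self, max_session: timedelta = timedelta(hours=1)):
        self.max_session = max_session
        self._sessions = {}   # account -> {"user": ..., "expires": ...}
        self.audit = []       # (timestamp, event, account, user, detail)

    def _log(self, now, event, account, user, detail=""):
        self.audit.append((now.isoformat(), event, account, user, detail))

    def _rotate(self, account, now, user, why):
        TARGET_SYSTEMS[account] = secrets.token_urlsafe(24)
        self._log(now, "rotate", account, user, why)

    def enroll(self, account, now):
        """Bring an account under management: the vault sets a password nobody knows."""
        self._rotate(account, now, "vault", "enroll")

    def checkout(self, account, user, reason, now):
        session = self._sessions.get(account)
        if session:
            if now < session["expires"]:
                self._log(now, "denied", account, user, f"held by {session['user']}")
                raise PermissionError(f"{account} is checked out by {session['user']}")
            # Session cap reached: close it and rotate before anyone else gets the password.
            self._log(now, "expired", account, session["user"])
            self._rotate(account, now, "vault", "session expired")
        self._sessions[account] = {"user": user, "expires": now + self.max_session}
        self._log(now, "checkout", account, user, reason)
        return TARGET_SYSTEMS[account]

    def checkin(self, account, user, now):
        session = self._sessions.pop(account, None)
        if session is None or session["user"] != user:
            raise PermissionError("no matching session")
        self._log(now, "checkin", account, user)
        self._rotate(account, now, user, "after use")   # the password the user saw dies here


def walkthrough() -> dict:
    """One check-out cycle on a placeholder account; returns the facts worth checking."""
    acct = "srv01/Administrator"
    t0 = datetime(2016, 5, 6, 9, 0, tzinfo=timezone.utc)
    vault = PrivilegedVault()
    vault.enroll(acct, t0)
    p1 = vault.checkout(acct, "alice", "apply patches", t0)
    try:
        vault.checkout(acct, "bob", "restore backup", t0 + timedelta(minutes=5))
        denied = False
    except PermissionError:
        denied = True
    vault.checkin(acct, "alice", t0 + timedelta(minutes=30))
    p2 = vault.checkout(acct, "bob", "restore backup", t0 + timedelta(hours=1))
    p3 = vault.checkout(acct, "carol", "incident response", t0 + timedelta(hours=3))
    return {
        "passwords_distinct": len({p1, p2, p3}) == 3,
        "concurrent_denied": denied,
        "old_password_still_valid": TARGET_SYSTEMS[acct] == p1,
        "events": [e[1] for e in vault.audit],
    }


if __name__ == "__main__":
    print(walkthrough())
```

Every password handed out is single-use by construction, the denied concurrent request and the expired session both appear in the audit trail, and a reviewer can reconcile each session against the reason given at check-out.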

 

A majority of respondents favor improved oversight of privileged users to boost security

In your opinion, would improved oversight of privileged accounts reduce the likelihood of a security breach?
When asked for their opinion on whether improved oversight of privileged accounts would reduce the likelihood of a security breach, nearly two thirds (63%) say that it would versus 37% who believe it would provide no extra security.
 

Only a small fraction of respondents claim their organization is using the NIST Cybersecurity Framework to help manage cybersecurity risks

When asked if their organization is using the NIST Cybersecurity Framework to guide their cybersecurity risk management, 10% say they are employing either the entire framework or just part of the framework currently. Only 2% indicate their organization plans to use the framework in the future, and 3% say the framework isn’t being used or planning to be used any time soon. A large majority of respondents (85%), however, are unaware of their organization’s position regarding the NIST framework.

Is your organization currently employing the NIST Cybersecurity Framework for your organization’s cybersecurity risk management?

"While we’re all about open data, sharing data, making it available, we [also] need to protect those systems and those types of information. There needs to be a balance between what’s open, what’s shared, and what we actually have to keep in house." - Maria Roat, CTO at Department of Transportation
Framework for Improving Critical Infrastructure Cybersecurity

By Executive Order, the NIST Cybersecurity Framework "shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk."

Only 10% of respondents say their state or local organization is employing the NIST Cybersecurity Framework, and just 2% more plan to.



Looking Forward

 

Agencies should expand IAM techniques to prepare for more sophisticated threats

Although employee confidence in agency IAM capabilities is high, employee data will continue to be at risk so long as agencies delay implementing IAM best practices. One area of potential investment is multifactor authentication, which verifies a user's identity by requiring an extra factor unique to that user (e.g. SMS text, biometrics, hardware token; of these, SMS codes are the weakest, since they can be intercepted or redirected by a SIM-swap attack). Policies on password requirements and periodic password updates also may need to be reinforced, especially when 1 in 10 respondents indicate their organization never enforces such updates at all and nearly 1 in 4 admit not knowing how often they take place.

 

Agency leaders have an opportunity to educate employees in IAM practices, including issues in privileged management

Moving forward, agencies might focus more on making sure employees are cognizant of challenges and best practices in the field of IAM, including privileged access management and administrator account policies. In light of new threats and employee concerns, IT leaders may review the merits of various privileged management practices (e.g., delegation, active directory bridging), the ways these practices affect information security, and why improved oversight of these practices can reduce the likelihood of a security breach. Together, both improved processes and stronger internal communication can help agencies more effectively address vulnerabilities and prevent potential information or access breaches.


Respondent Profile

 

Survey respondents are largely senior state and local leaders

Job grade
Organization size

35% of respondents work at organizations employing 500 employees or more.

57% of respondents self-identify as VP/senior level or higher 


 

Respondents represent a variety of state and local organizations

Employment type
46% of respondents work in municipal government positions.


 

Many respondents are involved and/or familiar with IT-decision making in their organization.

IT Involvement

Respondents were asked to choose which single response best describes their level of involvement with IT in their organization, including information security.

 

Respondents hail from a wide range of mission areas.

Mission area

Respondents were asked to choose which single response best describes their primary mission area.

28% of respondents claim direct involvement in the IT decision-making process 



Research by

As Government Executive Media Group's research division, Government Business Council (GBC) is dedicated to advancing the business of government through analysis, insight, and analytical independence. An extension of Government Executive's 40 years of exemplary editorial standards and commitment to the highest ethical values, GBC studies influential decision makers from across government to produce intelligence-based research and analysis.

Learn more at www.govexec.com/insights.

Report Author: Daniel Thomas

Underwritten by

One Identity eliminates the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access. Our Identity and Access Management (IAM) solutions enhance your organization’s agility while addressing your IAM challenges in on-premises, cloud and hybrid environments.

Learn more about our identity governance, access management, and privileged management solutions at www.oneidentity.com. 
