Modular, open-standard ICAM solutions are a foundation for zero trust

As government agencies advance zero-trust strategies, robust Identity Credential and Access Management (ICAM) solutions are critical to a strong cybersecurity posture.

Presented by Leidos

As cyberattackers grow increasingly sophisticated, federal leaders must be able to track exactly who is accessing agency resources. At the same time, government employees need seamless access to those resources to efficiently perform their duties. The key to balancing both sides of this equation is a modernized Identity Credential and Access Management (ICAM) strategy that maximizes security while minimizing user impact. 

The FY2023 defense budget request highlighted “accelerating ICAM modernization efforts to more effectively integrate emerging technology” as a priority, underscoring the importance of adapting ICAM to support a cutting-edge zero-trust environment. With strong industry partnerships, agency leaders can feel confident that “the right person with the right privileges can access the right information at the right time.” 

The future of ICAM

A robust ICAM strategy enables streamlined information sharing among government agencies and mission partners. ICAM solutions are foundational to zero trust, and government directives like Executive Order 14028 are driving innovation in the ICAM field. 

For users, a good ICAM experience is straightforward: when the user attempts to access a resource, they have no issues getting authenticated and authorized — their identity is known, their entitlements are provisioned and they don’t encounter error messages. In short, they can get to what they want, when they want. Meanwhile, behind the scenes, the tools and strategies that support this seemingly simple experience are evolving.

“Two key areas that Leidos has been focusing on are identity governance and continuous authentication and authorization,” says Paul Eells, master ICAM and cybersecurity solutions architect at Leidos. “There’s a recognition that we need to understand and dip outside of what was traditionally the ICAM space to look into identity analytics and uncover user and entity behavior and learn what it means and how to apply it for access control.”

Gone are the days when verifying identity once at the perimeter with a username and password was considered secure. Modern strategies are moving away from password-only logins in favor of multifactor authentication (MFA) and re-evaluate authorization continuously inside the perimeter, while identity governance and administration (IGA) controls which entitlements each identity holds and for how long. Modern approaches also include privileged access management (PAM), which tiers access and applies additional controls to the accounts holding the most elevated rights.

For those with the most privileged access — someone who maintains the system and has root access, for example — Eells highlights the importance of examining the details of each interaction. Are they accessing the system on behalf of their role as a system administrator? Or are they simply accessing resources the system provides to less-privileged users?

“We’re shifting from a simple ABAC [attribute-based access control] authorization which focuses on confirming who you are, to now checking on whether you are OK to access a particular service,” Eells says. “Dynamic authorization at a finer-grained level. Not only is it checking entitlements, but also considering behavioral factors — is this normal or expected? Checking or considering the device from which the user is attempting to make the access, the network that the device is on, the time or day of the week that the user is attempting access and the strength of the credential.”

In many ways, implementing ICAM is not so much a technical challenge as a challenge of understanding human behavior. Identity analytics uncover anomalous activity, but humans aren’t always predictable. A user attempting to access an application at an unusual time or from a new place isn’t necessarily doing so for nefarious purposes. Now the question becomes, if anomalous behavior is flagged, how should it be addressed?

“Should I outright deny access or deny authentication? Or should I ask some questions, or ask for additional credentials to be provided? Maybe there's a hierarchical chain that says, ‘OK, Paul is here on Saturday doing this, I need to reach out to somebody else to make sure it's OK for me to allow Paul to continue to do it,’” Eells says. “We don't want to prohibit providing the right information when it's necessary to do so, but we also want to make sure we're putting the right things in place to recognize when things seem to be out of whack.”
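The graduated response Eells describes can be written down as a policy decision point: check the entitlement first, apply a few hard rules, then let device, network, time, credential strength and a behavioral baseline choose between allow, step-up, escalate-for-approval and deny. The following Python is an added illustration, not Leidos code; the signal weights, thresholds, credential ranking and the sample user "paul" with his baseline are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"    # ask for a stronger credential, then re-evaluate
    ESCALATE = "escalate"  # hold the request until a second person approves
    DENY = "deny"


# Assumed ordering of credential strength (higher is stronger); PIV = smart card.
CREDENTIAL_STRENGTH = {"password": 1, "otp": 2, "piv": 3}


@dataclass
class Subject:
    user: str
    entitlements: set[str]
    usual_hours: set[int] = field(default_factory=set)     # hours seen before
    usual_networks: set[str] = field(default_factory=set)  # networks seen before


@dataclass
class Request:
    subject: Subject
    resource: str        # entitlement the resource requires, e.g. "payroll:read"
    privileged: bool     # administrative action (root shell, config change)
    credential: str      # key of CREDENTIAL_STRENGTH
    device_managed: bool
    network: str
    when: datetime


def risk_score(req: Request) -> int:
    """Add an assumed weight for every signal that falls outside the baseline."""
    score = 0
    if not req.device_managed:
        score += 3
    if req.network not in req.subject.usual_networks:
        score += 2
    if req.when.hour not in req.subject.usual_hours:
        score += 1
    if req.when.weekday() >= 5:  # Saturday or Sunday
        score += 1
    score += 3 - CREDENTIAL_STRENGTH[req.credential]  # weaker credential, more risk
    if req.privileged:
        score += 2
    return score


def decide(req: Request) -> Decision:
    """Entitlement first, hard rules second, graduated response by risk last."""
    if req.resource not in req.subject.entitlements:
        return Decision.DENY                # not provisioned: never allow
    if req.privileged and not req.device_managed:
        return Decision.DENY                # hard rule: no admin work from BYOD
    score = risk_score(req)
    if score <= 2:
        return Decision.ALLOW
    if score <= 5 and CREDENTIAL_STRENGTH[req.credential] < 3:
        return Decision.STEP_UP             # a stronger credential exists to ask for
    if score <= 7:
        return Decision.ESCALATE            # nothing more to ask the user; ask a human
    return Decision.DENY


def example_decisions() -> dict[str, Decision]:
    """Constructed scenarios; 2024-03-13 is a Wednesday, 2024-03-16 a Saturday."""
    paul = Subject("paul", {"payroll:read", "sysadmin:root"},
                   usual_hours=set(range(8, 18)), usual_networks={"corp-lan"})
    wed, sat = datetime(2024, 3, 13, 10), datetime(2024, 3, 16, 14)
    base = dict(subject=paul, resource="payroll:read", privileged=False,
                credential="piv", device_managed=True, network="corp-lan", when=wed)

    def req(**overrides) -> Request:
        return Request(**{**base, **overrides})

    return {
        "routine_read": decide(req()),
        "root_on_saturday": decide(req(resource="sysadmin:root", privileged=True, when=sat)),
        "password_from_new_network": decide(req(credential="password", network="home-wifi")),
        "unmanaged_at_2am": decide(req(credential="password", network="home-wifi",
                                       device_managed=False, when=wed.replace(hour=2))),
        "no_entitlement": decide(req(resource="hr:write")),
        "root_from_byod": decide(req(resource="sysadmin:root", privileged=True,
                                     device_managed=False)),
    }


if __name__ == "__main__":
    for name, outcome in example_decisions().items():
        print(f"{name:28s} -> {outcome.value}")
```

Two design points matter more than the numbers. Step-up is only offered when the user still has a stronger credential to present; a PIV holder doing root work on a Saturday has nothing more to prove, so the request is parked for a second person rather than denied outright, which is the "Paul is here on Saturday" case in the quote. And the entitlement check and the no-admin-from-unmanaged-device rule run before any scoring, so a low risk score can never override a missing entitlement.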

Recent high-profile cyberattacks highlight the importance of having systems in place to flag unusual access and behavior as quickly as possible. The State Department uncovered an email intrusion by detecting “anomalous activity,” and further investigation showed the intrusion had begun a month earlier. During that time, the attackers were able to read numerous State Department email inboxes.

Attributes of a modern ICAM solution

To prevent bad actors from accessing government information, Leidos is developing new service-based ICAM solutions with modern features. At a basic level, the solutions must scale in two ways: functionally, to take on new features and capabilities, and in load, to support ever-growing user populations and numbers of ICAM instances. Solutions must also support MFA, as directed by Executive Order 14028.

But Leidos is digging even deeper, tapping into other emerging software techniques and tools to ensure its ICAM solutions leverage the company’s “everything as code” and vendor-agnostic approaches to development.

“We don't build solutions around a specific vendor,” says Kevin Chin, director of generative AI and solutions architect at Leidos. “We like to collaborate with our customers directly, to understand their ecosystems and their enterprise so that we can address their needs and deliver the right ICAM solution for them.”

Much of this work is done through Leidos’ Zero Trust Proving Ground, a collaborative environment available to partners and customers, where Leidos identifies, evaluates, integrates and tests commercial zero trust-related tools and solutions, including ICAM, to reduce risk and accelerate the adoption of those solutions into customer environments.

“We work with a wide range of different vendors really focused on that open architecture. We bring in their products, understand the customer needs, and invite our customers into the Zero Trust Proving Ground lab, where we can develop the solutions together,” Chin says. “What that yields is efficiencies in developing the solution — deployable automations, like infrastructure as code and microservices — that can accelerate the delivery within the customer environment.”

There’s no singular solution that can suit all agencies’ needs. Even an individual agency’s needs can evolve quickly, which means ICAM solutions must be flexible. Open architecture supports the agility necessary to keep up with innovation.

“What I build you today does XYZ, but I might build you something completely different to do XYZ in the future,” Eells says. “Because your needs are different, the technologies have advanced and I should be leveraging those newest technologies.” 

Modular, microservices-based architectures also lend themselves to more agile development. Rather than requiring potentially disruptive full-system upgrades, individual microservices can be independently updated and scaled as needed.

“In the technology world, things change very rapidly, and being able to give that flexibility to customers to say, ‘Alright, we have this modular microservice that does that functionality, but over the last two years, these new vendors and new capabilities came out,’” Chin says. “How you plug out and plug in those microservices — that is really, really important to us.”

ICAM at the edge

The last thing any federal employee in the field or service member on the battlefield needs is to encounter access and authorization difficulties at a critical time. A moment of poor connectivity can make that a reality, which is why research on ICAM at the edge centers on enabling strong, durable computing in any location.

This includes leveraging Leidos’ Edge to Cloud (E2C) ecosystem to reliably run ICAM solutions at the edge. E2C aims to provide consistent, powerful computing no matter where a user is located by creating a shared digital ecosystem between the edge and cloud service providers. 

“How do we give customers, who could be people running around literally in a field, the same type of IT capabilities that we have in our office with a powerful computer?” Chin says. “Thinking about our military customers, or national security, being able to access data in real time for their mission. That's where ICAM comes in, being able to provide the authentication and authorization services for that warfighter.”

Another tool in the ICAM toolbox is certainly not short on attention lately: generative AI. Here, the same transformer-based deep learning architecture that powers ChatGPT holds significant potential for improving ICAM, particularly at the edge.

“Leidos has a lot of experience deploying and operating Large Language Models (LLMs) in production environments, and that transformer-based architecture allows analytics AI running out on the edge to self-learn,” Chin says. “Being able to self-learn fuels that ICAM solution of continuous authentication and continuous authorization. We’re excited to bring these solutions all together, and we’re well-equipped with the technical knowledge to bring these solutions to our customers.”

Learn more about how Leidos is developing solutions to transform the ICAM field from the office to the edge.

This content is made possible by our sponsor Leidos; it is not written by and does not necessarily reflect the views of GovExec's editorial staff. 