Security is everybody’s business. This is something I’ve long understood, but I was reminded of it again as I helped my colleague, Paula Wells, prepare to take part in a panel discussion earlier this year. It’s a point that is worth reiterating.
The occasion was a conference centered on solving current government security challenges using identity governance, hosted by SailPoint Technologies, and the panelists were discussing the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program. As Paula noted, “It’s not necessarily the technical part that’s the challenge.” Throughout our work on the CDM program, we have observed varying levels of readiness and engagement among federal agencies which often are differentiated more by the human factor than the software and systems.
Users continue to represent the largest and most dynamic security risk to any agency and focusing on best practices around user account management, least privileged access, and strong authentication can have a significant positive impact on an agency’s overall security posture.
CDM is about keeping a close eye on what is happening on a network—through both the connected devices and the users accessing those devices—and identifying and addressing potential threats as quickly as possible. CDM solutions deployed in concert with a strong identity, credentials and access management (ICAM) program can identify and prevent both insider threats and outside intrusions.
Mastering the Master User Record
CDM gains insight about users by creating a Master User Record, or MUR, which requires gathering data on every user that connects to the agency network. The data collected helps an agency to validate that every connected user is accessing the network with appropriate credentials, has been adjudicated through the agency-required background investigation processes, and has taken mandatory cybersecurity awareness training. For many agencies, this initiative represents the first time that they are building a holistic view of their entire user population and provides a significant opportunity to identify and mitigate potential security risks.
Building the MUR requires buy-in from IT, business process and source system owners, senior leadership, and in some cases third-party workforce representatives such as trade unions. The single biggest challenge to being successful is aligning the various stakeholders necessary to identify, compile and populate the data.
If an organization assigns this task to a midlevel employee without the authority to move these stakeholders in a common direction, or without the insight into the strategic objectives of CDM to explain why information is needed and how it will be used, implementation activities can be derailed by competing priorities or lack of buy-in.
That’s especially true when the data owners are not part of the same organization, which is often the case when collecting data across background investigation, active directory and employee or contractor training systems. Here are a few tips for easing the process:
Three keys to getting data for the MUR
- Choose someone at a high level in the organization to own the successful outcome of the initiative
- Consistently and frequently explain to stakeholders why the information is needed and what it will be used for, including the fact that this information remains within the agency network and under the agency’s control
- Emphasize data privacy and security; explain that the data will be encrypted, protected and available only to people with a need to know. Data remains within the agency network at all times and only an aggregate view of the data will be provided through the federal dashboard.
Locking the doors with identity management
Knowing who is on your network is the second phase of a CDM program, after identifying what is on your network. Once you have that information, you can then determine if you have users who should not have access—former employees, for example, who for whatever reason were not removed from the system when they left their jobs. This kind of visibility is essential to protecting your network and its devices against intruders. An estimated 80% of breaches involve someone gaining inappropriate access to a credential, whether through phishing, hacking or any other means. Once intruders have that credential, the organization’s entire network is available to them.
The identity management tools made available to agencies under CDM can provide the foundation for a robust ICAM program including automated credential provisioning and de-provisioning, enforcing least privileged access principles, and identifying accounts where a combination of privileges may represent an unacceptable risk to the agency. Compiling the information in the MUR can be the first critical step on a longer cybersecurity journey.
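As an added example (not code from the original post, SailPoint, or the CDM program), here is a minimal reconciliation over constructed MUR-style records that surfaces the gaps the two sections above describe: still-active accounts of departed staff, users missing adjudication or awareness training, and an account holding a risky combination of privileges. The record fields and the separation-of-duties rule are assumptions chosen for illustration.

```python
# Added example (not from the original post): a simple MUR reconciliation
# check that flags the gaps CDM's "who is on the network" phase is meant to
# surface. All records and the privilege-combination rule are constructed
# sample data, not any agency's real feeds.
from dataclasses import dataclass, field

@dataclass
class MurRecord:
    user_id: str
    account_active: bool        # from the directory (e.g. Active Directory)
    employed: bool              # from the HR / contractor roster
    adjudicated: bool           # background investigation complete
    training_current: bool      # cybersecurity awareness training on file
    privileges: frozenset = field(default_factory=frozenset)

# Hypothetical "toxic" privilege pair: one account should not both
# approve and disburse payments (a separation-of-duties rule).
TOXIC_COMBINATIONS = [frozenset({"approve_payment", "disburse_payment"})]

def find_findings(records):
    """Return a sorted list of (user_id, finding) tuples for active accounts."""
    findings = []
    for r in records:
        if not r.account_active:
            continue  # already disabled: nothing to de-provision
        if not r.employed:
            findings.append((r.user_id, "orphaned-account"))  # left, never removed
        if not r.adjudicated:
            findings.append((r.user_id, "no-background-investigation"))
        if not r.training_current:
            findings.append((r.user_id, "training-lapsed"))
        for combo in TOXIC_COMBINATIONS:
            if combo <= r.privileges:
                findings.append((r.user_id, "toxic-privilege-combination"))
    return sorted(findings)

# Constructed sample population.
SAMPLE = [
    MurRecord("alice", True, True, True, True, frozenset({"read_reports"})),
    MurRecord("bob", True, False, True, True, frozenset({"read_reports"})),
    MurRecord("carol", True, True, False, False, frozenset()),
    MurRecord("dave", True, True, True, True,
              frozenset({"approve_payment", "disburse_payment"})),
    MurRecord("erin", False, False, True, False, frozenset()),
]

if __name__ == "__main__":
    for user, finding in find_findings(SAMPLE):
        print(f"{user}: {finding}")
```

In practice each column would come from a different source system (directory, HR, personnel security, training), which is exactly why the stakeholder alignment described above matters before any of this can run.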
Be vigilant always
All of this is why security is everybody’s business. Technology can go a long way toward keeping unauthorized users out of the network, but it is only as good as the implementation, management and use of that technology. Those who have a responsibility for protecting an agency’s information need a holistic and agile ICAM program to stay ahead of evolving threats. CDM tools and data insights, when implemented correctly, can provide the foundation for that program; but ultimately, if leadership is not fully bought in and users aren’t educated on avoiding the ever-evolving traps hackers commonly use, technology alone isn’t enough.
Are you safe from the insider threat? Read our solution brief, Are You Doing Enough to Protect Against Insider Threats, to learn more.