Improving Collaboration Through Identity Management
-
Upload
governmentbusinesscouncil -
Category
News & Politics
-
view
92 -
download
1
description
Transcript of Improving Collaboration Through Identity Management
Improving Collaboration through Identity Management A Candid Survey of Federal Managers
February 2014
Purpose Driven by White House and Congressional directives such as HSPD-12, the National Strategy for Trusted Identities in Cyberspace (NSTIC), Insider Threat Task Force, and FICAM, federal agencies are focused on identity management like never before. Agency leaders face a difficult task in ensuring secure access to agency resources by the right people, at the right time, and for the right reasons, without restricting the organization’s operational effectiveness. Understanding the difficult task of balancing these two priorities, Government Business Council (GBC), Symantec, and HP undertook a study to explore the current state of identity and access management (IAM) in the federal government.
2
Methodology To assess the perceptions, attitudes, and experiences of federal executives regarding IAM, GBC deployed a survey to a sample of Government Executive’s online and print subscribers in December 2013. The pool of 975 respondents includes those of GS-11 through 15 grade levels and members of the Senior Executive Service in defense and civilian agencies.
Table of Contents
1 Executive Summary 4
2 Respondent Profile 6
3 Research Findings 10 i. Current State of Federal IAM 11 ii. Security Concerns Can Limit Mission 15 iii. The Need for an Identity Ecosystem 21 iv. Public-Private Partnerships in IAM 26
4 Final Considerations 30
3
4
1 Executive Summary
Executive Summary Federal leaders are confident in identity management within their own agencies
A majority of respondents (72 percent) are confident or very confident in their agency’s ability to ensure appropriate physical access to resources. Slightly fewer (63 percent) are equally confident in their agency’s ability to ensure appropriate logical access. For many, the two are linked: 71 percent of respondents indicate that their agencies have integrated physical and logical IAM.
Outside of one’s own agency, security concerns limit collaboration
Nearly all respondents interact with groups outside of their agency, but security concerns limit their ability to provide services to these groups over the Internet. While respondents view the growth of mobile devices as an opportunity to improve collaboration, security concerns have limited their uptake in federal agencies.
An “Identity Ecosystem” that links an electronic identity across multiple platforms could improve collaboration and efficiency while lowering costs
The idea of a common framework for establishing trusted identities is a new concept for some federal leaders, but anticipated effects are largely positive. A majority of respondents expect an “Identity Ecosystem” to increase efficiency and confidence in using online services, among other benefits. To create an “Identity Ecosystem,” respondents are open to public-private partnerships, but security, privacy, and liability concerns will need to be addressed.
5
6
2 Respondent Profile
2%
4%
16%
28%
23%
22%
5%
0% 10% 20% 30%
Other
GS/GM-11
GS/GM-12
GS/GM-13
GS/GM-14
GS/GM-15
SES
Survey respondents are senior federal executives
7
41%
21%
21%
7%
7%
3%
0% 20% 40% 60%
None
1-5
6-20
21-50
51-200
Over 200
Job Grade Reports/Oversees
Percentage of respondents, n=975
78% of respondents are GS/GM-13
or above
59% of respondents oversee at least
one report
Most respondents work in operations
▶ Most respondents work in operations, a category that includes program/project managers and logistics specialists.
▶ “Other” includes categories such as legal, research, management, technical professionals, and auditors.
8
Job Function
16%
3%
3%
5%
5%
6%
8%
11%
12%
32%
0% 10% 20% 30% 40% 50%
Other
Communications and telecommunications
Facilities, fleet and real estate management
Information technology
Legislative
Acquisition and procurement
Finance
Engineering
Human capital
Operations
Percentage of respondents, n=975
Most Represented Agencies Department of Treasury Department of Agriculture Department of the Interior Department of Transportation Department of Commerce General Services Administration Environmental Protection Agency National Aeronautics and Space Administration Social Security Administration Department of Housing and Urban Development Department of Energy Department of Labor United States Government Accountability Office Department of State Department of Education
Office of Personnel Management Small Business Administration United States Postal Service Department of Homeland Security United States Agency for International Development Nuclear Regulatory Commission Department of Health and Human Services Department of Veterans Affairs National Science Foundation Executive Office of the President (including OMB) Department of Defense (OSD, DISA, DIA, DLA, etc.) Department of Justice Department of the Army Other independent agency
9
Agencies listed in order of frequency
10
3 Research Findings
11
i. Current State of Federal IAM
What is Identity and Access Management?
12
▶ As used in this report, identity and access management (IAM) refers to a security practice that ensures access by the right people, at the right time, and for the right reasons.
▶ IAM can be used in reference to both physical access (e.g., to facilities, areas, or rooms) and logical access (e.g., to networks or files).
Federal leaders are confident in IAM within their own agencies
Physical access (e.g., to facilities, areas, rooms)
Logical access (e.g., to networks, files)
13
29%
43%
21%
7% 1%
19%
44%
26%
8% 2%
Very confident
Confident
Somewhat confident
Not confident
DK
63% of respondents are very confident or
confident
72% of respondents are very confident or
confident
Percentage of respondents, n=975 and n=974, respectively
For many, physical and logical access are interconnected
▶ A majority of respondents indicate that their agencies have integrated physical and logical IAM.
▶ Typically, integration involves using a common card or device to access the agency’s building and computer networks.
14
Has your department/agency integrated physical and logical IAM?
Yes 71%
No, but considering
15%
No, not considering
5% Don’t know
9%
Percentage of respondents, n=974
15
ii. Security Concerns Can Limit Mission
94% of federal leaders interact with external groups, especially other agencies
85%
56% 56% 49%
8% 6%
Other federal departments/
agencies
Citizens State, local, regional
government departments/
agencies
Industry partners Other None of the above
16
Groups interacted with through the course of work
Percentage of respondents, n=972
27% of respondents interact with
other federal agencies, citizens, state/local/regional government agencies, and industry partners
Security concerns limit service provision
9% 22% 44% 24%
Security concerns prevent my department/ agency from offering certain services online.
Strongly disagree Disagree Agree Strongly agree
17
A majority of respondents (68 percent) indicate that security concerns limit online service provision. Even those who are currently providing services to citizens believe they are limited: 72 percent identify limits to online service provision.
68% of respondents agree
or strongly agree
Percentage of respondents, n=825 “Don’t know” not included
Mobile devices offer an opportunity to enhance interaction with external groups
9% 10% 57% 24%
Mobile device usage presents an opportunity for my department/agency to enhance interaction with other groups.
Strongly disagree Disagree Agree Strongly agree
18
81% of respondents agree
or strongly agree
Percentage of respondents, n=863 “Don’t know” not included
…but security concerns limit mobile expansion
5% 30% 46% 19%
Security concerns present an obstacle to my department/agency using mobile devices to interact with other groups.
Strongly disagree Disagree Agree Strongly agree
19
65% of respondents agree
or strongly agree
Percentage of respondents, n=809 “Don’t know” not included
The lack of a common framework for establishing trusted identities limits interaction with external groups
7% 36% 41% 16%
The lack of a common framework for establishing trusted identities limits my department/agency’s interaction with other groups.
Strongly disagree Disagree Agree Strongly agree
20
57% of respondents agree
or strongly agree
Percentage of respondents, n=645 “Don’t know” not included
21
iii. The Need for an “Identity Ecosystem”
The White House has called for the creation of an “Identity Ecosystem”
▶ April 2011’s National Strategy for Trusted Identities in Cyberspace (NSTIC) highlights the need for an “Identity Ecosystem” where individuals and organizations leverage universally-recognized digital identities to securely interact with one another.
▶ By linking an individual’s electronic identities across multiple websites, NSTIC envisions that the “Identity Ecosystem” will provide online services in a manner that promotes confidence, privacy, choice, and innovation.
22
National Strategy for Trusted Identities in Cyberspace, April 2011.
Sizable amounts of respondents are unsure of the effect that an “Identity Ecosystem” will have on efficiency, confidence, cost-effectiveness, citizen service quality, privacy, help desk calls, and security (23-34 percent select “don’t know”). Of those respondents who have an opinion, most anticipate positive effects:
Federal leaders expect largely positive effects from the creation of an “Identity Ecosystem”
30%
10%
15%
9%
15%
7%
11%
28%
38%
28%
34%
26%
29%
23%
42%
52%
57%
58%
60%
64%
66%
Security risks
Help desk calls
Privacy protections
Quality of citizen services
Cost-effectiveness
Confidence in using online services
Efficiency
Increase No change Decrease
23
Expected effects of an Identity Ecosystem
Percentage of respondents, n varies “Don’t know” not included
Respondents identify additional benefits of an “Identity Ecosystem,” including…
Better data quality. Streamlined security clearance processes and better tracking of individuals.
The ability to work more effectively outside the office environment. It would give me access to sites that I need to use but are restricted if not on a government system.
Improved intergovernmental activities.
24
“ ”
” “
” “
Sampling of open-ended responses
” “
“Identity Ecosystem” may be far off
2%
30%
24%
11%
3%
30%
0-1 years
2-5 years
6-10 years
More than 10 years
Never
Don't know
25
How soon do you think government could achieve an “Identity Ecosystem”?
Percentage of respondents, n=971
56% of respondents
think government can achieve
Identity Ecosystem in the next 10 years
26
iv. Public-private Partnerships in IAM
To reach “Identity Ecosystem,” the federal government supports public-private partnerships in IAM
27
“The private sector will lead the development and implementation of this Identity Ecosystem, and it will own and operate the vast majority of the services
within it.”
-National Strategy for Trusted Identities in Cyberspace, April 2011
"The Obama administration is committed to supporting public-
private partnerships that both enhance consumer privacy and ensure the
Internet remains a driver of innovation and economic growth."
-Secretary of Commerce Penny Pritzker, September 2013
National Strategy for Trusted Identities in Cyberspace, April 2011. NIST.gov, “NIST Awards Grants to Improve Online Security and Privacy,” September 2013.
Though few respondents are opposed to public-private partnerships in IAM, many are unsure
31% 31%
18% 20%
0%
10%
20%
30%
40%
50%
Support Neither support nor oppose
Oppose Don't know
28
Opinion of public-private partnerships in IAM
Percentage of respondents, n=970
Security, privacy, and liability top the list of concerns about public-private partnerships in IAM
29
Concerns about public-private partnerships in IAM
Percentage of respondents, n=965
5%
15%
7%
14%
30%
40%
50%
51%
55%
None of the above
Don't know
Other
Loss of IT jobs
Vendor lock-in
Changes in work/operational flows
Liability
Privacy
Security
30
4 Final Considerations
When considering an IAM strategy in your agency… Make room for mobile.
Though federal agencies may be late mobile adopters, citizens using government services are more and more likely to be doing so from a mobile device. As this trend continues, providing a secure, usable mobile interface for citizen services will be essential to mission effectiveness.
Look to agencies already experiencing IAM success.
The Federal Cloud Credential Exchange (FCCX), run by GSA and USPS is a good look into the future of identity management. FCCX will unify six different civilian agencies using FICAM authentication standards to allow the public to securely access online services through a single sign-on. This streamlined authentication will reduce costs for participating agencies, while providing a “secure, privacy-enhancing, easy-to-use-solution.”
Count all costs, including the hidden expense of forgotten passwords.
Forgotten passwords are expensive. Agencies should look at how they can reduce operational costs by passing those expenses on to credential service providers—federal or commercial—who can unify services around a single sign on.
31
USPS participating in creation of digital Federal Cloud Credential Exchange program
Underwritten by
About HP and Symantec
For over 20 years, HP and Symantec have delivered joint technology solutions and services that enable organizations worldwide to secure and manage their most critical information. HP integrates Symantec into security, storage, server, and client solutions, and delivers enterprise services based on market-leading Symantec solutions.
About GBC
Contact
Zoe Grotophorst Manager, Research & Strategic Insights
Tel. 202.266.7335 [email protected]
govexec.com/GBC @GovBizCouncil
Our Mission
Government Business Council (GBC), the research arm of Government Executive Media Group, is dedicated to advancing the business of government through analysis and insight. GBC partners with industry to share best practices with top government decision-makers, understanding the deep value inherent in industry’s experience engaging and supporting federal agencies.
33
Improving Collaboration through Identity Management A Candid Survey of Federal Managers
February 2014