March 21, 2017

3 reasons to pay more attention to IAM in public sector


By Lloyd McCoy, immixGroup

Much of what we’re reading in the news about government surveillance, data leaks and breaches comes down to security, privacy and access.

Despite all the incidents, security is going to continue being a major concern given that people love the freedom and convenience of things like mobile devices and being able to work wherever they want.

At the same time, businesses are just now seeing the promise of internet of things solutions, especially in government agencies. But security in IoT is still a major hurdle, causing some agencies to pump the brakes a bit.

So where does that leave the tech sector? There may be a continuing stream of risk, but there’s also opportunity, especially for companies with Identity Access Management (IAM) solutions that can address some of these valid security concerns.

Here are three challenges to think about as you create a strategy for selling IAM solutions to the public sector:

Focus on reducing risk over eliminating threats

The recent story on the CIA’s secret hacking tools to break into computers, mobile phones and smart TVs was interesting but not all that surprising. These stories should make us all aware of how vulnerable connected devices are.

Security risks will always be a part of our lives with technology, especially since consumers and corporate users aren’t willing to cut out smart and mobile devices despite the continued threat of hacks and surveillance by government agencies or even competitors.

So what’s the solution? Government agencies now realize that it is better to focus on reducing risk than on the pipe dream of totally eliminating cyber threats. Consumers should change the passwords on smart TVs, cameras and other connected devices as often as they change their computer passwords.

For government agencies and enterprises, the solution could range from something as simple as workforce training on passwords and covering laptop cameras to IT solutions that create a layer of protection somewhere in the connected device’s gateway.

Where industry can help is with getting the government to achieve, or at least approach, 100 percent multi-factor authentication and single sign-on. Network segmentation, just-in-time privileged access and reducing the need for VPN access are other areas of risk reduction where government agencies have said they need assistance from industry.

Mobile workers increase risks

President Trump’s federal budget proposal includes spending increases for defense and homeland security but cuts to most other government agencies. We don’t know yet how the spending proposal will eventually affect the federal workforce. Agencies may turn to bigger telework programs in order to reduce real estate costs.

With telework comes a bigger risk of breaches and other security concerns. Many remote employees have security software set up on their computers and devices, but how effective is it? Is it too cumbersome, or does it protect enough?

This is another insertion point for IAM tools that protect mobile devices. As government agencies seek to take distance out of the equation, they will need to uncover and protect against all the threat vectors that arise as agencies move their networks further out and into people’s homes. The growing use of classified mobile computing, particularly in the Department of Defense, makes credentialing and privileged access more important than ever.

IoT is great, but is it secure?

The public sector has slowly been implementing IoT projects even though the technology has been deployed without thinking of security first. The truth is anything with a chip that’s connected to the internet is vulnerable to hacking.

State and local governments seem to be further along than the federal government in implementing IoT solutions and tackling the security implications. Some states, like Washington, are migrating to IPv6 to be able to centrally manage their internet protocol addresses. That step will open the door for a more secure IoT strategy for the state.

But Oakland County, Mich., has been extremely cautious when it comes to IoT because of the risk of hacking. State and local governments worry about a range of potential threats, from a hacker shutting down the air conditioning in a data center to an adversary taking control of a city’s internet-connected lights. Oakland County is installing a new building management system that will be centrally controlled, with the connection over a secure fiber-optic network. IT managers can dial in remotely via the internet but it will be through a secure “tunnel” connection requiring two-factor authentication.

State and local IT leaders are admittedly nervous about IoT because of the security aspects. Many industries, HVAC for instance, have little experience dealing with the cybersecurity threats that IoT can pose. State and local governments need better engagement with industry to ensure the right security is in place.

Lloyd McCoy is the DOD manager for immixGroup’s Market Intelligence team and he leads Arrow ECS’ commercial Market Intelligence team. He previously worked as a senior analyst at DOD.