Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/4/2009
05:44 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

ID Management Remains Challenge For Federal Agencies

Some of the hurdles faced by the U.S. government include funding, organizational structure, and data protection.

Despite numerous federal mandates such as Homeland Security Presidential Directive 12, identity management remains a challenge for government agencies, according to federal cybersecurity and IT officials.

"It's a challenge that it is an unfunded mandate," said Ken Calabrese, CTO of the Department of Health and Human Services, during a panel discussion on identity management in Washington. "There are some straight dollar benefits, but it's just something that doesn't resonate with people at this point. Articulating business value is a tough challenge."

Over the last few months, the Department of Health and Human Services has conducted a review of its identity management efforts, concluding that the agency needs more coordinated control over logical and physical security. HHS is carrying out a pilot program with that in mind. Now, when someone hands in their office keys upon leaving a job, their ID is automatically deleted from all systems. The agency is also testing single sign-on capabilities.

There are areas where HHS still needs to fill in the blanks. For example, it needs to study ways to more thoroughly prove identity in online communications between doctors and patients involving electronic health records, especially at the nationwide scale the White House has proposed for e-health records, Calabrese said.

NASA faces a different challenge. It's not that there are too many people logging into NASA systems, but that there are so many constituent groups. The space agency is revamping its network architecture to create "zones" that communities of interest can access, similar to role-based access. There might be one zone for NASA workers, another for universities, and another for foreign space agencies.

Still, identity and access management is no panacea, said Jerry Davis, NASA's deputy CIO for IT security. "The problem isn't just knowing who's on the network," he said. "When you have someone who's connected to the network and they're a true person, what are they connecting to the network with? Two-factor authentication isn't going to help if you've got a bug that does keylogging or whatever."

At the Internal Revenue Service, the organizational structure poses challenges in coming up with a comprehensive identity management and authentication policy. The IRS splits cybersecurity into two groups, operations and policy, and neither has control over physical access.

Based on data it stores on household income, the IRS is being considered for a role in verifying income for lenders and home buyers, according to Andrew Hartridge, IRS' director for cybersecurity policy and programs. The IRS could leverage its data to create challenge questions as a way of authenticating home buyers, but Hartridge said that would require significant adjustments to prevent disclosure of information to someone with unauthorized access.

The Federal Aviation Administration, meanwhile, has sorted out who manages physical access, who manages logical access, and who verifies identities, and it uses a portable "card mobile" to distribute smart cards with digital credentials to employees at various FAA locations. Yet, FAA CIO Dave Bowen echoed some of the problems other agencies face, including the lack of funding for HSPD-12 and the difficulty in convincing line of business managers of the importance of strong identity management measures.


There's a big buzz surrounding Government 2.0 -- the revolution that's bringing the principles and value of the Web as a platform to the business of governing. Attend Gov 2.0 Expo Showcase and hear innovators show how this is really happening. At the Washington Convention Center, Sept. 8. Find out more and register.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26246
PUBLISHED: 2020-12-03
Pimcore is an open source digital experience platform. In Pimcore before version 6.8.5 it is possible to modify & create website settings without having the appropriate permissions.
CVE-2020-29279
PUBLISHED: 2020-12-02
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
CVE-2020-29280
PUBLISHED: 2020-12-02
The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page.
CVE-2020-29282
PUBLISHED: 2020-12-02
SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication.
CVE-2020-29283
PUBLISHED: 2020-12-02
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php.