"It's a challenge that it is an unfunded mandate," said Ken Calabrese, CTO of the Department of Health and Human Services, during a panel discussion on identity management in Washington. "There are some straight dollar benefits, but it's just something that doesn't resonate with people at this point. Articulating business value is a tough challenge."
Over the last few months, the Department of Health and Human Services has conducted a review of its identity management efforts, concluding that the agency needs more coordinated control over logical and physical security. HHS is carrying out a pilot program with that in mind. Now, when someone hands in their office keys upon leaving a job, their ID is automatically deleted from all systems. The agency is also testing single sign-on capabilities.
There are areas where HHS still needs to fill in the blanks. For example, it needs to study ways to more thoroughly prove identity in online communications between doctors and patients involving electronic health records, especially at the nationwide scale the White House has proposed for e-health records, Calabrese said.
NASA faces a different challenge. It's not that there are too many people logging into NASA systems, but that there are so many constituent groups. The space agency is revamping its network architecture to create "zones" that communities of interest can access, similar to role-based access. There might be one zone for NASA workers, another for universities, and another for foreign space agencies.
Still, identity and access management is no panacea, said Jerry Davis, NASA's deputy CIO for IT security. "The problem isn't just knowing who's on the network," he said. "When you have someone who's connected to the network and they're a true person, what are they connecting to the network with? Two-factor authentication isn't going to help if you've got a bug that does keylogging or whatever."
At the Internal Revenue Service, the organizational structure poses challenges in coming up with a comprehensive identity management and authentication policy. The IRS splits cybersecurity into two groups, operations and policy, and neither has control over physical access.
Based on data it stores on household income, the IRS is being considered for a role in verifying income for lenders and home buyers, according to Andrew Hartridge, IRS' director for cybersecurity policy and programs. The IRS could leverage its data to create challenge questions as a way of authenticating home buyers, but Hartridge said that would require significant adjustments to prevent disclosure of information to someone with unauthorized access.
The Federal Aviation Administration, meanwhile, has sorted out who manages physical access, who manages logical access, and who verifies identities, and it uses a portable "card mobile" to distribute smart cards with digital credentials to employees at various FAA locations. Yet FAA CIO Dave Bowen echoed some of the problems other agencies face, including the lack of funding for HSPD-12 and the difficulty in convincing line-of-business managers of the importance of strong identity management measures.