Introduction


One of the foundational components of the security architecture is the management of identity credentials and authorization to interact with data. Currently the method is a manual paper-based system routed between the HR department and the IT department on employee hiring and termination. This is problematic for several reasons which will be discussed below. The solution is to implement an Identity Governance & Administration (IGA) software package.


The most important reason to replace the manual process with a unified IGA system is the information security compliance requirements of our Federal contracts, as outlined in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Specific controls must be implemented, along with methods to audit compliance. Speed of implementation is also needed: the compliance deadline was December 31, 2017, as set out in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DOD, 2017), and we are already past that date. Our contracts could be cancelled or severe financial penalties assessed if this is not corrected.

NIST SP 800-171 requires specific controls for access to information systems holding confidential data. The following sections from the guide are relevant to achieving compliance with an IGA solution.

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

3.1.3 Control the flow of CUI in accordance with approved authorizations.

3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.

3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.

3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.

3.1.8 Limit unsuccessful logon attempts.

3.1.9 Provide privacy and security notices consistent with applicable CUI rules.

3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.

3.1.11 Terminate (automatically) a user session after a defined condition (Ross, Viscuso, Guissanie, Dempsey, & Riddle, 2015).


Another vital reason to implement an advanced IGA solution is simply to increase data security. This is accomplished by reducing the attack surface of the network against both external and insider threats. An IGA system allows data to be categorized and users to be assigned roles, so that each user can access only the data they are authorized for (Silowash et al., 2012, p. 54). For example, only HR employees will be allowed to access HR records, and only researchers can access research data. More advanced IGA suites offer finer-grained controls to create needs-based access approved by a data owner. The security benefit of this access restriction is that a compromise of authentication credentials limits the data exposed, and likewise limits the data lost to a malicious insider. Stolen HR credentials will not allow the compromise of research data (Silowash et al., 2012, p. 56).
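As an added illustration of the role-based restriction described above (this is example code, not part of the original memo or of any particular IGA product), the following Python model assigns users roles, maps roles to data categories, lets a data owner approve a needs-based exception, removes everything at termination, and reports what a single compromised credential could expose. The role names, categories, owners and users are constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed data categories and the data owner who may approve needs-based
# exceptions for each (constructed for this example).
DATA_OWNERS = {"hr_records": "hr_director", "research_data": "research_lead"}

# Assumed role-to-category authorizations. Anything not listed is denied.
ROLE_CATEGORIES = {
    "hr": {"hr_records"},
    "researcher": {"research_data"},
    "it_admin": set(),  # runs systems, is not authorized for business data
}


@dataclass
class Policy:
    user_roles: dict = field(default_factory=dict)   # user -> set of roles
    owner_grants: set = field(default_factory=set)   # (user, category) pairs

    def grant(self, approver, user, category):
        """Needs-based exception: only the category's data owner may approve."""
        if DATA_OWNERS.get(category) != approver:
            raise PermissionError(f"{approver} does not own {category}")
        self.owner_grants.add((user, category))

    def revoke(self, user, category):
        self.owner_grants.discard((user, category))

    def terminate(self, user):
        """Leaver: drop every role and every exception in one step."""
        self.user_roles.pop(user, None)
        self.owner_grants = {g for g in self.owner_grants if g[0] != user}

    def can_access(self, user, category):
        roles = self.user_roles.get(user, set())   # unknown user -> no roles
        via_role = any(category in ROLE_CATEGORIES.get(r, set()) for r in roles)
        return via_role or (user, category) in self.owner_grants

    def exposure(self, user):
        """Categories reachable with this credential alone, i.e. the blast
        radius if it is stolen."""
        return {c for c in DATA_OWNERS if self.can_access(user, c)}


def demo():
    p = Policy(user_roles={"alice": {"hr"}, "bob": {"researcher"}})
    stolen_hr = p.exposure("alice")                      # {'hr_records'} only
    p.grant("research_lead", "alice", "research_data")   # owner-approved need
    with_grant = p.exposure("alice")
    p.terminate("alice")                                 # offboarding
    return stolen_hr, with_grant, p.exposure("alice")
```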


Enhanced employee productivity and job satisfaction is another important benefit. A single sign-on method will allow users to access all corporate technology resources with one username and password combination (Silowash et al., 2012, p. 35). Staff will no longer need to remember several different credentials for the separate technology systems around the company. Usability will be increased and maintenance reduced. Reducing complexity will also increase security. Employees will also be able to change their own passwords and information without HR or IT being involved. Frustration is reduced for employees as well as for administrative and IT staff. This will greatly improve group cohesion and morale, which also decreases insider threat (Silowash et al., 2012, p. 28).


Summary

An Identity Governance & Administration (IGA) solution is necessary for the continued operation of the corporation. Failure to comply will result in our losing Federal contracts and paying severe noncompliance penalties. The benefits will be an increase in data security and employee productivity. It is well worth the cost of the purchase and the effort of implementation.


References


Safeguarding Covered Defense Information and Cyber Incident Reporting, 48 C.F.R. § 252.204-7012(b)(2)(ii)(A) (2017).

Ross, R., Viscuso, P., Guissanie, G., Dempsey, K., & Riddle, M. (2015). Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST Special Publication, 800(171), 76.

Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T. J., & Flynn, L. (2012). Common Sense Guide to Mitigating Insider Threats, 4th Edition. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute.