The Postal Service is outpacing nearly every civilian agency in knowing who is on its network and exactly what they are doing.
With more than 220,000 employees authorized to be on its network, USPS is winning the battle against the insider threat.
“We have created over time almost a single sign-on environment which allows us to use the E-Access [application] which is where an employee submits what he wants to be allocated or authorized to against the varying applications or infrastructures. His manager will have to approve his application for those rights, and then the database owner will say it’s a legitimate reason to get that information or it’s not a legitimate business reason,” said Chuck McGann, the service’s chief information security officer. “We control the data access that way. Once that happens, [the system] will match up against the Active Directory record for that employee and put him into a particular group and put him into a particular residence factor, which turns around and says, ‘Chuck now has access to the Internet or doesn’t have access to the Internet,’ and that is how we control our environment.”
The Postal Service isn’t required to meet the mandates of Homeland Security Presidential Directive-12 to give employees secure identification cards, nor does it have to meet the Office of Management and Budget’s deadlines for employees to use the smartcards to log on to their computer networks. But McGann said the benefits of applying identity management and access control requirements to their network are huge.
He said when an employee quits or is terminated, or even changes jobs within USPS, they are moved from the human resources database and their privileges granted through Active Directory are revoked quickly. “It’s a pretty robust timeframe, certainly less than 24 hours and certainly less than 12 hours that this person is no longer allowed access into any of the applications and in fact in some instances does roll over into facility access,” McGann said. “So we’ve actually linked some of these things out into the facility access so if you are no longer in the HR database you are actually suspended in Active Directory as soon as we get that notification.”
For every civilian agency, the move to logical access has been a journey, and the use of role-based access controls is taking even longer. The Defense Department, which implemented logical access using its secure identity cards in 2006, still is figuring out how to grant and revoke data and system privileges instantaneously.
The Army, for instance, is putting a lot of hope in its move to email in the cloud to implement access-based controls.
The National Institute of Standards and Technology’s National Strategy for Trusted Identities in Cyberspace (NSTIC) is considering how to do identity management in the cloud, and that would include controlling access to systems and data.
Additionally, the White House is drafting a strategy to combat insider threats. It’s part of President Barack Obama’s October executive order promoting secure information sharing.
But all of these efforts are in the development or pilot stages.
McGann said USPS developed its E-Access system using custom-built software that is integrated with both its legacy systems and newer virtualized or cloud systems.
McGann said E-Access links into USPS’ Active Directory environment and into the employee master files.
“Anytime an employee master chain is created, it rolls through the E-Access process and rolls up into the Active Directory and says, ‘This person is no longer here or this person has a new job,’” he said. “When this person has a new job, all of a sudden it comes back to the E-Access system and says, ‘You need to be removed from these rights and these rights need to be reallocated to someone else or you need to get the rights appropriate with your particular position.’”
Challenges to single sign-on
McGann said the biggest challenge has been linking every application back to the E-Access system and the Active Directory process.
“We still are going through the environment and registering all the applications,” he said. “When you have 860 applications and some of them are out in the field and are not national applications, we want to have that level of control. It requires us to register those applications so the control can be issued.”
Part of the application registration process is getting the business owners to understand they must have control and discipline over who has access and for how long to the system and its data.
“Where I see us going in the future is having better control in making sure the managers are aware of the responsibilities,” he said. “Just giving me access for 30 minutes or 30 days, we can control that, and that is one of the things we need to look at versus this long-term kind of access that rolls on. I think we are doing a pretty good job at that.”
He said too often employees with limited access to data or access that is about to expire forget or don’t realize they must ask the database owner to renew their authorization.
McGann said the system automatically blocks employees when their access expires.
“We have to get it to where people understood they had a responsibility to say and view the requester and say that’s a legitimate business need or not a legitimate business need,” he said. “I think that has been the biggest challenge, understanding it’s not just a rubber stamp.”
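The controls described in this article (two approvals per request, time-limited access, and suspension once a person leaves the HR file or changes jobs) can be verified with a periodic reconciliation audit. The sketch below is an added illustration, not USPS code and not part of the original article; the record layouts, employee IDs and application names are constructed assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 10, 12, 0)  # fixed clock so the result is reproducible

# Constructed sample data (hypothetical IDs and application names).
HR_MASTER = {"e100": "clerk", "e200": "analyst"}        # employee -> current position
DIRECTORY = {"e100": True, "e200": True, "e300": True}  # account -> enabled?

def grant(emp, app, position, manager_ok, owner_ok, days_left):
    """One access grant as a request workflow might record it (assumed layout)."""
    return {"emp": emp, "app": app, "position": position,
            "manager_ok": manager_ok, "owner_ok": owner_ok,
            "expires": NOW + timedelta(days=days_left)}

GRANTS = [
    grant("e100", "payroll",   "clerk",   True, True,  30),  # clean
    grant("e200", "hr-db",     "analyst", True, False, 30),  # owner never approved
    grant("e200", "reports",   "analyst", True, True,  -1),  # expired yesterday
    grant("e100", "mail-sort", "carrier", True, True,  30),  # from an earlier job
    grant("e300", "payroll",   "clerk",   True, True,  30),  # holder left HR file
]

def audit(hr_master, directory, grants, now):
    """Return (employee, app, reason) for every control the records violate."""
    findings = []
    # Leaver check: an enabled directory account must map to a current HR record.
    for acct in sorted(directory):
        if directory[acct] and acct not in hr_master:
            findings.append((acct, None, "enabled account with no HR record"))
    for g in grants:
        emp, app = g["emp"], g["app"]
        # Both the manager and the data owner must have approved the request.
        if not (g["manager_ok"] and g["owner_ok"]):
            findings.append((emp, app, "missing manager or data-owner approval"))
        # Time-limited access must not outlive its expiry.
        if g["expires"] <= now:
            findings.append((emp, app, "grant past its expiry"))
        # Mover check: rights should match the position held today.
        if emp in hr_master and hr_master[emp] != g["position"]:
            findings.append((emp, app, "granted under a previous position"))
    return findings

if __name__ == "__main__":
    for finding in audit(HR_MASTER, DIRECTORY, GRANTS, NOW):
        print(finding)
```
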