How one agency is getting rid of passwords through the cloud

The Justice Department is trying to accomplish a technology feat few other agencies have managed. It’s putting its identity management service in a cloud.

Greg Hall, the assistant director and chief information security officer in the Executive Office for U.S. Attorneys in the Justice Department, said the goal is to create a single sign-on for as much of the litigation process as possible.

“It’s really part of a broader identity and access management strategic initiative that we started about two years ago,” Hall said on Ask the CIO. “We worked with some internal folks to develop a three-year strategy, which involved a number of things like technology acquisition as well as putting together a strategic roadmap, and also trying to understand how we can align with the broader federal government identity and access management direction as well as some of the DoJ specific identity credential and access management initiatives.”


One of those technology acquisitions was hiring Okta to provide its cloud identity service, which EoA uses to integrate both internal and external users.

“It allows us to accept identity information from them and to provision them for access into our enterprise framework to access data sets we have in the cloud as part of our U.S. Attorneys file exchange environment, as well as systems on premise where we have litigation information that is specific to individual cases,” Hall said. “We’ve also been able to leverage the Okta technology in terms of looking at things like derived credentials and looking at other capabilities that we think are necessary to help us achieve the vision we set out for our IDAM program.”

Okta recently received approval under the Federal Risk and Authorization Management Program (FedRAMP) for its cloud identity service.

To earn the FedRAMP authority to operate, EoA required Okta to test and demonstrate compliance with a total of 300 security controls, covering areas such as vulnerability management, incident response capability and business continuity.

Mark Settle, the chief information officer at Okta, said EoA employees will authenticate to the cloud through their smart identity card or other authentication data.

Settle said bureau attorneys can use the cloud authentication service no matter what device they are using—smartphone, tablet, laptop or desktop.

“It’s a very scalable service, which has been another appeal to some of our other government customers that we’ve been talking to simply because they deal with very large populations of individuals,” he said. “Our service allows any organization to effectively federate in selectively different identity attributes. Those attributes could vary from my full name, my phone number, my email address, and in the government context, it could involve things like my social security number, my PIV card and other things. All of those could be selectively federated into our directory and our directory could be exercised to enable access to specific systems. DoJ is using us for a one-stop platform to federate identity attributes from preexisting systems and then really use us as the gateway going forward for access to all their systems. The initial focus is on DoJ employees.”

In the past, many organizations trying to go down the single sign-on path would’ve had to cobble together several technologies and integrate them with back-end systems.

Settle said that because Okta runs on the Amazon Web Services cloud, it can stand up the authentication service for a customer in less than 90 days.

“It’s a completely configurable service so it’s not as if we would link to a pre-existing identity store and suck up all that information and take it into our cloud service,” he said. “The customer, in this case DoJ, can be very explicit about what specific identity attributes they want to federate into what we call our universal directory.”

The government has struggled to move to a federated identity management system. The General Services Administration’s 18F organization is leading a fourth effort over the last 20 years to create a centralized identity management service. The initiative, called Login.gov, remains under development and it’s unclear how agencies are responding to its availability.

Several agencies, such as the Veterans Affairs Department and now DoJ, have turned to commercial service providers.

Hall said these technologies are letting EoA reduce the burden on its attorneys and other employees in how they meet the agency’s mission.

“That means accessing the data that is scalable, that’s trusted, that’s efficient and gives them access to what they need while at the same time lets us employ the least privilege principle,” he said. “We’ve been able to integrate some applications. We have a roadmap to integrate additional ones, including both on-premise and in the cloud. We are doing some work in AWS, provisioning some litigation applications out there, and trying to provide services to support the integration and to our broader enterprise framework.”

Hall said EoA employees will use their smart identity cards to log on to the network and then authenticate through the Okta cloud service to the data and applications they need to use.
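The flow described above, and Settle’s point earlier about federating only selected attributes into the directory, can be illustrated with a small two-party example. This is an added illustration and not Okta’s or EoA’s code: it stands in for the identity provider (which has already verified the smart card) minting a signed token that carries only an allowlisted set of attributes, and for a litigation application that verifies the token and grants only the permissions its groups map to (least privilege). The token format is a simplified HS256 JWT with a shared secret, chosen for brevity; Okta deployments use SAML or OpenID Connect with asymmetric keys. All issuer, audience, group, secret and user values are constructed.

```python
"""Simplified federated SSO: IdP issues a signed token after smart-card (PIV)
login; a relying application verifies it and applies least privilege.
Added illustration (not Okta's or EoA's code). HS256 with a shared secret
is an assumption made for brevity; real deployments use SAML/OIDC."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-secret"   # assumption: shared HS256 key
ISSUER = "https://idp.example.gov"           # hypothetical identity provider
AUDIENCE = "litigation-app"                  # hypothetical relying application

# Selective federation: only these attributes ever leave the source directory.
FEDERATED_ATTRIBUTES = {"sub", "name", "email", "groups"}

# Least privilege: group -> permissions; unknown groups get nothing.
GROUP_PERMISSIONS = {
    "ausa": {"case:read", "case:write"},
    "paralegal": {"case:read"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(directory_record: dict, piv_verified: bool, now: int) -> str:
    """IdP side: after the smart card has been verified, mint a short-lived
    token containing only the allowlisted attributes (SSN, phone, etc. stay
    in the source directory)."""
    if not piv_verified:
        raise PermissionError("smart-card authentication required")
    claims = {k: v for k, v in directory_record.items() if k in FEDERATED_ATTRIBUTES}
    claims.update({"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 600})
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Relying-app side: check algorithm, signature, issuer, audience and
    expiry before trusting any attribute in the token."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64(header_b64))
    if header.get("alg") != "HS256":        # reject alg=none / algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def permissions_for(claims: dict) -> set:
    """Map federated groups to the minimal permission set for this app."""
    perms = set()
    for group in claims.get("groups", []):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


if __name__ == "__main__":
    # Constructed directory record; "ssn" is deliberately present to show it is dropped.
    record = {"sub": "jdoe", "name": "Jane Doe", "email": "jdoe@example.gov",
              "ssn": "000-00-0000", "groups": ["paralegal"]}
    now = int(time.time())
    tok = issue_token(record, piv_verified=True, now=now)
    claims = verify_token(tok, now)
    print(sorted(claims), permissions_for(claims))
```

The point the example makes in code is the one both officials describe in words: the application never sees attributes it was not granted, it trusts nothing until the signature, issuer, audience and expiry check out, and it derives permissions from group membership rather than from the identity alone.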

Along with the benefits of single sign-on capability, which includes getting out from under password management, Hall said by using the cloud the Executive Office for U.S. Attorneys also is saving development time and money because they don’t have to write identity management software for every application.

Hall said beyond the identity management effort, EoA also is focusing more broadly on network and data cybersecurity.

He said his office is continuing its deployment of enhanced endpoint security tools and a data encryption platform, and is rolling out Microsoft Windows 10.

“Part of that roll out includes an advanced threat defense and threat intelligence integration capability, which I think helps deal with zero day threats and advanced malware,” he said. “We have to be almost predictive to address the threats that are out there today and to be able to effectively respond, and at the same time still do the blocking and tackling.”

Additionally, Hall said EoA is refreshing its intrusion prevention and detection infrastructure and enhancing the analytical capabilities of its security information and event management (SIEM) platform.

“Today, it really is a big data challenge because you have to sift through the mountain of data you have from all the sensors and endpoints and the telemetry data you collect and making sense out of that and being able to respond,” he said.
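Two small detections over authentication telemetry show what the analytics Hall refers to look like in practice. This is an added illustration, not EoA’s or Okta’s actual rules or log format: the events are constructed JSON lines, one per authentication attempt, with hypothetical field names (ts, user, src_ip, outcome). The first rule flags a success that follows a burst of failures for the same user (a guessing attack that eventually worked); the second flags successful logins for one user from two different source addresses within a few minutes (shared credentials, a replayed session, or a compromised account).

```python
"""Two SIEM-style detections over constructed authentication events.
Added illustration only; field names and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = """\
{"ts":"2017-03-01T09:00:01Z","user":"jdoe","src_ip":"10.1.2.3","outcome":"FAILURE"}
{"ts":"2017-03-01T09:00:05Z","user":"jdoe","src_ip":"10.1.2.3","outcome":"FAILURE"}
{"ts":"2017-03-01T09:00:09Z","user":"jdoe","src_ip":"10.1.2.3","outcome":"FAILURE"}
{"ts":"2017-03-01T09:00:12Z","user":"jdoe","src_ip":"10.1.2.3","outcome":"FAILURE"}
{"ts":"2017-03-01T09:00:15Z","user":"jdoe","src_ip":"10.1.2.3","outcome":"FAILURE"}
{"ts":"2017-03-01T09:00:20Z","user":"jdoe","src_ip":"10.1.2.3","outcome":"SUCCESS"}
{"ts":"2017-03-01T09:10:00Z","user":"asmith","src_ip":"10.1.5.7","outcome":"SUCCESS"}
{"ts":"2017-03-01T09:12:00Z","user":"asmith","src_ip":"203.0.113.9","outcome":"SUCCESS"}
{"ts":"2017-03-01T09:30:00Z","user":"bwong","src_ip":"10.1.9.9","outcome":"FAILURE"}
{"ts":"2017-03-01T09:31:00Z","user":"bwong","src_ip":"10.1.9.9","outcome":"SUCCESS"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_failure_burst_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a user's SUCCESS follows at least `threshold` FAILUREs
    within `window`. The failure list is cleared on every success so one
    burst yields one alert."""
    alerts = []
    failures = defaultdict(list)
    for event in events:
        user = event["user"]
        if event["outcome"] == "FAILURE":
            failures[user].append(event["ts"])
            continue
        recent = [t for t in failures[user] if event["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "failure_burst_then_success", "user": user,
                           "failures": len(recent), "src_ip": event["src_ip"]})
        failures[user].clear()
    return alerts


def detect_multi_ip_success(events, window=timedelta(minutes=5)):
    """Alert when one user has consecutive SUCCESS events from different
    source IPs within `window`."""
    alerts = []
    last_success = {}
    for event in events:
        if event["outcome"] != "SUCCESS":
            continue
        user = event["user"]
        prev = last_success.get(user)
        if prev and prev["src_ip"] != event["src_ip"] and event["ts"] - prev["ts"] <= window:
            alerts.append({"rule": "multi_ip_success", "user": user,
                           "ips": [prev["src_ip"], event["src_ip"]]})
        last_success[user] = event
    return alerts


def run_detections(text: str) -> list:
    """Run both rules over a JSON-lines event stream and return the alerts."""
    events = parse_events(text)
    return detect_failure_burst_then_success(events) + detect_multi_ip_success(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input, the first rule fires for jdoe (five failures in 19 seconds followed by a success) and the second for asmith (two successes two minutes apart from different addresses); bwong’s single failure before a success stays below the threshold, which is the kind of noise an analyst needs the rule to suppress.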