What is happening now, in 2021, is forcing government agencies to use their IT in different ways. Tools like VPNs have had a hard time scaling to the amount of traffic being generated when employees are suddenly working from home. It pushes security controls in different directions—onto people’s identities and the endpoints—the machines they use. The most effective security focuses on the security of identities and endpoints and uses that to make access decisions—rather than the user’s physical location or network.
Adopting Technologies More Efficiently
The current environment also means that agencies need the capacity to adopt technologies more quickly. Cloud service providers’ ability to inherit authorities to operate (ATOs) from other cloud service providers is critical to FedRAMP’s success. FedRAMP just has to verify that a company is doing the same as company X is doing before providing an ATO.
By checking those couple boxes, it allows new cloud service providers to quickly get a bunch of controls off their plate and focus on what they do best. In inheriting those ATOs, other cloud service providers can reduce their development and audit time before entering the FedRAMP marketplace. This makes government more efficient and cost effective.
Choosing the Right Security Solutions
Another factor affecting government operations is a zero-trust environment, which particularly affects companies’ developers. Zero trust forces us to examine other signals and factors when making authentication decisions: we especially check the identity of the individual and the system they are using. We ensure that the end points are secure, fully patched, and managed by the organization.
If they aren’t, then we might not actually want to completely deny access. Today’s workforce is highly mobile, and we must take that into account while building applications. If we limit access so tightly that nobody can use it or they need a very specific environment to use it, then our users will find different solutions.
The IT industry has often made the mistake of bolting on security, putting it in the wrong place rather than building it into the system. This can drive users away from better solutions into less secure systems. Zero trust wants to solve for that problem, offering people access to the right information at the right time and building that into our applications.
Improving the User Experience
Okta worked with the Quality Payment Program for the U.S. Digital Service and the Center for Medicare and Medicaid Services. They needed to bring together providers, patients in data registries, and the government; but each group had different needs and usage patterns. We helped them tie the three different backgrounds together to form a single authentication experience.
The users also required a consistent, compliance-based experience because they were working with regulated healthcare data. The regulations set various requirements, such as needing a FIPS 140 validated multifactor authentication. They solved that issue by using a secure token, a soft token on the phone, or another authentication method.
The program also needed to integrate system identities. The access to more data means that we had to do that through APIs, allowing systems to share information with systems in a secure and auditable way. By managing these APIs, CMS was able to ensure that systems and users have access to that data.
Looking into the Future
Agencies will continue to focus on the specific challenges facing employees or constituents and need technical solutions. But, if your solution is not the easiest to use, your users will look for different systems. This is absolutely critical for IT professionals and security teams to understand. If we continue to bolt on security, then the implications will be far reaching.
We will also see more focus on third-party and enterprise risk. FedRAMP is a risk-based program that is available to all agencies so they can fully understand the risk with using your application and compare that with the risks inside their own work. At the end of the audit, you have a list of risks, your plan of action, and milestones. In the future the third-party risk team will be beefed up as part of security.
Visit our website to learn more about the GovForward: Multicloud Series and FedRAMP through our additional resources.
