Bridging Identity Governance and Dynamic Access: The Anatomy of a Contextual and Dynamic Access Policy

As organizations adapt to increasingly complex IT ecosystems, traditional static access policies fail to meet modern security demands. This blog instance continues to explore how identity attributes, and governance controls impact contextual and dynamic access policies—as highlighted previous articles; Governing Identity Attributes in a Contextual and Dynamic Access Control Environment and SailPoint Identity Security The foundation of DoD ICAM and Zero Trust, it examines the role of identity governance controls, such as role-based access (dynamic or policy-based), lifecycle management, and separation of duties, as the foundation for real-time decision-making and compliance. Together, these approaches not only mitigate evolving threats but also align with critical standards like NIST SP 800-207, NIST CSF, and DHS CISA recommendations, enabling secure, adaptive, and scalable access ecosystems. Discover how this integration empowers organizations to achieve zero-trust principles, enhance operational resilience, and maintain regulatory compliance in an era of dynamic threats.

Authors Note: While I referenced the DoD instruction and guidance, the examples in the document can be applied to the NIST Cybersecurity Framework, and NIST SP 800-53 controls as well. My next article with speak specifically to the applicability of the DHS CDM MUR and future proposed DEFEND capabilities.


Defining Contextual and Dynamic Access Policies

Contextual and dynamic access policies adapt access decisions based on real-time inputs, including user identity, device security posture, behavioral patterns, and environmental risks. By focusing on current context rather than static attributes, these policies mitigate risks such as over-provisioning or unauthorized access.

Key Features:

  • Contextual Awareness: Evaluates real-time signals such as login frequency, device encryption status, geolocation, and threat intelligence.
  • Dynamic Decision-Making: Enforces least-privilege access dynamically and incorporates risk-based authentication (e.g., triggering MFA only under high-risk scenarios).
  • Identity Governance Integration: Leverages governance structures to align access with roles, responsibilities, and compliance standards.

The Role of Identity Governance Controls

Identity governance forms the backbone of effective contextual and dynamic access policies by providing the structure needed for secure access management. Core components include:

SailPoint Bridging Identity Governance Blog Embedded Image
  • Role-Based Access Control (RBAC), Dynamic/Policy-based: Defines roles and associated entitlements to reduce excessive or inappropriate access.
  • Access Reviews: Ensures periodic validation of user access rights, aligning with business needs and compliance mandates.
  • Separation of Duties (SoD): Prevents conflicts of interest by limiting excessive control over critical processes.
  • Lifecycle Management: Automates the provisioning and de-provisioning of access rights as roles change.
  • Policy Framework: Establishes clear baselines for determining who can access what resources under specific conditions.

Balancing Runtime Evaluation and Governance Controls

While governance controls establish structured, policy-driven access frameworks, runtime evaluations add the flexibility to adapt to real-time risks. Together, they create a layered security approach:

  • Baseline Governance: Sets foundational access rights using role-based policies and lifecycle management.
  • Dynamic Contextualization: Enhances governance by factoring in real-time conditions to ensure access decisions reflect current risk levels.
  • Feedback Loops: Insights from runtime evaluations inform and refine governance policies over time.

Benefits of Integration

By combining governance controls with contextual access policies, organizations achieve:

  • Enhanced security through continuous evaluation and dynamic risk mitigation.
  • Improved compliance with regulatory frameworks like GDPR, HIPAA, and NIST standards.
  • Operational efficiency by automating access reviews and reducing administrative overhead.

The integration of contextual and dynamic access policies with identity governance controls addresses the dual needs of flexibility and security in modern cybersecurity strategies. By combining structured governance with real-time adaptability, organizations can mitigate risks, ensure compliance, and achieve a proactive security posture that aligns with evolving business needs and regulatory demands. This layered approach represents the future of access management in a rapidly changing digital environment.


To learn more about how SailPoint can support your organization’s efforts within identity governance, cybersecurity and Zero Trust, view our resource, “The Anatomy of a Contextual and Dynamic Access Policy.”


Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SailPoint, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Governing Identity Attributes in a Contextual and Dynamic Access Control Environment

In the rapidly evolving landscape of cybersecurity, federal agencies, the Department of Defense (DoD), and critical infrastructure sectors face unique challenges in governing identity attributes within dynamic and contextual access control environments. The Department of Defense Instruction 8520.04, Identity Authentication for Information Systems, underscores the importance of identity governance in establishing trust and managing access across DoD systems. In parallel, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) guidance and the National Institute of Standards and Technology (NIST) frameworks further emphasize the critical need for secure and adaptive access controls in safeguarding critical infrastructure and federal systems.

This article examines the governance of identity attributes in this complex environment, linking these practices to Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) models. It highlights how adherence to DoD 8520.04, CISA’s Zero Trust Maturity Model, and NIST guidelines enable organizations to maintain the accuracy, security, and provenance of identity attributes. These efforts are particularly crucial for critical infrastructure, where the ability to dynamically evaluate and protect access can prevent disruptions to essential services and minimize security risks. By integrating these principles, organizations not only achieve regulatory compliance but also strengthen their defense against evolving threats, ensuring the resilience of national security systems and vital infrastructure.

SailPoint Governing Identity Attributes Blog Embedded Image 2025

Importance of Governing Identity Attributes

Dynamic Access Control

In a dynamic access control environment (Zero Trust), access decisions are made based on real-time evaluation of identity attributes and contextual information. Identity governance plays a pivotal role in ensuring that these attributes are accurate, up-to-date, and relevant. Effective identity governance facilitates:

  • Real-time Access Decisions: By maintaining a comprehensive and current view of identity attributes, organizations can make informed and timely access decisions, ensuring that users have appropriate access rights based on their roles, responsibilities, and the context of their access request.
  • Adaptive Security: Identity governance enables adaptive security measures that can dynamically adjust access controls in response to changing risk levels, user behaviors, and environmental conditions.

Attribute Provenance

Attribute provenance refers to the history and origin of identity attributes. Understanding the provenance of attributes is critical for ensuring their reliability and trustworthiness. Identity governance supports attribute provenance by:

  • Tracking Attribute Sources: Implementing mechanisms to track the origins of identity attributes, including the systems and processes involved in their creation and modification.
  • Ensuring Data Integrity: Establishing validation and verification processes to ensure the integrity and accuracy of identity attributes over time.

Attribute Protection

Protecting identity attributes from unauthorized access, alteration, or misuse is fundamental to maintaining a secure access control environment. Identity governance enhances attribute protection through:

  • Access Controls: Implementing stringent access controls to limit who can view, modify, or manage identity attributes.
  • Encryption and Masking: Utilizing encryption and data masking techniques to protect sensitive identity attributes both at rest and in transit.
  • Monitoring and Auditing: Continuously monitoring and auditing access to identity attributes to detect and respond to any suspicious activities or policy violations.

Attribute Effectiveness

The effectiveness of identity attributes in supporting access control decisions is contingent upon their relevance, accuracy, and granularity. Identity governance ensures attribute effectiveness by:

  • Regular Reviews and Updates: Conducting periodic reviews and updates of identity attributes to align with evolving business needs, regulatory requirements, and security policies.
  • Feedback Mechanisms: Establishing feedback mechanisms to assess the effectiveness of identity attributes in real-world access control scenarios and make necessary adjustments.

Risks Associated with ABAC and RBAC

ABAC Risks

ABAC relies on the evaluation of attributes to make access control decisions. While ABAC offers flexibility and granularity, it also presents several risks:

  • Complexity: The complexity of managing a large number of attributes and policies can lead to misconfigurations and errors, potentially resulting in unauthorized access or access denials.
  • Scalability: As the number of attributes and policies grows, the scalability of the ABAC system can be challenged, affecting performance and responsiveness.
  • Attribute Quality: The effectiveness of ABAC is heavily dependent on the quality of the attributes. Inaccurate, outdated, or incomplete attributes can compromise access control decisions.

RBAC Risks

RBAC assigns access rights based on predefined roles. While RBAC simplifies access management, it also has inherent risks:

  • Role Explosion: The proliferation of roles to accommodate varying access needs can lead to role explosion, complicating role management and increasing administrative overhead.
  • Stale Roles: Over time, roles may become stale or misaligned with current job functions, leading to over-privileged or under-privileged access.
  • Inflexibility: RBAC may lack the flexibility to handle dynamic and context-specific access requirements, limiting its effectiveness in modern, agile environments.

Importance to a Zero Trust Model

The Zero Trust model is predicated on the principle of “never trust, always verify,” emphasizing continuous verification of identity and context for access decisions. Governing identity attributes is integral to the Zero Trust model for several reasons:

  • Continuous Verification: Accurate and reliable identity attributes are essential for continuous verification processes that dynamically assess access requests in real-time.
  • Context-Aware Security: By governing identity attributes, organizations can implement context-aware security measures that consider a wide range of factors, including user behavior, device health, and network conditions.
  • Minimizing Attack Surface: Effective governance of identity attributes helps minimize the attack surface by ensuring that access rights are tightly controlled and aligned with current security policies and threat landscapes.

Governing identity attributes is a cornerstone of modern access control strategies, particularly within the dynamic and contextual environments that characterize today’s IT ecosystems. By supporting dynamic access, ensuring attribute provenance, protection, and effectiveness, and addressing the risks associated with ABAC and RBAC, identity governance enhances the security and efficiency of access control mechanisms. In the context of a Zero Trust model, the rigorous governance of identity attributes is indispensable for maintaining robust and adaptive security postures, ultimately contributing to the resilience and integrity of organizational systems and data.

To learn more about SailPoint’s cybersecurity capabilities and how it can support mission-critical DoD initiatives, view our technology solutions portfolio. Additionally, check out our other blog highlighting the latest insights into “The Role of Identity Governance in the Implementation of DoD Instruction 8520.04”.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SailPoint, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Securing Systems Through Segmentation and Zero Trust

Zero Trust is a cybersecurity strategy that recognizes trust as a vulnerability that may potentially allow malicious actors to exploit system environments. Traditionally, systems operated by granting permissions, visibility and trust to a user once they gain access. Rather than minimize trust and opportunity for breaches, Zero Trust eliminates trusted packets, systems and users altogether.

Implementing Zero Trust’s Fundamental Design Concepts

While breaches are inevitable, agencies can equip themselves with a Zero Trust framework to prevent successful cyber-attacks. Zero Trust encompasses identity, access permissions and micro segmentation, per the National Institute of Standards and Technology (NIST) architecture. All three enforcement points are required to complete the Zero Trust model. While security products are a component of Government agency’s implementation of Zero Trust, it is a strategy that requires proper planning.

To successfully implement Zero Trust, agencies must understand its fundamental design concepts.

  • Focus on business outcomes: Determine key agency objectives and design strategies with those in mind.

  • Design security strategies from the “inside out”: Typically, networks are designed from the “outside in,” beginning with the software and moving onto data. This can introduce vulnerabilities. By designing software accessibility around data and assets that need to be protected, agencies can personalize security and minimize vulnerabilities.

  • Determine who or what needs to have access: Individuals should default with the least amount of privilege, having additional access granted on a need-to-know basis.

  • Inspect and log all traffic: Multiple factors should be considered to determine whether to allow traffic, not just authentication. Understanding what traffic is moving in and out of the network prevents breaches.

Fundamentally, Zero Trust is simple. Trust is a human concept, not a digital concept. Once agencies understand the basics of Zero Trust, they can decide which tactics they will use to help them deploy it across their network.

Breaking Up Breaches with Segmentation

Illumio Microsegmentation Zero Trust Blog Embedded Image 2024

In other security strategies, security is implemented on perimeters or endpoints. This places IT far from the data that needs monitoring. The average time between a breach and its discovery is 277 days and is usually discovered by independent third parties. With flat, unsegmented surfaces, once breachers gain access to a network, they can take advantage of the entire system. Zero Trust alleviates this by transforming a system’s attack surface into a “protect surface.” Through proper segmentation, systems make the attack surface as small as possible, then places users adjacent to the attack surface to protect it. This area then becomes a more manageable surface for agencies to monitor and protect, eliminating the time gap between breach and discovery.

Once the strategy method is chosen, agencies must decide which tactics and tools they will use to deploy Zero Trust. Here is a simple, five-step process for deploying Zero Trust.

1. Define the protect surface: It is important to start with knowing what data needs protection. A great first step is to follow the DAAS element—protect data, assets, applications and services. Segmentation can help separate these four elements and posit each on its own protect surface, giving IT employees a manageable surface to monitor.

    2. Map transaction flows: With a robust protect surface, agencies can begin tailoring their Zero Trust environment. Understanding how the entire system functions together is imperative. With visibility into transaction flow mapping, agencies can build and architecture the environment around the protect surface.

    3. Architect a Zero Trust environment: Agencies should personalize their security to best fit their protect surface. That way, Zero Trust can work for the agency and its environment.

    4. Create policy: It is important to ask questions when creating policy, as Zero Trust is a set of granular allowance rules. Who should be allowed access and via what application? When should access be enabled? Where is the data located on the protect surface? Why is the agency doing this? These questions help agencies map out their personalized cybersecurity strategy.

    5. Monitor and maintain the protect surface: By creating an anti-fragile system, which increases its capability after exposure to shocks and violations, agencies can adapt and strengthen from stressors.

    Segmentation is vital to the theory of Zero Trust. Through centralized management, agencies can utilize segmentation to their benefit, positing IT adjacent to the specialized surface they protect. Zero Trust can be a learning curve. By implementing each protect surface individually, agencies can avoid becoming overwhelming. Building from the foundation up allows agencies to control their networks. Additional technologies, such as artificial intelligence (AI) and machine learning (ML), help give defenders the advantage by enabling them to focus on protect surfaces. Through a personalized and carefully planned Zero Trust strategy, agencies can stop breaches and protect their network and data.

    Illumio & Zero Trust

    Zero Trust often incorporates threat-hunting solutions, to detect a problem and then try to block or remove it. But no solution will ever be 100% and it must be assumed that eventually a threat will slip through, undetected. Undetected threats will eventually move between workloads, further compromising the network. Illumio, a cloud computing security company that specializes in Zero Trust micro segmentation, can future-proof agencies against malware.

    While threat-hunting tools focus on the workload, Illumio focuses on the segment, which means that Illumio enforces the Protect Surface via the vectors used by any and all threats that try to breach it. Any complex AI-generated malware which will appear in the near future will also want to move across segments, and Illumio will protect the environment today against threats which will appear tomorrow.

    To learn more about Zero Trust and Segmentation, visit Illumio’s webinar, Segmentation is the Foundation of Zero Trust.

    Highlights from the SANS Government Security Forum on Zero Trust, CMMC Compliance and AI

    Carahsoft Technology Corporation, a leader in Government IT solutions, partnered with the SANS Institute for the fourth year in a row to host the 2024 Government Security Solutions Forum. The event gathered cybersecurity professionals and Public Sector leaders to address evolving cyber threats facing Government agencies. Experts led discussions on key topics, including Zero Trust implementation, achieving Cybersecurity Maturity Model Certification (CMMC) compliance and harnessing artificial intelligence (AI). This blog highlights key takeaways from three of the six sessions surrounding these imperative industry topics, providing actionable insights to strengthen cybersecurity defenses in today’s digital landscape. During the event a visual artist Ashton Rodenhiser summarized the sessions which are featured in this blog.

    Carahsoft SANS Government Security Solutions Forum Blog Zero Trust Image 2024

    Zero Trust Implementation

    During the session “Zero Trust Implementation Strategies,” experts explored the growing challenges security professionals face with emerging technologies and provided key insights into building a robust Zero Trust framework.

    As new technologies rapidly emerge, security professionals face increasing challenges in keeping pace, especially with the integration of on-prem environments and the cloud. A key principle of Zero Trust is the enforcement of least privilege policies, which requires a shift in how identity management is applied. This begins with strong governance to ensure the accuracy and reliability of policies and attributes.

    Building a comprehensive security framework also involves implementing contextual authorization through micro-segmentation, considering factors like device, location and time to create a robust protective barrier. Furthermore, integrating identity management with Endpoint Detection and Response (EDR) tools is becoming increasingly important for tracking authorized processes and addressing the extended presence of threat actors who exploit admin identities to execute malware.

    One of the biggest challenges in managing security policies is their complexity. Many security policies lack human readability due to their intricate structure, making automation essential for managing actions and enforcing compliance. The National Security Administration’s (NSA) recent Zero Trust guide emphasizes automation as a key pillar, highlighting its importance in responding to data flow deviations and maintaining security.

    Despite the advanced systems in place, human error continues to be a major vulnerability. Employees can unknowingly compromise security through phishing attacks or by interacting with malicious links. To mitigate this, organizations must prioritize improving employee awareness and addressing the human factor as a critical component of cybersecurity.

    Explore how Carahsoft’s Zero Trust portfolio can help Government implement a comprehensive Zero Trust strategy, strengthening organization’s security and protecting critical assets.

    Carahsoft SANS Government Security Solutions Forum Blog CMMC Image 2024

    Achieving CMMC Compliance

    The session “Navigating Supply Chain Security and CMMC Compliance” provided valuable insights into the upcoming implementation of the CMMC framework and its implications for Defense Industrial Base (DIB) organizations. This certification will ensure that DIB organizations meet stringent cybersecurity standards through third-party assessments and will soon be mandatory for both prime contractors and subcontractors working with the Department of Defense (DoD).

    CMMC consists of multiple certification levels, with Level 1 covering basic practices for Federal Contract Information (FCI) and Level 2 addressing 110 practices based on NIST 800-171, extending to around 320 actions. To prepare, organizations should work with Registered Practitioner Organizations (RPOs) to assess their readiness. These RPOs employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs), who are trained and certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), a subsidiary of Cyber AB, which oversees the curriculum and training programs.

    After preparation, organizations will undergo an official assessment by a CMMC Third-Party Assessment Organization (C3PAO), which hires CCPs and CCAs to evaluate the cybersecurity measures in place. As the CMMC rule takes effect, organizations must ensure they work with certified professionals listed on the Cyber AB marketplace, as uncertified entities will not be recognized by the DoD.

    Given the complexity of CMMC and the fact that preparation for certification can take at least six months, organizations are encouraged to start early to meet the new requirements.

    Carahsoft is proud to be part of the CMMC ecosystem, with around 800 employees focused on cybersecurity and partnerships with over 150 vendors. By closely tracking policies and industry trends, Carahsoft aligns customer needs with relevant technologies, promoting “better together” integrations to maximize the value of existing investments. Carahsoft works with vendors that address every CMMC maturity level and capability domain, guiding customers through the complex decision-making process to ensure that they select the most suitable technologies to fill security gaps effectively and efficiently. Explore Carahsoft’s CMMC portfolio.

    Carahsoft SANS Government Security Solutions Forum Blog AI Image 2024

    Harnessing AI

    Amid the complexities of cybersecurity, effective threat detection and response are increasingly reliant on advanced technologies like AI. The session “Harnessing AI for Advanced Threat Detection” explored the benefits and risks of integrating AI into security operations, highlighting key strategies for balancing automation with rigorous security practices.

    “Advanced threat detection” spans various aspects of security operations, including the development and collection of threat intelligence. AI offers significant benefits in early threat detection, helping organizations quickly identify and respond to malicious activity. However, its use must be approached cautiously across the entire security chain.

    With the rise of generative AI, industries are applying AI to automate time-consuming tasks. A key benefit is AI’s ability to condense information quickly. Tasks like threat searching or intelligence analysis, which once took hours, can now be completed in minutes, freeing experts to focus on higher-level tasks. This “toil reduction” is vital, as AI automates routine work and creates immediate efficiencies with minimal effort.

    While AI brings advantages, there are inherent risks in implementing AI models and infrastructure. It is crucial to approach AI from two perspectives: using it to enhance security while ensuring the security of AI itself.

    Organizations must also consider how they can trust AI-generated information. Trust and validation are essential. Provenance—knowing the source of data and models—is key to building confidence. While AI can handle most of the work, experienced engineers and analysts are still needed to verify and analyze the results so security teams can focus on more complex matters.

    The siloed nature of work within security operations may limit intelligence sharing. Maintaining control of input data is critical, especially with public models hosted by technology vendors. If training data enters public models, organizations may compromise sensitive information. In regulated environments, private models offer safer options, allowing companies train AI while retaining control.

    When integrating AI into security operations, organizations should build trust by validating each use case, allowing AI to be operationalized while ensuring accuracy. Experimentation is key to identifying where AI can provide a return on investment. However, implementing AI requires careful consideration of security models, AI safety and governance, particularly as organizations scale AI into operations.

    Unlock the potential of AI to drive innovation and efficiency in Government organizations with Carahsoft’s AI and machine learning portfolio.

    Frank Briguglio, Federal CTO at SailPoint, and Fatih Akar, Security Product Manager at VMRay, led the discussion on Zero Trust. Melanie ‘Kyle’ Gingrich, Interim Executive Director at The Cyber AB, provided guidance on navigating CMMC compliance. Josh Lemon, Director of Managed Detection and Response at Uptycs, and Ron Bushar, Managing Director of Mandiant Solutions at Google Public Sector, explored the role of AI in advanced threat detection.

    Explore more insightful sessions on how Public Sector cybersecurity teams are strengthening their security posture by watching the SANS 2024 Government Security Forum in partnership with Carahsoft.

    The Role of Identity Governance in the Implementation of DoD Instruction 8520.04

    On September 3, 2024, The Department of Defense (DoD) released Instruction 8520.04, titled “Access Management for DoD Information Systems,” that serves as a foundational policy guiding the secure and efficient management of access to DoD information systems. The instruction mandates protocols for managing access across various environments, including military networks and systems used by both person entities (PEs) and non-person entities (NPEs) such as devices, applications, and automated processes. At the core of this policy is the principle of identity governance, which is essential for ensuring that access to sensitive systems and data is granted, monitored, and revoked based on verified identity attributes and defined security policies.

    In the dynamic cybersecurity landscape, the concept of identity governance refers to the frameworks and processes that manage the lifecycle of digital identities. This includes the creation, management, and deletion of user accounts as well as the provisioning and de-provisioning of access rights based on a combination of user attributes, roles, and organizational policies. Identity governance is critical for compliance with the DoD’s Zero Trust Architecture, as outlined in the DoD Zero Trust Strategy. It emphasizes least privilege, continuous verification, and dynamic access control, all of which are key components of DoD Instruction 8520.04​.

    The policy serves as maturation of the departments ICAM initiatives over the past few years and highlights some key concepts that need to be adopted across the departments ecosystem. Here are some key examples of how identity governance aligns with and strengthens this policy:

    1. Access Control and Provisioning

    One of the primary elements of identity governance is the effective provisioning and de-provisioning of access. This aligns with Section 4 of DoD Instruction 8520.04, which mandates that access to systems be carefully controlled through explicit or dynamic mechanisms. Explicit access involves manually provisioning access rights to specific users, which must be meticulously documented and approved by system or resource owners. On the other hand, dynamic access relies on real-time attribute verification to grant or deny access based on the most current information available, such as the user’s role, location, or security clearance​.

    SailPoint Identity Governance for the DoD Blog Embedded Image 2024

    Identity governance solutions play a crucial role in these processes by automating provisioning and de-provisioning based on predefined policies. When a user’s role changes or they leave the organization, governance systems automatically adjust access rights, ensuring compliance with de-provisioning requirements. This automatic adjustment helps prevent orphaned accounts—user accounts that are no longer needed or authorized—which can pose serious security risks if left unmanaged.

    2. Authoritative Attribute Services

    DoD Instruction 8520.04 emphasizes the importance of authoritative attribute services (AAS) in maintaining the accuracy, integrity, and security of identity attributes used in dynamic access decisions. Identity governance frameworks are designed to integrate with these authoritative services, ensuring that identity attributes such as security clearance levels, employment status, and role-based entitlements are accurate and up-to-date. This enables the DoD to enforce dynamic access control based on real-time identity data​.

    For example, a DoD system that relies on dynamic access might check a user’s current security clearance, job function, or location in real time before granting access to a sensitive file or system, or assign a critical role. These checks are enabled by robust identity governance systems that pull data from authoritative attribute services and apply organizational policies to ensure that access is only granted to those who are fully authorized and meet the predefined criteria.

    3. Least Privilege and Separation of Duties (SoD)

    The concept of least privilege—granting users the minimum level of access necessary to perform their duties—is another foundational principle of both identity governance and DoD Instruction 8520.04. In Section 4.2 of the instruction, system and IT resource owners are required to document and implement explicit access policies that adhere to least privilege standards. Furthermore, systems must implement SoD controls to prevent a single user from having conflicting roles, such as both creating and approving financial transactions​.

    Identity governance frameworks are uniquely equipped to manage SoD by automating the assignment of roles and enforcing policies that prevent users from being granted conflicting privileges. Governance solutions continuously monitor user access and provide alerts if SoD violations occur. By integrating these capabilities with the DoD’s access management protocols, identity governance helps ensure that users cannot escalate their privileges or circumvent access controls, thereby reducing the risk of insider threats and security breaches.

    4. Continuous Auditing and Compliance

    Continuous auditing and monitoring of user access is a critical requirement under DoD Instruction 8520.04, particularly for privileged users. Identity governance solutions enable DoD components to implement robust audit trails that track every access request, change in privileges, and system interaction. This is particularly important for IT privileged users—those with elevated access to critical systems and sensitive data—who require enhanced monitoring to detect and respond to suspicious activity​.

    Through the use of identity governance tools, DoD organizations can enforce periodic access reviews, as mandated by the instruction, to ensure that users only have the access they need and that privileged access is justified and properly documented. These reviews are automated and documented within governance systems, reducing the manual workload on administrators and enhancing the overall security posture by ensuring compliance with regulatory requirements.

    5. Integration with Zero Trust Architecture

    The DoD Zero Trust Strategy emphasizes the need for continuous verification of users and devices as they request access to systems and data, rather than assuming trust based on their presence inside the network perimeter. Identity governance systems are integral to the implementation of Zero Trust principles within the DoD, as they enable real-time verification of identity attributes and ensure that access is granted only after all conditions are met​.

    For instance, an identity governance system might check not only a user’s identity but also their security status, the network they are using, and the time of the access request before enabling access to sensitive data. This multi-layered approach to access control ensures that even if one security measure is compromised, others are in place to protect critical resources.

    In Conclusion

    Identity governance is a foundational element of the DoD’s efforts to secure access to information systems under DoD Instruction 8520.04. By providing a structured approach to managing digital identities, provisioning access, enforcing least privilege and separation of duties, and maintaining continuous auditing and compliance, identity governance systems enable the DoD to meet the stringent security requirements laid out in the instruction. Furthermore, identity governance is a critical enabler of the DoD’s shift toward a Zero Trust Architecture, ensuring that access to sensitive systems is dynamically controlled based on real-time identity attributes and organizational policies.

    As cyber threats continue to evolve, the integration of identity governance with access management protocols like those found in DoD Instruction 8520.04 will be crucial in maintaining the security and integrity of the DoD’s information systems and the data they protect.

    For a details of how SailPoint Identity Security supports the departments current ICAM and Zero Trust initiatives, and specifically how the capabilities of the platform align with the requirements of the policy, please download the report here.

    Software, AI, Cloud and Zero Trust as Top Priorities for the Army and DoD at Large at TechNet Augusta 2023

    Many of the major cybersecurity, data, DevSecOps and other trends from the past couple of years continue to grow and be top priorities for every segment of the Department of Defense (DoD). At TechNet Augusta 2023, Government and industry experts shared the specific needs of their organizations across those areas and solutions to help achieve their goals. The main theme of the event was “Enabling a Data-Centric Army” and expanding those principles and their mobilizing technologies to the entire DoD. For the Army in particular, the shift from hardware to software, the use of artificial intelligence (AI), cloud capabilities and Zero Trust were headlining topics at the conference.

    Shifting from Hardware to Software

    In an effort to increase agility and expand access to resources, the Army is transitioning its equipment from hardware to software. Amending its materiel release process to decouple software from hardware allows the Army to deploy software outside of the long hardware acquisition cycle. To mobilize this endeavor, the Army Futures Command (AFC), is modifying its software requirements to focus on high-level overviews that are then refined by operators. Alongside this shift, the Army and other departments requested that technology providers ensure that their software solutions integrate with each other. Going forward, the Army also asked industry to provide software that is not tied to specific hardware. This separation will be key to establishing data-centricity. Nearly every speaker echoed the importance of this shift for their departments.

    Utilizing AI

    With this major transition to a software-heavy environment, Army Chief Data and Analytics Officer David Markowitz believes it will be an ideal use case for generative AI in software development. Having a controlled environment in software development would make it easier to properly govern compared to the complexity of some of the other uses. As AI usage increases across the DoD, military leaders requested industry create AI platforms with layered complexity of features enabling users of any skill level to utilize the technology effectively. In regard to AI applications for data, Army CIO Leonel Garciga stated that additional guidance on “Data Use on Public/Commercial Platforms” would be released soon to clarify its policy. Overall, officials concurred that the DoD is not looking to become 100% reliant on AI aid but instead maximize AI’s strengths to augment human critical thinking and empower commanders to make data-driven decisions.

    Enabling Cloud Capabilities

    Over the past year, the Army has exponentially increased its cloud migration and virtualized capabilities. Housing information in the cloud optimizes data storage and simplifies ease of access particularly with the increase in data output, and the push for AI data analytics and data-driven decisions. Hybrid cloud solutions offer the readiness, adaptability and duplication of vital information necessary for military operations to continue smoothly in any situation. Currently, DoD leaders seek industry solutions for modernizing and moving applications to the cloud simultaneously. Acquiring technology with this ability would reduce both the security risk and the work required from the military to implement it.

    Expanding Zero Trust

    Overarching every aspect of the DoD is the critical need for cybersecurity. Garciga plans to emphasize Zero Trust implementation heavily in conjunction with improving user experience and cyber posture. While multi-factor authentication offers a great starting point, military leaders explained that it is not enough and that they look to partner with industry to close virtualization vulnerabilities through continuous monitoring and regular red teaming. At the conference, the Army Cyber Command (ARCYBER) outlined seven principles for IT providers to follow for all capabilities they deliver:

    • Rapidly Patch Software
    • Assess All Production Code for Security Flaws
    • Improve Security of Development Networks
    • Isolate Development Environments from the Internet and from the Vendor Business Network
    • Implement Development Network Security Monitoring
    • Implement Two-Factor Authentication (2FA) on Development Network and Testing Services
    • Implement Role-based Permissions on Development Network

    Empowering DoD Success

    A consistent thread woven throughout the event was the vital nature of open communication and partnership between the DoD and technology companies to achieve the established goals. Within each of these areas including the shift from hardware to software, use of AI, cloud capabilities and Zero Trust, the DoD looks to innovate and explore new methods and solutions to stay ahead on the world platform. Together through collaboration, industry can have a vital role in keeping American citizens safe one technology update at a time.

     

    Explore our Federal Defense Technology Solutions Portfolio to learn how Carahsoft can support your organization through innovative, agile defense resources and IT capabilities.

    *The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at TechNet Augusta 2023.*

    Securing the Digital Workplace: Microsoft 365 Identity Management for Public Sector Leaders

    Zero Trust is a critical focus for public sector organizations as they navigate today’s evolving digital workplace and cybersecurity landscape. But one issue is emerging as increasingly troublesome: insider threats.

    The 2022 Cost of Inside Threats: Global Report found incidents involving insider threats surged 44% over the past two years. While some of these threats may be malicious insiders, seeking to misuse their authorized access for personal gain or harm, many are the result of cybercriminals exploiting vulnerabilities in identities to enter your environment. These criminals use tactics like compromised credentials – the leading cause of data breaches – as well as phishing scams and social engineering to impersonate identities and gain unauthorized access.

    To effectively counter these increasingly sophisticated threats, organizations must strengthen identity management. When executed properly, identity management not only enhances the security of your digital workplace but enables a Zero Trust strategy.

    Let’s discuss what identity management is, how to build a comprehensive strategy in Microsoft 365, and how it can fortify your Zero Trust deployment.

    What is Identity Management?

    AvePoint Identity Management Blog Embedded Image 2023

    Identity management establishes and manages the digital identities of anyone entering your environment – from employees and contractors to guest users. Identities could refer to people, but they could also be services or devices entering your environment.

    Identity management enables organizations to implement robust access controls, granting privileges based on roles – which is why identity management is an integral piece of Zero Trust. Without it, you will have no way to verify users and devices are who they say they are, let alone establish proper privileges and access, which are key Zero Trust principles.

    When done effectively, identity management provides the right access to the right individuals at the right time for the right reason. This process not only improves your security posture, but can streamline user access, reduce administrative overhead, and help you better meet your compliance obligations.

    Building Identity Management in Microsoft 365

    When building your identity management strategy in Microsoft 365, remember these three basic elements: identify, authenticate, and authorize.

    Here’s how to get started:

    • Identify: The backbone of identity management in Microsoft 365 is Azure Activity Directory (Azure AD). Azure AD provides a cloud identity for users, groups, and resources. It is where you build out your users’ identities and control access to internal and external resources – like your intranet or even Microsoft Teams. The solution will recognize users (based on Microsoft’s powerful machine learning and AI’s understanding of typical user and tenant behavior) and flag risks that fall outside of normal behavior, triggering the next steps of the process.
    • Authenticate: Multi-factor authentication (MFA) is today’s gold standard for authenticating identities. There are a variety of ways to do this, from smart cards to one-time passwords, that add layers of protection to your security. Microsoft’s Authenticator App helps implement MFA across your applications in a convenient and easy way for users, allowing them to verify their and their devices’ identities from their phones.
    • Authorize: It’s critical to grant access privileges based on the conditions specific to your organization. Conditional Access policies take a two-phased approach: first, it collects information about the person (their device, IP address, etc.) and then enforces any policies you have in place. This could mean if it detects a new device, it may enforce multi-factor authentication (MFA) or request the user sign in again. It could also prohibit access under certain conditions, like if a user is attempting access from a mobile device. These policies provide granular control over access while reducing the risk of authorized access.

    By following this framework, you can easily begin using the powerful tools Microsoft offers to build your identity management strategy, ensuring only authorized individuals have access to critical systems.

    Three Ways to Take a More Proactive Approach to Identity Management

    Once you’ve taken the initial steps to start building your identity management approach, take it to the next level to enhance your security:

    • Right-size your policies: Strict, one-size-fits-all rules can hinder productivity; if security is in the way of getting the job done, users will find a way around it. Customizing your policies to specific users, workspaces, or even content creates a more tailored approach to access control, striking a balance between security and productivity.
    • Implement lifecycles: Identities should not permanently exist in your environment. People switch jobs or upgrade their devices. Establish a process to evaluate and recertificate identities – whether users (both external and internal) or devices – to ensure they still require access to your content and workspaces.
    • Monitor your environment: Even with the best-laid security plans, things can still fall through the cracks. That’s why it’s critical to monitor your environment – including users, devices, locations, and behavior – to identify any anomalies or suspicious activities that should be addressed.

    These strategies can help you build a more proactive identity management approach that actively reduces risks and attack surfaces, allowing you to go beyond verifying identity to create a secure and efficient digital workplace.

    Build a Secure Digital Workplace with Zero Trust

    While identity management is an important aspect of building your secure digital workplace, ensuring only authorized individuals have access to your systems, it is not enough to protect your data or the workspaces where it lives in today’s ever-evolving cyber threat landscape.

    Public sector organizations must embrace a comprehensive Zero Trust security framework to effectively build a secure digital workplace. To do so, you must combine identity management best practices with other robust security measures, like role-based access controls, workspace governance policies, lifecycle management processes, and risk assessments. Together, these strategies can enhance the protection of your digital environment and minimize your risk of data breach or unauthorized access.

    Download the free AvePoint guide, “How to Achieve Zero Trust Standards Without Limiting Collaboration in Microsoft 365,” for more information about protecting your digital collaboration workspaces with a Zero Trust framework.

    Transforming Digital Services and Modernizing Risk Posture in Colorado

    Throughout Colorado State and Local departments, utilizing emerging technology is imperative to combating cyber threats and improving efficiency. At the Carahsoft Digital Transformation Roadshow in Denver, Colorado, Government IT and industry leaders engaged in dynamic discussions around transforming Colorado through technology.

    Transforming Technology in Government

    Reducing technical debt is a pivotal step in transforming the way Colorado responds to citizens and facilitates digital services. Modernization contributes to building a streamlined constituent experience, enabling data integration for better decision-making and lowering the cost of ownership. That further requires top technology talent to redesign aging technology systems and deliver better outcomes for the state.

    The Digital Government strategic plan gathered over 2,000 Coloradans to understand their experience with Digital Government. The group heard from citizens requesting easier forms and more accessible Government services. From that survey, administration learned that State and Local departments can make an impact through three initiatives: expanding broadband access, making Government accessible by reducing burden of access for constituents and reducing poverty.

    Carahsoft Florida Colorado State and Local Roadshow Blog Embedded Image 2023Change and increased needs seem to be the only constants in today’s world. Workloads are ever increasing and requirements from new and unexpected sources are creating backlogs that are becoming critical. This can put an incredible burden on plans, resources and personnel. The next step is looking at how technology and innovation can improve these new processes and address new demands through live chats, Artificial Intelligence (AI) modeling, etc. There is immense opportunity for Local agencies in Colorado to use this technology to make workflows more efficient, learn about their citizens and offer that instant gratification that customers have come to expect.

    One of the biggest challenges Local Government faces is the interoperability across departments to share resources and capabilities. By focusing on utilizing new technologies to encourage that interoperability and optimize through data, user experience improves. There also must be a balance when handling sensitive data within these departments, as well as an effort to avoid technology sprawl and cost complexity. Automation and AI is foundational when it comes to daily operations and best practices as innovative technical solutions continue to make access from the edge easier, more transparent and secure.

    The Role of Emerging Technologies in Digital Government

    By eliminating legacy systems and investing in emerging enterprise technologies, agencies are generating cost savings, increasing security and accessibility and providing a more holistic, human-centered Government experience for Colorado.

    Understanding how Colorado is securing the remote workforce in light of the telework and deployment explosion is important to connect where those emerging technologies can improve communication and networking issues. It is important that the state gets broadband access to its most rural and underserved communities to expand high-speed internet and 5G to increase citizen engagement with Government services. By utilizing endpoint detection, multi-factor authentication and mobile device management, Colorado protects citizens’ data and gains an understanding of user behavior to protect the data from any cyber threats.

    The emerging technology approach is also about an innovative mindset to use tools in a better way that improves citizens’ digital experience. Colorado has been modernizing its approach to citizen-facing services by consolidating into simple, quick and more digital interactions to ease how citizens access essential services and programs with the state.

    Technology acceleration takes center stage as part of Colorado’s Digital Government Strategic Plan. For the City and County of Denver, collaboration is imperative for coordinating technology deployment across the State and Local Government and within communities, at speeds capable of meeting the plan’s timelines. With these modernization efforts and changes across the state, agencies must invest in change management by preparing citizens for more digitized services. This includes walking residents through new processes and applications as incremental changes occur.

    Combating Cyber Threats in Government

    As their communities increasingly become targets of hackers and other cyber criminals, State and Local agencies must stand united to prevent and recover from cyberattacks. Cybersecurity risks range from data exploitation, insider threats, third-party practices as outsourcing increases, ransomware, identity theft and fraudulent access to State Government services.

    Risk tolerance and risk posture must factor in human risk, application risk, physical security risk, datacenter risk and cloud risk to comprehensively assess cyber threats. As a result of the COVID-19 pandemic, the workforce access changed overnight, creating an even greater need for multi-factor authentication, password management, cloud security and Zero Trust compliance.

    Data integrity attacks include unauthorized insertion, deletion or modification of data to Government information such as emails, employee records, financial records and citizen data. Public facing identity is a big aspect going forward for Colorado agencies.

    The safeguards in use today ensure data is secure, protected and effectively backed up, yet readily available when needed. Lifecycle management is critical to making sure users have the right level of access to the right applications. Today, most agencies are in a position where if someone logs in, they make an identity claim with a username and password and a one-time code. The agency should then know what application that user accessed, and the process stops there; however, with the diversity in endpoints, more information needs to be acquired. Agencies can then make better risk-based decisions on who is allowed to log in, thereby protecting their environment, detecting and remediating threats while continuing to modernize their risk posture.

    Emerging technologies and new digital services provide State and Local agencies more opportunities to easily connect with their citizens and make sure the user experience is as smooth as possible. As increased access to applications and Government data continues, agencies must continuously improve their risk posture to protect citizens’ sensitive information by upholding Zero Trust best practices.

     

    Visit our roadshow resource hub to learn more about the State and Local Roadshow Series: Digital Transformation.

    4 Steps to Applying Zero Trust to Content Security

    As organizations adopt zero trust architectures, there’s one key area that seems to be overlooked: the content layer. And yet, security vulnerabilities at this layer pose significant, and extremely common threats. In fact, research reveals that a large portion of companies share sensitive content with over 2,500 third parties and use multiple tools for content communications.

    Given the vulnerable nature of content exchange, it’s important to extend zero trust principles right down to the emails, documents, and files that we all share every day. But there are reasons why organizations do not do this regularly. For example, enforcing access rights can be tricky, especially in large organizations or companies with significant turnover. Tracking and monitoring every file type is impossible, as is adequately classifying every type of content.

    Forcepoint Kiteworks Collaboration Zero Trust Blog Embedded Image 2024

    Forcepoint’s new partnership with Kiteworks, a leader in data privacy and compliance for sensitive content communications, changes everything. Together, we’ve developed the industry’s most powerful solution for true zero trust security at the content layer. It combines Forcepoint’s Content Disarm & Reconstruction (CDR) and Data Loss Prevention (DLP) solutions with Kiteworks’ Private Content Network (PCN).

    This combination allows organizations to take a highly effective four-step approach to zero trust content security by:

    1. Making all content untrusted by default – Applying zero trust at the content layer entails assuming that all data is malicious until proven otherwise. Ensuring content is secure and delivered safely requires deconstructing—and reconstructing—the information that’s being sent. Forcepoint’s Zero Trust CDR extracts information from files, verifies that the information is secure, and builds new, functional files to carry the information to its ultimate destination.
    2. Enforcing least-privilege content access – Least-privilege access management is a core tenet of zero trust security; our solution extends this practice to the content layer. It applies access control for applications to all content assets and allows organizations to assess who is sending, sharing, receiving, viewing, altering, or saving content. Companies can also monitor from where and to that content is being sent.
    3. Monitoring content for potential vulnerabilities – Most organizations employ some form of network monitoring and have done so for years. Effective content monitoring employs the same principles of complete, real-time visibility and unified control. Our joint solution consolidates content communication channels for easy management and closely monitors each asset to ensure content is free of vulnerabilities.
    4. Integrating policy management tracking and controls for data loss prevention – Tracking and monitoring content collaboration and communications is essential to prevent sensitive content from falling into the wrong hands. Our solution allows organizations to discover, classify, monitor, and protect data, track and control sensitive content, and audit user behavior—mitigating data loss.

    This “trust no content” approach addresses all content security gaps. It provides organizations with assurances that the content their users are reading, sharing, and using is well-protected and free of malware.

    Moreover, it makes implementing and managing zero trust content security an easy, frictionless experience for both administrators and users alike. Admins have everything they need to manage content security from a central location, and users will not experience any delays or inhibitions in their ability to collaborate or communicate.

    Contact a member of our team today to learn more about Forcepoint’s and Kiteworks’ new solution and schedule a demo to start taking the steps necessary to bring zero trust security to your content.

    Sea-Air-Space 2023 Showcases Strategic Insights for the Navy

    As the landscape of defense technology across the United States Armed Forces continues to advance and transform, the military must also evolve and adapt with it. At Sea-Air-Space 2023, the Navy League’s Global Maritime Exposition, key leadership from the U.S. defense industry and government technology experts came together for educational and collaborative sessions across a variety of topics. A record number of attendees gathered for the three-day conference where many vendors including Carahsoft and 45 of its partners demonstrated their technology solutions to meet military needs. Fed Gov Today joined Carahsoft on the show floor to speak with military thought leaders on staffing, cybersecurity and more.

    Carahsoft Sea-Air-Space Recap Tradeshow Blog Embedded Image 2023Sea Service chiefs attending the conference noted that currently, maintaining and developing the workforce is a high priority for the military as it emphasizes the role of people as resources. Defense agencies are looking to engage young, talented individuals interested in serving the armed forces.

    “Whenever you see the defense budget start to go down…a lot of times you’ll see training and education reduced,” Carahsoft’s Program Executive of Navy and Defense Strategy, Mike McCalip, said. “What you end up with is a workforce that can be five or 10 years behind in technology.” To mitigate this, McCalip sees this as an opportunity for industry vendors to “help [the Navy] to educate and keep their workforce on the tip of the spear when it comes to technology.”

    Another important concept discussed at Sea-Air-Space was the Department of Defense’s shift to ever evolving Zero Trust. Throughout the conference, Sea Service chiefs and tech vendors fielded many questions and conversations surrounding cybersecurity’s role within defense strategy. Military leaders and vendors shared an eagerness to collaborate and explore opportunities for growth together in the future.

     

    Check out the rest of my industry insights and highlights from the event floor at Sea-Air-Space 2023 in my full blog at FedGovToday.com.