Bridging Identity Governance and Dynamic Access: The Anatomy of a Contextual and Dynamic Access Policy

As organizations adapt to increasingly complex IT ecosystems, traditional static access policies fail to meet modern security demands. This post continues to explore how identity attributes and governance controls shape contextual and dynamic access policies, building on the previous articles Governing Identity Attributes in a Contextual and Dynamic Access Control Environment and SailPoint Identity Security: The Foundation of DoD ICAM and Zero Trust. It examines the role of identity governance controls, such as role-based access (dynamic or policy-based), lifecycle management, and separation of duties, as the foundation for real-time decision-making and compliance. Together, these approaches not only mitigate evolving threats but also align with critical standards like NIST SP 800-207, NIST CSF, and DHS CISA recommendations, enabling secure, adaptive, and scalable access ecosystems. Discover how this integration empowers organizations to achieve zero-trust principles, enhance operational resilience, and maintain regulatory compliance in an era of dynamic threats.

Author's Note: While I referenced the DoD instruction and guidance, the examples in the document can be applied to the NIST Cybersecurity Framework and NIST SP 800-53 controls as well. My next article will speak specifically to the applicability of the DHS CDM MUR and future proposed DEFEND capabilities.


Defining Contextual and Dynamic Access Policies

Contextual and dynamic access policies adapt access decisions based on real-time inputs, including user identity, device security posture, behavioral patterns, and environmental risks. By focusing on current context rather than static attributes, these policies mitigate risks such as over-provisioning or unauthorized access.

Key Features:

  • Contextual Awareness: Evaluates real-time signals such as login frequency, device encryption status, geolocation, and threat intelligence.
  • Dynamic Decision-Making: Enforces least-privilege access dynamically and incorporates risk-based authentication (e.g., triggering MFA only under high-risk scenarios).
  • Identity Governance Integration: Leverages governance structures to align access with roles, responsibilities, and compliance standards.
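The key features above, worked as an added example that is not part of the original post or of SailPoint's product: a small Python policy evaluator that applies the governance baseline first (does any role grant the resource?) and then scores real-time context, requiring MFA only when risk is elevated and no recent MFA exists. Role names, risk weights, thresholds, and the sample requests are all assumptions.

```python
"""Added example, not from the original post or from SailPoint: a minimal
contextual access policy evaluator.  A request first passes a governance gate
(does any of the user's roles grant the resource?) and is then scored on
real-time context; MFA is required only when risk is elevated and no recent
MFA exists.  Roles, thresholds and the sample requests are all assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Governance baseline: role -> entitlements (assumed).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger-read"},
    "finance-manager": {"ledger-read", "ledger-approve"},
}
EXPECTED_COUNTRIES = {"US"}          # where the (hypothetical) agency expects logins
MFA_FRESHNESS = timedelta(minutes=15)
DENY_AT, STEP_UP_AT = 60, 25         # risk thresholds (assumed)


@dataclass
class AccessRequest:
    user: str
    roles: set
    resource: str
    device_encrypted: bool
    device_managed: bool
    country: str
    logins_last_hour: int
    ip_on_threat_list: bool
    last_mfa_at: Optional[datetime] = None


def risk_score(req: AccessRequest) -> tuple:
    """Turn contextual signals into a numeric risk plus human-readable reasons."""
    score, reasons = 0, []
    if not req.device_encrypted:
        score += 40; reasons.append("device not encrypted")
    if not req.device_managed:
        score += 20; reasons.append("unmanaged device")
    if req.country not in EXPECTED_COUNTRIES:
        score += 25; reasons.append(f"unexpected geolocation {req.country}")
    if req.logins_last_hour > 10:
        score += 15; reasons.append("abnormal login frequency")
    if req.ip_on_threat_list:
        score += 60; reasons.append("source IP on threat-intelligence list")
    return score, reasons


def evaluate(req: AccessRequest, now: datetime) -> dict:
    """Governance gate first, then a risk-based dynamic decision."""
    entitled = any(req.resource in ROLE_ENTITLEMENTS.get(r, set()) for r in req.roles)
    if not entitled:
        return {"decision": "DENY", "score": None, "reasons": ["no role grants this resource"]}
    score, reasons = risk_score(req)
    mfa_fresh = req.last_mfa_at is not None and now - req.last_mfa_at < MFA_FRESHNESS
    if score >= DENY_AT:
        decision = "DENY"
    elif score >= STEP_UP_AT and not mfa_fresh:
        decision = "STEP_UP_MFA"
    else:
        decision = "ALLOW"
    return {"decision": decision, "score": score, "reasons": reasons}


NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Constructed sample requests (not real users or systems).
SAMPLES = {
    "analyst_normal": AccessRequest("alice", {"finance-analyst"}, "ledger-read",
                                    True, True, "US", 2, False),
    "manager_abroad_no_mfa": AccessRequest("bob", {"finance-manager"}, "ledger-approve",
                                           True, False, "DE", 3, False),
    "manager_abroad_recent_mfa": AccessRequest("bob", {"finance-manager"}, "ledger-approve",
                                               True, False, "DE", 3, False,
                                               last_mfa_at=NOW - timedelta(minutes=5)),
    "threat_ip": AccessRequest("carol", {"finance-analyst"}, "ledger-read",
                               True, True, "US", 1, True),
    "analyst_out_of_role": AccessRequest("alice", {"finance-analyst"}, "ledger-approve",
                                         True, True, "US", 2, False),
}


def demo() -> dict:
    """Evaluate every sample; returns {name: decision} so the outcome can be checked."""
    return {name: evaluate(req, NOW)["decision"] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:28s} -> {evaluate(req, NOW)}")
```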

The Role of Identity Governance Controls

Identity governance forms the backbone of effective contextual and dynamic access policies by providing the structure needed for secure access management. Core components include:

  • Role-Based Access Control (RBAC), Dynamic/Policy-based: Defines roles and associated entitlements to reduce excessive or inappropriate access.
  • Access Reviews: Ensures periodic validation of user access rights, aligning with business needs and compliance mandates.
  • Separation of Duties (SoD): Prevents conflicts of interest by limiting excessive control over critical processes.
  • Lifecycle Management: Automates the provisioning and de-provisioning of access rights as roles change.
  • Policy Framework: Establishes clear baselines for determining who can access what resources under specific conditions.

Balancing Runtime Evaluation and Governance Controls

While governance controls establish structured, policy-driven access frameworks, runtime evaluations add the flexibility to adapt to real-time risks. Together, they create a layered security approach:

  • Baseline Governance: Sets foundational access rights using role-based policies and lifecycle management.
  • Dynamic Contextualization: Enhances governance by factoring in real-time conditions to ensure access decisions reflect current risk levels.
  • Feedback Loops: Insights from runtime evaluations inform and refine governance policies over time.

Benefits of Integration

By combining governance controls with contextual access policies, organizations achieve:

  • Enhanced security through continuous evaluation and dynamic risk mitigation.
  • Improved compliance with regulatory frameworks like GDPR, HIPAA, and NIST standards.
  • Operational efficiency by automating access reviews and reducing administrative overhead.

The integration of contextual and dynamic access policies with identity governance controls addresses the dual needs of flexibility and security in modern cybersecurity strategies. By combining structured governance with real-time adaptability, organizations can mitigate risks, ensure compliance, and achieve a proactive security posture that aligns with evolving business needs and regulatory demands. This layered approach represents the future of access management in a rapidly changing digital environment.


To learn more about how SailPoint can support your organization’s efforts within identity governance, cybersecurity and Zero Trust, view our resource, “The Anatomy of a Contextual and Dynamic Access Policy.”


Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SailPoint, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Governing Identity Attributes in a Contextual and Dynamic Access Control Environment

In the rapidly evolving landscape of cybersecurity, federal agencies, the Department of Defense (DoD), and critical infrastructure sectors face unique challenges in governing identity attributes within dynamic and contextual access control environments. The Department of Defense Instruction 8520.04, Identity Authentication for Information Systems, underscores the importance of identity governance in establishing trust and managing access across DoD systems. In parallel, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) guidance and the National Institute of Standards and Technology (NIST) frameworks further emphasize the critical need for secure and adaptive access controls in safeguarding critical infrastructure and federal systems.

This article examines the governance of identity attributes in this complex environment, linking these practices to Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) models. It highlights how adherence to DoD 8520.04, CISA’s Zero Trust Maturity Model, and NIST guidelines enable organizations to maintain the accuracy, security, and provenance of identity attributes. These efforts are particularly crucial for critical infrastructure, where the ability to dynamically evaluate and protect access can prevent disruptions to essential services and minimize security risks. By integrating these principles, organizations not only achieve regulatory compliance but also strengthen their defense against evolving threats, ensuring the resilience of national security systems and vital infrastructure.


Importance of Governing Identity Attributes

Dynamic Access Control

In a dynamic access control environment (Zero Trust), access decisions are made based on real-time evaluation of identity attributes and contextual information. Identity governance plays a pivotal role in ensuring that these attributes are accurate, up-to-date, and relevant. Effective identity governance facilitates:

  • Real-time Access Decisions: By maintaining a comprehensive and current view of identity attributes, organizations can make informed and timely access decisions, ensuring that users have appropriate access rights based on their roles, responsibilities, and the context of their access request.
  • Adaptive Security: Identity governance enables adaptive security measures that can dynamically adjust access controls in response to changing risk levels, user behaviors, and environmental conditions.

Attribute Provenance

Attribute provenance refers to the history and origin of identity attributes. Understanding the provenance of attributes is critical for ensuring their reliability and trustworthiness. Identity governance supports attribute provenance by:

  • Tracking Attribute Sources: Implementing mechanisms to track the origins of identity attributes, including the systems and processes involved in their creation and modification.
  • Ensuring Data Integrity: Establishing validation and verification processes to ensure the integrity and accuracy of identity attributes over time.

Attribute Protection

Protecting identity attributes from unauthorized access, alteration, or misuse is fundamental to maintaining a secure access control environment. Identity governance enhances attribute protection through:

  • Access Controls: Implementing stringent access controls to limit who can view, modify, or manage identity attributes.
  • Encryption and Masking: Utilizing encryption and data masking techniques to protect sensitive identity attributes both at rest and in transit.
  • Monitoring and Auditing: Continuously monitoring and auditing access to identity attributes to detect and respond to any suspicious activities or policy violations.

Attribute Effectiveness

The effectiveness of identity attributes in supporting access control decisions is contingent upon their relevance, accuracy, and granularity. Identity governance ensures attribute effectiveness by:

  • Regular Reviews and Updates: Conducting periodic reviews and updates of identity attributes to align with evolving business needs, regulatory requirements, and security policies.
  • Feedback Mechanisms: Establishing feedback mechanisms to assess the effectiveness of identity attributes in real-world access control scenarios and make necessary adjustments.

Risks Associated with ABAC and RBAC

ABAC Risks

ABAC relies on the evaluation of attributes to make access control decisions. While ABAC offers flexibility and granularity, it also presents several risks:

  • Complexity: The complexity of managing a large number of attributes and policies can lead to misconfigurations and errors, potentially resulting in unauthorized access or access denials.
  • Scalability: As the number of attributes and policies grows, the scalability of the ABAC system can be challenged, affecting performance and responsiveness.
  • Attribute Quality: The effectiveness of ABAC is heavily dependent on the quality of the attributes. Inaccurate, outdated, or incomplete attributes can compromise access control decisions.

RBAC Risks

RBAC assigns access rights based on predefined roles. While RBAC simplifies access management, it also has inherent risks:

  • Role Explosion: The proliferation of roles to accommodate varying access needs can lead to role explosion, complicating role management and increasing administrative overhead.
  • Stale Roles: Over time, roles may become stale or misaligned with current job functions, leading to over-privileged or under-privileged access.
  • Inflexibility: RBAC may lack the flexibility to handle dynamic and context-specific access requirements, limiting its effectiveness in modern, agile environments.

Importance to a Zero Trust Model

The Zero Trust model is predicated on the principle of “never trust, always verify,” emphasizing continuous verification of identity and context for access decisions. Governing identity attributes is integral to the Zero Trust model for several reasons:

  • Continuous Verification: Accurate and reliable identity attributes are essential for continuous verification processes that dynamically assess access requests in real-time.
  • Context-Aware Security: By governing identity attributes, organizations can implement context-aware security measures that consider a wide range of factors, including user behavior, device health, and network conditions.
  • Minimizing Attack Surface: Effective governance of identity attributes helps minimize the attack surface by ensuring that access rights are tightly controlled and aligned with current security policies and threat landscapes.

Governing identity attributes is a cornerstone of modern access control strategies, particularly within the dynamic and contextual environments that characterize today’s IT ecosystems. By supporting dynamic access, ensuring attribute provenance, protection, and effectiveness, and addressing the risks associated with ABAC and RBAC, identity governance enhances the security and efficiency of access control mechanisms. In the context of a Zero Trust model, the rigorous governance of identity attributes is indispensable for maintaining robust and adaptive security postures, ultimately contributing to the resilience and integrity of organizational systems and data.

To learn more about SailPoint’s cybersecurity capabilities and how it can support mission-critical DoD initiatives, view our technology solutions portfolio. Additionally, check out our other blog highlighting the latest insights into “The Role of Identity Governance in the Implementation of DoD Instruction 8520.04”.


Securing Systems Through Segmentation and Zero Trust

Zero Trust is a cybersecurity strategy that recognizes trust as a vulnerability that may allow malicious actors to exploit system environments. Traditionally, systems operated by granting permissions, visibility and trust to a user once they gained access. Rather than merely minimizing trust and the opportunity for breaches, Zero Trust eliminates trusted packets, systems and users altogether.

Implementing Zero Trust’s Fundamental Design Concepts

While breaches are inevitable, agencies can equip themselves with a Zero Trust framework to prevent successful cyber-attacks. Zero Trust encompasses identity, access permissions and micro segmentation, per the National Institute of Standards and Technology (NIST) architecture. All three enforcement points are required to complete the Zero Trust model. While security products are a component of a Government agency's implementation of Zero Trust, it is a strategy that requires proper planning.

To successfully implement Zero Trust, agencies must understand its fundamental design concepts.

  • Focus on business outcomes: Determine key agency objectives and design strategies with those in mind.

  • Design security strategies from the “inside out”: Typically, networks are designed from the “outside in,” beginning with the software and moving on to data. This can introduce vulnerabilities. By designing software accessibility around the data and assets that need to be protected, agencies can personalize security and minimize vulnerabilities.

  • Determine who or what needs to have access: Individuals should default with the least amount of privilege, having additional access granted on a need-to-know basis.

  • Inspect and log all traffic: Multiple factors should be considered to determine whether to allow traffic, not just authentication. Understanding what traffic is moving in and out of the network prevents breaches.

Fundamentally, Zero Trust is simple. Trust is a human concept, not a digital concept. Once agencies understand the basics of Zero Trust, they can decide which tactics they will use to help them deploy it across their network.

Breaking Up Breaches with Segmentation


In other security strategies, security is implemented at perimeters or endpoints. This places IT far from the data that needs monitoring. The average time between a breach and its discovery is 277 days, and the breach is usually discovered by independent third parties. With flat, unsegmented surfaces, once attackers gain access to a network, they can take advantage of the entire system. Zero Trust alleviates this by transforming a system’s attack surface into a “protect surface.” Through proper segmentation, systems make the attack surface as small as possible, then place users adjacent to the attack surface to protect it. This area then becomes a more manageable surface for agencies to monitor and protect, eliminating the time gap between breach and discovery.

Once the strategy method is chosen, agencies must decide which tactics and tools they will use to deploy Zero Trust. Here is a simple, five-step process for deploying Zero Trust.

1. Define the protect surface: It is important to start with knowing what data needs protection. A great first step is to follow the DAAS element—protect data, assets, applications and services. Segmentation can help separate these four elements and place each on its own protect surface, giving IT employees a manageable surface to monitor.

2. Map transaction flows: With a robust protect surface, agencies can begin tailoring their Zero Trust environment. Understanding how the entire system functions together is imperative. With visibility into transaction flow mapping, agencies can build and architect the environment around the protect surface.

3. Architect a Zero Trust environment: Agencies should personalize their security to best fit their protect surface. That way, Zero Trust can work for the agency and its environment.

4. Create policy: It is important to ask questions when creating policy, as Zero Trust is a set of granular allowance rules. Who should be allowed access and via what application? When should access be enabled? Where is the data located on the protect surface? Why is the agency doing this? These questions help agencies map out their personalized cybersecurity strategy.

5. Monitor and maintain the protect surface: By creating an anti-fragile system, which increases its capability after exposure to shocks and violations, agencies can adapt and strengthen from stressors.

Segmentation is vital to the theory of Zero Trust. Through centralized management, agencies can utilize segmentation to their benefit, placing IT adjacent to the specialized surface they protect. Zero Trust can be a learning curve. By implementing each protect surface individually, agencies can avoid becoming overwhelmed. Building from the foundation up allows agencies to control their networks. Additional technologies, such as artificial intelligence (AI) and machine learning (ML), help give defenders the advantage by enabling them to focus on protect surfaces. Through a personalized and carefully planned Zero Trust strategy, agencies can stop breaches and protect their network and data.
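The five-step process above, worked as an added example that is not from the original post or from Illumio's products: baseline flows mapped around a constructed payroll protect surface become explicit allow rules with a default deny, and flows from a later window are checked against them so that lateral movement across a would-be flat network shows up as a policy violation. All addresses, workload names, and flow records are constructed.

```python
"""Added example, not from the original post or from Illumio: deriving
default-deny allow rules for a protect surface from mapped transaction flows
(steps 1, 2 and 4) and checking later flows against them (step 5).
Workload labels, addresses and flow records are constructed for illustration."""
from collections import Counter

# Step 1, define the protect surface: ip -> (workload name, tier). Assumed values.
WORKLOADS = {
    "10.0.1.10": ("payroll-db", "protect-surface"),
    "10.0.1.20": ("payroll-app", "protect-surface"),
    "10.0.2.5": ("hr-portal", "client"),
    "10.0.9.77": ("build-runner", "other"),
    "10.0.9.80": ("workstation-42", "other"),
}

# Step 2, map transaction flows: constructed (src, dst, dst_port) records
# captured during a baseline window in which only legitimate traffic ran.
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.1.10", 5432),   # payroll-app -> payroll-db
    ("10.0.2.5", "10.0.1.20", 443),     # hr-portal   -> payroll-app
    ("10.0.1.20", "10.0.1.10", 5432),
    ("10.0.2.5", "10.0.1.20", 443),
]


def name_of(ip: str) -> str:
    return WORKLOADS.get(ip, (ip, "unknown"))[0]


def in_protect_surface(ip: str) -> bool:
    return WORKLOADS.get(ip, ("", "unknown"))[1] == "protect-surface"


def build_allow_rules(flows, min_count: int = 2) -> set:
    """Step 4, create policy: a flow into the protect surface that recurs in the
    baseline becomes an allow rule (src name, dst name, port).  Anything not in
    the returned set is implicitly denied."""
    rules = set()
    for (src, dst, port), seen in Counter(flows).items():
        if in_protect_surface(dst) and seen >= min_count:
            rules.add((name_of(src), name_of(dst), port))
    return rules


def find_violations(rules: set, flows) -> list:
    """Step 5, monitor: return flows that touch the protect surface without a rule."""
    violations = []
    for src, dst, port in flows:
        if not in_protect_surface(dst):
            continue  # outside this protect surface; another policy's concern
        if (name_of(src), name_of(dst), port) not in rules:
            violations.append({"src": name_of(src), "dst": name_of(dst), "port": port})
    return violations


# Constructed flows from a later window: legitimate traffic plus two flows
# that a flat network would have silently allowed.
OBSERVED_FLOWS = [
    ("10.0.2.5", "10.0.1.20", 443),
    ("10.0.1.20", "10.0.1.10", 5432),
    ("10.0.9.77", "10.0.1.10", 5432),   # build-runner straight to the database
    ("10.0.9.80", "10.0.1.20", 22),     # workstation SSH to the app server
    ("10.0.9.80", "10.0.9.77", 22),     # outside the protect surface: ignored here
]


def demo() -> list:
    return find_violations(build_allow_rules(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for v in demo():
        print("policy violation:", v)
```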

Illumio & Zero Trust

Zero Trust often incorporates threat-hunting solutions, to detect a problem and then try to block or remove it. But no solution will ever be 100% effective, and it must be assumed that eventually a threat will slip through undetected. Undetected threats will eventually move between workloads, further compromising the network. Illumio, a cloud computing security company that specializes in Zero Trust micro segmentation, can future-proof agencies against malware.

While threat-hunting tools focus on the workload, Illumio focuses on the segment, which means that Illumio enforces the protect surface via the vectors used by any and all threats that try to breach it. Any complex AI-generated malware that appears in the near future will also need to move across segments, so Illumio protects the environment today against threats that will appear tomorrow.

To learn more about Zero Trust and Segmentation, visit Illumio’s webinar, Segmentation is the Foundation of Zero Trust.

Highlights from the SANS Government Security Forum on Zero Trust, CMMC Compliance and AI

Carahsoft Technology Corporation, a leader in Government IT solutions, partnered with the SANS Institute for the fourth year in a row to host the 2024 Government Security Solutions Forum. The event gathered cybersecurity professionals and Public Sector leaders to address evolving cyber threats facing Government agencies. Experts led discussions on key topics, including Zero Trust implementation, achieving Cybersecurity Maturity Model Certification (CMMC) compliance and harnessing artificial intelligence (AI). This blog highlights key takeaways from three of the six sessions surrounding these imperative industry topics, providing actionable insights to strengthen cybersecurity defenses in today’s digital landscape. During the event, visual artist Ashton Rodenhiser produced summaries of the sessions, which are featured in this blog.


Zero Trust Implementation

During the session “Zero Trust Implementation Strategies,” experts explored the growing challenges security professionals face with emerging technologies and provided key insights into building a robust Zero Trust framework.

As new technologies rapidly emerge, security professionals face increasing challenges in keeping pace, especially with the integration of on-prem environments and the cloud. A key principle of Zero Trust is the enforcement of least privilege policies, which requires a shift in how identity management is applied. This begins with strong governance to ensure the accuracy and reliability of policies and attributes.

Building a comprehensive security framework also involves implementing contextual authorization through micro-segmentation, considering factors like device, location and time to create a robust protective barrier. Furthermore, integrating identity management with Endpoint Detection and Response (EDR) tools is becoming increasingly important for tracking authorized processes and addressing the extended presence of threat actors who exploit admin identities to execute malware.

One of the biggest challenges in managing security policies is their complexity. Many security policies lack human readability due to their intricate structure, making automation essential for managing actions and enforcing compliance. The National Security Agency’s (NSA) recent Zero Trust guide emphasizes automation as a key pillar, highlighting its importance in responding to data flow deviations and maintaining security.

Despite the advanced systems in place, human error continues to be a major vulnerability. Employees can unknowingly compromise security through phishing attacks or by interacting with malicious links. To mitigate this, organizations must prioritize improving employee awareness and addressing the human factor as a critical component of cybersecurity.

Explore how Carahsoft’s Zero Trust portfolio can help Government implement a comprehensive Zero Trust strategy, strengthening organizations’ security and protecting critical assets.


Achieving CMMC Compliance

The session “Navigating Supply Chain Security and CMMC Compliance” provided valuable insights into the upcoming implementation of the CMMC framework and its implications for Defense Industrial Base (DIB) organizations. This certification will ensure that DIB organizations meet stringent cybersecurity standards through third-party assessments and will soon be mandatory for both prime contractors and subcontractors working with the Department of Defense (DoD).

CMMC consists of multiple certification levels, with Level 1 covering basic practices for Federal Contract Information (FCI) and Level 2 addressing 110 practices based on NIST 800-171, extending to around 320 actions. To prepare, organizations should work with Registered Practitioner Organizations (RPOs) to assess their readiness. These RPOs employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs), who are trained and certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), a subsidiary of Cyber AB, which oversees the curriculum and training programs.

After preparation, organizations will undergo an official assessment by a CMMC Third-Party Assessment Organization (C3PAO), which hires CCPs and CCAs to evaluate the cybersecurity measures in place. As the CMMC rule takes effect, organizations must ensure they work with certified professionals listed on the Cyber AB marketplace, as uncertified entities will not be recognized by the DoD.

Given the complexity of CMMC and the fact that preparation for certification can take at least six months, organizations are encouraged to start early to meet the new requirements.

Carahsoft is proud to be part of the CMMC ecosystem, with around 800 employees focused on cybersecurity and partnerships with over 150 vendors. By closely tracking policies and industry trends, Carahsoft aligns customer needs with relevant technologies, promoting “better together” integrations to maximize the value of existing investments. Carahsoft works with vendors that address every CMMC maturity level and capability domain, guiding customers through the complex decision-making process to ensure that they select the most suitable technologies to fill security gaps effectively and efficiently. Explore Carahsoft’s CMMC portfolio.


Harnessing AI

Amid the complexities of cybersecurity, effective threat detection and response are increasingly reliant on advanced technologies like AI. The session “Harnessing AI for Advanced Threat Detection” explored the benefits and risks of integrating AI into security operations, highlighting key strategies for balancing automation with rigorous security practices.

“Advanced threat detection” spans various aspects of security operations, including the development and collection of threat intelligence. AI offers significant benefits in early threat detection, helping organizations quickly identify and respond to malicious activity. However, its use must be approached cautiously across the entire security chain.

With the rise of generative AI, industries are applying AI to automate time-consuming tasks. A key benefit is AI’s ability to condense information quickly. Tasks like threat searching or intelligence analysis, which once took hours, can now be completed in minutes, freeing experts to focus on higher-level tasks. This “toil reduction” is vital, as AI automates routine work and creates immediate efficiencies with minimal effort.

While AI brings advantages, there are inherent risks in implementing AI models and infrastructure. It is crucial to approach AI from two perspectives: using it to enhance security while ensuring the security of AI itself.

Organizations must also consider how they can trust AI-generated information. Trust and validation are essential. Provenance—knowing the source of data and models—is key to building confidence. While AI can handle most of the work, experienced engineers and analysts are still needed to verify and analyze the results so security teams can focus on more complex matters.

The siloed nature of work within security operations may limit intelligence sharing. Maintaining control of input data is critical, especially with public models hosted by technology vendors. If training data enters public models, organizations may compromise sensitive information. In regulated environments, private models offer safer options, allowing companies to train AI while retaining control.

When integrating AI into security operations, organizations should build trust by validating each use case, allowing AI to be operationalized while ensuring accuracy. Experimentation is key to identifying where AI can provide a return on investment. However, implementing AI requires careful consideration of security models, AI safety and governance, particularly as organizations scale AI into operations.

Unlock the potential of AI to drive innovation and efficiency in Government organizations with Carahsoft’s AI and machine learning portfolio.

Frank Briguglio, Federal CTO at SailPoint, and Fatih Akar, Security Product Manager at VMRay, led the discussion on Zero Trust. Melanie ‘Kyle’ Gingrich, Interim Executive Director at The Cyber AB, provided guidance on navigating CMMC compliance. Josh Lemon, Director of Managed Detection and Response at Uptycs, and Ron Bushar, Managing Director of Mandiant Solutions at Google Public Sector, explored the role of AI in advanced threat detection.

Explore more insightful sessions on how Public Sector cybersecurity teams are strengthening their security posture by watching the SANS 2024 Government Security Forum in partnership with Carahsoft.

The Role of Identity Governance in the Implementation of DoD Instruction 8520.04

On September 3, 2024, the Department of Defense (DoD) released Instruction 8520.04, titled “Access Management for DoD Information Systems,” which serves as a foundational policy guiding the secure and efficient management of access to DoD information systems. The instruction mandates protocols for managing access across various environments, including military networks and systems used by both person entities (PEs) and non-person entities (NPEs) such as devices, applications, and automated processes. At the core of this policy is the principle of identity governance, which is essential for ensuring that access to sensitive systems and data is granted, monitored, and revoked based on verified identity attributes and defined security policies.

In the dynamic cybersecurity landscape, the concept of identity governance refers to the frameworks and processes that manage the lifecycle of digital identities. This includes the creation, management, and deletion of user accounts as well as the provisioning and de-provisioning of access rights based on a combination of user attributes, roles, and organizational policies. Identity governance is critical for compliance with the DoD’s Zero Trust Architecture, as outlined in the DoD Zero Trust Strategy. It emphasizes least privilege, continuous verification, and dynamic access control, all of which are key components of DoD Instruction 8520.04.

The policy serves as a maturation of the department’s ICAM initiatives over the past few years and highlights some key concepts that need to be adopted across the department’s ecosystem. Here are some key examples of how identity governance aligns with and strengthens this policy:

1. Access Control and Provisioning

One of the primary elements of identity governance is the effective provisioning and de-provisioning of access. This aligns with Section 4 of DoD Instruction 8520.04, which mandates that access to systems be carefully controlled through explicit or dynamic mechanisms. Explicit access involves manually provisioning access rights to specific users, which must be meticulously documented and approved by system or resource owners. On the other hand, dynamic access relies on real-time attribute verification to grant or deny access based on the most current information available, such as the user’s role, location, or security clearance.


    Identity governance solutions play a crucial role in these processes by automating provisioning and de-provisioning based on predefined policies. When a user’s role changes or they leave the organization, governance systems automatically adjust access rights, ensuring compliance with de-provisioning requirements. This automatic adjustment helps prevent orphaned accounts—user accounts that are no longer needed or authorized—which can pose serious security risks if left unmanaged.

    2. Authoritative Attribute Services

    DoD Instruction 8520.04 emphasizes the importance of authoritative attribute services (AAS) in maintaining the accuracy, integrity, and security of identity attributes used in dynamic access decisions. Identity governance frameworks are designed to integrate with these authoritative services, ensuring that identity attributes such as security clearance levels, employment status, and role-based entitlements are accurate and up-to-date. This enables the DoD to enforce dynamic access control based on real-time identity data​.

    For example, a DoD system that relies on dynamic access might check a user’s current security clearance, job function, or location in real time before granting access to a sensitive file or system, or before assigning a critical role. These checks are enabled by robust identity governance systems that pull data from authoritative attribute services and apply organizational policies to ensure that access is only granted to those who are fully authorized and meet the predefined criteria.

    3. Least Privilege and Separation of Duties (SoD)

    The concept of least privilege—granting users the minimum level of access necessary to perform their duties—is another foundational principle of both identity governance and DoD Instruction 8520.04. In Section 4.2 of the instruction, system and IT resource owners are required to document and implement explicit access policies that adhere to least privilege standards. Furthermore, systems must implement SoD controls to prevent a single user from having conflicting roles, such as both creating and approving financial transactions​.

    Identity governance frameworks are uniquely equipped to manage SoD by automating the assignment of roles and enforcing policies that prevent users from being granted conflicting privileges. Governance solutions continuously monitor user access and provide alerts if SoD violations occur. By integrating these capabilities with the DoD’s access management protocols, identity governance helps ensure that users cannot escalate their privileges or circumvent access controls, thereby reducing the risk of insider threats and security breaches.
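    The two mechanisms described above, a dynamic access decision driven by attributes pulled from an authoritative attribute service, and an SoD check applied before a new role is provisioned, are small enough to show in working code. The following Python is an added example written for this page; it is not SailPoint code, DoD reference code, or anything from DoDI 8520.04. The attribute store, the roles, the clearance levels, the SoD matrix and the resource policy are all constructed, hypothetical data standing in for a real AAS and governance catalog.

```python
"""Minimal dynamic-access decision and SoD check (added illustration; all data constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordering used to compare a subject's clearance against a policy minimum.
CLEARANCE_RANK = {"NONE": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

# Constructed stand-in for an authoritative attribute service (AAS).
# In production these attributes would be fetched, not hard-coded.
ATTRIBUTE_SERVICE = {
    "alice": {"clearance": "SECRET", "roles": {"finance_clerk"}, "employment": "active"},
    "bob":   {"clearance": "TOP_SECRET", "roles": {"finance_clerk", "finance_approver"}, "employment": "active"},
    "carol": {"clearance": "SECRET", "roles": {"finance_clerk"}, "employment": "terminated"},
}

# Hypothetical SoD matrix: role pairs one identity must never hold together.
SOD_CONFLICTS = {frozenset({"finance_clerk", "finance_approver"})}


@dataclass(frozen=True)
class Context:
    """Real-time signals collected at request time."""
    device_compliant: bool
    network: str            # e.g. "NIPRNet" or "internet"
    timestamp: datetime


@dataclass(frozen=True)
class Policy:
    """Resource owner's policy for one protected resource."""
    min_clearance: str
    required_roles: frozenset
    allowed_networks: frozenset
    permitted_hours_utc: tuple = (6, 20)   # [start, end) hour window


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Hypothetical policy for a sensitive finance file.
SECRET_FILE = Policy(
    min_clearance="SECRET",
    required_roles=frozenset({"finance_clerk"}),
    allowed_networks=frozenset({"NIPRNet"}),
)


def make_context(device_compliant: bool, network: str, hour_utc: int) -> Context:
    """Helper so callers can build a context from simple values."""
    return Context(device_compliant, network, datetime(2024, 9, 3, hour_utc, tzinfo=timezone.utc))


def evaluate_access(subject: str, policy: Policy, ctx: Context) -> Decision:
    """Dynamic access decision: every failed condition is recorded; allow only if none failed."""
    d = Decision(allow=False)
    attrs = ATTRIBUTE_SERVICE.get(subject)
    if attrs is None:
        d.reasons.append("unknown subject")
        return d
    if attrs["employment"] != "active":
        d.reasons.append("employment status not active")
    if CLEARANCE_RANK[attrs["clearance"]] < CLEARANCE_RANK[policy.min_clearance]:
        d.reasons.append("clearance below policy minimum")
    if not (policy.required_roles & attrs["roles"]):
        d.reasons.append("no required role")
    if not ctx.device_compliant:
        d.reasons.append("device not compliant")
    if ctx.network not in policy.allowed_networks:
        d.reasons.append(f"network {ctx.network} not allowed")
    start, end = policy.permitted_hours_utc
    if not (start <= ctx.timestamp.hour < end):
        d.reasons.append("outside permitted hours")
    d.allow = not d.reasons
    return d


def sod_violations(roles) -> set:
    """Continuous-monitoring check: return the conflicting role pairs present in a role set."""
    held = set(roles)
    return {pair for pair in SOD_CONFLICTS if pair <= held}


def request_role(subject: str, new_role: str) -> Decision:
    """Provisioning-time check: refuse a role assignment that would create an SoD conflict."""
    d = Decision(allow=False)
    attrs = ATTRIBUTE_SERVICE.get(subject)
    if attrs is None:
        d.reasons.append("unknown subject")
        return d
    conflicts = sod_violations(attrs["roles"] | {new_role})
    if conflicts:
        d.reasons.extend("SoD conflict: " + " + ".join(sorted(p)) for p in conflicts)
        return d
    d.allow = True
    return d


if __name__ == "__main__":
    print(evaluate_access("alice", SECRET_FILE, make_context(True, "NIPRNet", 10)))
    print(evaluate_access("carol", SECRET_FILE, make_context(True, "NIPRNet", 10)))
    print(request_role("alice", "finance_approver"))
    for user, attrs in ATTRIBUTE_SERVICE.items():
        if sod_violations(attrs["roles"]):
            print(f"ALERT: existing SoD violation for {user}")
```

    Two design points are worth noting. The decision collects every failed condition rather than stopping at the first, which is what an auditor reviewing a denied request needs to see; and the SoD check runs both at provisioning time (request_role) and over the existing population (sod_violations), because a conflict can also arise when the SoD matrix itself changes after roles were granted, as it does for the constructed user "bob".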

    4. Continuous Auditing and Compliance

    Continuous auditing and monitoring of user access is a critical requirement under DoD Instruction 8520.04, particularly for privileged users. Identity governance solutions enable DoD components to implement robust audit trails that track every access request, change in privileges, and system interaction. This is particularly important for IT privileged users—those with elevated access to critical systems and sensitive data—who require enhanced monitoring to detect and respond to suspicious activity​.

    Through the use of identity governance tools, DoD organizations can enforce periodic access reviews, as mandated by the instruction, to ensure that users only have the access they need and that privileged access is justified and properly documented. These reviews are automated and documented within governance systems, reducing the manual workload on administrators and enhancing the overall security posture by ensuring compliance with regulatory requirements.

    5. Integration with Zero Trust Architecture

    The DoD Zero Trust Strategy emphasizes the need for continuous verification of users and devices as they request access to systems and data, rather than assuming trust based on their presence inside the network perimeter. Identity governance systems are integral to the implementation of Zero Trust principles within the DoD, as they enable real-time verification of identity attributes and ensure that access is granted only after all conditions are met​.

    For instance, an identity governance system might check not only a user’s identity but also their security status, the network they are using, and the time of the access request before enabling access to sensitive data. This multi-layered approach to access control ensures that even if one security measure is compromised, others are in place to protect critical resources.

    In Conclusion

    Identity governance is a foundational element of the DoD’s efforts to secure access to information systems under DoD Instruction 8520.04. By providing a structured approach to managing digital identities, provisioning access, enforcing least privilege and separation of duties, and maintaining continuous auditing and compliance, identity governance systems enable the DoD to meet the stringent security requirements laid out in the instruction. Furthermore, identity governance is a critical enabler of the DoD’s shift toward a Zero Trust Architecture, ensuring that access to sensitive systems is dynamically controlled based on real-time identity attributes and organizational policies.

    As cyber threats continue to evolve, the integration of identity governance with access management protocols like those found in DoD Instruction 8520.04 will be crucial in maintaining the security and integrity of the DoD’s information systems and the data they protect.

    For details of how SailPoint Identity Security supports the Department's current ICAM and Zero Trust initiatives, and specifically how the capabilities of the platform align with the requirements of the policy, please download the report here.

    Google and Okta Partner to Modernize Identity Management in Higher Education

    Online collaboration is an essential part of the workplace and the educational sphere. To ensure this collaboration is done securely, Okta and Google have partnered to enhance and automate identity management at scale.

    Okta is a neutral, AI-powered, extensible platform that puts identity at the heart of any IT stack. No matter the industry, use case or level of support needed, Okta facilitates Identity and Access Management (IAM) while keeping security at the core of the integration. Google Workspace is a collection of collaboration tools, and with more than three billion users, it aims to meaningfully connect users to facilitate partnerships and growth. While identity management can be complex, it does not need to be. Together, this partnership makes the path towards modern identity management as neutral, simple, secure and straightforward as possible.

    With their recent partnership, customers can now:

    • Automate identity processes at scale
    • Unlock productivity with optimal security
    • Collaborate with each other, seamlessly and securely
    • Use their Google credentials across over 7,500 different apps
    • Gain cross-platform login privileges across Google Workspace and Okta
    • Access accounts with new, simplified user permissions and automated access management

    Every organization strives to modernize and adopt cloud technology. This is also true within the higher education market, which is continuing to refine the trend of remote and hybrid learning following the pandemic. The applications and resource solutions that Google provides to higher education, along with the integration of Okta’s IAM capabilities, are immensely beneficial to an institution’s journey in adopting modern cloud technology and security.

    Leading the Modernization of Identity Management in Education


    With the influx of hybrid and online learning, higher educational institutions are still learning how to orient solutions towards online learning and teaching. From an IAM perspective, higher education is one of the most complex environments with regards to the vast array of users. Within one network, an institution has faculty, staff, professors and a yearly lifecycle of students that range from applicants to alumni. The process of onboarding and offboarding students and faculty can be time consuming and requires multiple digital programs to facilitate. Okta provides a frictionless onboarding and offboarding experience for administrations that deal with changes in the student body. There are also external users such as partners, contractors and subcontractors, such as medical centers and food providers, that universities must consider. Okta’s open, neutral and independent identity platform can integrate with technologies commonly used by institutions, such as Enterprise Resource Planning (ERP) and Student Information System (SIS), allowing universities to build off of software they are already using. Depending on the role of the individual accessing the software, the identity gains access to personalized experiences.

    Okta offers the capability to combine and manage various groups and processes in a single, secure platform. The partnership between Okta and Google enhances the student experience from their perspective, too. Okta’s single platform can solve student-specific challenges, such as managing multiple accounts and logins across an array of learning tools, enabling smoother daily operations and access. With cross-platform login, students can securely access Google Chat and Classroom features with IAM capabilities. By implementing Google Cloud capabilities into daily functions, higher education institutions can create a more modern experience for students while reducing costs. For example, artificial intelligence (AI) virtual agents are used to answer student questions and direct them to services, and mobile apps are utilized for mental health check-ins and other well-being services.

    How Okta and Google uphold Zero Trust and Cybersecurity

    Identity is one of the key pillars within the Cybersecurity and Infrastructure Security Agency (CISA)’s Zero Trust Maturity Model. Okta upholds Zero Trust principles by ensuring, through methods such as multi-factor authentication, that the person gaining access is who they say they are. By only allowing access from devices that are up to date, Okta reduces the risk that attackers exploit older systems carrying commonly known security vulnerabilities. By sustaining a strong Zero Trust baseline, Google and Okta establish a secure experience for students, staff and faculty.

    Okta gives customers a neutral, powerful and extensible platform that puts identity at the heart of information technology (IT) stacks. No matter what industry, use case or level of support is needed, Okta has customers covered. Okta and Google integrate with technology partners, alliance partners and vendors to uphold and exemplify security principles. In doing so, they ensure that every user on campus networks is safe and secure.

    To learn more about Okta and Google’s partnership and the benefits to cloud and IAM security, visit the Carahsoft-hosted webinar on the company’s newfound partnership: Securing Productivity with Google Workspace + Okta.

    Contact our Okta solutions experts today to discover the power of Okta and Google together, and how these industry leading organizations can support your higher education initiatives.

    Okta and ServiceNow: Modernizing Public Sector Operations

    Federal, state, and local agencies and educational institutions are facing a surge in targeted cyberattacks. With increasing return-to-office mandates, they face further challenges balancing security with the need to deliver frictionless experiences for users and systems, both within and beyond the premises of agencies and campuses. Public sector organizations can lean further on industry partners to help them modernize operations to improve cybersecurity, support distributed workforces and users, remain compliant with audit and policy mandates, and, ultimately, better serve the public.

    Roadblocks to Modernization

    To modernize operations, agencies and institutions need to transition from legacy systems to cloud-based tools. Creating collaborative, seamless, and secure work environments that not only attract and retain top talent but also comply with key audit and policy mandates is necessary.

    But building this kind of robust environment that can securely support mission-critical work isn’t easy.


    For one, as agencies and institutions implement cloud-based tools that deliver modern, continuous digital services, they must also ensure the new technology works seamlessly alongside existing processes. And securing work environments both in-office and remotely has never been more challenging, with a 40% increase in cyberattacks against government and public service organizations from Q2 2023 to Q3 2023. Unfortunately, busy IT teams’ resources are too often spent completing manual work instead of implementing the changes needed to focus on the high-value work that propels their missions.

    How Okta and ServiceNow Solutions Help With Modernization and Automation

    Okta and ServiceNow solutions enable agencies and institutions to overcome these obstacles by providing tools that enhance security, modernize operations, comply with strategic policies, and improve service delivery to meet critical mission goals.

    Together, Okta and ServiceNow help with:

    • Identity and access management: A centralized Identity solution offers a complete view of users, phishing-resistant authentication to protect accounts from credential-based attacks, and least-privilege access. This gives users just the right access at the right time for the right purposes.
    • User lifecycle and workflow automation: Advanced algorithms and customizable templates streamline onboarding and offboarding for IT teams, reducing time-consuming work, eliminating manual, repetitive tasks, and increasing productivity.
    • Compliance and policy oversight: Detailed logs and refined reporting capabilities perform automated compliance checks, and policy enforcement mechanisms help reduce the risk of non-compliance.
    • No-code automation: No-code/low-code automation enables IT teams to quickly launch modern services while still adhering to Zero Trust principles.
    • Risk management and monitoring: Advanced analytics and real-time reporting enable continuous visibility of all systems, improving service availability and accelerating incident response that can better protect the sensitive information of public sector organizations.
    • System integration: API management and middleware tools enable seamless integration with automated data exchange to improve communication and reduce errors.

    Why Okta and ServiceNow are Better Together

    These solutions combine ServiceNow’s expertise in policy and compliance management and internal and vendor risk management with Okta’s expertise in Identity and access management, such as single sign-on (SSO) and multi-factor authentication (MFA).

    More specifically, with a rich, bidirectional integration, Okta and ServiceNow work seamlessly together, empowering public sector organizations to modernize and automate their services to support their evolving missions with:

    • Okta Integration Network (OIN)
    • ServiceNow Security Incident Module
    • StateRAMP Ready authorization
    • FedRAMP High authorization
    • Department of Defense Impact Level (IL) 4 and IL5 workloads

    Contact our team today to learn more about how, together, Okta and ServiceNow provide the public sector with an open, future-ready platform to automate, secure, orchestrate, and simplify their workflows.

    Software, AI, Cloud and Zero Trust as Top Priorities for the Army and DoD at Large at TechNet Augusta 2023

    Many of the major cybersecurity, data, DevSecOps and other trends from the past couple of years continue to grow and be top priorities for every segment of the Department of Defense (DoD). At TechNet Augusta 2023, Government and industry experts shared the specific needs of their organizations across those areas and solutions to help achieve their goals. The main theme of the event was “Enabling a Data-Centric Army” and expanding those principles and their mobilizing technologies to the entire DoD. For the Army in particular, the shift from hardware to software, the use of artificial intelligence (AI), cloud capabilities and Zero Trust were headlining topics at the conference.

    Shifting from Hardware to Software

    In an effort to increase agility and expand access to resources, the Army is transitioning its equipment from hardware to software. Amending its materiel release process to decouple software from hardware allows the Army to deploy software outside of the long hardware acquisition cycle. To mobilize this endeavor, the Army Futures Command (AFC), is modifying its software requirements to focus on high-level overviews that are then refined by operators. Alongside this shift, the Army and other departments requested that technology providers ensure that their software solutions integrate with each other. Going forward, the Army also asked industry to provide software that is not tied to specific hardware. This separation will be key to establishing data-centricity. Nearly every speaker echoed the importance of this shift for their departments.

    Utilizing AI

    With this major transition to a software-heavy environment, Army Chief Data and Analytics Officer David Markowitz believes it will be an ideal use case for generative AI in software development. Software development is a controlled environment, which makes it easier to govern properly than some of the more complex AI use cases. As AI usage increases across the DoD, military leaders requested industry create AI platforms with layered complexity of features enabling users of any skill level to utilize the technology effectively. In regard to AI applications for data, Army CIO Leonel Garciga stated that additional guidance on “Data Use on Public/Commercial Platforms” would be released soon to clarify its policy. Overall, officials concurred that the DoD is not looking to become 100% reliant on AI aid but instead to maximize AI’s strengths to augment human critical thinking and empower commanders to make data-driven decisions.

    Enabling Cloud Capabilities

    Over the past year, the Army has exponentially increased its cloud migration and virtualized capabilities. Housing information in the cloud optimizes data storage and simplifies ease of access particularly with the increase in data output, and the push for AI data analytics and data-driven decisions. Hybrid cloud solutions offer the readiness, adaptability and duplication of vital information necessary for military operations to continue smoothly in any situation. Currently, DoD leaders seek industry solutions for modernizing and moving applications to the cloud simultaneously. Acquiring technology with this ability would reduce both the security risk and the work required from the military to implement it.

    Expanding Zero Trust

    Overarching every aspect of the DoD is the critical need for cybersecurity. Garciga plans to emphasize Zero Trust implementation heavily in conjunction with improving user experience and cyber posture. While multi-factor authentication offers a great starting point, military leaders explained that it is not enough and that they look to partner with industry to close virtualization vulnerabilities through continuous monitoring and regular red teaming. At the conference, the Army Cyber Command (ARCYBER) outlined seven principles for IT providers to follow for all capabilities they deliver:

    • Rapidly Patch Software
    • Assess All Production Code for Security Flaws
    • Improve Security of Development Networks
    • Isolate Development Environments from the Internet and from the Vendor Business Network
    • Implement Development Network Security Monitoring
    • Implement Two-Factor Authentication (2FA) on Development Network and Testing Services
    • Implement Role-based Permissions on Development Network

    Empowering DoD Success

    A consistent thread woven throughout the event was the vital nature of open communication and partnership between the DoD and technology companies to achieve the established goals. Within each of these areas including the shift from hardware to software, use of AI, cloud capabilities and Zero Trust, the DoD looks to innovate and explore new methods and solutions to stay ahead on the world platform. Together through collaboration, industry can have a vital role in keeping American citizens safe one technology update at a time.


    Explore our Federal Defense Technology Solutions Portfolio to learn how Carahsoft can support your organization through innovative, agile defense resources and IT capabilities.

    *The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at TechNet Augusta 2023.*

    Three Strategies for Minimizing Insider Threats

    Insider threats, including careless or untrained insiders, continue to be a problem for the public sector. According to the SolarWinds 2023 Public Sector Cybersecurity Survey, 68% of respondents cited careless or untrained employees as one of the highest sources of security threats, second only to foreign governments.

    Insider threats have continued to increase over the past few years. Remote and mobile work has become commonplace, and more employees have begun using unsanctioned applications, leading to shadow IT. Meanwhile, attackers have become adept at targeting government employees through phishing and ransomware campaigns, which succeed because of human error.

    Educating your employees about the dangers of these attacks and putting in proper safeguards to prevent them is critical. Here are three strategies to help employees become more aware of threats and build a better security posture from the inside.

    Understand while not everyone is a trained security expert, everyone can play their part


    Some organizations tend to say, “Everyone is responsible for cybersecurity,” which is not entirely true. An employee in charge of processing applications for social security benefits is in charge of processing applications for social security benefits, not protecting the agency from a cyber attack.

    However, there are little things everyone can do to prevent threats–they just need to know what those things are. It’s more than not opening emails from unknown senders or clicking on suspicious-looking attachments. It’s being vigilant, even when someone is feeling overworked. It’s also knowing who to report these incidents to if and when they occur and how and when to share information with colleagues about potentially suspicious activity.

    Other things you can do to help employees protect your agency include:

    • Implementing organization-wide password protocols, including multi-factor authentication
    • Requiring employees to change their passwords when there is evidence of compromise (NIST SP 800-63B advises against arbitrary periodic rotation, which tends to push users toward predictable, reused passwords)
    • Adding context to communications around cybersecurity to help employees understand the ramifications of cybersecurity incidents (for example, illustrating how a breach could impact employees’ jobs)

    While rigorous training isn’t necessary, you can aim to make safe security practices a part of your day-to-day efforts. For example, periodic email reminders, replete with simple and easy-to-follow best practices and sent from the CIO or security team, can help improve your organization’s security posture.

    Conduct simulations to help employees understand how to respond to possible threats

    Email reminders are important, but nothing beats practicing what to do in the event of a threat, which is where Breach and Attack Simulations (BAS) come in.

    BAS tools can be used to simulate just about any type of attack your employees might be exposed to, including phishing, malware, and more. Employees are asked to spot, respond to, and prevent an attack in a simulation. Managers can assess employees’ responses and reactions and discover where more education is needed.

    Simulated attacks are also great for increasing employee vigilance and education. The more employees are exposed to simulated threats, the more knowledgeable they become about those threats–and the less likely they will be to fall prey to them.

    Build a zero-trust foundation that is secure by design

    While employees should always be your first line of defense against cyberattacks, no defense is ever foolproof, even when the people behind it have been adequately trained and prepared. Implementing a secure-by-design zero-trust environment limits how far a single mistake can be exploited.

    In a secure-by-design environment, security is inherent in every aspect of the organization. Employees are aware of possible cybersecurity risks and know how to prevent them. Security is baked into the agency’s technology infrastructure and software development processes, and all technologies an agency procures have security as a standard feature, not an add-on.

    Security by design goes hand-in-hand with zero trust. Zero-trust cybersecurity models are based on an “assume breach” mentality, where every request to access information could pose a threat. Therefore, all requests must be carefully verified, and all employees should only have access to the information they need.

    Remember: while employees can be your agency’s best defenders, they’re also human. They can and will make mistakes. It’s essential to put in place safeguards to mitigate those mistakes. Education is important, but so is having a backup plan in case something fails. By covering all angles you’ll have a better chance of preventing the next employee-centric cyberattack.

    For more guidance on how to better enhance your agency’s cybersecurity posture, visit SolarWinds’ Secure by Design resource center.

    Securing the Digital Workplace: Microsoft 365 Identity Management for Public Sector Leaders

    Zero Trust is a critical focus for public sector organizations as they navigate today’s evolving digital workplace and cybersecurity landscape. But one issue is emerging as increasingly troublesome: insider threats.

    The 2022 Cost of Insider Threats: Global Report found incidents involving insider threats surged 44% over the past two years. While some of these threats may be malicious insiders, seeking to misuse their authorized access for personal gain or harm, many are the result of cybercriminals exploiting weaknesses in identities to enter your environment. These criminals use tactics like compromised credentials – the leading cause of data breaches – as well as phishing scams and social engineering to impersonate identities and gain unauthorized access.

    To effectively counter these increasingly sophisticated threats, organizations must strengthen identity management. When executed properly, identity management not only enhances the security of your digital workplace but enables a Zero Trust strategy.

    Let’s discuss what identity management is, how to build a comprehensive strategy in Microsoft 365, and how it can fortify your Zero Trust deployment.

    What is Identity Management?


    Identity management establishes and manages the digital identities of anyone entering your environment – from employees and contractors to guest users. Identities could refer to people, but they could also be services or devices entering your environment.

    Identity management enables organizations to implement robust access controls, granting privileges based on roles – which is why identity management is an integral piece of Zero Trust. Without it, you will have no way to verify users and devices are who they say they are, let alone establish proper privileges and access, which are key Zero Trust principles.

    When done effectively, identity management provides the right access to the right individuals at the right time for the right reason. This process not only improves your security posture, but can streamline user access, reduce administrative overhead, and help you better meet your compliance obligations.

    Building Identity Management in Microsoft 365

    When building your identity management strategy in Microsoft 365, remember these three basic elements: identify, authenticate, and authorize.

    Here’s how to get started:

    • Identify: The backbone of identity management in Microsoft 365 is Azure Active Directory (Azure AD, now Microsoft Entra ID). Azure AD provides a cloud identity for users, groups, and resources. It is where you build out your users’ identities and control access to internal and external resources – like your intranet or even Microsoft Teams. The solution will recognize users (based on Microsoft’s machine learning models of typical user and tenant behavior) and flag risks that fall outside of normal behavior, triggering the next steps of the process.
    • Authenticate: Multi-factor authentication (MFA) is today’s gold standard for authenticating identities. There are a variety of ways to do this, from smart cards to one-time passwords, that add layers of protection to your security. Microsoft’s Authenticator app helps implement MFA across your applications in a convenient and easy way for users, allowing them to verify their and their devices’ identities from their phones.
    • Authorize: It’s critical to grant access privileges based on the conditions specific to your organization. Conditional Access policies take a two-phased approach: they first collect signals about the request (the user, their device, IP address, application, etc.) and then enforce any policies you have in place. This could mean that if a new device is detected, the policy enforces multi-factor authentication (MFA) or requires the user to sign in again. It could also block access under certain conditions, such as when a user attempts access from a mobile device. These policies provide granular control over access while reducing the risk of unauthorized access.

    By following this framework, you can easily begin using the powerful tools Microsoft offers to build your identity management strategy, ensuring only authorized individuals have access to critical systems.

    Three Ways to Take a More Proactive Approach to Identity Management

    Once you’ve taken the initial steps to start building your identity management approach, take it to the next level to enhance your security:

    • Right-size your policies: Strict, one-size-fits-all rules can hinder productivity; if security is in the way of getting the job done, users will find a way around it. Customizing your policies to specific users, workspaces, or even content creates a more tailored approach to access control, striking a balance between security and productivity.
    • Implement lifecycles: Identities should not permanently exist in your environment. People switch jobs or upgrade their devices. Establish a process to evaluate and recertify identities – whether users (both external and internal) or devices – to ensure they still require access to your content and workspaces.
    • Monitor your environment: Even with the best-laid security plans, things can still fall through the cracks. That’s why it’s critical to monitor your environment – including users, devices, locations, and behavior – to identify any anomalies or suspicious activities that should be addressed.

    These strategies can help you build a more proactive identity management approach that actively reduces risks and attack surfaces, allowing you to go beyond verifying identity to create a secure and efficient digital workplace.

    Build a Secure Digital Workplace with Zero Trust

    While identity management is an important aspect of building your secure digital workplace, ensuring only authorized individuals have access to your systems, it is not enough to protect your data or the workspaces where it lives in today’s ever-evolving cyber threat landscape.

    Public sector organizations must embrace a comprehensive Zero Trust security framework to effectively build a secure digital workplace. To do so, you must combine identity management best practices with other robust security measures, like role-based access controls, workspace governance policies, lifecycle management processes, and risk assessments. Together, these strategies can enhance the protection of your digital environment and minimize your risk of data breach or unauthorized access.

    Download the free AvePoint guide, “How to Achieve Zero Trust Standards Without Limiting Collaboration in Microsoft 365,” for more information about protecting your digital collaboration workspaces with a Zero Trust framework.