Improving Collaboration through Identity Management · An “Identity Ecosystem” that links an electronic identity across multiple platforms could improve collaboration and efficiency

Improving Collaboration through Identity Management A Candid Survey of Federal Managers

February 2014

Purpose Driven by White House and Congressional directives such as HSPD-12, the National Strategy for Trusted Identities in Cyberspace (NSTIC), Insider Threat Task Force, and FICAM, federal agencies are focused on identity management like never before. Agency leaders face a difficult task in ensuring secure access to agency resources by the right people, at the right time, and for the right reasons, without restricting the organization’s operational effectiveness. Understanding the difficult task of balancing these two priorities, Government Business Council (GBC), Symantec, and HP undertook a study to explore the current state of identity and access management (IAM) in the federal government.

2

Methodology To assess the perceptions, attitudes, and experiences of federal executives regarding IAM, GBC deployed a survey to a sample of Government Executive’s online and print subscribers in December 2013. The pool of 975 respondents includes those of GS-11 through 15 grade levels and members of the Senior Executive Service in defense and civilian agencies.

Table of Contents

1 Executive Summary 4

2 Respondent Profile 6

3  Research Findings 10 i. Current State of Federal IAM 11 ii. Security Concerns Can Limit Mission 15 iii. The Need for an Identity Ecosystem 21 iv. Public-Private Partnerships in IAM 26

4 Final Considerations 30

3

4

1 Executive Summary

Executive Summary Federal leaders are confident in identity management within their own agencies

A majority of respondents (72 percent) are confident or very confident in their agency’s ability to ensure appropriate physical access to resources. Slightly fewer (63 percent) are equally confident in their agency’s ability to ensure appropriate logical access. For many, the two are linked: 71 percent of respondents indicate that their agencies have integrated physical and logical IAM.

Outside of one’s own agency, security concerns limit collaboration

Nearly all respondents interact with groups outside of their agency, but security concerns limit their ability to provide services to these groups over the Internet. While respondents view the growth of mobile devices as an opportunity to improve collaboration, security concerns have limited their uptake in federal agencies.

An “Identity Ecosystem” that links an electronic identity across multiple platforms could improve collaboration and efficiency while lowering costs

The idea of a common framework for establishing trusted identities is a new concept for some federal leaders, but anticipated effects are largely positive. A majority of respondents expect an “Identity Ecosystem” to increase efficiency and confidence in using online services, among other benefits. To create an “Identity Ecosystem,” respondents are open to public-private partnerships, but security, privacy, and liability concerns will need to be addressed.

5

6

2 Respondent Profile

2%

4%

16%

28%

23%

22%

5%

0% 10% 20% 30%

Other

GS/GM-11

GS/GM-12

GS/GM-13

GS/GM-14

GS/GM-15

SES

Survey respondents are senior federal executives

7

41%

21%

21%

7%

7%

3%

0% 20% 40% 60%

None

1-5

6-20

21-50

51-200

Over 200

Job Grade Reports/Oversees

Percentage of respondents, n=975

78% of respondents are GS/GM-13

or above

59% of respondents oversee at least

one report

Most respondents work in operations

▶  Most respondents work in operations, a category that includes program/project managers and logistics specialists.

▶  “Other” includes categories such as legal, research, management, technical professionals, and auditors.

8

Job Function

16%

3%

3%

5%

5%

6%

8%

11%

12%

32%

0% 10% 20% 30% 40% 50%

Other

Communications and telecommunications

Facilities, fleet and real estate management

Information technology

Legislative

Acquisition and procurement

Finance

Engineering

Human capital

Operations


Most Represented Agencies Department of Treasury Department of Agriculture Department of the Interior Department of Transportation Department of Commerce General Services Administration Environmental Protection Agency National Aeronautics and Space Administration Social Security Administration Department of Housing and Urban Development Department of Energy Department of Labor United States Government Accountability Office Department of State Department of Education

Office of Personnel Management Small Business Administration United States Postal Service Department of Homeland Security United States Agency for International Development Nuclear Regulatory Commission Department of Health and Human Services Department of Veterans Affairs National Science Foundation Executive Office of the President (including OMB) Department of Defense (OSD, DISA, DIA, DLA, etc.) Department of Justice Department of the Army Other independent agency

9

Agencies listed in order of frequency

10

3 Research Findings

11

i. Current State of Federal IAM

What is Identity and Access Management?

12

▶ As used in this report, identity and access management (IAM) refers to a security practice that ensures access by the right people, at the right time, and for the right reasons.

▶ IAM can be used in reference to both physical access (e.g., to facilities, areas, or rooms) and logical access (e.g., to networks or files).

Federal leaders are confident in IAM within their own agencies

Physical access (e.g., to facilities, areas, rooms)

Logical access (e.g., to networks, files)

13

29%

43%

21%

7% 1%

19%

44%

26%

8% 2%

Very confident

Confident

Somewhat confident

Not confident

DK

63% of respondents are very confident or

confident

72% of respondents are very confident or

confident

Percentage of respondents, n=975 and n=974, respectively

For many, physical and logical access are interconnected

▶  A majority of respondents indicate that their agencies have integrated physical and logical IAM.

▶  Typically, integration involves using a common card or device to access the agency’s building and computer networks.

14

Has your department/agency integrated physical and logical IAM?

Yes 71%

No, but considering

15%

No, not considering

5% Don’t know

9%


15

ii. Security Concerns Can Limit Mission

94% of federal leaders interact with external groups, especially other agencies

85%

56% 56% 49%

8% 6%

Other federal departments/

agencies

Citizens State, local, regional

government departments/

agencies

Industry partners Other None of the above

16

Groups interacted with through the course of work


27% of respondents interact with

other federal agencies, citizens, state/local/regional government agencies, and industry partners

Security concerns limit service provision

9% 22% 44% 24%

Security concerns prevent my department/ agency from offering certain services online.

Strongly disagree Disagree Agree Strongly agree

17

A majority of respondents (68 percent) indicate that security concerns limit online service provision. Even those who are currently providing services to citizens believe they are limited: 72 percent identify limits to online service provision.

68% of respondents agree

or strongly agree

Percentage of respondents, n=825 “Don’t know” not included

Mobile devices offer an opportunity to enhance interaction with external groups

9% 10% 57% 24%

Mobile device usage presents an opportunity for my department/agency to enhance interaction with other groups.


18


or strongly agree


…but security concerns limit mobile expansion

5% 30% 46% 19%

Security concerns present an obstacle to my department/agency using mobile devices to interact with other groups.


19


or strongly agree


The lack of a common framework for establishing trusted identities limits interaction with external groups

7% 36% 41% 16%

The lack of a common framework for establishing trusted identities limits my department/agency’s interaction with other groups.


20


or strongly agree


21

iii. The Need for an “Identity Ecosystem”

The White House has called for the creation of an “Identity Ecosystem”

▶  April 2011’s National Strategy for Trusted Identities in Cyberspace (NSTIC) highlights the need for an “Identity Ecosystem” where individuals and organizations leverage universally-recognized digital identities to securely interact with one another.

▶  By linking an individual’s electronic identities across multiple websites, NSTIC envisions that the “Identity Ecosystem” will provide online services in a manner that promotes confidence, privacy, choice, and innovation.

22

National Strategy for Trusted Identities in Cyberspace, April 2011.

Sizable amounts of respondents are unsure of the effect that an “Identity Ecosystem” will have on efficiency, confidence, cost-effectiveness, citizen service quality, privacy, help desk calls, and security (23-34 percent select “don’t know”). Of those respondents who have an opinion, most anticipate positive effects:

Federal leaders expect largely positive effects from the creation of an “Identity Ecosystem”

30%

10%

15%

9%

15%

7%

11%

28%

38%

28%

34%

26%

29%

23%

42%

52%

57%

58%

60%

64%

66%

Security risks

Help desk calls

Privacy protections

Quality of citizen services

Cost-effectiveness

Confidence in using online services

Efficiency

Increase No change Decrease

23

Expected effects of an Identity Ecosystem

Percentage of respondents, n varies “Don’t know” not included

Respondents identify additional benefits of an “Identity Ecosystem,” including…

Better data quality. Streamlined security clearance processes and better tracking of individuals.

The ability to work more effectively outside the office environment. It would give me access to sites that I need to use but are restricted if not on a government system.

Improved intergovernmental activities.

24

“ ”

” “

” “

Sampling of open-ended responses

” “

“Identity Ecosystem” may be far off

2%

30%

24%

11%

3%

30%

0-1 years

2-5 years

6-10 years

More than 10 years

Never

Don't know

25

How soon do you think government could achieve an “Identity Ecosystem”?


56% of respondents

think government can achieve

Identity Ecosystem in the next 10 years

26

iv. Public-private Partnerships in IAM

To reach “Identity Ecosystem,” the federal government supports public-private partnerships in IAM

27

“The private sector will lead the development and implementation of this Identity Ecosystem, and it will own and operate the vast majority of the services

within it.”

-National Strategy for Trusted Identities in Cyberspace, April 2011

"The Obama administration is committed to supporting public-

private partnerships that both enhance consumer privacy and ensure the

Internet remains a driver of innovation and economic growth."

-Secretary of Commerce Penny Pritzker, September 2013

National Strategy for Trusted Identities in Cyberspace, April 2011. NIST.gov, “NIST Awards Grants to Improve Online Security and Privacy,” September 2013.

Though few respondents are opposed to public-private partnerships in IAM, many are unsure

31% 31%

18% 20%

0%

10%

20%

30%

40%

50%

Support Neither support nor oppose

Oppose Don't know

28

Opinion of public-private partnerships in IAM


Security, privacy, and liability top the list of concerns about public-private partnerships in IAM

29

Concerns about public-private partnerships in IAM


5%

15%

7%

14%

30%

40%

50%

51%

55%

None of the above

Don't know

Other

Loss of IT jobs

Vendor lock-in

Changes in work/operational flows

Liability

Privacy

Security

30

4 Final Considerations

When considering an IAM strategy in your agency… Make room for mobile.

Though federal agencies may be late mobile adopters, citizens using government services are more and more likely to be doing so from a mobile device. As this trend continues, providing a secure, usable mobile interface for citizen services will be essential to mission effectiveness.

Look to agencies already experiencing IAM success.

The Federal Cloud Credential Exchange (FCCX), run by GSA and USPS is a good look into the future of identity management. FCCX will unify six different civilian agencies using FICAM authentication standards to allow the public to securely access online services through a single sign-on. This streamlined authentication will reduce costs for participating agencies, while providing a “secure, privacy-enhancing, easy-to-use-solution.”

Count all costs, including the hidden expense of forgotten passwords.

Forgotten passwords are expensive. Agencies should look at how they can reduce operational costs by passing those expenses on to credential service providers—federal or commercial—who can unify services around a single sign on.

31

USPS participating in creation of digital Federal Cloud Credential Exchange program

Underwritten by

About HP and Symantec

For over 20 years, HP and Symantec have delivered joint technology solutions and services that enable organizations worldwide to secure and manage their most critical information. HP integrates Symantec into security, storage, server, and client solutions, and delivers enterprise services based on market-leading Symantec solutions.

About GBC

Contact

Zoe Grotophorst Manager, Research & Strategic Insights

Tel. 202.266.7335 [email protected]

govexec.com/GBC @GovBizCouncil

Our Mission

Government Business Council (GBC), the research arm of Government Executive Media Group, is dedicated to advancing the business of government through analysis and insight. GBC partners with industry to share best practices with top government decision-makers, understanding the deep value inherent in industry’s experience engaging and supporting federal agencies.

33

Improving Collaboration through Identity Management A Candid Survey of Federal Managers

February 2014

Documents

Improving Collaboration through Identity Management · An “Identity Ecosystem” that links an electronic identity across multiple platforms could improve collaboration and efficiency