As the National Association of State Chief Information Officers (NASCIO) celebrates their 50th year, they also released their annual list of State CIO Top 10 Priorities. For the first time, identity and access management (IAM) were recognized on the top 10 list along with security and risk management and digital government. The priority list, which suggests vital areas for strategic and management focus for the coming year, comes out of the yearly survey of state CIOs.
When it comes to IAM, state governments are concerned about managing access for both their employees and the citizens they serve. According to Doug Robinson, NASCIO’s executive director, “enterprise IAM approaches and solutions are gaining more traction in the states and are essential for managing secure employee access and supporting digital government platforms for citizens.”
The perception that there is an urgent need for IAM at state governments has not always been the case. In fact, until recently, IAM was viewed by many as merely a technical issue for backend operations. Now that state governments are managing a growing number of systems and applications for both the citizens they serve and the employees who serve them, there is an increasing awareness of IAM’s value.
Rising Needs, Unmatched Adoption In a recent survey of IT professionals at state and local governments by StateScoop, more than 70 percent of respondents reported that they currently manage more than ten internal applications for employees that require sign-on privileges, with 24 percent of them supporting more than 30 employee applications. Most of them (including 59 percent of mainstream technology adopters) expect the number of employee applications to increase next year.
This data suggests that the need for IAM solutions will continue to grow in importance for state governments. Yet, only half of the respondents in the 2019 NASCIO survey reported that their agencies had implemented single sign-on (SSO) technology, which provides employees with the ability to use just one set of credentials to access any application, website and data for which they have permission.
In addition, the fact that more and more information is stored in the cloud means that government employees are accessing them from mobile devices from even more access points. When a government entity uses several cloud systems, the risk of leaving valuable or classified information vulnerable to unauthorized employees or outside attacks is even more challenging. According to the NASCIO report, “it’s not just state secrets being targeted – the personal data you hold on citizens and employees is also at risk.”
Employee Mischief Every industry faces different threats. Government entities, in particular, because of the significant numbers of staff they employ, are at higher risk of breaches of personal data. According to Verizon’s 2018 Data Breach Investigations Report, an annual survey of cybercrimes by industry, public administration “trails only Healthcare in the prevalence of insiders as causal actors in data breaches.” The survey indicated that 34 percent of data breaches experienced by these organizations are internal and, of the malicious or inappropriate behavior, the greatest misuse (78 percent) is privilege abuse, with mishandling of data and unapproved workarounds each accounting for 24 percent.
Employees can continue to pose risks when they leave state agencies, too. At that point, the IT department is responsible for disabling user access privileges. With one in six respondents from the StateScoop survey reporting that it takes about four hours or more to disable a user’s access privileges, it stands to reason that some of those departing employees may be accessing state systems long before their access privileges are cancelled.
And, what about disgruntled employees that are still on staff? A recent survey of IT security professionals at the federal level cited information leaked by disgruntled employees as the greatest identity management nightmare they face.
What's the Solution? An automated IAM solution can provide much-needed security and usability, ensuring that users are who they say they are, while maintaining efficiency and productivity—by giving users current authorizations and access to the information they need.
So, where are we now? While there is high awareness of the value of IAM tools among state CIOs across the country, the StateScoop survey found that less than 30 percent of state and local governments have implemented IAM tools or solutions. Why the delay? That same survey found a range of reasons, including a lack of IT expertise and competing priorities. The state governments that are pursuing IAM solutions cite increased security and implementation of privacy best practices, reduced costs and improved efficiencies as some of the main drivers for adoption.
Understandably, with so many priorities, it is difficult to find just the right expertise to help in selecting and implementing an IAM solution. At RF IDeas, we’ve invested in technology solutions that are straightforward and easy to implement. Through our unique expertise and partner ecosystem, we are ideally suited to help state governments enact an IAM solution that will protect your data, employees and citizens alike. The time to act is now.