Approaches to Identity and Access Management for Local Governments, Employees and Citizens
Identity and access management (IAM) is top-of-mind for IT departments across state governments, municipalities, and other local areas. Government employees need properly-authorized access to relevant information so that state and regional agencies can perform their roles. At the same time, the need to balance ease-of-access to data with the sensitivity of information about individuals, organizations, and other parties is critical.
HID Global recently participated in an interactive roundtable with CIOs from Texas and New York, where the discussion focused on the best methods for approaching IAM, supported by relevant policies, training, and compliance. We’re delighted to share some of the key thinking below.
The Definition of Identity and Access Management
Identity and access management enables:
- The right person
- To access the right data
- At the right time
- For the right reasons
This is perhaps even truer for government organizations—as many state governments dwarf all but the largest enterprise businesses!
Government IAM Has Already Come a Long Way
The processes of credentialing employees and managing identity access in local governments have evolved significantly over the last few years. Fortunately, the days of staff accessing records from other areas and agencies because they “just needed to look something up” are well behind us, with Chief Information Security Officers and Chief Information Officers embedding strong policies throughout their organizations. IT across government agencies is taking advantage of sophisticated IAM platforms to manage authorization and access to sensitive systems and data. This is fortunate, as the methods used to implement IAM do vary widely.
Each State and Local Agency Takes a Unique Approach to IAM
One of the biggest challenges for state, regional, and local governments is how all of their disparate agencies and other organizations approach IAM. For example, Todd Kimball, Deputy Executive Director, Department of Information Resources, and Chief Information Officer of the state of Texas, said, “We have a very federated state, and every agency is autonomous. As the state's CIO, I'm responsible for policy, education, vision, leadership, and technology direction. We set the strategic direction for the state, a total of around 355,000 employees. One thing that's true in Texas is that ‘one size fits one!’ From an identity access management perspective, each organization can make its own decisions in terms of the solutions and technology it is using to handle credentialing and IAM for state employees.”
This approach works for the state of Texas, although they’re working towards a new portal and digital assistant for citizens. Part of this rollout will also feature an option for state employee credentialing to aid with employee identity management.
A Desire for More IAM Standardization Also Has Proponents
Some organizations are pushing for more balance and standardization for government employee IAM. Doug Robinson, Executive Director of the National Association of State Chief Information Officers, prefers the approach cited in the Federal Identity Credential and Identity Management (FICAM) report, which recommends a federated roadmap and framework model within the states, but with common standards and attributes.
Doug understands that practicality and autonomy will win out: “We have to recognize that they're all in different governments. Some are going to use a highly centralized, enterprise-level identity and access management solution, while others are going to end up going agency by agency. Ultimately, I think we need to look towards a federated architecture for interoperability.”
This is something the state of New York has taken into account. Rajeev Rao, Chief Technology Officer, Office of Information Technology Services in the state of New York, explains, “The governor's vision was for IT to be consolidated. We started this process of consolidating core services, and we got all of our agencies, about 46 of them, into a single data center and started to identify core services that would be standardized. One of them was identity management. We’ve now finished consolidating everything into a single identity store, with a single policy that's governed from the top down.”
Policy and Compliance Must Lead IAM for State and Local Governments
One thing is clear—whatever approach states and local governments take, IAM must be driven by strong state and local government policies and meet rigorous compliance standards. As Jerry Cox, Director of Business Development at HID Global, explained, “Identity and Access Management is still about making sure you know who is accessing your systems. What's changed is the platform, not the ideas. It's really a policy discussion—credentialing and identity access is all about the policy that supports a solid strategy and approach.” Jerry goes on to say, “That's driven by business compliance requirements. The new standards that drive how an agency operates need to be in compliance. Consolidation allows that to happen faster.”
The Right Identity and Access Management System
Economies of scale need to feed into state government choices for the right IAM platforms to meet agency needs. Interoperability is key, so centralizing standards, approaches, and technology in a single IAM platform―then letting each agency integrate in a way that works for them―makes sense. That way, you get the best of both worlds—the confidence of a consolidated, integrated approach, with the right level of autonomy to engage employees across agencies.
What Approach Is Right for Your Local Government IAM Needs?
The different approaches from various state and local governments are creating tension between agencies and central IT functions. In fact, IAM is now in the top ten list of concerns for government CIOs. That said, there’s still a gap between “knowing” and “doing” when it comes to IAM. The consensus seems to be that a federated approach will work best―where agencies can make their own decisions about IAM―balanced with a strong policy framework, interoperability, and a foundational set of compliance and standards.
Yves Massard is responsible for the product marketing effort in HID Global’s Identity and Access Management (IAM) government business. While at HID, Yves assisted in creating the US DoD Common Access Card, ActivID™ CMS—the market-leading PIV credential management system—and ActivClient™, market-leading middleware. Yves received a Master's degree in Computer Science from the Institut National des Sciences Appliquées de Rennes and an MBA from Saint Mary’s College, California.
Sources and expertise include:
- Todd Kimball, Deputy Executive Director, Department of Information Resources, and Chief Information Officer of the State of Texas
- Rajeev Rao, Chief Technology Officer, State of NY Office of Information Technology Services
- Doug Robinson, Executive Director, National Association of State Chief Information Officers
- Jerry Cox, Director of Business Development, HID Global