Security Parameters: A Look at Identity Access Management and Hybrid Cloud Computing
Published: November 07, 2019
As the government continues its drive to reduce its reliance on legacy systems and move to cloud-based computing, both security and a full transition to hybrid systems are taking on an even more important role as primary components of the modernization process.
Agency personnel operate across multiple government-wide systems with varying levels of security clearance. These complex system transitions and data sharing efforts compound the technical security obstacles with regard to software engineering and platform transitions. There are also accompanying cultural obstacles, with agencies hesitant to abandon their legacy systems and move data to the cloud for security and practicality reasons. Regardless, agencies need to preserve a method of Personal Identity Verification for their personnel, as well as maintain an Identity Access Management System (IAMS) for continued future development.
Agency Standards and Solutions
Due to the scope of the modernization process, the government has to rely on third-party contractors to meet its identity management needs. Because the public sector’s cybersecurity modernization efforts are behind those of the private sector in development, a variety of existing companies already offer tested and proven identity management security products. However, government offices are increasingly concerned with third-party access.
The government’s Identity, Credential, and Access Management (ICAM) efforts are currently being coordinated among the GSA, DHS, and the OMB, which set standards and expectations and provide information resources for agencies as they procure ICAM programs. The directives and expectations for agencies include:
- Maintenance and support of the evolution of the government-wide Federal Identity, Credential and Access Management (FICAM) architecture and associated guidance
- To innovate using the Federal Information Processing Standard (FIPS) 201 evaluation process, and associated Approved Products List to benefit acquisitions
- To determine the feasibility of establishing a public or private sector capability for accrediting ICAM products and services available on GSA acquisition vehicles, and confirm the capability leverages NIST (National Institute of Standards and Technology) developed criteria
- To innovate and update federal public key infrastructure to provide a trust infrastructure for administering authentication solutions; and
- Ensure that all GSA acquisition solutions for ICAM meet all relevant law, OMB policies, Federal Acquisition Regulations and NIST standards
User culture and behaviors are also changing. As the public and private workforces become increasingly mobile, single sign-on security and verification methods are becoming even more popular, and in many ways preferred. A cloud-centric security system is being favored, but government agencies require security verification methods that are compatible with both cloud-based systems and legacy systems. As agencies contract these tools, regulatory agencies such as the SBA are observing and leveraging success stories in order to make recommendations and assist other agencies in their modernization efforts.
Hybrid Cloud Computing: Cloud First to Cloud Smart and Beyond
As offices transition their data and administrative systems to the cloud, those systems are not necessarily moved completely or instantaneously. Many agencies require the ability to access their legacy systems and the newly formed cloud-based systems in tandem in order to perform their mission objectives. This has required the government to adopt hybrid models of identity management whereby both are often accessed simultaneously. Since the original introduction of the Cloud First initiative, the concept of the hybrid model has evolved over time.
In 2010, the government introduced the Cloud First program, originally intended to provide efficiency, agility, and innovation across agencies, according to then US CIO Vivek Kundra. This effort, as the name implies, was the first system of its kind, detailing the need for security and standards within and among federal offices. At the time, such agencies included HHS, GSA, DoD, and the Department of Agriculture.
Eight years later, in 2018, the government updated its efforts as technology matured, and reworked its concept of moving to the cloud as part of the Cloud Smart initiative. This program adopted an arguably more intentional, flexible and hybridized approach, whereby agencies have since looked to transition programs purposefully and more methodically over time while still maintaining legacy systems when necessary. According to Federal CIO Suzette Kent, “To keep up with the country’s current pace of innovation, President Trump has placed a significant emphasis on modernizing the Federal government. By updating an outdated policy, Cloud Smart embraces best practices from both the federal government and the private sector, ensuring agencies have the capability to leverage leading solutions to better serve agency mission, drive improved citizen services and increase cybersecurity.” Throughout 2019, we have seen the growth of this initiative, evident in both federal-wide events and agency-specific opportunities focused on hybrid and cloud migration across the GovWin database, spotlighted below.
GovWin Opportunities to Watch
DHS IT Compute and Storage Modernization Cloud Migration and Data Center Optimization (GovWin ID 177168)
According to the associated RFI previously released by DHS in early 2019, this effort seeks to modernize legacy IT computers and storage, migrate to the cloud, and optimize remaining data center environments within the Department of Homeland Security. Feedback was previously requested from industry in March 2019, and the effort remains in the Pre-RFP stage with likely further movement as early as Spring 2020.
Judiciary Cloud Services (GovWin ID 185241)
A Sources Sought Notice was just released in October 2019 requesting responses from interested vendors by November 5, 2019. The government notes:
“The Judiciary is seeking to establish an enterprise hybrid cloud environment to support The United States Judiciary’s current and future IT computing and storage needs. As they proceed through their multi-phase approach for cloud adoption, the Technology Solutions Office (TSO) will refine and build upon its strategy and plans, as well as mature existing guidance. The Judiciary has implemented an on-premise cloud using VMWare and Red Hat OpenStack Platforms and anticipates expanding its cloud offerings to include off-premise cloud services. The Judiciary is also using O365 in an Azure environment.”
As responses were recently collected, Deltek does not anticipate movement on this effort for at least several months following review by procurement officials.
The Future of a Secure Operating Cloud Environment
The last ten years or so have provided a roadmap full of twists and turns for all federal government agencies as they have navigated, and continue to navigate, the various security and technological advances required by a state-of-the-art cloud computing atmosphere. We’ve seen many positive steps forward by agencies, while also noting areas that are better suited to a hybridized, slower approach to migrating a vast number of systems. What began years ago as an industry-revolutionizing announcement to overhaul entire systems’ architecture is now showing evidence of a real shift in its transformation. It will certainly be quite some time before the government’s legacy systems are all retired and new systems highly secured, but it’s clear from the most recent years’ work in procurement that many offices are well on their way to a total cloud-based future.