identity verification Archives | FedScoop
https://fedscoop.com/tag/identity-verification/

GSA taps Login.gov deputy director to take top role next month
https://fedscoop.com/gsa-taps-tts-deputy-director-to-take-top-login-gov-role-next-month/
Wed, 24 Apr 2024 22:10:30 +0000

Hanna Kim, a DOD, State and Treasury alum, is set to lead Login.gov after serving as its first-ever deputy director since January.

Hanna Kim will take over as director of Technology Transformation Services’ Login.gov starting May 11, the General Services Administration confirmed Wednesday. 

Kim has served as the website’s first deputy director since January following a five-year stint at Amazon, where she developed “cutting-edge AI-based technology to scale policy enforcement,” per a GSA email. Kim previously worked across the federal government, serving with the departments of State, Treasury and Defense.

Dan Lopez-Braus, the outgoing director of Login.gov, will transition into a senior adviser position with TTS. 

TTS Director Ann Lewis said in a statement that Kim “will lead the team to implement the recently-announced launch of an optimized pricing structure and a new pilot for selfie-based identity verification, both of which will empower even more agencies and programs to use Login.gov to benefit people nationwide.” 

The news of Kim’s appointment follows an announcement from Login.gov earlier this month that it will pilot biometric technology for identity verification. The tool would allow users to take a “selfie” as a complementary feature to the site’s efforts to protect against identity fraud attempts and cyberattacks. 

A Government Accountability Office report released Monday listed Login.gov as a federal government use case for biometric identification. The congressional watchdog said the Department of Veterans Affairs and the Social Security Administration use it for identity verification for members of the public to access websites and services. 

The GAO issued five recommendations for policymakers to address concerns regarding biometric technology: conducting comprehensive evaluations to provide more information about the effects of biometric tech, enacting privacy laws or guidance, offering tech users additional training and guidance on how they might select and use the biometric technology appropriately, more widespread information-sharing about the tech, and applying a “risk-based” approach in the development of regulations and guidance. 

Biometric identification tech varies in “accuracy for different populations,” the GAO stated, but there have been advances over the past four years that have led to notable improvements.

Correction: Due to an editing error, Kim was initially identified as a deputy director for TTS rather than deputy director of TTS’ Login.gov.

Using the momentum of the pandemic to advance zero trust security
https://fedscoop.com/use-momentum-pandemic-advance-zero-trust-security/
Tue, 04 May 2021 19:30:38 +0000

Getting buy-in from agency leaders to prioritize investments into zero-trust security has been challenging. But the pandemic — resulting in work-from-home initiatives and the loss of physical access controls — is forcing agency leaders to throw their security and access planning assumptions out the window.

With the loss of the ability to manage devices, control software updates and establish trust for users accessing government systems, CIOs and CISOs need to build security strategies that future-proof their agency against new threats and cyber risks, according to a new report.

The FedScoop report, “Pandemic Forces Agencies to Accelerate Zero Trust Security Plans,” underwritten by Duo Security, looks at two key pillars of establishing zero trust: centralized authentication and strong digital identity capabilities.

Core tenets of zero trust

“Ideally, agencies want to get to a place where it doesn’t necessarily matter what credential an employee was issued, or whether or not the employee is using a managed device. With strong MFA and identity assurance, the organization can centralize a policy engine in such a way as to determine whether or not access should be granted,” says the report.

That means reprioritizing what security and access controls look like when establishing trust for both users and devices, according to Helen Patton, advisory CISO at Duo Security, now part of Cisco.

At the top of risks to address, says Patton, are compromised privileged accounts which allow for the lateral spread of breaches across the network. This is especially true with shared administrative accounts.

“If agencies are still using accounts with just a password and no multi-factor enacted, they are missing critical controls to authenticate that the user is who they say they are,” Patton warns.

She goes on to explain that in shared admin accounts, “agencies give multiple users access to a primary username and password. These are the kinds of weaknesses threat actors hope to exploit to gain access and move laterally across the network.”

Two of the core tenets of zero trust require that an organization see where authentication is occurring — at the application level — to enact policy engines where they will be most effective; and authenticate digital identity to gain insight into the network, the perimeter and what devices are accessing agency resources.

Zero trust controls in action

Patton illustrates how these modern security controls can work during an active security incident.

In January 2021, when Apple announced the iOS 14 vulnerability, Duo’s parent company, Cisco, implemented a policy change for access authentication.

“In a matter of minutes, Cisco rolled out the policy to all of its protected applications accessed by more than 400,000 endpoints, making it a requirement for devices to install the iOS 14.4 update before they were able to connect to the network,” explains Patton.

At the end of the day, dynamic policies helped Duo and Cisco push policy updates across the network and place responsibility with the user to manage their device and access.

Read more about modernizing authentication controls to allow your agency to react quickly to the next security threat.

This article was produced by FedScoop and sponsored by Duo Security.

New industry partnership promises to strengthen authentication security
https://fedscoop.com/new-industry-partnership-promises-to-strengthen-authentication-identity-verification/
Mon, 22 Mar 2021 19:30:37 +0000

How a joint effort between Okta and AWS offers agencies a more secure approach to managing identity and access on a cloud-based platform.

Andrew Whelchel is a certified principal sales engineer at Okta, specializing in enterprise security architecture, identity risk, data privacy, cloud, mobile and API security.

Andrew Whelchel, Principal Sales Engineer, Okta

The pandemic is speeding up plans of most organizations to embrace the cloud and meet new needs of a remote and hybrid workforce. But for federal agencies, even though the structure of the workplace has changed, federal regulations setting access and identity verification standards have not.

Cloud’s ability to bring greater speed, agility and security to the mission is within reach, as long as agencies can provide access to cloud-based applications that meet Federal Identity, Credential and Access Management (FICAM) policies.

That’s been a challenge for many agencies. But it’s also the promise of a new partnership between Okta and Amazon Web Services. Okta Identity Cloud is now available through Amazon Marketplace, to give agencies access to a FedRAMP-approved cloud identity platform that supports their modernization goals.

Access tools that minimize cyber risk

The uptick in security threats — like recent ransomware attacks and compromised supply chains — continues to put agencies at risk. Systems are increasingly interconnected. That makes FICAM more than just a check box to meet federal security regulations. FICAM lays the groundwork for agencies to implement modern identity and access controls and ultimately paves a path forward to architecting a zero-trust environment.

The remote and hybrid workforce increases agencies’ cyber risk as long as employees are not working inside government buildings. It is critical that federal IT infrastructure moves away from traditional credential validation, like PIV and CAC, and traditional remote access security such as VPN, to an access solution that solidifies a zero-trust security posture.

Those organizations which have already fallen victim to a ransomware attack learned that in the event of a breach or attack, IT security teams can benefit from segmentation, to isolate threats quickly. But at the same time, multiple accounts create more access complexity. Organizations with hundreds and thousands of users will exponentially increase the number of accounts per person.

Without a tool like Okta’s Identity Cloud, users have to remember a lot of passwords and credentials. Consequently, IT administrators need to be mindful that with segmentation also comes the need to take a heightened management posture for access and identity verification controls.

Okta’s single sign-on and multifactor authentication solutions comply with a number of FICAM policies — not just for access controls, but for logging, auditing and even providing attestations that someone should continue to have the rights that they have. The universal directory consolidates users, groups and devices into a single directory, giving administrators the ability to manage the lifecycle of users’ access.

Additionally, Okta Identity Cloud operates both on-premises and in cloud environments and supports agencies’ moves to embrace either hybrid or multi-cloud infrastructure. Ultimately, the goal is to create a more resilient infrastructure against cyber threats that doesn’t complicate the user’s experience.

Testing the waters with pilot projects

Using Okta with AWS’ cloud infrastructure offers both the speed and agility of access that agencies are looking for in their applications today and in the future. By getting users approved for certain capabilities, and then mirroring those attributes inside of AWS, agencies can have certainty that the right people have the right privileges to access federal data. That includes employees, contractors, partners and citizens who interact with the government at different levels.

Those who are hesitant to move forward need only test this concept with a pilot program to get started. Those who’ve already begun testing workloads related to home connectivity, zero-trust connectivity, ticketing management or automation software are seeing the benefits almost immediately. And because these pilot tests are managed in the cloud, there are no setup costs and no provisioning to spin up Okta’s tool inside AWS.

Once agencies understand how easy it is to move their data and connect their identity to that cloud, it doesn’t take long to begin moving a lot more projects and workloads to the cloud.

Okta is a leader in the identity space, and its broad network of application integrations simplifies the deployment and management of cloud apps, services and infrastructure for those organizations migrating to the cloud.

Also, read more from leaders about how state and local agencies are modernizing identity authentication.

Learn more about the availability of Okta Identity Cloud and its products in AWS Marketplace.

Authentication tools alone will not be enough to secure networks
https://fedscoop.com/identity-verification-alone-will-not-enough-secure-networks/
Fri, 08 Jan 2021 19:03:14 +0000

Remote work conditions underlined deficiencies in PIV authentication, and the need for dynamic authentication to improve zero-trust security.

Bryan Rosensteel is cybersecurity architect, public sector, at Cisco’s Duo Security. He has more than a decade of enterprise IT and security experience, specializing in zero-trust and data-centric approaches to cybersecurity, including dynamic authentication practices.

For government agencies, the massive shift to telework presented a significant security challenge. Authentication tools for users and devices weren’t built to handle the shift from mostly on-premises devices to users’ devices accessing resources remotely.

Bryan Rosensteel, Cybersecurity Architect, Public Sector, Cisco’s Duo Security

One of the biggest hurdles for enterprise leaders during this transition was their perceptions about what constitutes reliable authentication of a user’s identity. That isn’t entirely surprising. Federal guidance on authentication technologies hasn’t been updated to reflect the access requirements that agencies face.

The administration’s guidance on “Managing Information as a Strategic Resource,” for example, is more than four years old, and still directs agencies to use PIV or derived PIV to access resources on the network. This perspective on authentication makes general assumptions that an employee will only use a managed device. Though that policy worked five to 10 years ago, in-person identity proofing is extremely difficult today, and the additional challenges remote and cloud environments present demand more than the strong proof of possession that authentication has traditionally been built around.

Consequently, it’s important that both policy and tools reflect modern technology needs, and core to that is understanding how digital identity changes authentication requirements. Our view is that a user’s digital identity goes beyond identifying the person behind the keyboard and encompasses a more holistic view of both the user and devices involved in the authentication request.

This expanded view of identity has been happening for some time, but the events of 2020 accelerated that understanding, and the National Institute of Standards and Technology (NIST) guidance is certainly helping agencies move in the right direction in adopting dynamic authentication as part of broader recommendations to achieve a zero-trust operating environment.

Authentication and device health is central to zero trust

Zero trust always starts from an assumption that a machine or a user’s credentials have been compromised, or in some way they are not trustworthy and should never be allowed to access agency resources without ongoing authentication.

When agencies sent their workforces home during the pandemic, IT leaders became acutely aware of the inherent weaknesses of the existing PIV and derived PIV authentication workflows — and a wider concern that strong authenticators don’t necessarily equate to reliable authentication.

Cryptographic smart cards serve as an incredibly strong authenticator, but, like all authenticators, only provide proof of possession of that authenticator. This asserts proof of an individual’s identity and, traditionally, this was enough to provide secure authentication.

But in the early part of March 2020, agencies reached out to us with a new security problem. GFE equipment shortages and supply chain issues forced some agencies to adopt the use of personal devices. The challenge they faced was how to secure authentication requests from these devices. But even with derived credentials — or virtual smart cards — IT leaders said they couldn’t trust the authentication because it was coming from personal devices and there was no way for agencies to verify their health and trustworthiness. These agencies had strong authenticators, but that was not enough to establish the necessary trust to authenticate these devices. Dynamic Authentication was needed.

Though organizations have tools that conduct health checks, most work retroactively rather than as a part of a real-time authentication process. In addition, known vulnerabilities in software and applications can often go unchecked, posing a significant threat to agency networks. One of the most glaring concerns for agencies, for example, is the number of Windows 7 workstations still operating on their networks. Apart from physically uninstalling or disabling vulnerable software, many agencies aren’t equipped to fully secure these devices.

How dynamic authentication improves the security posture

That’s one reason why agency leaders need to deepen their understanding of dynamic authentication and how it helps them achieve a zero-trust operating environment.

Currently, agencies already use identity binding — biometrics or a PIV credential to claim the identity of the person — as the standard for identity authentication. Many have also adopted two-factor or multifactor authentication tools to ascertain the user is who they say they are.

However, under current remote work conditions, agencies also need the ability to pair information about the user and their device at the point of authentication.

Dynamic authentication combines cryptography and policies to create a per-session authenticator, which changes with each authentication session. The organization creates the policies for authentication to require confirmation of the correct authenticator tool, the correct account and a healthy device to allow authentication to proceed.

Duo Security customers put this capability to full effect during the 2019 code execution exploit discovered in Chrome. Dynamic authentication tools allowed customers to implement a policy saying, “no Chrome browsers allowed for authentication.” It didn’t require IT teams to physically uninstall or disable Chrome. Rather, the system detected the Chrome version during authentication and did not allow the authentication to proceed. After Chrome released a patch, customers adjusted the policy to allow only the latest version of Chrome.

As a result, Duo saw a 79 percent increase in the number of customers who blocked access to data and applications from out-of-date browsers, thereby protecting themselves from the vulnerability until Chrome released a patch.

These changes were able to be implemented in near-real time, allowing for a speed to security only offered through zero-trust best practices and principles.

And these same zero-trust principles allowed Cisco and Duo Security to quickly move to a near 100% remote workforce in early 2020, without significant loss of productivity or security.

Moving into 2021, the lessons from the past year are more important than ever. The strength of the authenticator does not equate to the strength of an organization’s ability to authenticate their user population. Organizations will need enhanced authentication policies that meet today’s authentication workflow requirements.

Learn more about how Cisco’s Duo Security can help your organization with two-factor authentication controls.

How developing a strong identity strategy can better serve citizens
https://fedscoop.com/strong-identity-verification-strategy-to-serve-citizens/
Mon, 10 Aug 2020 20:11:53 +0000

By establishing an identity proofing and verification strategy, public sector agencies can more proactively deliver services to citizens in need.

As the COVID-19 pandemic continues, public sector agencies that offer assistance and support programs to citizens should use identity verification to streamline, improve and proactively deliver services, says a recent white paper.

With an estimated 1 in 5 U.S. residents served by a government program, and more than 175 million citizens receiving some form of federal or state public assistance, public sector agencies need identity management that certifies citizens are who they say they are.

And as a result of the pandemic, large-scale unemployment demands also mean agencies will be serving even more people over the coming months.

In a white paper, LexisNexis Risk Solutions encourages public sector agencies to keep vulnerable citizens in mind when considering modern identity tools. A strong identity management strategy can proactively offer public healthcare and social service programs to those in need, while also cutting down on instances of fraud.

The challenges facing agencies are vast: resource limitations, vulnerability to data breaches, inconsistent data entry on applications and rapidly growing caseloads. Agencies need a new approach to identity management that centers around proofing and verification, according to the white paper.

To combat these challenges, agencies need to:

  • Leverage their network of supporting intelligence to assess all aspects of a transaction
  • Provide a single physical and digital view of identities
  • Enable real-time intelligence
  • Capitalize on behind-the-scenes verification mechanisms to minimize friction
  • Use more accurate up-front identity verification to identify fraud and minimize future investigations or losses
  • Address the needs of diverse populations

These steps are key, especially as states like Washington grapple with unemployment fraud scams from ransomware attackers. By combining commonly used identity elements — like a passport and driver’s license — along with alternative methods, agencies can analyze and assess the risk of fraud.

In addition, the use of identity proofing and authentication can speed up the application process, reduce delays, optimize workflows, reduce false positives and control costs.

Through the use of solutions like LexisNexis Risk Solutions Identity Assessment & Assurance, agencies have access to more than 10,000 additional data sources to help in the validation process, a team of cross-trained analysts to handle investigations of potential fraud, as well as government-specific databases that share insight from across agencies.

These solutions are also specifically built for the public sector and designed for the way citizens interact with public sector agencies.

“[Assistance] programs have slashed the poverty rate in America by nearly half since 1967,” the white paper reads. “Recent events have shown how quickly things can change, and how important these programs can be. This is how identity management should begin, because this is the big picture. You are in the business of human well-being.”

To learn more, read LexisNexis Risk Solutions’ white paper: Positive ID: How the right identity strategy does a world of good for public healthcare and social services.

This article was produced by FedScoop and StateScoop for, and sponsored by, LexisNexis Risk Solutions.

Blockchain interoperability draws attention of DHS science and technology unit
https://fedscoop.com/blockchain-svip-dhs-danube-tech/
Fri, 27 Sep 2019 17:26:10 +0000

The agency thinks the company Danube Tech has a good idea for technology that may be useful for preventing forgery of travel documents, among other things.

The Department of Homeland Security’s Science and Technology Directorate is making a small investment in technology that resolves differences among blockchains as part of a larger interest in how the digital ledgers might help prevent the counterfeiting of travel documents, among other things.

The group’s Silicon Valley Innovation Program (SVIP) has awarded a contract to the Vienna, Austria-based company Danube Tech GmbH to develop technology that allows for interoperability across blockchains, particularly those that pertain to personal identity. The phase one SVIP contract is worth $143,478.

Danube Tech works on “decentralized identity” — which the company describes as tools that “place individuals at the center of their online relationships and transactions” instead of forcing users to delegate this responsibility to intermediary services like Google or Facebook.

The company will work on a “Universal Issuer and Verifier” project to “integrate interoperability support for multiple credential data formats, blockchains and standardized and open application programming interfaces into their existing decentralized identifier (DID) registrar,” the Science and Technology Directorate said. Blockchains are distributed digital ledgers with no centralized authority. Given the difficulty in corrupting the data on them, government and industry have taken a keen interest in using the tech for identity verification.

“Danube Tech is building core interoperability infrastructure for issuers and verifiers,” Anil John, SVIP Technical Director, said in a statement. “Interoperability between blockchains is enabled by using emerging World Wide Web Consortium standards to globally resolve and find information where it exists on a particular blockchain.”

As is the SVIP model, if this phase one contract is successful, Danube will have the opportunity to keep working with DHS over three more phases. In total, SVIP companies are eligible for $800,000 of non-dilutive funding as part of the program.

There are a number of mostly early-stage blockchain projects happening across the federal government. The emerging technology is also somewhat unpopular among civic technologists, however.

Why? Well, for one thing, “it is a technology that is effective for such a small and specific set of activities,” Lane Becker, whose resume includes Code for America and 18F, told FedScoop recently. The primary use so far has been cryptocurrencies. “And for everything else, it’s wildly either unnecessary or inefficient,” Becker said.
