The Changing Identity of Identity Management

A key element of the move to zero trust is the use of "strong multi-factor authentication (MFA) throughout their enterprise." While identity management has been indicated by many as the "low hanging fruit" of a zero-trust journey, it is by no means easy. In fact, recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) called it "notoriously difficult."

Key challenges to implementing MFA include:

  • Lack of standards - the CISA/NSA guidance pointed to confusion over MFA terminology and vague policy instructions as primary challenges to implementing more secure access. A joint committee of European Union (EU) and U.S. experts addressed this same issue in the Digital Identity Mapping Exercise Report, which aimed to define specific digital identity technical terminology. For example, the group found some definitions, such as "authoritative source" and "authentication factor," are identical between the U.S. and EU, whereas others, like "identity" and "signature," remain only partially matched.
  • Phishing - bad actors do not always hack the system; they hack the process, gaining entry through social-engineering tactics that grow more sophisticated by the day. The CISA/NSA report called on the vendor community to provide MFA services with additional investments and greater defenses against sophisticated attacks.
  • Rise of Generative AI - The Department of Homeland Security (DHS) is working to ensure technologies can determine if a submitted image is legitimate or a hacker's spoof. This "liveness detection" is needed to ensure that a submitted selfie is really a photo of a person, not a mask, photo of a photo, or other technique to try to get past the check.


Breaking Blockchain Free of Cryptocurrency

Blockchain may be best known for its role in enabling cryptocurrency to be tracked. While the use of cryptocurrency is still in its infancy, blockchain technology is proving to be applicable in a number of non-currency use cases.

Improving Public Transportation

The Federal Transit Administration is looking for ways to use blockchain as a way of "gamifying" decisions around transportation options. A proposed project, "blockchain-enabled transit incentivization," would, via an app, offer tokens to commuters who reserve a parking place or agree to use another mode of transportation. Using real-time data about availability of parking, traffic congestion, and more, the app could change the incentives offered, making public transport a more appealing (and lucrative) option for people in transit. Blockchain could support the payment of those who choose incentivized public transit options as well as those who are using parking. The system could also promote equity in access to parking or other resources by factoring in a user's location or personal circumstances.

A Short History of Shared Services…and What’s Next.

Shared Services in government is nothing new. The idea began in the 1980s with the consolidation of payroll and some other administrative functions. In the '90s the focus was on creating entities that could provide common business functions across government and, in that effort, become a cost center.

The 2000s saw the rise of the term 'Line of Business' that looked at common business functions across government to identify opportunities to transform, streamline and share. The Obama Administration looked specifically to IT as a shared service, releasing the Federal IT Shared Services Strategy that provided federal agency chief information officers and key stakeholders guidance. This guidance focused on the implementation of shared IT services as a key principle of their efforts to eliminate waste and duplication, with the intention to reinvest in innovative mission systems.


Taming the Superpower of Data – Data Privacy in Our Digital World

Data helps organizations make more informed decisions about how they serve their customers. Data informs policy and procedures and feeds more personalized interaction with people. But with great power comes vast responsibility. The data that organizations hold can be incredibly personal. It's more than just someone's social security number. It is information about where people live, work, shop, keep their money, get their news, and more. Individuals should have control over who knows this information and how those who hold it use it. However, most of us do little to understand our privacy rights beyond blindly clicking a checkbox that allows sites to collect information about our activities.

Data privacy practices ensure that the data shared by customers is only used for its intended purpose. A multitude of laws, including the Health Insurance Portability and Accountability Act (HIPAA), Electronic Communications Privacy Act (ECPA), Children's Online Privacy Protection Act (COPPA), and General Data Protection Regulation (GDPR) have been enacted to provide guidelines to organizations and promises of data privacy to individuals.
