MeriTalk recently connected with Ted Girard, Vice President Public Sector, Okta, on how agencies can get the most out of the Continuous Diagnostics and Mitigation (CDM) program to navigate on-premise, cloud, and mobile security.
MeriTalk: How does CDM align with the transition from legacy systems to the cloud?
Ted Girard: While the initial CDM phases focused on protecting on-prem IT infrastructure, there is a growing focus on cloud and mobile. One significant opportunity is repositioning identity and access management to support modern cloud services. Beyond CDM, we saw a new draft OMB Identity Policy released for public comment in 2018, designed to address the need to protect cloud and mobile infrastructure. We have a lot to do, but we are taking positive steps.
MeriTalk: There are currently agencies in various stages of phases one through three. Where have the agencies leading the way found success?
Ted Girard: The agencies leading the way are taking advantage of the program – putting in the time, deploying the tools. That said, as leaders shift to modern cloud platforms, they are recognizing that tools are just part of the solution. Modern identity services, purpose-built for cloud, that integrate with existing CDM toolsets are playing a key role in helping the leaders accelerate secure digital transformation.
MeriTalk: On the other end of the spectrum, what are the challenges agencies are facing and how can they push forward?
Ted Girard: GAO’s December report shows that agencies continue to struggle. Funding, culture, complexity, leadership vision, contracting/acquisition strategy, personnel, and maturity can all be significant hurdles to CDM success. But the biggest barrier is technical debt – eighty percent of IT dollars are still dedicated to supporting legacy systems.
This said, we see positive progress. The newest FITARA scorecard category is cybersecurity – acknowledging the high priority of these efforts and the need for greater transparency. We can take advantage of the lessons learned in the CDM process and apply them across agencies for more consistent cyber programs without reinventing the wheel. It’s an exciting time – big challenges, but even bigger rewards.
MeriTalk: The Department of Homeland Security (DHS) is renaming the phases. For example, Phase 2 is “Who is on the network?” and will become the “Identity and Access Management” capability. What does this change signify?
Ted Girard: We see this as an important and fundamental change to CDM. Agencies need to secure the assets within and beyond the data center in a highly distributed and dispersed IT enterprise architecture – applications, data, devices, and people. We achieve this level of security by focusing on identity as the nexus point of all these disparate systems.
MeriTalk: What is Okta’s role in each of the CDM phases? Are there any specific agencies Okta currently works with?
Ted Girard: Okta delivers value in all CDM phases, strengthening security while accelerating time to value for new solutions as agencies build modern multi-cloud environments. Okta provides real-time software access, usage, and denial data through our secure identity management platform, with single sign-on access control of applications, policy-based adaptive multi-factor authentication, and automated identity lifecycle management. With these capabilities, Okta provides a single source of truth for the application environment, generating insights into the users, devices, and software on the network, whether in the cloud, on-premises, or on mobile devices.
Often deployed in days, Okta can generate built-in, custom reports in addition to providing access through Event Application Programming Interfaces (APIs). These APIs supply data to external reporting and Security Information and Event Management (SIEM) platforms, including Splunk, ServiceNow, RSA Archer, QRadar, and more.
We help secure agencies including the Department of Justice, Department of Transportation, Department of State, Centers for Medicare and Medicaid Services, and DHS’s Transportation Security Administration. We are not only protecting existing systems, but also providing a secure platform, enabling agencies to rapidly adopt future modern systems.
MeriTalk: The fourth phase – now capability – of CDM is still quite new (DHS was seeking vendor submissions this summer). How is Okta positioned to meet customer demand moving forward?
Ted Girard: The Data Protection Management Capability will give CIOs and senior agency leaders improved visibility through summary dashboards and the ability for automated actionable response – improving cyber transparency, accountability, and mitigation.
Creating the ecosystem for more automated and systematic responses to threats requires security solutions that are proven to play well with others. Okta’s successful and proven Integration Network includes leading security partners, such as SailPoint, CyberArk, Radiant Logic, ForeScout, Palo Alto Networks, and ServiceNow, among many others. The Integration Network provides the means not only to identify potential threats based on shared access policies, but also to remediate threats in an automated and near real-time manner.
As well as data protection management, protecting the APIs that modern applications use to access the data is key. Okta’s approach provides data authorization as a service and maps it securely to identities to ensure that access to data management is secure at all times.
MeriTalk: Historically, identity and access management (IAM) focused on managing user accounts. How is your approach different?
Ted Girard: Yes, historically, identity and access management was a component of the application stack in the data center and focused on managing user accounts versus identities. In a Cloud First, highly mobile environment, legacy stacks don’t work without a significant amount of costly and time-consuming integration – sometimes months per app. In addition to the multiple types of identities and technologies, IAM must also enable the creation of policies and procedures aligned with each agency’s unique mission. Identity needs to be handled as its own independent and neutral platform allowing agencies to choose the best technologies for their specific use cases.
Key to the modern approach, and to the success of agencies’ digital transformation, is the ability to separate the user management functions from the application itself and direct them to the IT and cybersecurity agency organization(s) equipped to manage the policies for user access. This is beneficial for application owners and cybersecurity teams alike. The application owners are able to focus on the roles needed by the application, and the IT and cybersecurity support teams of the agencies are able to focus on enabling secure user access across the entire agency enterprise. Okta enables such approaches by providing central secure user access management that is both easy to manage and easily aligned to user access policy requirements.
MeriTalk: What should agencies look for from vendors during the acquisition process?
Ted Girard: Agencies should remember to evaluate the implementation process (as well as the solution itself). In addition, agencies should ask:
- What impact will the solution have on other adjacent projects?
- How integrated is the solution with other CDM tools?
- Does the solution meet the minimum security standards of FedRAMP, NIST, CDM, etc.?
- What do industry analysts say about the proposed solution?
- What other Federal agencies use the product and what do they have to say about its value?