Beyond Passwords: Identity Management in Government

20 May 2021, Michael Smith

Cyber Security, Executive, Government

As a digital society, we are in the midst of a pivotal transformation of the Digital Identity Paradigm. Regulations like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) now mandate, more than ever, a greater focus on securing individual and organisational identities against risk.

To guard against this risk, Identity and Access Management (IAM) is a cornerstone of cybersecurity and digital delivery for any organisation. Understanding who a user is, and whether their access rights cover only the resources they require, is a central requirement of cyber systems. While it sounds simple enough, this is a complex task. Government bodies like the NSW Government have realised this, having recently created a Digital Advisory Council that would approach thought leaders for advice on managing IAM across their agencies and departments. At a national level, the Federal Government’s Cyber Security Strategy focuses on the need for better identity and access management to prepare agencies for a technologically enabled future. But there are still numerous, efficient moves these organisations and agencies can make today to get on the front foot.

What can Government Agencies do today?

The Australian Government’s Cyber Security Strategy lists actions that should be taken by all businesses to manage security. Unsurprisingly, identity management is a key focus. Here, we at MOQdigital suggest some focus areas to help guide identity investments for Australian organisations.

  1. Improve and uplift baseline security - Have standing agenda items at board level to track key identity metrics, mapped to appropriate risks. Agencies and Departments need to truly understand their identity management maturity and be able to provide assurance, especially to the public, around how the lifecycles of identities are managed by the organisation. Agencies would be well served to have their identity maturity verified periodically by an appropriately qualified, independent organisation, and to map deficiencies to a properly maintained risk register with appropriate ownership and treatment plans. Every organisation also needs to effectively use privileged access management solutions to help protect the agency’s digital identities.
  2. Uplift Department Knowledge and Capabilities - Governments should ensure their various departments have constant access to best practice identity management software, training, and resources. Identity teams need to understand what the skills gaps are and understand where the key focus areas will need to be in the future to address them and ensure the right people within the organisation are involved with relevant identity working groups and forums. Managers should also provide regular support and training to all staff to foster a culture of cyber awareness.
  3. Create a more secure Internet of Things (IoT) - Ensure there is a current, accurate view of all IoT devices within your organisation and apply industry leading identity management principles to properly understand the identity and security requirements of your IoT devices. Identity management systems and processes should be used to properly identify and secure your IoT devices and securely manage IoT devices from deployment through to decommission.
  4. Block threats automatically - Use emerging access control standards and technologies to keep out unwanted attackers and use identity management as part of a zero-trust toolset to reduce reliance on perimeter defences and help prevent a data breach. A trusted, centralised record should be maintained of who did what, where, when, and why at every point within your organisation.
  5. Centralised Identity Schemes - We recommend the Government continue to support the Trusted Digital Identity Framework (TDIF) as a mechanism for providing trusted digital identities for citizens, and thereby for minimising cybercrime and fraud in reliant services. In November 2017, the introduction of the Consumer Data Right (CDR) was announced by the Federal Government. The intent of the CDR is to provide people with greater control over their personal data, including how it is used. Initiatives such as this should continue to be regularly monitored and enforced by the OAIC. We also recommend that the government and private sector collaborate via working groups to implement and improve trusted identity sharing frameworks.

Identity 3.0 – The Future

The landscape of Digital Identity Management continues to change. Previously, individuals managed multiple separate identities, one for each login credential required (Identity 1.0). The current landscape of “Identity 2.0” sees platforms such as the Australian Government’s “MyGov”, which provide users with a centrally managed Digital Identity: a single identity, verified by a trusted third party like Facebook, Google, or MyGov. Even in this current state, we are fast moving into, and already glimpsing, the future: Identity 3.0, where individuals own their own data and choose to whom they release it. The core of Identity 3.0 revolves around privacy. With individuals within a 3.0 system now owning their own digital identity, they can choose when and where to release their data when their identity needs to be verified.

The Future of Identity and Access Management is here. If you would like to learn more about how you can better prepare yourself and your organisation for these exciting new developments, please contact us here.