NASA's challenges are hardly limited to launching rockets and getting men to Mars. The space agency is racing to overhaul its identity and access management infrastructure, determined to seal off security gaps and protect vital IT assets from floating into dangerous corners of cyberspace.
The situation at one NASA outpost, the Ames Research Center in Mountain View, Calif., shows how difficult a task it is. William Likens, chief of the center's applications development and technology branch, said NASA's IT environment is decentralized and fragmented, without much interfacing or centralization of systems from one division to the next. To make matters worse, there hasn't been a groundswell of support among managers to foster change.
In this environment, Likens said closing the accounts of people who have left is a big challenge.
"We know when someone employed by NASA has left, but when you are dealing with contractors, it's much harder to know when they are gone," he said. It's a considerable security risk, Likens said, because people often retain access to systems, sometimes privileged access, after their work at NASA ends. It means orphaned accounts could be exploited not only to gain network access but also to reach the sensitive resources on that network.
In an agency with 19,000 federal employees and about 80,000 contractors and academic affiliates, there's plenty of room for error. Likens noted that 70% of those working at his facility are contractors. The center's research and IT services support 3,000 people on site, and some of those services are also used by 100,000 people across the larger NASA community.
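The check Likens describes, reconciling every directory account against the people the organization still knows to be active and treating inactivity as a second signal where the contractor roster cannot be trusted, is the kind of job that is simple to automate. The script below is an added example, not NASA's or Ames' own tooling; the account names, owner identifiers, group names and reference date are constructed for illustration, and the privileged-group list is an assumption about what such an environment would consider privileged.

```python
"""Orphaned-account reconciliation (added example, not NASA code).

Join a directory export against the roster of people HR or contract
management currently vouches for, and flag what is left over.  Employee
departures are reliably reflected in the roster; contractor departures
often are not, so accounts that are unused for a long time are flagged as
well rather than trusting the roster alone.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed set of groups that confer privileged access (constructed names).
PRIVILEGED_GROUPS = {"domain-admins", "sudoers", "db-admins"}


@dataclass
class Account:
    username: str
    owner_id: str                 # HR / badge identifier the account was issued to
    owner_type: str               # "employee" or "contractor"
    groups: Set[str] = field(default_factory=set)
    last_login: Optional[date] = None   # None = never logged in


@dataclass
class Finding:
    username: str
    reason: str        # "orphaned" (no active owner) or "dormant" (unused)
    privileged: bool
    severity: str      # "critical", "high" or "medium"


def find_orphaned_accounts(accounts: List[Account],
                           active_people: Dict[str, str],
                           today: date,
                           dormant_days: int = 90) -> List[Finding]:
    """Return findings for accounts with no active owner, or unused for
    `dormant_days`, most dangerous first.  `active_people` maps owner_id to
    owner_type for everyone currently on the employee or contractor roster."""
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        if acct.owner_id not in active_people:
            reason = "orphaned"            # nobody vouches for this account
        elif acct.last_login is None or acct.last_login < cutoff:
            reason = "dormant"             # roster says active, usage says otherwise
        else:
            continue                       # active owner and recent use: fine
        if reason == "orphaned" and privileged:
            severity = "critical"          # the case Likens warns about
        elif reason == "orphaned" or privileged:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(acct.username, reason, privileged, severity))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f.severity], f.username))
    return findings


# --- constructed sample data (not real NASA accounts or people) ---
TODAY = date(2006, 5, 1)

ACTIVE_PEOPLE = {
    "E1001": "employee",
    "E1002": "employee",
    "C2001": "contractor",
    "C2002": "contractor",   # roster still lists this contractor
}

ACCOUNTS = [
    Account("jdoe", "E1001", "employee", {"staff"}, date(2006, 4, 28)),
    Account("rsmith", "E1003", "employee", {"staff", "sudoers"}, date(2006, 1, 10)),  # left; no roster entry
    Account("ctr-lee", "C2001", "contractor", {"staff"}, date(2006, 4, 29)),
    Account("ctr-ng", "C2002", "contractor", {"db-admins"}, date(2005, 11, 2)),      # on roster, unused
    Account("ctr-ali", "C2003", "contractor", {"staff"}, None),                     # no owner, never used
    Account("svc-backup", "E1002", "employee", {"staff"}, date(2006, 4, 30)),
]

if __name__ == "__main__":
    for f in find_orphaned_accounts(ACCOUNTS, ACTIVE_PEOPLE, TODAY):
        print(f"{f.severity:8} {f.username:12} {f.reason:9} privileged={f.privileged}")
```

Run against the sample data, the privileged account whose owner has no roster entry comes out on top as critical, the unused contractor account with database-admin rights is flagged high even though the roster still lists its owner, and the never-used contractor account is reported as orphaned. The dormancy threshold is a judgement call: too short and legitimate long-absence staff generate noise, too long and a departed contractor keeps working credentials for months.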
Yet NASA is moving toward a more centralized and automated system that will rely on smart cards with PKI credentials. Though some managers may not want to deal with security changes, they are being motivated to do so by the regulatory demands of Homeland Security Presidential Directive (HSPD) 12 and the Federal Information Security Management Act of 2002 (FISMA). Under HSPD 12, government organizations must have Personal Identity Verification (PIV) card systems in place by Oct. 27.
NASA isn't the only organization in which regulatory pressure has forced a move toward stronger identity and access management, if an April SearchSecurity.com survey of 358 IT professionals is any indication.
Nearly half of those surveyed said their top ID/access management priority in 2006 is to strengthen authentication, and 71% said regulatory demands are either an important or very important motivator when it comes to investments that get approved by the top brass.
Fear of the headlines
ESL Federal Credit Union, a financial institution with 17 branches and numerous ATM locations in the Rochester, N.Y., area, is one organization that has been sobered by the many recent high-profile data breaches. The credit union hasn't suffered a breach, but managers were spooked after a tape with sensitive data went missing from Citibank last year, said Jessica Lynne Verzi, ESL's information security manager.
It's no secret that banks are transmitting quite a bit of information in an insecure manner via email and other means, she said, and that's why her company is intent on implementing strong email encryption.
"There's not a great handle on email security in the industry right now," she said. "Most of what we do is confidential and all that information must be secured."
One reason email security is so important, she said, is that email is the likely tool an insider would use to lift financial data from the credit union. She's also mindful that data thieves are always on the lookout for flawed applications.
While the credit union doesn't want to become another shameful headline, that's not necessarily the prime motivator behind its revamped ID and access management strategy. Like most survey respondents, Verzi said the spur in the company's side is regulatory compliance. In fact, her department was created as a result of regulatory demands.
Some of those demands come from the National Credit Union Administration (NCUA), which provides ESL's insurance and audits the organization regularly. The NCUA standards demand that credit unions practice strong application security and tightly control who has access to what. Every six months, department heads must check and sign off on the list of users in their group to ensure the lists are up to date and people have only the network access their jobs require.
More automation needed
Seventy-one percent of survey respondents said their organizations still use a manual process for provisioning accounts and determining access rights, but that they are striving for more automation.
Likens said NASA still uses manual procedures, but that the organization is "definitely moving toward automation" as part of the work now being done to satisfy HSPD 12 and FISMA.
Verzi said her organization still uses manual procedures to some degree, most notably to handle account provisioning. Regulations have encouraged the organization to automate more procedures, but the main driver has been efficiency.
Jeff Bardin, an IT professional working for a New England-based Fortune 1,000 financial services firm, said his 5,000-employee company uses a manual process for account provisioning. He said that regulations like the Sarbanes-Oxley Act, Gramm-Leach-Bliley and California's Security Breach Information Act (SB-1386) are pushing the institution toward more automation. But improving the user experience is another goal.
As a result, one of the company's main goals this year is to complete deployment of an automated identity management system for its customers. "Automating this process simplifies the collection of secure data," Bardin said, "and provides the customer with an easy-to-use interface that provides them with near-immediate secure access to information." The firm is also increasing its automation so user accounts for new employees can be created more quickly.
Changing the culture
While top brass have been motivated to take identity and access management seriously, respondents said lower-level managers and human resources staff have been slower to identify its importance. More than half of respondents said upper-level management strongly supports such improvements, but more than half also said business unit managers and human resources personnel don't see themselves as key stakeholders in identity and access management projects.
This is a problem, Verzi said, because employees outside of IT need a certain level of security awareness before a company can get complete coverage from its identity and access management program.
"We have such a [hard] time getting managers to fill out an online form to request certain user privileges for new or transferred employees," she said. "People like using paper because it's comfortable. Getting them to do it electronically is like pulling teeth. If they had more IT security awareness, they'd do it electronically."
Verzi said another implementation barrier is that different departments want to control their own basic information, and so they're reluctant to share it as part of a central repository, where it could be better secured.
Bardin said it's a constant battle to change the culture in favor of improved ID and access management, but that it is happening in his company. He added, "Periodic communications from the security team and from the CIO reinforce the need to execute the program."