
Agencies Shift Toward Automated Identity Management to Bolster Zero Trust


Officials say disconnected clinics, global workforces and AI-driven devices demand architectures built around identity, not networks.

Indian Health Service CISO Benjamin Koshy speaks at GovCIO Media & Research's CyberScape: The Federal Cybersecurity Summit on April 16, 2026, in Arlington, Virginia. Photo Credit: Invision Events

Identity management is emerging as the backbone of federal cybersecurity, as agencies accelerate zero trust adoption to secure users, devices and data across increasingly disconnected environments, officials said Thursday at GovCIO Media & Research’s CyberScape: The Federal Cybersecurity Summit in Arlington, Virginia.

“Zero trust has been a hard initiative to adapt, but it’s an important one [at Indian Health Service (IHS)],” IHS CISO Benjamin Koshy said during the summit. “Being in the health care field, it’s really critical for us to develop that identity mechanism for our patients.”

IHS faces unique challenges implementing zero trust in disconnected environments, including the Supai Health Station at the bottom of the Grand Canyon and the Samuel Simmonds Memorial Hospital in Utqiaġvik, Alaska.

“Creating that zero trust environment has been really critical in making sure we develop it in a way it works in a large landscape of connectivity issues,” Koshy said. “We have adopted new technologies like Starlink and other satellite connectivity.”

To address the “last mile” problem, IHS has deployed software capable of local data caching, ensuring a clinician’s identity remains verified and access remains intact even when the primary network connection fails.

“The system is designed to work in an offline manner cache,” Koshy said. “[Doctors] can keep seeing patients, and then as soon as connectivity [is restored], it’ll resync it back to the cloud. It’s almost transparent to the clinician.”
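The "last mile" pattern described above, as an added illustration rather than IHS code: a workstation keeps a time-bounded local cache of identity decisions made by the central identity provider (IdP), falls back to that cache when the link drops, fails closed for anyone it has never verified or whose cached verification is stale, and queues audit records for resync when connectivity returns. The IdP, the grace window and the user names are constructed assumptions.

```python
from collections import deque


class OfflineIdentityCache:
    """Local, time-bounded cache of IdP verifications with an audit queue (constructed example)."""

    def __init__(self, idp_lookup, grace_seconds: int):
        self._idp_lookup = idp_lookup      # callable: user -> set of roles; raises ConnectionError when offline
        self._grace = grace_seconds        # how long a cached verification may be reused offline
        self._cache = {}                   # user -> (roles, verified_at)
        self._pending_audit = deque()      # decisions not yet delivered to the cloud audit store

    def authorize(self, user: str, role: str, now: float):
        """Return (allowed, source_or_reason); the second field tells the auditor where the decision came from."""
        try:
            roles = self._idp_lookup(user)           # online path: fresh answer, refresh the cache
            self._cache[user] = (roles, now)
            source = "idp"
        except ConnectionError:
            entry = self._cache.get(user)
            if entry is None:
                return False, "offline-no-cache"     # never verified on this workstation: fail closed
            roles, verified_at = entry
            if now - verified_at > self._grace:
                return False, "offline-cache-expired"  # too stale to trust without the IdP
            source = "cache"
        allowed = role in roles
        self._pending_audit.append(
            {"user": user, "role": role, "allowed": allowed, "source": source, "ts": now}
        )
        return allowed, source

    def resync(self, push) -> int:
        """Deliver queued audit events through push(event) once the link is back; returns the count delivered."""
        sent = 0
        while self._pending_audit:
            push(self._pending_audit[0])
            self._pending_audit.popleft()   # drop only after a successful push
            sent += 1
        return sent


class FakeIdp:
    """Stand-in for the central IdP (constructed); flip .online to simulate the WAN dropping."""

    def __init__(self):
        self.online = True
        self.users = {"dr.lee": {"clinician"}}

    def __call__(self, user):
        if not self.online:
            raise ConnectionError("WAN link down")
        return self.users.get(user, set())


if __name__ == "__main__":
    idp = FakeIdp()
    cache = OfflineIdentityCache(idp, grace_seconds=8 * 3600)
    print(cache.authorize("dr.lee", "clinician", 1000.0))   # verified online, cached
    idp.online = False
    print(cache.authorize("dr.lee", "clinician", 2000.0))   # still allowed from cache
    print(cache.authorize("stranger", "clinician", 2000.0)) # unknown user offline: denied
    idp.online = True
    print("resynced", cache.resync(print))
```

The grace window is the key policy knob: it bounds how long a revocation at the IdP can go unnoticed at a disconnected site, so it should be set from the clinic's realistic outage duration, not left unbounded.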

Outside of the U.S. federal government, the World Bank Group oversees operations across 189 member countries, necessitating a shift to identity security over boundary security. World Bank Group Head of Information Security Remy Faures noted that the organization’s massive mobile footprint rendered location-based security obsolete years ago.

“Identity became really the cornerstone of our security paradigm at a time where zero trust was really being coined and was really redefined in that paradigm,” Faures said. “We’re looking for ways to really deliver security, secure our workforce, our data assets, in a way that is independent from locations, from network boundaries.”

Managing Non-Human Identities, OT and Behavioral Shifts

Agencies need to understand the culture of identity management and the move to zero trust architectures, Tommy Gardner, CTO of HP Federal, said. Many agencies treat operational technology and hardware as a “given” rather than a variable that must be secured, he noted, adding that zero trust must be a holistic endeavor.

“[Zero trust] is a philosophy, not a checklist,” Gardner said.

Gardner noted that while identity management is often the most mature pillar in federal agencies, it cannot succeed without hardware integrity.

“That’s how you have to think about zero trust: What is the philosophy we’re going to use – from identity to software to hardware – to make our systems better?” Gardner said.

Officials also pointed to the growing challenge of managing non-human identities, including internet of things devices and AI agents. While organizations have matured in managing human identities, Faures said they must now apply the same rigor to an expanding ecosystem of automated and connected systems.

“Non-human identities tend to be very task focused,” Faures said. “We know exactly what they’re supposed to do. It makes the monitoring a little bit easier.”

Managing these digital personas requires a fundamental shift toward automation and “least privilege” principles. Faures said that manual onboarding is too error-prone for the current scale of these devices, necessitating automated lifecycles that include the “fast rotation of credentials” and short-lived certificates. By framing what an identity can do — limiting its scope to specific telemetry or tasks — organizations can contain the “volume of power” available to an attacker even if a specific credential is compromised.
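An added example of the automated lifecycle described above, not code from the World Bank Group or any named product: a non-human identity such as an infusion pump receives a short-lived credential that names exactly what it may do, the signing key is rotated on a fast cadence, and the verifier rejects anything expired, out of scope, or signed under a retired key. The token format, key identifiers and device names are constructed assumptions; the point is how little an attacker gains from one captured credential.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(identity: str, scopes: list, ttl_seconds: int, kid: str, keyring: dict, now: float) -> str:
    """Mint a credential bound to a subject, an explicit scope list, a short expiry and a key id."""
    claims = {
        "sub": identity,
        "scope": sorted(scopes),
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "kid": kid,
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(keyring[kid], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, required_scope: str, keyring: dict, now: float):
    """Return (allowed, reason); each rejection is explicit so it can be logged and alerted on."""
    try:
        body, sig_text = token.split(".")
        claims = json.loads(_unb64(body))
        sig = _unb64(sig_text)
    except (ValueError, TypeError):
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    key = keyring.get(claims.get("kid"))
    if key is None:
        return False, "unknown or retired key"     # rotation already retired the signer
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now >= claims.get("exp", 0):
        return False, "expired"                    # short TTL limits the window of misuse
    if required_scope not in claims.get("scope", []):
        return False, "out of scope"               # least privilege: only the named task
    return True, "ok"


def rotate(keyring: dict, new_kid: str, new_key: bytes, retire: set) -> dict:
    """Add a fresh signing key and drop retired ones; tokens under retired kids stop verifying."""
    updated = {k: v for k, v in keyring.items() if k not in retire}
    updated[new_kid] = new_key
    return updated


if __name__ == "__main__":
    keyring = {"k1": b"constructed-demo-key-1"}   # constructed; a real deployment pulls keys from a KMS
    now = 1_700_000_000
    tok = issue_token("infusion-pump-17", ["telemetry:write"], 300, "k1", keyring, now)
    print(verify_token(tok, "telemetry:write", keyring, now + 10))   # (True, 'ok')
    print(verify_token(tok, "ehr:read", keyring, now + 10))          # (False, 'out of scope')
    print(verify_token(tok, "telemetry:write", keyring, now + 300))  # (False, 'expired')
    keyring = rotate(keyring, "k2", b"constructed-demo-key-2", retire={"k1"})
    print(verify_token(tok, "telemetry:write", keyring, now + 10))   # (False, 'unknown or retired key')
```

Two design choices carry the "volume of power" argument: scope is a closed list checked per action rather than a role that implies many actions, and the key id travels with the token so rotation can retire old signers without touching every device at once.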

Koshy said that at IHS, even medical equipment like gurneys and infusion pumps must be monitored for deviations from their “acceptable baseline.”

“It’s really important that you’re looking at your device identities and their behavior at all times, and ensuring that you’re documenting the minimum acceptable behavior,” Koshy said. “If there’s any deviations, you can immediately investigate that.”
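The baseline monitoring Koshy describes, as an added example that is not IHS tooling: each device class gets a documented acceptable baseline (the destinations it may talk to and how often), and a check flags any device identity whose observed behavior leaves it, including devices with no baseline on file. The device classes, hostnames, ports, rate limits and telemetry records are all constructed.

```python
from collections import Counter

# Documented "acceptable baseline" per device class (constructed values).
BASELINES = {
    "infusion-pump": {
        "allowed_destinations": {("pump-gateway.clinic.local", 443)},
        "max_msgs_per_minute": 30,
    },
    "smart-gurney": {
        "allowed_destinations": {("asset-tracker.clinic.local", 8883)},
        "max_msgs_per_minute": 5,
    },
}


def _ev(device, cls, dst, port, minute):
    return {"device": device, "cls": cls, "dst": dst, "port": port, "minute": minute}


# Constructed telemetry: one pump behaving, one pump reaching an unexpected host,
# one gurney chattier than its baseline allows, one device with no baseline at all.
SAMPLE_EVENTS = (
    [_ev("pump-18", "infusion-pump", "pump-gateway.clinic.local", 443, 0)] * 2
    + [_ev("pump-17", "infusion-pump", "pump-gateway.clinic.local", 443, 0)] * 3
    + [_ev("pump-17", "infusion-pump", "203.0.113.9", 22, 0)]
    + [_ev("gurney-4", "smart-gurney", "asset-tracker.clinic.local", 8883, 1)] * 7
    + [_ev("legacy-scale-1", "scale", "vendor-cloud.example", 443, 1)]
)


def find_deviations(events, baselines):
    """Return a sorted list of (device, reason) for every observation outside the documented baseline."""
    deviations = set()
    per_minute = Counter()
    device_class = {}
    for e in events:
        base = baselines.get(e["cls"])
        if base is None:
            # An identity with no documented baseline cannot be judged; that is itself a finding.
            deviations.add((e["device"], f"no documented baseline for class {e['cls']}"))
            continue
        device_class[e["device"]] = e["cls"]
        if (e["dst"], e["port"]) not in base["allowed_destinations"]:
            deviations.add((e["device"], f"unexpected destination {e['dst']}:{e['port']}"))
        per_minute[(e["device"], e["minute"])] += 1
    for (device, minute), n in per_minute.items():
        limit = baselines[device_class[device]]["max_msgs_per_minute"]
        if n > limit:
            deviations.add((device, f"{n} messages in minute {minute} exceeds baseline of {limit}"))
    return sorted(deviations)


if __name__ == "__main__":
    for device, reason in find_deviations(SAMPLE_EVENTS, BASELINES):
        print(f"INVESTIGATE {device}: {reason}")
```

In practice the baseline is the document Koshy refers to, kept under change control, and the check runs continuously over the device telemetry feed so a deviation is raised at the moment it occurs rather than at the next audit.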
