
DISA Boosts ICAM to Enhance Zero Trust

Federation and cloud adoption help DISA drive unified user access, addressing tactical needs and insider threats.

DISA headquarters in Fort Meade, Md. Photo Credit: Staff Sgt. Clayton Lenhardt/Air Force

The Defense Information Systems Agency (DISA) is accelerating zero-trust implementation by focusing on identity, credential and access management (ICAM) solutions. Brian Hermann, director of the cybersecurity and analytics directorate at DISA, said the agency is progressing ICAM implementation through federation and cloud adoption.

“Thus far, we’re going to use the lessons that we learn out of [ICAM implementation in military services] to go ahead and do the federation across all the other ICAM solutions that exist within the department,” said Hermann during a media roundtable last week. “Learning the lessons that we’re learning right now on federation is a good thing, and we expect by the end of this fiscal year to have completed the federation activities with all of the military departments.”

According to Hermann, DOD is actively pursuing a federated ICAM approach, connecting disparate systems across the services to provide a unified view of user access. Hermann said that the launch of a federation hub is enabling interoperability between the different ICAM solutions within DOD. The hub gives administrators a comprehensive view of a user's access rights and prevents the same user from holding conflicting roles across systems, he added, and the technical challenges so far have been minimal.

“We would hate for somebody to be authorized for access to something but not be able to reach back to something that would grant them access,” Hermann said. “ICAM is really about that user pillar of zero trust.”

Tactical ICAM and Attribute-Based Access Control

To address connectivity and resiliency challenges in tactical environments, DISA is implementing localized ICAM instances that synchronize with the enterprise system, Hermann said. Deployed forces keep a "reach back" to the enterprise identity provider, and the locally synchronized instance lets them retain access even when that connection is lost.

“If that tactical location becomes disconnected from the enterprise in its totality, they still have the most recent synchronization of data that they can use to work from. So thus far, the way that we solve for the tactical issue is that there’s a local instance of the identity provider function,” said Hermann. “We have a single place where all the identities across the Department of Defense are managed out of, and we, DISA, synchronize that data with anybody else that has a separate instance of identity.”
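The pattern Hermann describes, an authoritative enterprise identity store with a tactical instance that works from its last synchronized snapshot, has one failure mode a practitioner should keep in view: anything the enterprise revokes after the last sync is invisible to the disconnected instance until the link comes back. The following is an added illustration written for this article, not DISA code; the class names, the snapshot format, the sample subject and entitlement, and the 24-hour staleness window are all assumptions chosen for the example. It shows the local instance serving decisions from its cached snapshot while disconnected, missing an upstream revocation, and then refusing to trust a snapshot older than the staleness bound rather than trusting it indefinitely.

```python
"""Offline-tolerant local identity provider, modelled on the tactical ICAM
pattern discussed above. Added example, not DISA's implementation; all names
and the staleness window are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Snapshot:
    """What the enterprise store hands a local instance on each sync."""
    version: int
    synced_at: datetime
    entitlements: Dict[str, Set[str]]   # subject -> entitlements
    revoked: Set[str]                   # subjects disabled at the enterprise


class EnterpriseIdP:
    """Authoritative identity store (in-memory stand-in for the example)."""

    def __init__(self) -> None:
        self.version = 0
        self.entitlements: Dict[str, Set[str]] = {}
        self.revoked: Set[str] = set()

    def grant(self, subject: str, entitlement: str) -> None:
        self.entitlements.setdefault(subject, set()).add(entitlement)
        self.version += 1

    def revoke_subject(self, subject: str) -> None:
        self.revoked.add(subject)
        self.version += 1

    def snapshot(self, now: datetime) -> Snapshot:
        # Copy the sets so later enterprise changes do not leak into a cached snapshot.
        return Snapshot(
            version=self.version,
            synced_at=now,
            entitlements={s: set(e) for s, e in self.entitlements.items()},
            revoked=set(self.revoked),
        )


class LocalIdP:
    """Tactical instance: decides from a fresh snapshot when the enterprise is
    reachable, otherwise from the last one, and only while that snapshot is
    younger than max_staleness."""

    def __init__(self, enterprise: EnterpriseIdP, max_staleness: timedelta) -> None:
        self.enterprise = enterprise
        self.max_staleness = max_staleness
        self.connected = True
        self.cache: Optional[Snapshot] = None

    def sync(self, now: datetime) -> bool:
        """Pull a fresh snapshot; returns False when the enterprise is unreachable."""
        if not self.connected:
            return False
        self.cache = self.enterprise.snapshot(now)
        return True

    def authorize(self, subject: str, entitlement: str, now: datetime) -> str:
        """Return "allow", "deny", or "deny-stale"."""
        self.sync(now)  # no-op while disconnected
        snap = self.cache
        if snap is None:
            return "deny"          # never synchronized: no basis for a decision
        if now - snap.synced_at > self.max_staleness:
            return "deny-stale"    # too old to trust: upstream revocations may be missed
        if subject in snap.revoked:
            return "deny"
        return "allow" if entitlement in snap.entitlements.get(subject, set()) else "deny"


def run_scenario() -> List[str]:
    """Connect, lose the link, revoke upstream, age past the staleness bound,
    reconnect; return the decision at each step (constructed sample data)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    enterprise = EnterpriseIdP()
    enterprise.grant("alice", "read:logistics")
    local = LocalIdP(enterprise, max_staleness=timedelta(hours=24))
    h = timedelta(hours=1)

    decisions = [local.authorize("alice", "read:logistics", t0)]        # online: allow
    local.connected = False                                             # link drops
    decisions.append(local.authorize("alice", "read:logistics", t0 + 1 * h))   # cached: allow
    enterprise.revoke_subject("alice")                                  # revoked upstream
    decisions.append(local.authorize("alice", "read:logistics", t0 + 2 * h))   # still allow: not visible
    decisions.append(local.authorize("alice", "read:logistics", t0 + 25 * h))  # deny-stale
    local.connected = True                                              # link restored
    decisions.append(local.authorize("alice", "read:logistics", t0 + 26 * h))  # deny
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```

The third decision is the one worth noticing: the disconnected instance still allows a subject the enterprise has already revoked, because it can only act on data it had at the last sync. The staleness bound limits how long that window can stay open; how long is acceptable is a policy decision that trades availability in the field against exposure to missed revocations.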

Hermann said that the different needs across DOD require different tactical solutions for resiliency. The Navy and Marine Corps, for example, have different requirements than the Army or Air Force, he said.

“Each of the military services has a need for potentially a different kind of a tactical situation [like] a float versus a tactical [or] a land-based environment,” Hermann said. “There’s also potentially some different identity requirements associated with combatant commands and even some of the combat support agencies.”

Hermann added that DISA’s ICAM responsibility extends to partners, including the defense industrial base and coalition partners and allies.

“U.S. Transportation Command needs to be able to partner with transportation companies that will never have DOD-provided credentials, so we have the ability to work with those partners with multi-factor authentication,” he said. “We have a process for granting them access.”

Master User Records and Insider Threats

ICAM is also helping DISA combat insider threats. DISA is implementing a master user record with strict privileged access control, giving the agency a central location for user access information. While the record is not currently connected to insider threat analysis, Hermann acknowledged its potential for that use in the future.

“It’s important – if something happens, and somebody was concerned about [an insider threat] having access to something – [DISA system administrators] might want to look at what … damage could have been done,” Hermann said. “You can have a track record of changes and things that have been done, as well.”

Balancing Enterprise and Specific Use Cases

DISA is also conducting pilots to assess whether enterprise ICAM solutions can meet the needs of various components, minimizing the need for separate ICAM instances, Hermann said. This approach aims to maximize efficiency and reduce the complexity of federation.

“One of the things that we’re trying to do is to have the right number of ICAM instances across the department based on the use cases that each of the components needs, but not to have too many,” Hermann said. “We are working with some components across the department to determine whether or not the enterprise solution can meet their needs and avoid having a separate instance of ICAM for them.”

Cybersecurity and ICAM

Hermann added that DISA has established a standard architecture for ICAM solutions, requiring privilege management functions for system administrators. DOD OCIO, DISA and the National Security Agency govern the architecture, he said, and DISA works with other DOD components to buttress cybersecurity across the department.

“We have a pretty robust operational control layered on top of the accreditation process, and partly my team here at DISA PEO Cyber, we provide the data and analytics environment to a separate organization within the agency that provides defensive cyber operations and cyber security service provider functions as well,” Hermann said. “It’s something that we take very seriously.”
