The Future of Identity Management is Continuous Verification, HHS OIG Says
Automation is a key driver for sustainable identity management and zero trust.
The Department of Health and Human Services’ Office of the Inspector General considers sustainability and continuous authentication the keys to a robust identity management strategy, according to comments CIO Gerald Caron made at an ATARC summit Tuesday.
“There are some great things that can be happening around this area, and the technology is getting even better all the time; however, we’re dealing with legacy applications… and so breaking through that is a task, and it’s no easy feat,” Caron said during ATARC’s Identity and Access Management Virtual Summit Tuesday. “We want to be able to automate as much as possible.”
President Biden’s May 2021 cybersecurity executive order required agencies to transition to zero trust architectures, which led to the expansion of tools such as identity and access management (IAM), governance and automation. Caron believes authentication is critical to this move, especially in the hybrid work environment. He noted that different methods of identity proofing lead to varying levels of risk.
“When I come up with my confidence score, how much I trust that common access card (CAC) or personal identity verification (PIV) card is going to probably have a lower risk than your username, password or some other methods of authentication,” Caron said. “That will depend on what I’m going to allow you to do… once you get to that authoritative identity, you can start to look at automation of the provisioning and deprovisioning.”
As agencies develop new hybrid work models that rely on bring-your-own devices (BYOD), HHS OIG is looking toward derived credentials to secure technologies such as mobile phones. Derived credentials are essentially a client certificate issued to a mobile device after an end user proves their identity by using their existing CAC or PIV card.
But the infrastructure to support derived credentials presents challenges. In order to effectively implement this form of authentication, organizations must modify devices and install adaptions to enable a PIV card to connect to a mobile device.
“True derived credentials is something that has been a little challenging, to say the least,” Caron said. “That’s why some organizations have gone with other forms of authentication, like multifactor through an authenticator and things like that, for the mobile phone.”
HHS OIG is focusing on sustainability as it continues to build out authentication tools and move toward zero trust. Continuous authentication can also account for constant changes in the cyber threat landscape.
“It’s going to reduce my security posture if I’m too complex and can’t sustain the different methods I have when a change happens,” Caron said. “One of the other concepts that I have been advocating for, and have yet to really see in practice, is ongoing authentication and ongoing access.”
To improve security and identity management, Caron warned that organizations cannot rely on an IT network as the “enforcer” of security. Zero trust has changed the role of the network to the “transporter,” moving identities from point A to point B, but there should be continuous authentication throughout that process.
“This is an architecture now, it’s not the silos. We have to get away from the siloed things. Everybody and everything has to be integrated,” Caron said. “Take in all these factors and understand all this information, then bring it into this engine to create a confidence score in a dynamic fashion. It’s going to move because things change… We have to bring all this telemetry in, so it’s important to do a lot of integration throughout this journey.”
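The dynamic confidence score Caron describes, where the authenticator used (PIV/CAC versus a password), device posture and other telemetry feed an engine that re-scores every access request rather than trusting a one-time login, can be sketched as a small policy engine. The following is an added illustration, not code from HHS OIG or the ATARC summit; the point values, decay rate, per-resource thresholds and the session events are constructed assumptions chosen to make the behaviour visible.

```python
from dataclasses import dataclass
from enum import IntEnum


class Authenticator(IntEnum):
    """Assurance ordering assumed for this example: hardware PKI > OTP app > password."""
    PASSWORD = 1
    OTP_APP = 2
    PIV_CAC = 3


@dataclass
class Signals:
    """Telemetry available to the engine at the moment of an access request."""
    authenticator: Authenticator
    device_managed: bool
    device_compliant: bool
    network_changed: bool = False   # source network differs from the one seen at login
    minutes_since_auth: int = 0     # age of the last explicit authentication
    impossible_travel: bool = False # location change faster than physically possible


# Constructed base scores per authenticator; a PIV/CAC starts far higher than a password.
BASE_SCORE = {
    Authenticator.PASSWORD: 40,
    Authenticator.OTP_APP: 65,
    Authenticator.PIV_CAC: 90,
}

# Constructed minimum score per resource sensitivity.
REQUIRED_SCORE = {"public": 30, "internal": 60, "sensitive": 85}
STEP_UP_MARGIN = 20  # within this many points of the threshold: ask for re-authentication


def confidence_score(s: Signals) -> int:
    """Combine authenticator assurance with telemetry into a 0-100 confidence score."""
    score = BASE_SCORE[s.authenticator]
    score += 5 if s.device_managed else 0
    score += 5 if s.device_compliant else -15
    score -= 10 if s.network_changed else 0
    score -= 50 if s.impossible_travel else 0
    # Confidence decays over time: 5 points per 30 minutes since the last authentication,
    # which is what makes "ongoing authentication" a requirement rather than an option.
    score -= 5 * (s.minutes_since_auth // 30)
    return max(0, min(100, score))


def decide(score: int, sensitivity: str) -> str:
    """Map a score to allow / step-up / deny for a resource of the given sensitivity."""
    required = REQUIRED_SCORE[sensitivity]
    if score >= required:
        return "allow"
    if score >= required - STEP_UP_MARGIN:
        return "step-up"
    return "deny"


def evaluate_session(events, sensitivity: str):
    """Re-score every access request in a session; returns (label, score, decision) tuples."""
    results = []
    for label, signals in events:
        score = confidence_score(signals)
        results.append((label, score, decide(score, sensitivity)))
    return results


# Constructed session: one user, one PIV login, telemetry changing over time.
SAMPLE_SESSION = [
    ("login with PIV on managed, compliant laptop",
     Signals(Authenticator.PIV_CAC, True, True)),
    ("45 min later, same network",
     Signals(Authenticator.PIV_CAC, True, True, minutes_since_auth=45)),
    ("90 min later, from a new network",
     Signals(Authenticator.PIV_CAC, True, True, network_changed=True, minutes_since_auth=90)),
    ("device drops out of compliance",
     Signals(Authenticator.PIV_CAC, True, False, network_changed=True, minutes_since_auth=90)),
]

if __name__ == "__main__":
    for label, score, decision in evaluate_session(SAMPLE_SESSION, "sensitive"):
        print(f"{score:3d}  {decision:8s}  {label}")
```

Running the sample session against a "sensitive" resource shows the decision moving from allow to step-up to deny without the user ever logging out: the engine does not treat the initial PIV login as a permanent grant, and the same password-only login that is fine for a public resource is never enough for a sensitive one. In a real deployment the weights would be tuned against the agency's own telemetry and the decision would be logged for detection and audit.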