Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
11 Ways ICAM Architects Can Support the Cybersecurity EO

- LIST -

11 Ways ICAM Architects Can Support the Cybersecurity EO

Following a number of high-profile cybersecurity incidents, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity on May 12, 2021.

 

The executive order (EO) outlines extensive new requirements for Federal agencies and creates an urgency to respond. For example, within 60 days, each agency must develop a plan to prioritize cloud technology and implement Zero Trust architecture. The EO also makes it clear that agencies will need to adapt quickly to meet aggressive timelines around the development, adoption and purchase of threat detection and cyber incident response processes and products.

 

If you’re an ICAM architect for a federal agency, here are 11 actions you can take now to begin meeting the new EO requirements:

 
number 1

Deploy products that support the threat detection and response process

“...the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” Section 1

 

Among the many processes and technologies to monitor, APIs are often a nebulous, overlooked component. However, because they deliver extensive amounts of sensitive data, they warrant greater attention. When you deploy products that provide visibility across your entire API landscape, you can detect, monitor and quickly act on unexpected behaviors.
number 2

Centralize disparate identity and access management (IAM) systems

“...service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident...” Section 2(f)(i)

 

To mitigate the potential impact of incidents, you need the ability to bring together data from multiple sources for examination. Centralizing disparate IAM systems across sources provides the visibility you need and enables data sharing for greater interoperability.
number 3

Establish a hybrid authentication authority that integrates on-premises and cloud identities

“...update existing agency plans to prioritize resources for the adoption and use of cloud technology...” Section 3(b)(i)

 

As you shift to cloud computing, you’ll experience firsthand the limitations of legacy IAM tools. But creating another set of cloud identities is not the answer. You can employ modern identity tools to break down identity silos and establish secure, interoperable, federated access to all mission-critical assets.
number 4

Incorporate flexible core components to support Zero Trust

“...develop a plan to implement Zero Trust Architecture...'' Section 3(b)(ii)

 

NIST Special Publication 800-207 notes that core Zero Trust elements, like identity management, need to be “flexible enough to operate in a ZTA and perimeter-based hybrid security architecture.” When you prioritize technologies built on open standards, you can easily integrate and augment capabilities.
number 5

Leverage data governance to enforce access permissions

“...prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for those data.” Section 3(c)(iv)


As data is classified by sensitivity, you’ll establish access permissions appropriate for that level of sensitivity. But data classifications are only good if risk-based, conditional access can be consistently enforced. To ensure this consistency, you can employ dynamic authorization and attribute-based access controls (ABAC).
number 6

Enable every asset, agency-wide to invoke multi-factor authentication (MFA)

“...agencies shall adopt multi-factor authentication...” Section 3(d)

 

As you look to quickly enforce MFA everywhere, you should consider implementing an authentication authority. An authentication authority centralizes authentication services to all assets (even legacy or custom ones), enables easy integration with multiple, existing PKI and MFA point solutions, and extends those capabilities to secure all resources.
number 7

Plan your migration from legacy solutions that don’t encrypt data at rest and in transit

Adopt “encryption for data at rest and in transit...” Section 3(d)

 

You’ll need to migrate off of legacy tools to meet new encryption requirements. Deploying a modern identity data store lets you establish a master user record by migrating attributes and profile data from legacy tools using bi-directional synchronization. You can then incrementally migrate applications to route to your new encrypted identity data store.
number 8

Evaluate your supply chain’s security

“....evaluate the security practices of the [software] developers and suppliers...” Section 4(b)

 

If your agency’s supply chain isn’t secure, your agency isn’t secure either. By thoroughly reviewing legacy software in your environment, you can identify where security practices are sufficient and where they’re falling short. As you evaluate potential new vendors, prioritize working with suppliers that practice secure software development and build security directly into their products.
number 9

Enable visibility into your identity data

“...deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents...” Section 7(b)

 

The success of your agency’s EDR initiative will be determined by how much visibility you have into your environment. You’ll want to prioritize solutions that can centralize disparate identity and access management components while smoothly integrating with detection tools to provide that visibility.
number 10

Prioritize vendors on the CDM Approved Products List

“...establish or update Memoranda of Agreement (MOA) with CISA for the Continuous Diagnostics and Mitigation Program...” Section 7(f)

 

The Biden administration has made it clear that the Continuous Diagnostics and Mitigation (CDM) Program will play a critical role moving forward. By choosing vendor solutions that are approved for CDM, you’ll ensure the technologies in your environment align with the program’s objectives. Learn about Ping’s CDM-approved products here.
number 11

Gather logs from your environment’s components

Follow “requirements for logging events and retaining other relevant data within an agency’s systems and networks.” Section 8(b)

 

Since managing logs can be complicated, you’ll want to prioritize tools that make it easy to capture, access and summarize log data. The ability to easily share that data with other security tools, like SIEM platforms, further enhances threat detection capabilities.

Learn how to modernize your agency’s workforce identity and access management.
learn more

Start Today

See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.

Request a free demo