How Identity and Access Management Enabled County Remote Working
Ramsey County, Minnesota, is willing to take the risk of over-securing user access, said Dean Morstad, its head of identity and access management.
Before the COVID-19 pandemic, county offices provided in-person services and employees made little use of multi-factor authentication, but that changed last year, when everyone switched to working remotely, Morstad said. on November 30 during the conference “5e Annual Government Identity Security Summit. In less than 30 days, he and his team had extended VPN and dial-up capabilities, and they overhauled security, making MFA mandatory.
âWe worked diligently to look at any outstanding gaps we had – to protect our perimeter from a security perspective – making sure we had the right tools in place, making sure we were protecting all of our assets. as well as all of our data, and then also moving and improving our identity and access management, âsaid Morstad.
The county still has a perimeter – “a clearly defined separation that we need to protect” – but he acknowledges that this is fading as the county embraces cloud platforms to support the new work environment. âWe also had to extend our access management to that, move to federation and use SAML authenticationâ¦ as well as understand all these cloud endpoints that we have access to,â Morstad said, adding that the goal is as much. as possible and take the risk that we are over-secure.
Data protection is especially important to the county, which must comply with several government regulations ranging from criminal justice information services to the Medicare Portability and Liability Act.
“It’s a challenge to make sure that as a county we do our due diligence to protect all of the people we have, and through this process we are also making sure that we don’t interfere with the ability to serve.” our customers, âsaid Morstad.
To avoid this pitfall, the county is performing gap analyzes to ensure existing data and regulations are covered while staying on top of new rules and cyber threats.
Morstad said he was exploring ways to help the county manage the maintenance of any IT changes, especially in light of staff shortages. One approach is to offload the work to providers as managed services. Another is to automate systems so the county can get the most out of its investment by letting automation handle routine activities while human workers focus on more critical areas.
Unlike Ramsey County, Carnegie Mellon University was well positioned to handle remote work and access management during the pandemic, said Mary Ann Blair, the university’s chief information security officer. That’s because students, faculty, and administrators have been bringing their own devices to college campuses for years and expecting to go online.
âWe have international campuses, so people have always been away and brought their own devices,â Blair said. âWhen the pandemic hit, we were right in the middle of spring break and we made the transition. We extended Spring Break by a few days and transferred all of our learning to online formats through the use of video platforms and practically continued without wasting a moment.
She shared some good access practices, starting with putting in place the right tools to facilitate aggregation of access and attesting to it, and putting in place governance to develop roles that the university can support. and map these roles to what users are allowed to access.
âWhen you look at systems like email, for example, where the content of this generalized system can come from your participation in various roles over time, this is an area of ââgreat challenge for us. When you change jobs, but still have the last job email content in your inbox somewhere, what do we do with it? Blair said. âThere are new areas that we are exploring at the university: to make sure that we have continuity of service for our affiliates, but that we are securing historical data as much as we are securing data that you should have access to now. “
She also recommends doing a retrospective after any cyberattack, even if your agency was not the victim. âSecurity is a specific time,â Blair said, so it’s important to have and validate a pattern of trust, and to expect and plan for a time when security will fail.
Stephanie Kanowitz is a freelance writer based in Northern Virginia.