Boston’s municipal employees can now access digital services more quickly as the city Monday introduced a web portal enabling single sign-on access and increased security measures intended to be a “one-stop-shop” for government resources. The portal is the first phase of a new citywide identity access management project.
City employees logging into the new site with a single username and password will be greeted with icons of every city application and digital tool they’re authorized to access. Clicking an application icon will open that application under that user’s profile, a process that will both save time and mitigate security risks, said Gregory McCarthy, the city’s recently appointed chief information security officer.
The two-year, $2.4 million project is the top priority for McCarthy, who assumed the CISO role on March 1 after almost nine years working on the city’s cybersecurity team. McCarthy told StateScoop that the release of the portal is the city’s way of centralizing access to the tools that employees use daily.
“It gives us a whole lot of extra ability we never had before, or at least not in a centralized manner,” he said. “It [previously] was a lot more labor-intensive and laborious.”
Users can also make data requests from within the new portal, which McCarthy said will tie into the city’s new data warehouse platform. Those requests can be tracked and approved, and McCarthy’s team can also certify access to data and applications remotely.
“Long-term, we could work with our analytics team and really fill that workflow in to empower our end users to request that access,” he said.
City employees no longer need multiple usernames and passwords to access various tools, and if they forget their portal login information, they can easily reset the password themselves, he said. While an automated password reset seems basic, it was actually a tricky update, McCarthy said. He added that the addition of multi-factor authentication to log in to more applications — currently, city employees only use it on Google services — should alleviate other password problems.
“As we know, passwords are not a great singular use of protecting data, information and technology resources, so by adding that extra layer we really helped to increase our security posture and lower our risk,” he said.
To train employees in proper cybersecurity hygiene, the city has run an online training program across departments for three years. McCarthy’s team will gradually role out its multi-factor authentication so as not to overwhelm the help desks on day one, he said, but he’s seen the security posture of the city improve even as his team has been rolling out tools behind the scenes over the last few years.
“When other agencies or other departments actively reach out to us and are like, ‘I’m thinking about this, how do we go about protecting x, y and z, or how do we go about ensuring privacy is there when we’re thinking about collecting this kind of data?’ It’s really encouraging,” he said.