Commentary: Ted Girard, a vice president at identity management firm Okta, encourages state and local election offices to use strong identity management security practices.
As we near the midterms, election security has become an increasingly pressing issue for the organizations responsible for putting on our elections, tallying the votes, and recording the results. With so much at stake, one critical aspect to securing election management systems, election night reporting systems and voter registration databases is ensuring outside actors are unable to gain access to — and potentially change — election results or cause chaos and confusion on election day.
The reality of today’s threat landscape is that our greatest strength is also our greatest weakness: people. Protecting their access, as well as the solutions they connect to via an identity system, is already well known to be a critical part of the modern security stack. But with more than 80 percent of today’s breaches caused by poor or stolen credentials, improving best practices around identity is critical for mitigating access-oriented attacks in our business and elections.
A recent StateScoop report, sponsored by Okta, found that only 28 percent of state government IT officials surveyed — and 15 percent at the local level — indicated that identity and access management solutions were fully or partially operational in their organizations. Yet, while the need is clear, it’s unrealistic to expect any organization to spend 80 percent of its security resources on identity-focused systems. Instead, states should concentrate their identity investments on foundational technologies and policies that provide multiple layers of protection around user access.
First, by setting stringent identity-driven access policies, election organizations can better ensure that only the right people can access and make changes to the registration database, or the results themselves. Poll workers, for example, may need access to view and confirm voters’ registration, but there is no reason for them to have the ability to change records without further review.
Similarly, any external systems that connect to these core databases or election management systems should also have access security. APIs are a powerful way to develop innovative and improved systems both within and among organizations, but agencies must use practices that ensure any users or systems adjacent to sensitive election data truly are who they say they are.
In addition to these core access policies, organizations need to ensure that as election officials change roles or leave the team, their access is consistently controlled. Election IT teams need to easily provision or, if someone leaves the organization, deprovision them from all systems quickly and securely — ensuring they can’t take action as a potential insider threat or become another target for compromise. The more apps teams use to carry out their work, the more likely someone will forget to revoke access for a departed member if identity management is not centralized.
Finally, states should make sure that there are multiple checkpoints for every user to confirm they are who they say they are — thereby preventing a lost or poor password from being the Achilles heel of a system. Multi-factor authentication for election security isn’t a silver bullet, but it’s a critical protective measure that all organizations must implement. Layered with stronger cyber hygiene and user education around common attacks such as phishing, MFA is key to mitigating user-focused attacks that might, in its absence, allow an attacker to gain access to our election systems.
There is a lot that can help protect our elections this November, and for years to come. Today, state election teams can focus their limited resources on addressing a potentially major area of weakness, enabling voters to focus on their task at hand: participating in our democratic process.