Identity, access tools essential to IT security, but states lag on implementation

Stolen and recycled passwords pose critical security risks for state and local government agencies. Those risks are expected to intensify as demand to support more applications grows over the next year, according to a new report.

IT leaders indicated in a report produced by StateScoop and underwritten by Okta that their agencies recognize how identity and access management (IAM) practices can help address security and other IT support issues. However, the study also found that significant gaps remain in implementing IAM tools.

Download the full report.

Only 28 percent of state government IT officials in the survey — and 15 percent at the local level — indicated that IAM solutions are fully or partially operational in their organization.

This gap was found despite strong support for the technology. Three-quarters of state government IT officials agree the ability to automate the management of identity information is essential to their IT security, and two-thirds agreed IAM tools are essential to adopting cloud computing services.

“If IAM solutions are not built for the cloud, and are used with cloud applications, custom integrations are required to make it compatible,” explains Tami Gallegos, director of public sector marketing at Okta. “This is costly to agencies, as each of these platforms do upgrades multiple times a year. Then those integrations stop working, and the customization has to be built again.”

The study, titled The Growing Need for Identity and Access Management Tools in State and Local Government, also shows that inadequate controls and a lack of automation are costly to agencies because it  impedes the delivery of services to citizens and reduces employee productivity.

One-quarter of respondents said their IT organization manages more than 30 applications requiring sign-on privileges for employees. Seven in 10 said they support five or more citizen-facing applications.

“As agencies increase the number of applications a user needs to sign into, it increases its risk of those users falling into poor password practices,” says Gallegos.

One of the most alarming findings showed that authenticating and disabling user access is currently taking much longer than respondents believe it should. One in 6 respondents said it currently takes four hours or more to disable user access privileges, suggesting many state and local agencies face continuing risks of data exfiltration by departing employees. Meanwhile, 1 in 4 respondents reported it takes four hours or more to activate new users, indicating agencies are missing an opportunity to onboard new employees and contractors quickly and improve the user experience.

Respondents ranked enhancing user services and satisfaction as another key motivation for pursuing IAM tools and services, behind the desire to improve security and privacy practices, reduce costs and increase efficiency.

The reasons behind the limited implementation of modern IAM solutions vary.

To dig deeper into the gaps between IAM beliefs and current practices, the survey separated state and local government respondents into three categories, with each respondent identifying their agency as an early, mainstream or late technology adopter.

Mainstream and late technology adopters cite competing IT priorities and a lack of IT staff expertise among the key challenges they face in adopting IAM tools and solutions. Early adopters point more toward the added complexity associated with IAM solutions and data integrity concerns.

Those who identify as early and mainstream adopters tend to have more time, funding and tools to manage IAM than later adopters. They also tend to have the IAM infrastructure to effectively manage access to internal applications compared to late adopters.

The report concludes with a series of recommended steps agencies can take to better secure their IT environments and improve user satisfaction.

This article was produced by StateScoop and underwritten by Okta.