Advanced Federal Use Cases: Identity on the Edge
- Wade Ellery
- April 21, 2022
Naval operations project power around the globe, often requiring assets to “sail over the horizon” and lose contact with onshore command and control. To maintain continuity and security in such an environment, ships and their crews require local access to all identity data originally sourced from onshore and integrated with local assets. This model needs to scale all the way up to an aircraft carrier and down to a SEAL team in a RIB (rigid inflatable boat).
Why Accurate Information at the Edge is so Critical (Better Data=Better Decisions)
America has always done well by empowering our soldiers in the field to make local decisions. We see that from our very beginning as a nation, when the rebel army fought for freedom from England in the American Revolutionary War, in many ways a battle between the old and the new. The British Army fought out in the open, using a traditional line formation with very centralized command over large masses of troops. The intent was to overwhelm the enemy with sheer firepower in a face-to-face battle. The colonists declined to adopt such a model, relying instead on smaller, more nimble groups of Minutemen who would hide behind trees and rocks. This alternative method of “facing” the enemy was greatly enabled by the willingness of the colonial army to empower these smaller teams to work independently.
These days, the world is watching the breakdown of battle plans based on the old idea of centralized command and little initiative in the field. Whenever there is a shift in the plan—and as German military strategist Helmuth von Moltke said, “no battle plan survives contact with the enemy”—central command generals must come into the field, assess the situation, and give new orders. This not only delays operations and hobbles the forces, it puts the command staff in much greater danger.
The modern United States military, however, has retained the lessons of the Revolutionary War and continues to highly enable its front-line squad and platoon leaders to make critical real-time decisions in the field. But as they continue to modernize and digitize the weapons and tactics of war, a new challenge has arisen: how to effectively provide all the modern IT capabilities—currently highly-reliant on a centralized infrastructure—all the way to the tactical edge.
Identity Has Become a Critical Component of Every Facet of Operations
Driven by the emergence of Zero Trust Architecture as the gold standard for enhanced security, and the demand for cross-entity collaboration and operations, Identity has charged to the forefront of the Federal Government’s effort to secure and deliver reliable services across the enterprise. A “least privilege” policy-driven access model demands the richest possible identity data to succeed, shining a light on the challenges of creating a complete and accurate view of each identity. The sheer number of historical systems, extended sources of granular data, and the nature of identity sprawl prevent a quick and easy aggregation of all identity data. It is not a failure of any one initiative, but in fact the nature of the world we work in, that identity data is created, managed, stored, and deleted in a variety of platforms that do not share a common structure, schema, format, or protocol. Think of identity sources in an environment as diverse and sprawling as the Department of Defense as all the nations in the UN, with a world of different languages, customs, and agendas.
Scalable, Accurate, Consumable Identity Data is the Foundation of Every Operation
Delivering on the security goals of recent Presidential mandates and ongoing projects across the Federal Government requires the implementation of an abstraction layer between the sources of identity and all the different systems that need to consume some part of that rich identity profile. This abstraction layer must be platform- and schema-agnostic so it can incorporate identity data from all sources regardless of structure, schema, format, or protocol. In addition, this abstraction layer must be able to model multiple simultaneous views of the data, each in precisely the structure, format, schema, subset of users, attributes, and protocol that each consuming application requires.
These consumers of identity span the Identity and Access Management (IAM), Identity Governance and Administration (IGA), and Privileged Account Management (PAM) applications, as well as Zero Trust Policy Decision/Enforcement Points (PDP/PEP), risk engines, AI and Machine Learning systems, and the network segmentation and microservices platforms. Each consuming system needs to get the same identity data from across all the diverse sources of truth, delivered in the precise format it needs to perform its mission.
Enabling Granular Access to Sources of Truth for Collaboration and Security
The abstraction layer also acts as a security layer between all the sources of identity data and the consuming applications or outside world. Only those attributes required for a specific operation or application are exposed, and this filtering can be applied at the attribute, application, or view level. Instead of asking to set up a share-all trust between organizations, the abstraction layer allows each source of truth to control its own data, and offers an additional layer of insulation that prevents unauthorized access across entities. This capability is critical when setting up joint operations with coalition partners and industry contractors who need access to secure data, but must be limited in the scope and breadth of what they can see and do.
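The following is an added example, not code from the original post or from Radiant Logic's product, that sketches the abstraction layer described above as a small Python model: two constructed sources with different schemas (a directory-style record and an HR-style feed) are joined into one identity object with attributes and relationships, and each consuming application receives only an allowlisted view of that object. All source names, field names, consumer names and records are constructed for illustration.

```python
"""
Toy identity abstraction layer (added example; all data and names constructed).

- aggregate(): joins records from heterogeneous sources on a shared login key,
  maps each source's native field names onto a common schema, and turns group
  membership / commander fields into relationships rather than flat attributes.
- view(): deny-by-default attribute filtering per consuming application, so a
  phone directory never receives clearance data and a PDP never receives a phone.
"""
from dataclasses import dataclass, field

# Constructed source A: directory-style record with LDAP-like attribute names.
DIRECTORY_SOURCE = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe",
     "memberOf": ["CN=Squad-3,OU=Units", "CN=Medics,OU=Roles"], "ipPhone": "5551"},
]
# Constructed source B: HR-style feed with a different schema and join key.
HR_SOURCE = [
    {"emp_id": "E1001", "login": "jdoe", "rank": "SGT", "mos": "68W",
     "clearance": "SECRET", "commander": "rsmith"},
]

# Each source's native field -> common-schema attribute name.
DIRECTORY_MAP = {"displayName": "full_name", "ipPhone": "phone"}
HR_MAP = {"rank": "rank", "mos": "mos", "clearance": "clearance"}


@dataclass
class Identity:
    uid: str
    attributes: dict = field(default_factory=dict)
    relationships: dict = field(default_factory=dict)  # relation name -> set of object ids


def _cn(dn: str) -> str:
    """Pull the leaf CN out of a constructed DN such as 'CN=Squad-3,OU=Units'."""
    return dn.split(",")[0].removeprefix("CN=")


def aggregate(directory, hr):
    """Build one Identity per login from both sources."""
    identities = {}
    for rec in directory:
        ident = identities.setdefault(rec["sAMAccountName"], Identity(rec["sAMAccountName"]))
        for src, dst in DIRECTORY_MAP.items():
            if src in rec:
                ident.attributes[dst] = rec[src]
        # Group membership is a many-to-many relationship, not just a value.
        ident.relationships["member_of"] = {_cn(g) for g in rec.get("memberOf", [])}
    for rec in hr:
        ident = identities.setdefault(rec["login"], Identity(rec["login"]))
        for src, dst in HR_MAP.items():
            if src in rec:
                ident.attributes[dst] = rec[src]
        ident.relationships["reports_to"] = {rec["commander"]}
    return identities


# Per-consumer views: an explicit allowlist of attributes for each application.
VIEWS = {
    "pdp": {"rank", "clearance"},                 # Zero Trust policy decision point
    "phone_directory": {"full_name", "phone"},   # no clearance or MOS exposed here
}


def view(identities, consumer, uid):
    """Return only the attributes the named consumer is permitted to see."""
    if consumer not in VIEWS:
        raise PermissionError(f"no view defined for consumer {consumer!r}")
    allowed = VIEWS[consumer]
    return {k: v for k, v in identities[uid].attributes.items() if k in allowed}


if __name__ == "__main__":
    ids = aggregate(DIRECTORY_SOURCE, HR_SOURCE)
    print(view(ids, "pdp", "jdoe"))
    print(view(ids, "phone_directory", "jdoe"))
    print(ids["jdoe"].relationships)
```

The point of the model is that a consumer is never handed the raw source record; an unknown consumer gets nothing, and adding a new attribute to a source does not leak it to existing consumers until it is added to their view.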
Let’s take a moment to discuss what an identity is in today’s modern IT world. Traditionally, we thought of an identity as a person and the attributes assigned to them, usually in their Active Directory user record. But this offers a very limited scope, both for the human user and for all the Non-Person Entities that also need to have their identity managed. So let’s define an Identity as any object (breathing or not, tangible or abstract) that can be defined by a set of attributes and relationships. The attributes part is obvious: a soldier has a rank, a server has an IP address, we can associate values for attributes to objects and use them to define that object.
But I would argue that it is even more important to define the relationships that a particular object has to other objects. A soldier has a relationship to their commander, to their squad, to their MOS, to their clearance. A server has a relationship to the service accounts that can access it, to the network segment it inhabits, to the data it holds. So equally important for our abstraction layer is the ability to contain all the wide variety of attributes for each object, while also maintaining the many-to-many relationships between all these objects, so you have a deeper contextual sense of how they inter-relate and interact.
In building an attribute-rich and relationship-aware, or context-aware, identity, the key is integrating as many sources as possible, while maintaining near real-time change detection to ensure the most current, accurate data is always available.
Whether we call this a Master User Record (MUR), Entitlement Catalog, Identity Warehouse, or something else, it gives us a “single pane of glass” through which we can see the entire enterprise. This enterprise may be a branch of the DoD, a department in the Executive Branch, or an aggregation of multiple mission partners into a coalition of identities that can interoperate across multiple environments, agencies, departments, industrial contractors, and international partners. Each branch or coalition may have its own version of a MUR created for its own purposes, most often stored and deployed in a centralized infrastructure. This centralized and accessible model serves many operations very effectively, but there are several use cases that are not well addressed by a central terrestrial or cloud-based repository of the identity data.
Often local forts, bases, or ports each need the core identity data from the master record source of truth for the objects in their command, but also need to locally augment each identity object with additional data relevant to the location or the organizational element. The abstraction layer needs to operate flexibly, efficiently, and at scale, whether deployed at the central command or as a subset of augmented identities at a lower level in the organization or in a different network security segment.
Back to the Tactical Edge
This brings us to the tactical edge, the tip of the spear, the men and women on the front lines. Just as highly available, comprehensive, and accurate identity data is necessary at central command and at established bases with reliable reciprocal connectivity, it is equally critical at the tactical edge, where denied, degraded, intermittent, or limited-bandwidth (D-DIL) connectivity to central command may hamper or break all access to the identity data needed for every decision in the field.
The tactical model takes many forms across the Federal Government and the armed forces. It may be something as large as a carrier group sailing over the horizon on a joint operation in the Indian Ocean, or a forward outpost at the front lines of enemy territory, or FEMA resources reacting to a natural disaster that has taken down all reliable communications. If the Identity Credential and Access Management (ICAM) decisions are governed by identity data, those same access controls are in play when a group becomes disconnected. To be sure the right people have the access they need, without compromising security, identity data needs to be able to travel with the team into the field.
For a large deployment, this will include standing up a local abstraction layer that is populated from the Master Records, including only those identities and attributes relevant to the mission. This initial deployment may then be pushed down to smaller entities in the battle group and augmented with existing local identities, resources, and attributes, such as a scenario where a small team is deployed to a Rock in the Ocean, bringing everything they need to operate, including a complete ICAM system populated with full identity sets.
While over the horizon, in the D-DIL environment, or completely cut off on an island, the operations can continue independent of the need for a connection to the shore or homebase. Field operations can assign additional access, update profiles, award field promotions, all in the context of their local copy of the identity datasets. When these forces return to a reliable connection to the homebase master user repository, the data from the field operations can be synchronized back to the master record. Local Governance tools can make decisions on which field updates (like promotions) are retained, and which (like temporary elevated security) are discarded before the master records are updated. The whole mission can be archived or completely wiped so that no residual attack surface remains. When another operation needs to go into the field, the appropriate identities can again be generated and applied for the next mission.
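The provisioning, field-update and reconnection cycle of the two paragraphs above, as an added example that is not part of the original post and not Radiant Logic's code. A mission subset is extracted from a constructed master record, field changes are applied to the local copy and logged with a change kind, and on reconnection a governance policy decides per change whether it is written back (a promotion), discarded (a temporary elevation), or held as a conflict because the master changed underneath it. The attribute names, change kinds, policy sets and records are all constructed.

```python
"""
Edge identity store with governed sync-back (added example; all data constructed).

Cycle: provision_edge() -> EdgeStore.update() in the field -> reconcile() on
reconnection -> EdgeStore.wipe() so nothing remains on the edge device.
"""
import copy

# Constructed master record: three identities, only two in the deploying unit.
MASTER = {
    "jdoe":   {"rank": "SGT", "clearance": "SECRET", "roles": ["medic"],  "unit": "squad-3"},
    "rsmith": {"rank": "LT",  "clearance": "SECRET", "roles": ["leader"], "unit": "squad-3"},
    "kwong":  {"rank": "CPT", "clearance": "TS",     "roles": ["staff"],  "unit": "hq"},
}

MISSION_ATTRS = {"rank", "clearance", "roles"}   # 'unit' is not needed in the field


def provision_edge(master, unit, attrs=MISSION_ATTRS):
    """Copy only the identities in `unit` and only the mission attributes."""
    return {uid: {a: copy.deepcopy(rec[a]) for a in attrs}
            for uid, rec in master.items() if rec["unit"] == unit}


class EdgeStore:
    """Local, disconnected copy; every field update is recorded for later review."""

    def __init__(self, records):
        self.records = records
        self.changelog = []

    def update(self, uid, attr, new, kind):
        old = copy.deepcopy(self.records[uid][attr])
        self.records[uid][attr] = new
        self.changelog.append({"uid": uid, "attr": attr, "old": old, "new": new, "kind": kind})

    def wipe(self):
        """Destroy the local data set once the mission is over."""
        self.records.clear()
        self.changelog.clear()


# Governance policy (constructed): which kinds of field change flow back to the master.
RETAIN_KINDS = {"promotion", "profile"}
# Anything not listed (e.g. "temporary_elevation" or an unknown kind) is dropped.


def reconcile(master, changelog):
    """Apply retained field changes to the master; report discards and conflicts."""
    result = {"applied": [], "discarded": [], "conflicts": []}
    for change in changelog:
        if change["kind"] not in RETAIN_KINDS:
            result["discarded"].append(change)          # deny by default
            continue
        current = master[change["uid"]][change["attr"]]
        if current != change["old"]:
            result["conflicts"].append(change)          # master moved while disconnected
            continue
        master[change["uid"]][change["attr"]] = change["new"]
        result["applied"].append(change)
    return result


def run_mission(master):
    """One full cycle against a working copy of the master; returns the outcome."""
    edge = EdgeStore(provision_edge(master, "squad-3"))
    edge.update("jdoe", "rank", "SSG", "promotion")                  # field promotion
    edge.update("jdoe", "roles", ["medic", "comms"], "temporary_elevation")
    edge.update("rsmith", "rank", "CPT", "promotion")
    master["rsmith"]["rank"] = "MAJ"     # central HQ changed this meanwhile -> conflict
    outcome = reconcile(master, edge.changelog)
    edge.wipe()
    return outcome, edge


if __name__ == "__main__":
    working = copy.deepcopy(MASTER)
    outcome, _ = run_mission(working)
    print({k: len(v) for k, v in outcome.items()}, working["jdoe"])
```

Two design choices matter here: the edge copy is a deep copy restricted to the mission's identities and attributes, so a lost device exposes nothing about "hq" personnel or unit structure, and the reconcile step compares each change's recorded old value against the current master so a stale field update cannot silently overwrite a newer central decision.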
Identity will be at the Center of Operations Going Forward
For more than two centuries, the world and our government operated in a highly analog world of paper, typed orders, and face-to-face or radio communications between staff in order to conduct military operations, provide government services, and respond to natural disasters. Just as the commercial world is moving to adopt digital solutions to replace analog paper-based systems, the Federal Government is in the middle of a generational transformation. But its sheer scale, the nature of all its siloed organizations, the layering of critical security, and the need to collaborate outside the US create an exponential level of challenges and complexity for this transformation. Take away one of the core architectural models, the ability to centralize data as sources of truth and disseminate that identity data in a controlled manner, by requiring operations in TAC/D-DIL environments, and the hill gets higher.
By adding this powerfully flexible identity abstraction layer, decoupling the sources of truth for identity across all object types, and controlling where and when identity data is provided, it is possible to serve two masters, centralization and tactical autonomy, and remain true to the tenets of security, accuracy, and availability.