Success Story / Cross-Entity Collaboration
Department of Homeland Security enables cross-agency collaboration
RadiantOne tightened security while accelerating information flow across agencies.
Simplifying identity infrastructure for faster adaptability
The Department of Homeland Security (DHS) consists of many of the nation’s most essential programs and agencies, including FEMA, TSA, US Borders and Protection Agencies. In a national security crisis or natural disaster, it’s imperative that these agencies and their staff can collaborate, immediately.
However, they were bogged down by an antiqued and complex IT infrastructure. The IT team struggled to keep up with access requests from federal employees to the DHS network for email, facility control, training, and time and attendance systems. They were saddled with a time-consuming, manual process for granting access—identity sprawl left them without a modern method for sharing data. DHS needed a way to simplify its identity infrastructure and enable interoperability between systems. Thanks to the sensitive nature of the data, they also needed to be highly selective about what data was going where to ensure compliance with internal security and privacy rules. To address these complex challenges, DHS developed a solution called the Trusted Identity Exchange to create the one unified identity platform they needed to quickly and securely enable multi-agency collaboration.
The DHS was responsible for securing access to systems across numerous agencies despite significant identity sprawl. This led to a convoluted process around sharing data across agencies—an ongoing roadblock for key initiatives. Keeping a high degree of access control over this wide array of systems and points of entry presented a constant challenge to the DHS’s IT personnel.
To accelerate their access and governance processes and respond faster to agency access requirements, DHS set up the Trusted Identity Exchange, or TIE. TIE manages the digital flow of identity, credential, and access-management data for DHS employees and contractors. It establishes a ‘one-stop shop’ of trusted information about the people that access DHS applications and data.
The DHS gained a massive increase in operational efficiency—with a central interface and streamlined process for requesting and obtaining identity data, there is decreased effort required for granularly extending access to the myriad agencies and applications. The team radically accelerated cross-agency collaboration, while adding security and improving privacy compliance.
“Being able to provide one magical source of a bunch of data to your downstream systems is huge. Now whether the organization or company uses SailPoint or whether it’s Okta, whether it’s Savyint or whatever it is, just a single source of identity data is huge, for an identity system or provisioning system, any workflow system.”
Department of Homeland Security
Struggling to Meet Modern Agency Requirements with an Unwieldy, Antiquated IAM System
The DHS’s identity infrastructure was fragmented and presented significant challenges for managing ever-increasing requests for access. Their dispersed system required a lot of manual effort to navigate even basic access requests for internal users. The existing process to add new employees required multiple paper forms (!!!) to be generated and sent via email or faxed to a number of individuals, who then had to hand-enter Personally Identifiable Information (PII) from paper forms. The outdated IAM system led to unsustainable business practices bound to introduce errors.
In addition, every “consuming” application required a unique collection (and formatting) of the user’s digital identity and credential data to manage access to protected resources, such as federally managed facilities, information systems, and data. These applications could range from a physical building door reader to a computer connected to the DHS network, or to any application on the DHS technical environment.
Even for the more “automated” element of system-to-system communication, each system had to make multiple connections to different identity sources. And there were many consuming applications that needed access to the data of these authoritative systems. So it was a burden on the IT team to either create a new API, expose a new interface, manage a new set of ACL’s for applications, create files and a job to send them or put them on a server–it was a system overdue for modernization.
It was hugely cumbersome to manage, and there was a major loss of visibility into where data was going—who has access, who needs access, where has it been shared? Security and privacy teams were concerned—there was no way of managing or tracking all of this data.
Transforming IAM to Enable Cross-Agency Collaboration with RadiantOne
The team at DHS knew they needed to modernize their IAM system to incorporate change faster, automatically, and with more transparency to meet compliance requirements. The new system needed to leave in place what was working—the authoritative data systems and independently operating agencies—while also unifying them into an interoperable, organization-wide identity data platform that would enable collaboration quickly and securely. They called this effort the “Trusted Identity Exchange” (TIE), with the intention that this service would drive a number of initiatives to deliver quicker time to value, enhance productivity for employees, reduce the burden on IT teams, and strengthen security posture through secure cross-agency collaboration.
The DHS chose the RadiantOne Intelligent Identity Data Platform to build their TIE/as the core infrastructure powering the TIE. RadiantOne establishes secure connections to authoritative data sources, providing a secure interface for DHS applications, enabling timely and secure sharing of data that gives DHS technical agility to extend and retract access appropriately.
RadiantOne provides the integration layer for TIE that aggregates and rationalizes the data to create a central identity hub containing all the identity data for each user. It can then produce the specific composite views required by each consuming application.
In the TIE framework, RadiantOne supports many consuming applications, such as SailPoint and TSA Pre-Check for DHS employees, making it a key enabler to DHS initiatives that hinge on the successful implementation of those solutions. These initiatives include the DHS Data Framework, Personal Identity Verification (PIV) Smart Card usage, Single Sign-On (SSO), and fine-grained authorization (also known as Attribute-Based Access Control).
How the RadiantOne-Driven TIE Drives Initiatives Across DHS
Understanding the DHS Data Framework
TIE was developed to meet the DHS Data Framework access control requirements. The DHS Data Framework is a scalable information technology platform with built-in advanced data security and access controls. As the technology behind TIE, RadiantOne brokers connectivity to the variety of authoritative identity data sources and integrates the information in a way that facilitates the authorization required by the Framework.
Automating Access and Provisioning for PIV Smart Cards
Federal employees and contractors are issued PIV smart cards, which are secure credentials, and are required for use to access federally managed facilities and information systems. For these smart cards to be used as required by policy, TIE is required to broker connectivity between PIV authoritative sources and consuming applications to create an association between a person’s PIV card and the related user account on any given system.
Prior to the implementation of TIE, the data attributes and PII required to provision and deprovision access accounts and entitlements had been moved via emails, spreadsheets, comma-separated value (CSV) files, and sometimes via fax. When a person uses his or her PIV card to log-on to the DHS network (Windows), data about the PIV card must be provisioned to Active Directory (AD). Previously, this was accomplished through a variety of manual processes, including several stop-gap solutions through which the provisioning took place well after a person’s AD account was created—leading to lags in employees getting the access required to do their jobs. In some instances, more information than was necessary may have been transmitted between consumer and source systems to provision or de-provision access. These manual processes not only elevated the risk of exposing sensitive PII to unauthorized personnel, but also prohibit or hinder the efficient transfer of data required to securely grant access to users within the DHS infrastructure.
Adding Granularity and Efficiency to the Governance System
As the core of TIE, RadiantOne serves as the identity information broker required to support automation of PIV and all other access entitlement provisioning and de-provisioning, thus eliminating costly, inefficient business processes. This facet of TIE also mitigates privacy risk by reducing the risk of exposure when PII is passed via less secure email or even paper-based processes.
With the unified identity source RadiantOne provides, the TIE achieved a higher level of granularity, efficiency, and speed for granting and governing access–now triggers for onboarding and offboarding users are automated, and can be determined using a number of factors pulled from a variety of sources. For example, a user’s onboarding journey may have begun before their background check was completed—that will be recognized automatically and taken into account for provisioning his access, and his status will change upon completion of the background check. Other rules may require checking a procurement system to see if a contractor’s contract is active—if the contract is expired, that can trigger offboarding the user or deactivating their access to specific resources. Maybe the HR system shows that a user is on leave—in that case, the user’s accounts will be disabled. This enhanced governance is a key enabler of enhanced security posture for the organization, eliminating gaps and lags that could lead to inappropriate or leftover access.
Enhancing Productivity, Security and User Experience with Single Sign-On (SSO)
SSO enhances a user’s PIV log-on experience by enabling seamless, “one-click” access to applications, following use of the PIV card to log-on to the DHS network. SSO reduces DHS’s dependence on passwords for access to sensitive systems, while achieving PIV compliance. SSO enables an end-user experience that combines previously mentioned initiatives, such as PIV smart card usage, provisioning automation, and fine-grained authorization, and is a strategic initiative for DHS. TIE (RadiantOne) must be in place to support PIV, provisioning, and fine-grained authorization use cases to achieve the SSO user experience for all targeted applications.
Delivering Automated, Fine-Grained Access
Fine-grained authorization (which sometimes materializes as ABAC) describes an IT system’s ability to make a final access determination based on near real-time information from authoritative identity sources. Because DHS has numerous authoritative identity sources used by many consuming applications, TIE is necessary to provide the single interface (by acting as a broker to multiple underlying systems) for consuming applications to request the information required to make such a dynamic decision.
Now DHS has the ability to combine information from multiple underlying systems to determine access—this capability was key for enabling the TSA Pre-Check benefit automatically for qualifying employees.
Radiant Radically Simplified the “Enterprise” Identity Architecture to Streamline Processes Across Agencies and Initiatives
Thanks to RadiantOne and the TIE initiative, DHS simplified its identity infrastructure, enabling more efficient and secure operations and easier, more streamlined experience for its users, no matter which DHS-affiliated program or agency employs them.
“Privacy loved us, like absolutely loved us.” -ICAM Architect, DHS
This enhanced identity platform pays dividends in productivity, operational efficiency for the organization and the IT team, and maybe most importantly, in decreased risk. While ramping up the speed of collaboration was key to the TIE project, a key benefit was securing sensitive data by gaining visibility into and control over what data was going where, centrally managing that flow, and delivering insight into the validity of those flows for compliance. Now, agencies are empowered to act autonomously while benefiting from shared resources, and employees are able to work together effectively—all while reducing the burden on the IT team.
Discover how other organizations leverage RadiantOne
Explore common challenges across all industries and see how our Intelligent Identity Data Platform changes the sunk cost one-off “solution” game.
Like how we helped other organizations? We can help you too.
We got your back. Get in touch with us and we can help find a path forward to solve your complex identity infrastructure challenges.