Centralized identity management: Okta's Christine Halvorsen and Pam Van Meter
StateScoop Radio · 2024-08-05 · 28 min
Substance score
34 / 100
Five dimensions, 20 points each
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
A handful of specific statistics give the episode some substance (17.3 hours/week debugging, 71% abandonment rate, on-prem 3x cost), but the bulk of the runtime is generic cybersecurity platitudes - Zero Trust, MFA, SSO - that any practitioner in this space already knows. Much of the runtime is promotional framing rather than novel operational insight.
developers spend on average 17.3 hours a week debugging and maintaining legacy bad code which contains security threats in it
having an identity solution that is redundant, reliable and scalable um, on prem is three times more expensive and 93% of application vulnerabilities are really a result of that custom code
Originality
The episode recycles well-worn frameworks (Zero Trust pillars, least privilege, MFA) without adding first-principles thinking. The government-to-government identity federation angle and hub-and-spoke state/local model are the only partially fresh framings, but they're described briefly and not developed with any contrarian depth.
Okta, out of the box, does a hub and spoke model that the states can deploy at the local and state level where they can really protect that one identity of that resident
government to government solutioning...one government agency owned all the data and I had to get access to that data in their application, usually the other government, I would have to make a request for them to set up a user ID
Guest Caliber
Christine Halvorsen's FBI counterterrorism and federal cloud transformation background is genuine practitioner credibility and she speaks from real operational experience. However, both guests are Okta employees in what is essentially a vendor marketing interview, limiting the independence and depth a true third-party practitioner would bring.
when I was with the FBI, I had to do the same thing when I was running our counterterrorism division and going to the cloud
when I was in federal government, when I had to log in in the morning to get access to the main systems, I had to log into 12 applications in the morning
Specificity & Evidence
Several concrete statistics are cited (7,600 integrations, 90% of CJIS requirements met, October 1 deadline, 95% supply chain attack figure), giving the episode some factual texture. However, all numbers are vendor-supplied with no independent sourcing, no named customer case studies, and no outcome metrics from actual deployments - reducing their credibility.
Okta's identity cloud is an independent and neutral platform that securely connects right to over 7,600 applications out of the box. And it also meets 90% of the CJIS identity requirements
95% of the attacks right now are through supply chain attacks
Conversational Craft
The host asks broad, leading questions that function as product-pitch prompts and never challenges a claim, asks for evidence behind statistics, or pushes back on vendor assertions. The interview is a structured marketing conversation, not a probing dialogue - every question ends with the guests promoting Okta capabilities unchallenged.
Those are some great points. Christina, love to ask this next question of you as well
So Pam, in light of what Christine just laid out here, why have customer identity and access management solutions become so important
Conversation analysis
Computed from the transcript - who did the talking, and the verbal tics along the way.
Share of words spoken
- Speaker B: 62%
- Speaker C: 29%
- Speaker A: 9%
Episode notes
Okta Public Sector CTO and former FBI executive Christine Halvorsen joins Okta Principal Solutions Engineer Pam Van Meter in a new podcast discussion on how modern Customer Identity and Access Management (CIAM) platforms help state and local agencies lower costs and improve customer experience and security. The podcast is hosted by Scoop News Group's Wyatt Kash and sponsored by Okta.
Full transcript
28 min · Transcribed and scored by The B2B Podcast Index.
Speaker A: State and local government agencies are continuing to look at ways to modernize and secure their systems, to protect their sensitive data and improve the user experience of the residents they serve. One key technology, uh, that agencies are actively adopting to accelerate those efforts is centrally managed customer identity and access management tools. I'm, um, Wyatt Kash with Scoop News Group. And, um, here. Here to talk about those tools and how they're making a difference and why are Christine Halvorsen, public sector chief technology officer at Okta, and Pam Van Meter, principal solutions engineer, also with Okta. Christine and Pam, uh, thank you so much for joining. And, um, Christine, let me start with you. Um, what are some of the primary challenges that you and your technical experts are seeing at the state and local level as they try to safeguard against cybersecurity threats?
Speaker B: Yeah, and thanks, Wyatt, for having us on today. And I will tell you, state and local governments have a very hard job right now. Um, as the cyber environment continues, the threats continue to come into the cyber environment, and really the challenges that they face are numerous. They're complex and they're multifaceted. Right? And if you break those down and categorize those into kind of three main areas. First, I talked about the current threat environment, right? It's including various threat actors, both foreign and external, and internal threat actors, your insider risks. And then you have the constantly evolving landscape of threats, which is getting even more fast paced, with AI being used, right, by threat actors to facilitate any type of compromise. Um, and so that in itself is very difficult to do on a daily basis. And then you have the operational environment, right? That's the keeping the lights on 24/7. Right. So besides the threats and everything going on, they still have to support all the operations at the state and local level. 24/7. And so they're grappling with this shortage of employees with the essential skills to do the jobs. Um, because, listen, if you're implementing AI or trying to do AI, there's a shortage of AI experts, right? And people who can code in AI. And at the end of the day, the big tech companies are grabbing them up because they're paying them more money than a state and local government can pay them. And then you have this need to balance the ongoing operations with these digital transformation initiatives. And when I was with the FBI, I had to do the same thing when I was running our counterterrorism division and going to the cloud and doing cloud transformation projects. You're trying to balance the operations of the day and keeping people safe with trying to do digital transformation, right? And there's trade-offs of time and efficiencies that you can gain there.
And then ensuring that their strategic goals that they have at the state and local levels, funding align with the administrative priorities. Right. And the administrations in state and local governments change over quite frequently. So their timelines to get projects done are much shorter because the funding is only for certain period of time with, especially with elections coming up here soon. And then the third bucket is kind of those competing requirements and priorities. They have a diverse set of customers, right? So they, uh, state and local IT teams have to meet diverse customers, both the workforce, their residents and their vendors. Right. And so this creates a wide range of missions they have to meet and services they have to meet. And then you have the compliance requirements necessitating those multilayers of approval for the technology adoption. So they definitely have a challenging role. And you know, we here at Okta are here to support them, um, securely by, you know, we want, we're focused on identity solutions for both residents and workforces. And that's why we're talking today, because we really want to help them, um, solve the complex problems of identity.
Speaker A: So Pam, in light of what Christine just laid out here, why have customer identity and access management solutions become so important, especially at agencies that don't always have the staffing and resources they often need?
Speaker C: Yeah, good question. Thanks, Wyatt. Um, so a lot of the states and local governments are now really working on prioritizing seamless, secure and easy user experiences for their citizens. And there's a push, um, coming from, you know, sort of started in the federal government, but then moving into a lot of the states and counties about providing a citizen experience that's similar to what a lot of users are used to with Amazon, for example, or Netflix. And they say being able to provide an experience that is seamless and secure, um, is going to help build trust in the government services that those citizens are taking advantage of. So being able to offload a lot of that, um, security and then as well as the services themselves to a cloud solution where that vendor can help with um, the security protocols and the standards and make sure that those are all being followed properly and correctly. And then it's going to, as a result, make the citizens happier with the government that is serving them, make them more aware of the services that they can take advantage of and make it easier for them and more secure so that, you know, they're feeling like, okay, yeah, my government is serving me with my tax dollars and they are able to take advantage of, um, of the Services that they have available.
Speaker B: Yeah. And if I can just add on to that, I think, you know, when we look at the digital world, right. To Pam's point, everything's been redefined on that resident engagement. Right. Again, they want that secure, seamless and personalized experience. And states really are focusing and think they can transform how they're delivering resident services to their residents. Even residents who, you know, that don't maybe even have an Internet connection right now. Right. Who have to call in. Because if you can deliver resident services better online to those who have, who have access to it online, and it's more seamless and integrated and personalized, and less phone calls will be coming into the help desk lines where the service, the citizens who actually need to use the phone can get through a lot quicker and get the services they need a lot quicker. And so there's this transformation period coming, right. With the delivery of these services. And so there are roadblocks in the way, um, for some of that. And that is kind of what Pam talked about. Right. Getting off of older technologies and doing those digital transformation projects to deliver those services. And I think also the other big benefit of this with identity is allowing the residents to own their own identity data. Right. To allow them the privacy of their own data and their own ways that they're kind of doing multi factor authentication or authenticating into services. They can own that themselves and not have to worry about the state or local or federal governments owning that. And I think there's. Again, we're, we're about to turn this corner here. The more we deliver these services here at Okta to really transform how governments deliver those services. And I also think it'll definitely save them time and money, which they can then put into more services they can provide to their residents versus spending it on antiquated technologies and the cybersecurity risks they have right now today.
Speaker A: So it sounds like a great economic argument as well as a customer service argument. Pam, can you maybe spell out some more specific ways that customer identity and access management solutions actually reduce cyber risks and maybe actually also improve the user experience for state and local agencies?
Speaker C: Yeah, great question. So when I talk to states and local agencies, I hear some common themes from all of them where they have stovepiped services and a lot of legacy technical debt. Um, so what comes along with the legacy technical debt is high maintenance costs, higher security risk. So because they're not always patched or updated or maintained to a level that, um, you know, would be consistent with what we would expect in today's standards, um, and then also that you know it provide those solutions that they currently have are also a disjointed user experience. So if I need to log into one agency it's one experience, one login and password versus another agency versus another. And I've talked to states that uh, their users say I have seven different logins to talk to, do all of the things that I need to do. So providing SSO centralizing it one login across all the applications themselves, putting in security best practices along with that. So passwordless login, supporting passkeys, passwordless biometrics, ah, in lieu of passwords, if you do provide password authentication then also add in MFA, step up MFA for risky logins, risk scores on those login attempts, um, things like bot detection, breach password protection, um, and as I mentioned the SSO across all the applications streamlines everything, centralizes it, moves it to a cloud service that can then handle and maintain all of those back end functions that we're serving um, from the risk engine. And then um, you know as well as all the MFA pieces which can be um, a heavy lift for organizations to try to implement on their own. So offloading all that, getting rid of the tech debt right there, there's a huge win for not just the citizens but also the employees that have uh, to manage all of those systems. Like Christine said, they're so strapped and they have such a tough job, there's so many demands on them.
So take a huge amount of that burden off, it's more secure and it's going to be better for the citizens themselves as well as the employees that maintain those systems.
Speaker B: So just to follow up to what Pam was talking about, you know, and as she mentioned, 71% of what we're going to call customers and that includes residents right when um, we're looking at the stats on this, they will not log in if there's too much friction on an application. And developers spend on average 17.3 hours a week debugging and maintaining legacy bad code which contains security threats in it and then building custom solutions on top of those. Legacy identity adds between 6 to 12 months to project roadmaps again with the state and locals having a very short time to deliver based on administration, funding and changeover that causes a lot of problems for them. And then having an identity solution that is redundant, reliable and scalable um, on prem is three times more expensive and 93% of application vulnerabilities are really a result of that custom code we talked about. So identity is incredibly uh, code intensive. Which is why here at Okta, we just focus on identity. Right. That is our expertise. And all these factors really impact the entire agency, uh, to include the state and local representative's office, because if they're not delivering great services to their citizens, the citizens are going to be calling in and complaining. And so with Okta, there's that frictionless experience and security for today with that centralized management that Pam talked about. And the speed to deployment is really all increasing that resident outreach and usage. Right. While improving their. Not only the security of the state and local systems, but the security of their residents personally. Right. When you're able to not have 25 logins to 25 applications, you're trying to get to, trying to remember 25 passwords, right. That are out there in the ether, instead of just having that single sign on that you sign on with, it actually protects you as a resident.
And so I think that that's a really important point to bring up when we're talking about these resident services. And one other point I want to make on this, and we haven't talked about it because we're really talking about, you know, our citizen is a CIAM solution. But when you're talking about state and local governments, there's got to be a layered approach because a resident that's a resident of a local municipality is also a resident of the state. Right. And Okta, out of the box, does a hub and spoke model that the states can deploy at the local and state level where they can really protect that one identity of that resident. And also the threats that are coming to them on the citizen side of identity will be the same threats they will see on the workforce side. And with our identity platform, you'll be able to see all those threats coming into one central management system. Um, and you're able to kind of get ahead of the threat that way as well.
Speaker A: Those are some great points. Christina, love to ask this next question of you as well. Uh, and particularly given your expertise, you know, the federal government has stringent security requirements such as those outlined in the Criminal Justice Information Services or CJIS security policy. And, you know, there's also an effort to build zero trust security environments. Can you talk about how does Okta meet some of those standards and how can that help state and local agencies enhance theirs and the nation's zero trust security efforts?
Speaker B: Yeah. So thank you, Wyatt. It's such an important question, especially with the 10/1 CJIS deadline coming up, the October 1st deadline coming up for the new CJIS requirements, which a lot of them are built around Identity. But I'm gonna take a step back and talk about Zero Trust first, because really the new CJIS security requirements, uh, especially around Identity, really focus on that first pillar of Zero Trust of Identity. That's what they're really built on. And so when we talk about the Zero Trust framework, it's really built on three principles, right? Least privilege, no implicit trust, and continuous monitoring. And really, Okta's core out of the box capabilities support the implementation of these three principles while also supporting the other the five pillars. The full five pillars, right? Um, and meeting the automation, orchestration and visibility analytics that span the pillars. But at the end of the day, Identity is that control plane that not only is the policy evaluation engine in the Zero Trust architecture, but more often than not is also the policy enforcement point. And that really requires identity object that is trying to access, you know, data to be authenticated. And in fact, if you look at anything, right, whether it's citizen services or workforce services, that authentication is the start of that transaction that kickstarts the entire flow of an object acting on data, right? And again, the goal is to protect the confidentiality, integrity and availability of that data. And so when with zero trust in that identity, uh, pillar that we're talking about, that is where we're really trying to get right, as close to kind of that action as we possibly can get. And Okta does that out of the box. And Okta, again, was built on the Zero Trust principles. So now let's fast forward to CJIS compliance. The deadlines of 10/1 that are coming up. There are a lot of requirements around Identity, right?
And when we're talking about CJIS compliance right now, what, when I'm talking to customers or other governments, right, agencies, uh, about this, I just keep hearing MFA, MFA, MFA, right. That's what they're talking about. But if you. There are two requirements, right, for MFA, two call out requirements for MFA. But it is much bigger than that. It is much bigger than just MFA on the CJIS requirements. What the CJIS requirements are doing is they're starting to look at the zero trust and best practices and identity, and they're forcing that to happen in the new CJIS requirements for state and local governments to have access to that CJIS data. And so when you, when you're looking at it that way, it's more than just MFA. And so if you're, if you have to be CJIS compliant, if you're touching CJIS data, there are really two questions to ask yourself when working with vendors. The first is, does the vendor itself meet the required CJIS requirements? Right. In the case of Okta, we do. We meet all the CJIS, including the new requirements. Because by the way, we, as we say we, you know, make and eat our own dog food. Right? We use Okta internally ourselves. Um, and then the second question you need to ask is, how can the SaaS provider help you become CJIS compliant? And this is where Okta stands apart from the other identity platforms as the CJIS requirements 2.2 speak about the architecture independence that uh, CJIS is requiring and which Okta's identity cloud is an independent and neutral platform that securely connects right to over 7,600 applications out of the box. And it also meets 90% of the CJIS identity requirements to include besides MFA and SSO, lifecycle management, workflow notifications, incident response, audit logging. Right. There's a lot that we already meet straight out of the box.
And then the other 10% that we don't meet are really those identity proofing requirements that they've come up with and we already integrate with identity proofing companies. Um, again we love identity here at Okta, um, and to meet the remaining 10% of those requirements. So what I can say here is if you have the 10/1 deadline quickly approaching, Okta is here to help you. We even have an Okta CJIS support program that we created just for our local and state governments so that they can come to us and talk about this and how we can meet those requirements. And if anybody wants more information on that, please reach out.
Speaker A: Thank you so much for spelling that out. Uh, and then lastly Pam, let's wrap up here a little, um, but I'd love to hear if you could provide some specific examples of how Okta's identity and access management tools have really helped state or local government agencies deploy systems faster or actually examples of how it improved user satisfaction more effectively.
Speaker C: Yeah, um, so we're working with quite a few state and local agencies right now, um, to modernize, you know, work with their modernization, digital modernization strategy. Um, and a lot of that is involves upgrading, as I mentioned previously, legacy applications. So moving applications into the cloud, um, upgrading them from older on prem, um, and you know, services that they had in the past is one thing that we're working on agencies with. Um, another thing that Christine mentioned is the identity proofing piece. So every single state, um, was hit really hard during COVID especially with unemployment claims, um, and there was a lot of lost money over fraud and unemployment claims. So there is a big push every state to. That I talk to and almost every agency um is very focused on identity proofing. And as Christine mentioned we integrate with identity proofing vendors that can provide the um, IL1 or IL2 or even three requirements. Um, and our part in that is to um, provide the underlying flows that will redirect users, track which applications require IL1, 2 or 3, you know, and that access and then we provide the authorization around accessing those services and the identity proofing that goes behind it. Um, other types of things that we're working on states with is an emerging field is mobile driver's license and verifiable credentials which is becoming quite a big area. Um of um talk around a lot of the agencies and states that I talk to. Um, you know, for um, you know, regardless of whether it's. And then how they're going to integrate with the other agencies that are potentially issuing or verifying those credentials as well is something that we're working on them with. Um, other things. Tax filing systems is one that we run into a lot. Health care, you know, agencies. 
So those state health care agencies that manage um, health care, you know, claims or that they work with providing benefits to the citizens and then have to partner with um, insurance agencies for example. So there's a lot of use cases that come around health care with uh, things like power of attorney, access to user data, representing healthcare agencies, sharing data with a doctor or healthcare agency and things. There are complex ah requirements around those types of use cases. Um, other things would be um, you know, like police and death certificates. Those agencies we work with as well. Um, a lot of the states are also the, the end goal really is to centralize everything as much as possible. Um and every state sort of does it differently because they're, they're separate. So um, you know some states have formed a committee and already have the agencies on board as they are selecting a CIAM solution and moving towards a CIAM solution. Other ones are selecting a CIAM solution and then trying to get the individual agencies on board to that solution. So it's an interesting um, dynamic as far as between the centralized government of the state and then how do we get those agencies to buy into these solutions that truly actually will make it better for everyone in the end. Um, being able to offload a lot of that IT debt as we talked about. The more that we can um, offload legacy and potentially vulnerable infrastructure, the better. And the other thing is that um, because we're Okta. We work a lot with the private sector and we learn a lot. Um, because the private sector tends to move a little bit faster. So we work a lot with banking and private healthcare agencies as well. So, so we learn a lot. And then we can take everything we learn around the securing and the migration of those different agencies and use that what we learned from at the state level. And so everyone will benefit from a better experience in the end.
Speaker B: Yeah. So on the government, on the CIAM piece, I think one of the big areas that we've been talking to agencies and governments about is the government to government solutioning. Um, and that for us falls under the CIAM solutioning. And what we're starting to see is, and being in the government, right, when running systems where one government agency owned all the data and I had to get access to that data in their application, usually the other government, I would have to make a request for them to set up a user ID for me and own that user ID of my users in my agency right now. Right. We're able to offset that risk a little bit of the other agencies owning my identities. And now I can own my own identity myself and they can authenticate to me in these government to government applications using our CIAM solution. So that again, we're not having multiple accounts all over. Right. That you're using just for multiple applications. And again, when I was in federal government, when I had to log in in the morning to get access to the main systems, I had to log into 12 applications in the morning. Right. To get access to my data. And so that, and that was on one, I had, uh, three systems. I had an unclass, secret and top secret. Right. That was just on one system. So being able to eliminate the ability and the risk of multiple identities being held by different governments of one person at the end of the day makes you more cybersecure. And I think that is again, for us, that's the CIAM solution as well. And then having that central, you know, centrally managed platform to be able to do workforce and CIAM and government to government solutioning to see what's going on across your threat vectors is critically important.
Speaker A: Okay, finally, um, Christine and Pam, any last thoughts?
Speaker B: Yeah, so I'll go first, Pam, and you can wrap us up for the day if you want. So just. I started off talking about the threat environment and the continuous threat that continues to, number one, get more, more threats are coming at us at a quicker pace and or more sophisticated. And that is where Okta is trying to keep up when we're trying to make it, you get you left of bang is what you know, as we talk about it here at Okta. And so really our platform, having that centralized managed platform to look at the threats that are coming in and we have workflows, right, that'll kick off things to your SOC that allow you to take actions on things. And then we have our identity threat protection new release for us this year where we're integrated with applications at your endpoints and other places within your environments where we're getting all those alerts coming into Okta. And depending on what the alerts are and the alert levels, we can do a universal logout right away so that a user doesn't have to horizontally go through your systems. We can log them out right away and you stop that horizontal movement of a threat actor coming. Or the other option is right. You could actually make them have to re authenticate. There's other things that we can do with universal, with the identity threat protection when we see someone that doesn't look like who they should be on your systems and they may pose a risk and you know, kind of have an increased risk score. So that is when I was in the government, I wish I had this um, all day long so that I felt more secure and I could sleep better at night. And so it is really a unique capability that's part of our overall platform as we go forward here at Okta, continuing to allow us to be proactive against the threat. And I think the threat again that ah, this most goes to being proactive against are those cyber supply chain attacks.
Because if you're, if you're looking at your platform and your supply chain vendors and how much has to go into that and 95% of the attacks right now are through supply chain attacks. This allows you to identify those very quickly, do the universal logout while you investigate it and determine if that identity is supposed to be on your platform or not while allowing you to safeguard your assets.
Speaker C: Just to add to that, Christine, great points, but one more thing I wanted to add was um, uh, something else that Okta is an innovative company and what we, something that we recently released is fine grain authorization, um, which is another tool to really help state and local governments, um, reduce access at a very granular level to specific resources that specific users are able to access. Um, and this, you know, the more that we can narrow down and make sure that we have, are following these least privilege um, access policies that also will significantly reduce that threat landscape as well.
Speaker B: Yeah, like that CJIS data, right, for that CJIS data to track that CJIS data through your system, so you know who should have access to it at what time? Right there. So wrap back up with CJIS 10/1 deadline.
Speaker A: Some great points there. Well, Christine Halvorsen and Pam Van Meter, thank you so much for taking a few minutes. Share your respective, uh, insights and perspectives on, um, you know, how these tools can really help state and local agencies, uh, better manage, um, their customer experience and their security. So thank you both for being with us.
Speaker C: Thank you.