Zero Trust Security Takes Center Stage with NIH’s Identity-as-a-Service Solution

In today’s digital age, remote work has become the norm, even in research-based roles. With this shift, The National Institutes of Health (NIH) is seeking a modern, cloud-based solution to manage identity and access, which will support researchers as they work outside of NIH facilities. This move is also a response to the unique IT challenges highlighted by the COVID-19 pandemic.

On Feb 21, 2023, NIH issued a request for information, searching for vendors who can provide Identity, Credential, and Access Management (ICAM) solutions. The goal is to find a vendor to transition the agency’s on-premise identity capabilities to a more efficient and secure software-as-a-service (SaaS) model. By adopting a zero-trust security architecture, NIH aims to safeguard against potential threats and mitigate risks by implementing advanced web authentication, directory services, and secure access service edge (SASE) services in the cloud.

Strengthening Cybersecurity Measures: NIH’s Zero Trust Roadmap

Like so many organizations, NIH is shifting to zero trust, a security model praised for significant security improvements and reduced costs and complexity. And crucially, NIH believes the envisioned identity-as-a-service solution will provide key pillars of their zero trust roadmap.

Zero trust is a security model that requires strict authentication and authorization for every access request, regardless of whether the access request originates from inside or outside the network perimeter. Essentially, all users, devices, and applications are treated as potential threats. Each access request is verified and authorized based on contextual information such as device health, user identity, location, and other factors. This context-aware logical access boundary is something NIH is especially interested in.

Critically, zero trust helps to address the security risks associated with remote access to sensitive data and systems. With a zero trust approach, remote users must authenticate and be authorized for every access request, even if they use a trusted device or network. This ensures that only authorized users with a legitimate need can access sensitive data and systems.

Zero trust also enables granular access controls, which allow organizations to limit access to specific resources and data based on the user’s role, responsibilities, and business needs. This helps to reduce the risk of unauthorized access or data breaches, especially in scenarios where remote workers may be accessing sensitive data from personal or unmanaged devices. In short, Zero trust enables organizations to better protect their data and systems while allowing remote access for their workforce.

What Does the Request for Information Say? And What Is the NIH Looking To Achieve?

According to the RFI, the target state for NIH’s managed resources access involves using enterprise-level Secure Access Service Edge (SASE) and Identity as a Service (IDaaS) platforms.

SASE is a cloud-based security model that aims to simplify network security by consolidating a range of security services into a single platform. It integrates multiple security services, like secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and zero trust network access (ZTNA), into a single platform. It also uses advanced technologies like artificial intelligence and machine learning to monitor and analyze network traffic in real-time, detecting and mitigating threats before they can cause damage.

Now on to IDaaS. IDaaS enables organizations to manage user identities, access privileges, and authentication centrally through the cloud. It provides a secure and scalable approach to identity management by leveraging cloud infrastructure and modern authentication protocols such as OAuth and OpenID Connect.

The hope is that these SASE and IDaaS platforms will offer a wide range of security and networking capabilities that grant access to NIH’s cloud and on-premises applications and infrastructure. Specifically, the RFI is asking for SaaS products offering:

1. Web Authentication: Allows users to verify their identity and access NIH –managed web resources
2. Directory Services: Allows NIH to store and maintain information about NIH users and resources
3. Secure Access Service Edge (SASE): Allows NIH to facilitate secure access to cloud and on-premises NIH resources by bundling network and security-as-a-service functions.

The SASE and IDaaS solutions will also provide features such as limited access, allow/block access, multi-factor authentication, blocking legacy authentication, and enforcing password resets. Furthermore, NIH plans to use Continuous Monitoring and Diagnostics tools to ensure the effectiveness and security of future solutions the selected vendors offer.

Final Thoughts

NIH’s request for information for Identity, Credential, and Access Management (ICAM) solutions reflects a shift toward a modern, cloud-based approach to identity and access management. It also highlights the organization’s commitment to its zero-trust roadmap. Adopting a zero trust security model is critical to strengthen cybersecurity measures in today’s increasingly hostile cyber threat climate.