15 December 2025

Industry Exchange Cloud 2025: Delinea’s Tony Goulding on how to achieve 3 pillars of ICAM

Identity, credential and access management, a foundational pillar of zero trust, centers on three key elements: widespread use of phishing-resistant multifactor authentication, elimination of unnecessary administrative privileges and continuous monitoring and authorization.

Tony Goulding, cyber evangelist at Delinea, said one area where agencies are seeing the most success is deploying phishing-resistant MFA.

The Office of Management and Budget’s M-22-09 memo and the Cybersecurity and Infrastructure Security Agency’s accompanying guidance expect agencies to use phishing-resistant multifactor authentication whenever possible.

While CISA’s guidance is somewhat flexible, emphasizing that “any form of MFA is better than no MFA,” it still reinforces that phishing-resistant methods should be the end goal for ICAM and zero trust.

“In a perfect world, and really aligning with the spirit and the direction of OMB as well as CISA, it means that you’ve really got to try hard to get this MFA in place,” Goulding said during Federal News Network’s Industry Exchange Cloud 2025.

Making progress on multifactor authentication

But some applications and use cases simply cannot support phishing-resistant MFA, particularly older systems that were never designed to accommodate hardware tokens, he pointed out. Temporary contractors also pose hurdles since agencies often cannot easily issue full Personal Identity Verification or Common Access Card credentials.

And in other cases — including legacy environments or remote devices — the technical limitations make deploying modern authentication methods challenging.

“Those are scenarios where organizations are employing, pretty much across the board, a migration plan to replace or migrate their applications and their systems to more modern systems that can accommodate phishing-resistant MFA. Of course, there’s an element of cost and logistics in doing that because you’re going to have to spend money to do it. You’re going to have to update processes. But it is a path that the majority of the organizations that we deal with are actually taking,” Goulding said.

Doing away with excessive access privileges

The second key element of ICAM — eliminating standing administrative privileges — is forcing agencies to reevaluate the thousands of high-privileged accounts scattered across their networks. Privileged identities, often created out of convenience, represent one of the most exploited attack vectors, Goulding said.

In many organizations, particularly those running Linux and Unix environments, administrators create local privileged accounts that typically have full privileges and are rarely monitored, making them a prime target for attackers, he said.

“The first step is eliminating those that are unnecessary and then allowing the administrator to use their existing identity. They may have an ID account, for example, that becomes the only account that they will use, and it needs to have minimum rights,” Goulding said. “The third thing is that you then give them the ability to elevate their privileges when they need to elevate their privileges for a legitimate administrative purpose.”

He added, “Those are three of the key things that we’re seeing agencies make tremendous strides in deploying.”

Embracing real-time continuous monitoring

The final must-do, Goulding pointed out, is continuous monitoring and authorization. Admittedly, this remains a persistent challenge across the agencies, he said.

“No more point-in-time checks — you want to move more toward evidence-driven, ongoing verification,” Goulding said.

“We’ve actually been very successful in enabling our customers, both agencies and commercial, because our solution generates a stream of identity and access and privileged access signals. Things like elevation request: Elevation is important because if you’re doing least privilege, then you’ve got to give legitimate administrators the ability to elevate privilege just in time — when it’s necessary to do that.”

Session recording — long considered valuable but rarely used due to lack of staff to review recordings — is another area where monitoring is evolving. Goulding said artificial intelligence now allows agencies to automatically scan session recordings on Linux and Windows systems, flagging unusual behavior such as if shadow accounts are created or attempts are made to add additional privileges to a low-privileged, compromised account.

“These session recordings are gold, but they’re never actually reviewed. So automation can really help in making sure that that happens,” he said.
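To make the kind of automated review described above concrete, here is an added example (not from the article and not Delinea's product) that uses simple rules, rather than AI, to flag account creation and privilege additions in a recorded Linux shell session. The transcript, the admin group list and the finding names are constructed assumptions.

```python
import shlex

ADMIN_GROUPS = {"sudo", "wheel", "root", "adm"}      # assumed admin groups
READ_ONLY = {"cat", "less", "ls", "grep", "stat"}    # commands that cannot change a file

# Constructed sample: (session user, command typed) from a recorded shell session.
SAMPLE_SESSION = [
    ("svc_backup", "ls -la /var/backups"),
    ("svc_backup", "sudo useradd -o -u 0 -m sysupd"),
    ("svc_backup", "sudo usermod -aG sudo,docker svc_backup"),
    ("svc_backup", "echo 'svc_backup ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers.d/backup"),
    ("alice", "sudo useradd -m contractor7"),
    ("alice", "grep useradd /var/log/auth.log"),
]

def opt_value(argv, names):
    """Return the argument following the first option in `names`, or None."""
    for i, arg in enumerate(argv[:-1]):
        if arg in names:
            return argv[i + 1]
    return None

def classify(command):
    """Return the findings raised by one recorded command line."""
    try:
        argv = shlex.split(command)
    except ValueError:                            # unbalanced quotes in the recording
        argv = command.split()
    while argv and argv[0] in ("sudo", "doas"):   # look past elevation wrappers
        argv = argv[1:]
    if not argv:
        return []
    prog, findings = argv[0].rsplit("/", 1)[-1], []
    if prog in ("useradd", "adduser"):
        findings.append("account-created")
        if opt_value(argv, ("-u", "--uid")) == "0" and ("-o" in argv or "--non-unique" in argv):
            findings.append("duplicate-uid0")     # second account sharing root's UID
    if prog == "usermod":
        groups = opt_value(argv, ("-G", "-aG", "-Ga", "--groups")) or ""
        if ADMIN_GROUPS & set(groups.split(",")):
            findings.append("admin-group-added")
    # Any non-read-only command that names a sudoers path is worth a look.
    if prog not in READ_ONLY and any(a.startswith("/etc/sudoers") for a in argv[1:]):
        findings.append("sudoers-touched")
    return findings

def scan(session):
    """Return (line number, user, finding) for every flagged command."""
    return [(n, user, f) for n, (user, cmd) in enumerate(session, 1) for f in classify(cmd)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_SESSION):
        print(alert)
```

Matching on the parsed command rather than on substrings is what keeps the `grep useradd` line from raising a false alert.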

Looking ahead, Goulding warned agencies about “not falling into the trap of trying to cherry pick best-of-breed parts of a solution.” Instead, he recommended that agency teams embrace modern cloud-native software-as-a-service platforms that can scale, update and integrate easily.

The post Industry Exchange Cloud 2025: Delinea’s Tony Goulding on how to achieve 3 pillars of ICAM first appeared on Federal News Network.

© Federal News Network
