Building trust at the speed of mission: Why identity is the new frontline in DoD cybersecurity

Identity is more than a credential in today’s dynamic cyber environment — it’s the new security perimeter. For the Department of Defense (DoD), where secure, real-time access to systems and data is critical to mission readiness, identity has become central to how it defends against threats.

“Identity has always been a very important security construct,” said Sean Frazier, federal chief security officer at Okta, a leading identity and access management company. “You really can’t start securing something until somebody tries to log in to get access to data.”

Frazier, who oversees Okta’s FedRAMP Moderate, FedRAMP High and DoD Impact Level 4 (IL4) environments, explained that as attackers increasingly attempt to exploit identity as a primary attack surface, agencies have had to quickly adapt.

“The DoD realized this earlier than most, and I think that we were still a little bit unprepared when they first started doing that,” he said. “It started with MFA, then it became strong phishing-resistant MFA. Now we’re incorporating things like passkeys and trying to get rid of passwords altogether.”

But adversaries are rising to meet evolving capabilities. Well-funded nation states are deploying deepfakes, social engineering and advanced AI-powered techniques to exploit sensitive and confidential data. Without proactive measures, agencies are locked in a cycle of reaction.

“You’ll have an incident that might point to something that’s problematic in your infrastructure, and you’ll fix that,” Frazier said. “But then the attacker will just move laterally or up or down, or wherever they need to go and attack another part of your infrastructure.”

To outpace threat actors, identity must be embedded from the start.

“You should be thinking about: What are the security constructs and the foundation of security I need to build, and how does that impact my user experience?” Frazier said. “Those are the two things you always have to have in your brain when you field anything.”

A strong identity culture is just as critical as technology

Even the best tools need a well-prepared workforce to be truly effective. DoD agencies must instill an identity-first mindset across their organizations, from vendors to everyday mission users.

“Everyone thinks they can solve all the problems with technology,” Frazier said. “But you need a strong foundation of security, both from a cultural perspective and your security practitioners.”

That begins during application development, with systems built to enforce security at every layer, and should encompass training for internal teams to recognize suspicious or abnormal activity.

“They have to be situationally aware of things they log into,” said Frazier. “If things look different, they have to be able to tell somebody.”

At the same time, however, security controls can’t be overly burdensome. Agencies must strike a careful balance between protection and productivity because if secure access becomes too complex, users often find workarounds in the form of shadow IT.

“A user will say, ‘My organization doesn’t give me what I need, so I’m going to download an app and do it myself outside the security protections that the enterprise provides for me,’” said Frazier. The stakes are especially high for defense missions, where every second counts and sensitive information must remain protected.

“You want the users to get access to the data as quickly as they want to get access,” said Frazier. “But you still have to provide a secure mechanism to do that.”

Scaling smart access with automation and AI

When identity is treated as the foundation of cybersecurity, it unlocks new capabilities: passwordless authentication, real-time risk detection and adaptive access for users, systems and even non-human entities.

That’s where Okta’s identity platform comes in. Its services — spanning access management, identity governance, posture control, privileged access and identity threat protection — integrate across cloud and on-prem environments to give agencies centralized visibility and control. These capabilities are designed to work across domains, making them especially relevant for DoD environments that require secure interoperability between classified and unclassified systems.

“This is what we do for a living, we think about this every single day,” said Frazier. “We’re constantly using ourselves as patient zero for our own employees to figure out what the right balance is for security versus usability.”

To manage the tens of thousands of DoD users and constant permission changes, Okta’s approach leverages automation.

“When I need to have access to a system, I need to be able to provision an entitlement to that system very quickly,” he said. “If something bad happens from a security perspective, I have to be able to tear that down very quickly, and I can’t have a human being in the middle of that.”

Okta’s AI engine helps deliver on that need by analyzing signals from its platform and across a trusted partner ecosystem, including vendors like CrowdStrike and Zscaler. These signals inform policy decisions based on device posture, behavioral context and risk, ensuring that access decisions evolve with the user.

“Trust degrades over time,” Frazier said. “The whole concept of ongoing validation and evaluation is important and you have to do that at wire speed with as little friction as possible. The only way to achieve this is with AI.”

Looking ahead, Frazier noted that agencies must prepare for the exponential challenge of agentic AI — autonomous agents acting on behalf of users to carry out tasks. Each one will require credentials, policies and oversight just like their human counterparts.

“It’s not just about protecting one person’s login anymore, it’s about managing the credentials of 50+ agents working for that one person,” he said. “When you get to agentic AI for the DoD, you’re talking about millions and hundreds of millions. Doing that at scale is going to be really hard, but we have to start planning for that now.”

No matter what’s on the horizon, identity remains the constant. Okta helps agencies establish a secure foundation and implement intelligent, adaptive solutions that allow defense leaders to enforce trust before, during and after access across every user, every domain and every mission.
