How Identity and Access Management Almost Got Me Shot
Posted by: Tristan Morris
Published: July 19, 2021, 8:47am
In 2013, I was deployed to Camp Dwyer in Helmand, Afghanistan as a cryptologic linguist. As a linguist, I reported to the Marine Corps, but I also fell under the purview of the NSA and had a TS-SCI (Top Secret – Sensitive Compartmented Information) clearance. My whole team did. As far as clearances go, that’s about as high as you can get, with the “SCI” designating that you’re allowed access to specific information that’s squirreled away from general access–even for TS holders.
When we first landed on Dwyer, we were immediately shuffled into a waiting area while all our documents were checked. We were read a list of do’s and don’ts by an amazingly bored woman–who I’m sure would rather have been petting porcupines than giving us a rote speech at 0245 in the morning–and given a general layout of the base. Somewhere in her droning monotony, we were told to stay away from the wall. No biggie, makes sense, the wall is the edge of camp and you shouldn’t go near it unless you need to.
Anytime we were out and about on base, we had to have our ID with us. Walking to work? ID in your pocket. Going for a run? Better get an armband to slide your ID into. Taking a shower? Drop your ID into your shower kit, you never know. If I left the confines of the base for any reason, even just to work right outside the gate for a shift verifying the identities of local nationals coming in to work for the day, then when I turned around and looked at the guard who had been staring at the back of my head all day, I had to pull out my ID, give him my unit information, and he’d radio in to make sure I was clear to come back inside.
Now you’d think, with all our special secret squirrel designations, that my team and I would be pretty untouchable within the confines of the camp. Even then, though, there were areas that required further verification. Of course, there was our secure Sensitive Compartmented Information Facility (SCIF). By any realistic measure, it was just a windowless plywood shack. But our shack had high-speed internet, a pallet of Ramen Noodles, and working AC to keep our gear cool, so it was practically the Ritz Carlton by deployment standards. To reach our SCIF, we had to cross a barbed-wire fence through a locked gate and walk 40 feet across a completely barren courtyard under the watchful eyes of several cameras, and that was just to get to another locked door that led inside. But even if I just wanted to get into the chow hall, I had to show my ID to a guard at the front so he could verify I hadn’t already come in for that meal period. As you walked in he’d scan your ID, double-check it was yours, and make you sign a logbook. All for some pancakes that, frankly, made one long for the fine dining experience of a Waffle House.
And then there was the wall. Turns out, the agonizingly bored woman wasn’t just talking about the base perimeter. On the farthest edge of the camp, there was a 20-foot high interior corner. To uninformed residents, that corner just looked like it was part of the outer boundary. But if you came within 100 feet of the base of that wall, a very large, very bearded man would suddenly pop up behind a mounted machine gun you hadn’t noticed was there, and he would very loudly–one could almost say rudely–encourage you to rethink the last few seconds of choices you’d made. You may be wondering: Tristan, why can you describe this experience so well? Because it’s precisely what happened to me in the middle of a run at 1230 AM. As I approached the far end of the road and felt the relief that hitting my turnaround point brought, a spotlight kicked on and the large bearded man on the wall let me know I could go home early. I’m not much of a fan of running, and less so of getting shot, so I dutifully listened and headed back to take a shower (ID in hand, of course).
For my team leader, the fact that there was an area we–with our TS-SCI clearances–couldn’t come within spitting distance of really got stuck in his craw, and one day he decided to solve this mystery. He pulled up a copy of the base directory and called every phone number that didn’t have a name listed next to it, asking “Are you the guys with the big guns behind the wall?” until he got the answer he was looking for. Now, we could have wound up in a whole heap of trouble if the guy on the other end of the line was a stickler, but it’s important to understand that we were immensely bored. Our team leader explained who we were, what we did, and that there was no official business for the call other than a relentless curiosity. After about 15 minutes, he hung up the phone and told us to put everything to sleep for a bit and meet him at the team truck outside. He drove us straight at the wall. As we all came to terms with the fact that we were about to die, the gate opened and we were let inside. Turns out we had been invited to lunch at a private chow hall for [REDACTED]. They had a full grill, made-to-order sandwiches, an Italian buffet, and lobster. In Afghanistan, a land-locked country… They. Had. Lobster. The man who had picked up the phone escorted us, and there were no fewer than two other people keeping eyes on us at all times. When we were done he brought us back to the gate and left us with the advice to never do that again, which we obliged.
At this point, it shouldn’t take much to deduce why I’ve told you all this.
Recently, Identity and Access Management (IAM) has taken a spotlight role in cybersecurity. The explosion of applications and resources that live in the cloud, the ever-growing reliance on third-party providers for management and services, and the dispersal of the workforce have driven IAM right to the front of the line for security concerns, and led to new models for identity and access governance such as zero trust. It can be tough to shift mindsets, re-orient security and implement new models to adapt to these changing needs, especially if IAM has never really been a concern before. But when it comes right down to it, the concepts and practices that build a good IAM foundation and governance program are pretty simple:
- Determine your perimeters
- Decide who can cross those boundaries and when
- Validate the access of personnel
- Monitor for access breaches
So let’s go back over my time in Camp Dwyer and look at that experience through those four steps.
First, the perimeter of the base was well defined, with every foot of the wall plotted exactingly on a map. It was incredibly easy to know if you were inside or outside, not only because if you were outside you were staring at a 20-foot wall, but also because there were specific, regimented steps you had to take to get inside. Once inside, there were further controls in place to ensure everyone was where they were supposed to be. That’s step one of creating an IAM program for your organization: you have to know exactly what it is you’re trying to protect. Once you establish that perimeter, you also have to identify what the most critical assets are and decide if they need further protection. If you don’t have an exact inventory of the things that sit inside your “wall” vs outside, you can spend all the time you want on steps 2 through 4, but you won’t accomplish much.
So you’ve got your perimeter. Now what? Well, to get into the base, every person had to be registered and have proper identification that followed them everywhere. That identity was the foundation of where you could go in the base and when. If it wasn’t chow time, you weren’t getting into the chow hall unless your identity said you were a cook. And if you did try to go into an area you weren’t authorized for, you were informed in no uncertain terms that you should turn around and do literally anything else. That’s step two of creating a successful IAM strategy: make an inventory of exactly who should be able to cross your perimeter, where they can go and what they can access inside those bounds, and when they should be able to access those resources.
Once you know what you’re protecting and who can access it, you need to establish a way to validate identities and have a system for approving access in circumstances that warrant it. Think back to the wall. There was never a moment in my career when I didn’t hold a TS-SCI clearance, but that didn’t protect me from the big man on the wall when I was out for a run. If I had simply said “Oh no, it’s fine! I have a TS-SCI!” and kept running on my merry way, you very likely wouldn’t be reading this blog today. A clearance level says how far you can be trusted in general; it says nothing about whether you have a need to know what sits behind a particular wall, and the guard enforced the second question, not the first. But when our team leader called ahead and explained who we were, we were given unique access no one else on base had. They had a system in place to verify we were who we said we were, and they justified letting us in, once, because establishing that relationship could be beneficial for them.
But remember, once we were inside that magical boundary and eating food we’d practically forgotten the existence of, we were still monitored closely for any deviation from the approved activities. When we left, I’m sure every single step we took past that gate was dutifully logged and tagged with our identities, so that if they ever needed to they could pinpoint exactly where we’d gone, what we’d touched, and likely what we’d observed. It’s not enough to simply enforce who can access what information in your organization; you have to be able to audit that access and trace what happened while they were inside that perimeter.
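The four steps above map directly onto the pieces of an access-control decision point: an inventory of assets with their sensitivity, principals whose identity carries clearance, compartments and roles, a check that enforces level, need-to-know, time window and explicitly approved one-off exceptions, and an audit trail of every decision. The following is an added illustration written for this page, not code from the original post or from GuidePoint; the resource names, clearance levels, compartment tags ("SI", "WALL"), meal windows and the approver name are all constructed to mirror the story. The point it makes that the narrative only implies: a principal with the highest clearance level is still denied a compartmented asset, and an approved grant is single-use and expires.

```python
# Added example (not from the original post): a toy IAM policy decision point that
# mirrors the four steps. All names, levels, tags and windows are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time


# Step 1: inventory what sits inside the "wall", with sensitivity per asset.
@dataclass(frozen=True)
class Resource:
    name: str
    min_clearance: int                     # 0 = any registered person, 3 = TS
    compartments: frozenset = frozenset()  # need-to-know tags required on top of level
    windows: tuple = ()                    # (start, end) time-of-day pairs; empty = any time
    one_entry_per_window: bool = False     # chow-hall rule: one entry per meal period


# Step 2: who may cross, carrying an identity that follows them everywhere.
@dataclass(frozen=True)
class Principal:
    pid: str
    clearance: int
    compartments: frozenset = frozenset()
    roles: frozenset = frozenset()


@dataclass
class Grant:
    """Step 3: an explicitly approved, time-boxed, single-use exception."""
    pid: str
    resource: str
    approver: str
    expires: datetime
    used: bool = False


@dataclass
class Gate:
    resources: dict
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # Step 4: every decision is logged

    def _window(self, res, now):
        t = now.time()
        for start, end in res.windows:
            if start <= t <= end:
                return (start, end)
        return None

    def _log(self, p, name, now, allowed, reason):
        res = self.resources.get(name)
        self.audit.append({"at": now, "pid": p.pid, "resource": name, "allowed": allowed,
                           "reason": reason, "window": self._window(res, now) if res else None})
        return allowed, reason

    def authorize(self, p, name, now):
        res = self.resources.get(name)
        if res is None:
            return self._log(p, name, now, False, "unknown resource: not in the inventory")
        # An approved, unexpired, unused grant beats the standing policy exactly once.
        for g in self.grants:
            if g.pid == p.pid and g.resource == name and not g.used and now < g.expires:
                g.used = True
                return self._log(p, name, now, True, f"one-time grant approved by {g.approver}")
        if p.clearance < res.min_clearance:
            return self._log(p, name, now, False, "clearance too low")
        missing = res.compartments - p.compartments
        if missing:  # clearance level alone is never enough for a compartmented asset
            return self._log(p, name, now, False, f"missing compartments: {sorted(missing)}")
        if res.windows and "cook" not in p.roles:
            w = self._window(res, now)
            if w is None:
                return self._log(p, name, now, False, "outside access window")
            if res.one_entry_per_window and any(
                    e["pid"] == p.pid and e["resource"] == name and e["allowed"]
                    and e["window"] == w and e["at"].date() == now.date() for e in self.audit):
                return self._log(p, name, now, False, "already entered this period")
        return self._log(p, name, now, True, "policy allows")


# Constructed sample inventory and identities (hypothetical tags and windows).
RESOURCES = {
    "base": Resource("base", 0),
    "chow_hall": Resource("chow_hall", 0, one_entry_per_window=True,
                          windows=((time(6), time(8)), (time(11, 30), time(13)), (time(17), time(19)))),
    "scif": Resource("scif", 3, compartments=frozenset({"SI"})),
    "wall": Resource("wall", 3, compartments=frozenset({"WALL"})),
}
LINGUIST = Principal("linguist-1", 3, compartments=frozenset({"SI"}))
COOK = Principal("cook-1", 0, roles=frozenset({"cook"}))


def run_scenario():
    """Replay the story's access attempts; returns (decisions, audit trail)."""
    gate = Gate(RESOURCES)
    d = datetime(2013, 6, 1)
    results = [
        gate.authorize(LINGUIST, "scif", d.replace(hour=9)),                    # allowed
        gate.authorize(LINGUIST, "chow_hall", d.replace(hour=12)),              # allowed
        gate.authorize(LINGUIST, "chow_hall", d.replace(hour=12, minute=30)),   # denied: second entry
        gate.authorize(COOK, "chow_hall", d.replace(hour=3)),                   # allowed: cook role
        gate.authorize(LINGUIST, "wall", d.replace(hour=0, minute=30)),         # denied: TS but no WALL
    ]
    gate.grants.append(Grant(LINGUIST.pid, "wall", approver="wall-duty-officer",
                             expires=d.replace(hour=14)))
    results.append(gate.authorize(LINGUIST, "wall", d.replace(hour=12, minute=15)))  # allowed once
    results.append(gate.authorize(LINGUIST, "wall", d.replace(hour=12, minute=45)))  # denied: grant used
    return results, gate.audit


if __name__ == "__main__":
    for (allowed, reason), entry in zip(*run_scenario()):
        print(f"{entry['at']:%H:%M} {entry['pid']:<11} {entry['resource']:<9} {'ALLOW' if allowed else 'DENY ':<5} {reason}")
```

The grant check runs before the standing policy so that an escorted visit to a compartment you do not hold can be approved, but it is consumed on first use and carries an expiry, and the denial for the linguist at the wall is recorded in the same audit list as the approvals, which is what makes step four possible: the log answers both "who got in" and "who tried".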
Setting up an IAM and governance program can be daunting because there are so many things to think about and so many small choices to make, but if you step back and think about these four pillars you can get a solid start on building your IAM program. And if it still seems like too much, or you just want some help on the way, GuidePoint’s IAM service offerings can give you a boost, or our team can help you with every step along the way. Of course, we can’t provide bearded men with automatic weapons to monitor your organization, but we’ll get you the closest thing we can.
Tristan Morris
Cybersecurity Solutions Marketer,
GuidePoint Security
Tristan Morris started his cybersecurity career in 2010 as a cryptologic linguist in the US Marine Corps, where he learned the fundamentals of security and threat hunting. At the end of his enlistment in 2015 he began using his skills, knowledge, and perspective to build training and education labs and CTF events by re-creating advanced attack lifecycles to construct realistic datasets for lab attendees to hone their skills. He has spoken at large security conferences and events from Black Hat to Singapore International Cyber Week.