INCA Blog
Wednesday, 26 April 2017 07:18
Most governments are rushing to deploy on-line services. They have no choice: it’s too expensive to maintain other channels, and millennials would have it no other way.

This means that there is a need for an authentication service that provides access to government services, and most governments are addressing the issue by developing a central facility that becomes a ‘one-stop-shop’ providing access to services across multiple departments or ministries.

There are basically two frameworks being adopted: a persistent ID system that establishes an identity store, and a transitory ID approach in which no government ID store is required. A summary of the benefits of each approach is:

Persistent ID

This approach is by far the most widely deployed. In this instance a government agency establishes a central identity provider service to authenticate all users accessing government on-line services. Governments have a large amount of information that they necessarily store on their citizens. They issue driver licences, so they know where we live, our age, what we look like and our driving history. They track medical expenses, so they know how healthy we are and whether we have any chronic illness. Tax returns advise how much we earn and details such as our investments. But while governments hold a wealth of information on citizens, it’s quite fractured, with each department or ministry maintaining its own records. There is typically little ‘sharing’ of information, which means that identity data cannot be leveraged to the degree it could be. One issue is privacy legislation, which restricts data-sharing without consent.

That means that, to develop an authentication mechanism for citizen access across multiple departments, government typically establishes a purpose-specific repository to authenticate users before redirecting them to the requested service. The issue then is to associate an authenticated user with their record(s) within the department or ministry they are accessing. If a citizen is renewing their driver licence, either the authentication facility needs to pass through the driver licence number, if it’s available, or the target department will need to employ other attributes to establish the relationship. Another issue is harmonisation of common data. For instance, when a citizen moves house there is a need for a ‘change it once’ approach whereby an address change is propagated to every department that maintains address detail. Another approach is to federate the identity data across departments and levels of government, but this requires a level of co-operation within government that typically does not exist.

Transitory ID

The alternative to a persistent ID system is what we call a transitory ID framework, in which the government does not create a data store of identity information on its citizens but instead relies on third parties who specialise in providing such services. The major benefit of a transitory ID facility is the elimination of the liability associated with maintaining a data repository of PII. In most jurisdictions there are severe penalties for unauthorised release of identity information, and this represents a significant risk that is avoided if government relies on third parties. It also allows citizens to select the service provider of their choice for the storage and maintenance of their identity data.

But there are some drawbacks:
  • Since there is a reliance on third parties, there is a need to establish rules, and a need for some form of conformance testing to ensure adherence to the rules.
  • There’s a cost component, in that third-party identity providers typically want to be compensated, so some form of payment system is required, and some subsidisation in the commencement phase is required until a sustainable level of transactions has been reached.
  • Since the third party will typically not hold the identity attributes that allow departments or ministries to establish relationships (vehicle registration numbers, for example), the target agencies need to match a user to their record(s) within the department so that the required service can be provided.
The most successful deployment of a transitory identity provider system is in the UK. There are several reasons for this:
  • They have a large enough population to support multiple third-party suppliers.
  • British citizens are fiercely protective of identity information and don’t want government to have any more of their identity data than it has to.
  • The UK has a centralised form of government that makes it easier to enforce a single approach across government (there has already been a large ministry that tried to establish its own authentication mechanism, but it was encouraged not to).
Citizen identity management is an interesting area to watch. It will only grow in importance because on-line services continue to grow in importance and some innovative use of AI is expected that will make our experience with government more pleasurable. Won’t that be refreshing?
Saturday, 01 April 2017 21:45

For the past 5 years cloud services have grown to be ubiquitous, secure and high-performance. Yet just yesterday I was talking to a friend who was lamenting the decision he had to make at work regarding deploying a Microsoft Project server on AWS or Azure. He needed to provide access to team members from two organisations and his company would not allow external people to access their on-premise project server. The cloud is the only way to go for such an application. But while that's so obvious there are some caveats that need to be observed. 

It's important that my friend select a cloud service provider (CSP) appropriately. He needs to evaluate prospective suppliers from an operational risk viewpoint (can you get your files back when you part ways with the CSP?), a technical viewpoint (does the CSP provide adequate security?) and a legal point of view (are the licence terms suitable?).

Then a decision needs to be made on the identity service to authenticate users to the site. Is an access control list going to be maintained on the CSP's site (bad), will there be a synchronisation to AD (not much better), or will the company establish an identity provider service in the Cloud? In this instance a cloud-based federation service to which the other company can interface would be a good idea.

The technology is here folks - let's just use it.

Thx.

Graham


Sunday, 04 December 2016 00:00

There is little doubt that identity management is undergoing its biggest transition since its inception 35 years ago.  The main drivers of this phenomenon are cloud technology and the proliferation of smartphones.


The old regime was characterised by a "prohibition" focus, with access control based on restricting access unless it was specifically permitted.  The guiding policy was the "principle of least privilege", whereby newly hired staff were given accounts that were basically useless, with access to the mail system and little else.


Many spent their first few days at work getting access to the applications required for them to perform their jobs; a great waste of time and money.


The new order is characterised by developing trust relationships, and it is supported by compelling arguments.  Most organisations have gone as far as they can with their existing identity validation facilities.  As access requirements extend to contractors, business partners and customers, a new paradigm is required: trust placed in external identity provider services for the authentication of users accessing protected resources.


Already most of us have Google IDs or LinkedIn profiles that serve to identify us sufficiently for most online requirements.  It makes no sense for a business wanting to sell me something, or a government wanting to provide a service, not to trust my Google ID for this purpose.  They don't need to go to the expense of deploying a website to collect my details, vetting them for accuracy, and managing my details in accordance with legislation.  This is expensive and not necessary.


While the Gov-online initiative in the US has struck a rough patch with funding restrictions, the Verify programme in the UK is overcoming its detractors and is a good example of how trust in IDPs is becoming mainstream.  Australia has softly announced GovPass as the vehicle for government access management at the Federal level, and CIDN in Queensland, Service NSW and Service Victoria are gaining traction.

Watch this space.

Graham

Monday, 17 October 2016 00:00

One of the fastest growing applications these days is SharePoint. There are several reasons for this:

- It provides an easy-to-use document repository

- It provides a collaboration tool for teams to use

- It provides a central communications portal that reflects a company’s organisation structure

So what’s the problem?

Monday, 04 April 2016 10:00

Organisations are somewhere along the continuum from fully manual identity management to fully leveraged identity and access management.

The manual organisations have no interface between their HR systems and downstream applications. System administrative staff must enter user details into each system to which an employee requires access, and there’s no reporting or governance capability. These companies are not only wasting time with data entry and creating errors that cause time wastage across the organisation; they are also encouraging security problems with de-provisioning, because removing entries when staff members leave generally does not occur, or does not occur in a timely fashion. Single Sign-on is only a dream.

In organisations at the other end of the spectrum an employee’s details are entered once, usually into the HR system or, better still, the recruitment system, and then propagated to the SSO facility or the account registration processes of relying applications. Staff have access to the applications they need on the first day of the job and are automatically removed on the last day. Managers get regular reports on the access granted to their subordinates, and management gets governance reports on provisioning activity, authorisation activity and any denied authorisation events. It is to these organisations that this blog is addressed.

Arguably the next big thing is Dynamic Authorisation Management (DAM). If you’ve got a good identity and access management environment you should leverage this infrastructure for fine-grained access control on a real-time basis. With a well-designed DAM environment a user accessing an application will have the request re-directed to a decision engine that interrogates a policy store to determine whether the user should get access and the level at which that access should be granted. The configuration is the standard XACML one:

When the user attempts to access the protected resource, the enforcement point (typically Java code or a .NET library) sends a request to the Decision Point, which retrieves attributes from the Information Point (typically a directory) and runs through the policies that have been entered into the system to determine the user’s rights to access the resource in question.

The beauty of this is it happens in real-time so if a person has been removed from an access group they will immediately be refused access to the resource in question. The other big benefit is the application of a consistent set of policies, typically managed by the business units rather than system administrators.
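The flow above, written out as a small Python model so the moving parts are concrete. This is an added example, not code from the blog or from any DAM product; the directory contents, users, groups, resources and policies are all constructed for illustration. It uses a deny-overrides combining rule and deny-by-default, and shows the real-time point made above: the PIP is consulted on every decision, so removing a user from a group takes effect on the very next request.

```python
"""XACML-style dynamic authorisation: PEP -> PDP -> PIP (added example).

Constructed for illustration; every user, group, resource and policy
below is invented and does not come from any real product or directory.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# --- Policy Information Point (PIP): stands in for the corporate directory.
# Looked up on every decision, never cached, so changes apply immediately.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "alice": {"department": "finance", "groups": {"ap-clerks", "staff"}},
    "bob":   {"department": "sales",   "groups": {"staff"}},
    "carol": {"department": "finance", "groups": {"ap-clerks", "contractor"}},
}

def pip_lookup(subject: str) -> Dict[str, object]:
    """Fetch the subject's attributes at decision time. Unknown subjects get
    empty attributes, which no Permit policy will match."""
    return DIRECTORY.get(subject, {"department": None, "groups": set()})

def revoke_group(subject: str, group: str) -> None:
    """Directory-side change (e.g. HR de-provisioning). No PDP restart needed."""
    DIRECTORY[subject]["groups"].discard(group)

# --- Policy store: business-unit owned rules, one target resource each.
@dataclass(frozen=True)
class Policy:
    name: str
    resource: str
    effect: str                                   # "Permit" or "Deny"
    condition: Callable[[dict, dict], bool]       # (subject attrs, request)

POLICIES: List[Policy] = [
    Policy("ap-clerks-read-invoices", "invoices", "Permit",
           lambda s, r: "ap-clerks" in s["groups"] and r["action"] == "read"),
    Policy("finance-approve-under-limit", "invoices", "Permit",
           lambda s, r: s["department"] == "finance"
           and r["action"] == "approve" and r.get("amount", 0) <= 10_000),
    Policy("contractors-never-approve", "invoices", "Deny",
           lambda s, r: "contractor" in s["groups"] and r["action"] == "approve"),
]

# --- Policy Decision Point (PDP): deny-overrides, deny by default.
def pdp_decide(subject: str, resource: str, action: str, **context) -> str:
    attrs = pip_lookup(subject)                   # real-time attribute fetch
    request = {"action": action, **context}
    decision = "Deny"                             # nothing applicable -> Deny
    for policy in POLICIES:
        if policy.resource != resource:
            continue                              # policy not in scope
        if policy.condition(attrs, request):
            if policy.effect == "Deny":
                return "Deny"                     # any Deny wins outright
            decision = "Permit"
    return decision

# --- Policy Enforcement Point (PEP): the hook inside the application.
def pep_access(subject: str, resource: str, action: str,
               handler: Callable[[], str], **context) -> str:
    """Run the protected operation only if the PDP says Permit."""
    if pdp_decide(subject, resource, action, **context) != "Permit":
        raise PermissionError(f"{subject} may not {action} {resource}")
    return handler()

if __name__ == "__main__":
    print(pep_access("alice", "invoices", "read", lambda: "invoice list"))
    revoke_group("alice", "ap-clerks")            # removed from the group...
    try:
        pep_access("alice", "invoices", "read", lambda: "invoice list")
    except PermissionError as e:                  # ...and refused at once
        print("denied:", e)
```

The same skeleton fits either deployment model discussed below: a stand-alone decision service exposes `pdp_decide` over the network, while a gateway embeds the equivalent of `pep_access` in front of each API it fronts.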

Although there are many variants, there are basically two configuration models that can be used to provide this fine-grained control. The discrete authorisation device is a stand-alone, policy-driven decision engine that services any controlled application or device on the network. The other model is the gateway device, whereby an API gateway controlling communication between systems applies the access control policies. Both configurations use a policy store and a repository of identity attributes. Some products require the policy attributes for users to be stored locally; some will access the organisation’s identity store in real time. Some products are designed for business-unit management of policies; others require a system administrator to manage policies.

Regardless of the solution selected, there is little doubt that dynamic authorisation management holds significant benefit for the advanced organisations that can leverage their identity management infrastructure to significantly tighten their access controls and data loss prevention environment.

Stay Safe - Graham