Quarkside

21/02/2011

Identity Icebergs to sink Universal Credits

Does the Cabinet Office talk to the Cabinet Office – or any other Department for that matter? Last week’s Local Government Delivery Council also had two related presentations: “Identity Assurance for Public Services” by the Cabinet Office and “Employee Authentication Services (EAS)” by DfE and DWP.

Put these into the context of “HMG CTO Council – Government Employees Strategy for management of Identities – Version 1.1 – 1 February 2011”. This noble document has some excellent content as far as it goes – but look at the juicy bits it deems out of scope.

  • “Access control of data within a single system or organisation
  • Entitlements of a validated identity within a single system
  • Authorisation services and other capabilities enabled by identity management
  • Citizen and Individual authentication even for access to government services or visitors to government sites
  • Identity Management of systems, devices and other entities
  • Audit and accounting requirements other than by reference to their need.”

Most, if not all, of these are required by real live systems, especially in Local Government. They are probably the hard bit where most guidance is needed. Federated identity management protocols do understand how to include these options. For example, the use of Shibboleth 2 in the education sector can easily differentiate between children and teachers in Web-based application systems.

EAS has been around for years in DWP. It has recently been used for the “Tell Us Once” (TUO) project, authenticating for multiple agencies handling common citizen data. They have discovered the need for, and have implemented, some employee attributes that allow differential access to application systems. This is out of the scope of the strategy above, but they found they had to do it. Every Local Authority (LA), and there are hundreds of them, needs guidance on this because most do not have the internal skills and knowledge to interoperate with external identity providers (like EAS, but there are lots more). A common standard for federating identity, supported with standard software, is the only sensible way to proceed.

Finally, there was a bombshell from the Cabinet Office. As part of the stakeholder engagement process, they presented “a federated approach through which a person is able to assert a trustworthy identity”. Here are some of the enlightening aspects of a working federated system:

  • delivered for DWP Universal Credits in April 2012
  • provided ‘by the market’, presumably meaning non-funded
  • dependent on external verification of identity by third parties (such as banks) selected by the citizen
  • LAs will provide an Identity Hub which collects personal data and matches with the external credentials (this is a minefield, not just icebergs)
  • links with biographic, health, wealth and education data by attributes
  • links with DVLA
  • links with an ‘official’ address file
  • not dependent on a centralised identity register
  • Oh, and by the way, it will run on the GCloud. Trebles all round.

The aspirations are wonderful, straight out of the junior management consultant’s handbook, but three simple questions illustrate the risks involved:

  1. Does the Identity Management industry, working with hundreds of LAs, have the capacity to deliver in such a timescale?
  2. Does the Cabinet Office (or anybody else?) have a Technical Architecture that is fit for purpose and compliant with the CTO Council strategy?
  3. Identity management ignorance crippled the development of ContactPoint – why is it so much easier and simpler for Universal Credits?