Quarkside

18/01/2012

Electronic Identities: We need to trust them

Filed under: Governance,Standards — lenand @ 5:34 pm
Tags: , , , ,

The demise of the Id Card Project in 2010 has not removed the growing need for trusted e-Identities (e-Ids) to give access to public sector services. The State benefits from lower administration costs and reduced fraud; Citizens benefit from much simpler and faster application for services. Far fewer errors will be propagated. The Cabinet Office solution is to encourage a market for Identity Provider (IdP) services from any number of accredited suppliers, many of whom should be from the private sector. Public Service Providers (PSPs) will trust the e-Ids from any such IdP. Their architecture diagram below has been largely unchanged for more than a year.

Hub Architecture

Between the IdP and the PSP is the managed “Hub”.  This posting raises a fundamental question about why it is necessary.  There are already well established standards that control the governance requirements for federations of IdPs and PSPs.  One is the OIX model.  

 

OIX Architecture 

This standard does not have a central hub.  It has rules for level of assurance and protection.  It is supported by many international IdPs such as Google, Facebook and Microsoft.  Public service organisations could act as both IdPs and relying parties.

The UK education sector uses a similar model for simplified sign on to multiple services.  Commonly known as Shibboleth, it is governed by the rules of the UK Federation.  It has an architecture that is scalable to millions of users without the need for a hub, see http://www.ukfederation.org.uk/.  It is a governance issue, you either trust other members of a Federation, or you don’t.  What are the problems of using such a federation architecture?  

  

  

Advertisements

21/02/2011

Identity Icebergs to sink Universal Credits

Does the Cabinet Office talk to the Cabinet Office – or any other Department for that matter?  Last week’s Local Government Delivery Council also had two related presentations; “Identity Assurance for Public Services” by the Cabinet Office and  “Employee Authentication Services (EAS)” by DfE and DWP.

Put these into the context of “HMG CTO Council – Government Employees Strategy for management of Identities – Version 1.1 – 1 February 2011. ” This noble document has some excellent content as far as it goes – but look at the juicy bits it deems out of scope.

  • “Access control of data within a single system or organisation
  • Entitlements of a validated identity within a single system
  • Authorisation services and other capabilities enabled by identity management
  • Citizen and Individual authentication even for access to government services or visitors to government sites
  • Identity Management of systems, devices and other entities
  • Audit and accounting requirements other than by reference to their need.”

Most, if not all of these are required by real live systems, especially in Local Government.  They are probably the hard bit where most guidance is needed.  Federated identity management protocols do understand how to include these options.  For example the use of Shibboleth 2 in the education sector can easily differentiate between children and teachers in Web based application systems.

EAS has been around for years in DWP.  It has been recently used for the “Tell Us Once” (TUO) project, authenticating for multiple agencies handling common citizen data.  They have discovered the need for, and have implemented, some employee attributes that allow differential access to application systems. This is out of the scope of the strategy above, but they found they had to do it.  Every Local Authority (LA), and there are hundreds of them, needs guidance on this because most do not have the internal skills and knowledge to interoperate with external identity providers (like EAS, but there are lots more). A common standard for federating identity, supported with standard software, is the only sensible way to proceed.

Finally, there was a bomb shell from the Cabinet Office.  As part of the stakeholder engagement process, they presented  “a federated approach through which a person is able to assert a trustworthy identity“.  Here are some of the enlightening aspects of a working federated system:

  • delivered for DWP Universal Credits in April 2012
  • provided ‘by the market’, presumably meaning non-funded
  • dependent on external verification of identity by third parties (such as banks) selected by the citizen
  • LAs will provide an Identity Hub which collects personal data and matches with the external credentials (this is a minefield, not just icebergs)
  • links with biographic, health, wealth and education data by attributes
  • links with DVLA
  • links with an ‘official’ address file
  • not dependent on a centralised identity register
  • Oh, and by the way, it will run on the GCloud. Trebles all round.

The aspirations are wonderful, straight out of the junior management consultant’s handbook, but three simple questions illustrate the risks involved:

  1. Does the Identity Management industry, working with hundreds of LAs, have the capacity to deliver in such a time scale?
  2. Does the Cabinet Office (or anybody else?) have a Technical Architecture that is fit for purpose and compliant with the CTO Council strategy?
  3. Identity management ignorance crippled the development of ContactPoint – why is it so much easier and simpler for Universal Credits?

Blog at WordPress.com.