Pan-Canadian Identity Assurance Model

September 17, 2013

In October 2008, I wrote a five-part review of identity assurance, based on the framework contained in the Pan-Canadian Strategy for Identity Management and Authentication.  At the time, these blog posts were the only Canadian resource available for analyzing and planning identity assurance.

Since then a number of changes have occurred that have prompted me to update these posts.  For example, an Assurance, Identity and Trust Working Group was established by the national Identity Management Steering Committee.  This team prepared a report, the Pan-Canadian Assurance Model, that provides more guidance and detail than the original framework.

Having said this, the goal of the model remains unchanged; it strives to standardize identity assurance to allow for provincial and federal systems to interoperate.  It is foundational to the broader Pan-Canadian framework, and is key to implementing citizen services across the country.

The identity assurance model is primarily concerned with establishing agreed-to levels of assurance and defining the concepts and terms each party needs to understand.  It has an emphasis on federation and looks to support risk management activities within partnering organizations.

The Pan-Canadian identity assurance model is represented as follows:

[Image: identity_assurance_standard]

While this model is an important input into this blog post series, it needs to be supplemented by real-world experience.  For each topic in the series, I will inject examples from my experience implementing IAM solutions over the past ten years, and provide insight into the opportunities and challenges offered by the model.

First in the series is the post on Information Classification.

Mike


Should government sites use social media login?

August 30, 2013

I’ve been thinking about how the public sector model for identity has changed in recent years from one where the government body controls the credential AND acts as an identity provider, to one where the credential management is delegated to a service provider. Social media login and, at the premium end, SecureKey’s briidge.net are examples of this model.

Social media credentials from Twitter, Facebook and Google are used everyday by millions of Canadians.  Why not leverage these existing accounts to access government services?

The problem I have when talking to clients about these solutions is the assumption that any credential service provider (CSP) will do.  That is, a public organization can (and should) readily accept any common credential, add a layer of identity proofing, create a link back to the credential (for future access) and start counting the costs saved. After all, it is all about citizen choice isn’t it?

This isn’t a simple issue.  There are some fundamental problems with using low-end credentials, such as social media logins, that need to be carefully considered when delegating authentication to a third party:

  • Operational Disruptions — There was a great post from the Basecamp blog a few years ago (since deleted) that described how difficult it was to maintain the link between a credential provider and the site. This post talked specifically to OpenID and how changes to the credential may not be properly shared with relying parties, resulting in support calls and manual fixes. Users would also forget which OpenID account they used, and Basecamp had no automated way to reconnect them.  In the end, disruptions were common for OpenID users, support costs spiked, and Basecamp discontinued its use.
  • Longevity — Which social media credential providers are going to be around for the long run? What consolidations of login services or outright mergers are coming? How might the protocols for social media login change? For a public-sector service wanting to provide stable, long-term services, picking the right credential service providers is extremely difficult.
  • Wrong Message — Social media companies (Google, Facebook, even LinkedIn) often misbehave when it comes to privacy. They routinely run afoul of privacy commissioners and even irritate their user bases when ever-invasive features are introduced.  Given the poor privacy records, should a public-sector website be encouraging the use of social media login to access government services? What are the downstream risks?
  • Convenience — Social media login can certainly save time when it comes to authentication. I use my Twitter account to access Level 1 (low value) services frequently. I’ll admit it is convenient and I like that blogs, news websites and the like offer this option. But convenience is far less important to me when accessing my personal information on a government website. First of all, security and privacy protection matter a lot more. Further, I don’t access these sites all that often so if I have to login (or request an automated password reset) it isn’t that big of a deal to me. What would be more useful would be a common credential for all of a particular government’s services, so that I can experience single sign-on.
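
The Basecamp disruptions above came down to how the relying party kept the link between a third-party credential and a local account. Here is an added example (not code from the original post, Basecamp or any OpenID library) of one way to make that link more robust: key it on the stable (issuer, subject) pair the provider asserts, treat e-mail as informational only, and flag drift for the support desk rather than silently mis-linking or failing the login. The issuer URLs, subject identifiers and e-mail addresses are constructed for the example.

```python
"""Relying-party account linking keyed on a stable (issuer, subject) pair.

Added example; not from the original post. Issuers, subjects and e-mail
addresses below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class LinkedAccount:
    local_user: str
    issuer: str
    subject: str   # identifier the provider promises is stable and not reused
    email: str     # informational only; providers let users change this


class RelyingPartyLinks:
    """Store of credential-to-local-account links held by the relying party."""

    def __init__(self):
        self._by_key = {}             # (issuer, subject) -> LinkedAccount
        self.needs_manual_review = [] # (local_user, old_email, new_email)

    def link(self, local_user, issuer, subject, email):
        """Bind an asserted credential to a local account (done once, after
        identity proofing). Refuse to re-bind a credential already owned by
        a different local account; that is a support case, not an auto-merge."""
        key = (issuer, subject)
        existing = self._by_key.get(key)
        if existing is not None and existing.local_user != local_user:
            raise ValueError("credential already linked to another local user")
        self._by_key[key] = LinkedAccount(local_user, issuer, subject, email)

    def resolve(self, issuer, subject, email):
        """Map an incoming assertion to a local user, or None if unlinked.

        Lookup never falls back to matching on e-mail: an attacker who can
        get an e-mail reissued at some provider must not inherit the account.
        A changed e-mail on a known (issuer, subject) is recorded for review
        but does not break the login, which is what caused the support spikes.
        """
        acct = self._by_key.get((issuer, subject))
        if acct is None:
            return None
        if acct.email != email:
            self.needs_manual_review.append((acct.local_user, acct.email, email))
            acct.email = email
        return acct.local_user

    def issuers_for_email(self, email):
        """Support-desk helper for the 'which account did I use?' call:
        list the providers this e-mail has been linked through."""
        return sorted(a.issuer for a in self._by_key.values() if a.email == email)


def demo():
    """Constructed walk-through returning the outcomes of each step."""
    links = RelyingPartyLinks()
    links.link("mike", "https://idp-a.example", "sub-123", "mike@example.com")
    first = links.resolve("https://idp-a.example", "sub-123", "mike@example.com")
    # Provider lets the user change e-mail; subject stays the same.
    second = links.resolve("https://idp-a.example", "sub-123", "m.new@example.com")
    # Same e-mail asserted by a different provider / subject: not linked.
    stranger = links.resolve("https://idp-b.example", "sub-999", "m.new@example.com")
    return first, second, stranger, len(links.needs_manual_review)
```

The design choice worth noting is that `resolve` consults only the provider-asserted subject; e-mail is kept purely so the help desk can answer "which login did you use?" via `issuers_for_email`, which is the reconnection path Basecamp lacked.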

So what are the benefits of leveraging a social media credential for government websites? Well, for those more trusting than me, convenience and the benefit of having fewer passwords to remember is a definite plus. And cost savings can be significant for large websites, although keep in mind that a full IAM stack is still required — the public sector website will still need to provide their own login service as not all citizens will trust an alternate credential.

Ultimately, social media login for services won’t meet government privacy and security requirements for access to sensitive information. Existing in-house systems and credential solutions (like SecureKey) that specifically address the trust issue will likely prevail.

Mike


Managing Access — an Enterprise Issue

June 4, 2013

I got my start with identity management 20 years ago.  For much of the 90’s I installed and supported networks, and provided system administration services.  In this role I helped enterprises with creating user accounts and granting access to network resources (mostly files, folders and printers).

I’ve recently completed a couple of projects that remind me of those simpler days.  Last year I worked on an enterprise Access Governance project.  This project, for a financial institution, was challenging for me and important to the client.  The primary driver for the project was to answer the auditor’s question ‘who has access to what’.  This organization, like so many large enterprises, needed to have an efficient method of determining which users were accessing which applications, databases and files.

Reporting on this is harder than it seems. The wide range of financial, human resource, marketing and client self-service systems means that access is granted in many different ways.  User accounts are common for enterprise systems (like network login and email) but often unique for ERP, custom or business area-specific applications.  Even if the same network account is used across enterprise applications, reporting on access (security groups, permissions, rights, etc.) is very difficult to automate. As a result, reporting on who has access to what is pretty much a manual exercise that is impossible to carry out without a significant effort.

There are a growing number of tools that are effective in supporting the type and style of access reporting required by enterprises.  But before the tools can be considered, a philosophy of strong access governance needs to be established.  According to Aveksa, a leader in access governance solutions:

… with business-driven identity and access management solutions, companies can empower the business owners to take ownership of identity and access control, provide consistent, full business context across Identity and Access Management systems, connect to the full set of data and application resources, and significantly lower the total cost of ownership

What makes Access Governance difficult is that it is a new concept that is (I think) widely misunderstood.  Executive management are uninvolved unless a breach has occurred that forces them to take interest.  Senior IT management (CIO, Directors) are feeling the heat from auditors, but have no experience with the new Access Governance tools and methods.  Managers are swamped with ‘real work’, and analysts generally consider the whole exercise to be either ridiculously time consuming or impossible.

The trick, I believe, is to get support for Access Governance as high up in the organization as is possible.  That might be the CIO level, or possibly higher if poor compliance reports or breach incidents are a priority for executives.  Only with senior support can a program be established that will deliver on Access Governance and, ultimately, start to lay the groundwork for an appropriate program.

Mike


Recent IAM reading…

January 3, 2013

I didn’t blog or even tweet much over the holidays, but I did manage to catch up on a few good posts and articles while lazing around…

  • The Quest to Replace Passwords — Extensive report on the challenges of replacing passwords (HT @aniltj).  The table on page 11 is worth a good study for anyone interested in how various password-less authentication options stack up.
  • Identity Management on a Shoestring — An excellent report on how to implement IAM in an enterprise without spending years/millions.  Uncanny resemblance to work I’ve been involved with in the past several years, i.e. customized implementations that are not constricted by the cost and complexity of COTS solutions.
  • Economic Tussles in Federated Identity Management — Another excellent paper, this time on the economic issues related to Fed ID.  Points out how successful implementations occur when IdPs, SPs and users all receive benefits.
  • OASIS Identity in the Cloud Use Cases — A list of 29 use cases that are a solid reference for future IAM projects that involve cloud services.  (HT to @RBsTweets.)
  • Gov’t of Canada SecureKey page — A summary of SecureKey and the Canadian federal organization and legislation that supports its implementation.  Would be nice to see a link to the PIA…

These should get your new year off to a good start – happy 2013 everyone!

Mike


December 28, 2012

codetechnology:

Some thoughts from south of the border…

Originally posted on dataTrending:

For over a decade, the Federal Government has had numerous efforts and initiatives on identity and access management (IAM). These efforts morphed into identity, credential, and access management (with of course its own acronym, ICAM), underscoring a fundamental principle of having some credential or token (physical or digital) in order to prove and authenticate the identity that an individual is claiming. Many of you will recall the famous cartoon “On the Internet, no one knows you’re a dog”.

On the one hand, this cartoon underscores the privacy and anonymity that the Internet provides. The flip side is that for many type of transactions and ecommerce applications, it is absolutely critical for security and privacy purposes to have assurance and trust in the identity that is being provided – by an individual or by a machine. Banking, electronic commerce, and health care are but a few examples where it is…



e-Voting and Identity

October 23, 2012

In my own city, Edmonton, they have been talking up e-voting for a while now.  There was an announcement yesterday that a pilot project is being conducted to validate the process of running an online election.  (More information can be found here and here.)

First of all, I think that this is exactly the type of pilot project that governments must run to be progressive and forward-thinking.  These types of initiatives are high value, not just to validate a solution for this defined need, but for the organization’s other online initiatives.  And the proposed e-voting identification process is an interesting one…

To be frank, I don’t have e-voting very high on my personal list of municipal problems to be solved, BUT I do have a keen interest in how people are identified online.

The City’s new project has an identity proofing process for this pilot project.  It includes a unique method of collecting identity proofing documents that I haven’t seen before: citizens scan (or take a picture of) their real-world identification, then upload it to the City’s website.  Allowed documents include driver’s license, passport, Canadian military cards, etc. (see sidebar).

The image of the identification document is then reviewed manually by employees in the elections department and presumably compared to lists of eligible voters. Only when the document matches up with a previously registered voter will a credential be issued to the citizen for voting purposes.

This approach is convenient to citizens, or at least those that are savvy enough to scan a document and upload it to a website (which is probably a pretty high percentage of those that will consider online voting).

But whenever I see ‘convenience’ cited as a reason to do something online, I can’t help but look for the security and privacy compromises required to make that thing convenient.  On first review (I haven’t done a deep dive, so feel free to correct me!) here are a few things that might be compromised by such a process:

  • How does the process ensure that the citizen is in control of the document at the time e-voting registration takes place?  For example, the passports for a household might be stored in a filing cabinet.  Let’s say one member of the household is politically active and the rest don’t vote at all.  How difficult would it be for the one family member to round up the passports and create multiple e-voting credentials?
  • There may be a privacy issue here.  Scanned identification documents contain a payload of sensitive information.  My passport has my legal name and birthdate — two attributes that are useful for the voter vetting process.  But it also contains my passport number, my place of birth and my citizenship.  None of these attributes are needed by this process, and should not be collected and stored as part of the process. (Update: The City’s 311 service has informed me that the data will be stored in Canada and destroyed no later than December 31, 2012. Also, only authorized personnel can view the data and they are subject to confidentiality agreements.)
  • Finally, how can one be sure that the scanned identity document has not been digitally tampered with? Paper and plastic documents have physical safeguards to increase reliability.  For example, the Alberta driver’s license has a hologram on it and a ‘declined width text wave’ feature (and these are just two of a dozen security features).  How do these features translate to the scanned image? Assuming many of these features do not translate well, how well does the scan of the document actually prove the citizen’s identity? As a comparison, would such a scan, subsequently printed, be acceptable as ID at the polling station?

It will be interesting to see how these and other challenges of e-voting will be overcome in the coming months.

Mike


Italian Football

October 11, 2012

codetechnology:

From the codetechnology.ca vault: identity and Italian football…

Originally posted on Code Technology - IAM Consultants and Advisors:

I spent two weeks in Italy last month and, in case you haven’t heard, it is one of the most beautiful places on earth.  So it was appropriate that I attend a match of the ‘beautiful game’, aka calcio, football, soccer.

The game was Fiorentina (Florence) vs. Sampdoria (Genoa), and it had some importance so a large crowd was expected.  I set out on the number 51 bus from Florence’s historic centre, bound for a suburban stadium near the Tuscan hills north of town.  45 minutes before game time the bus was full of purple-shirted — and well-behaved — Fiorentina fans. 

Once near the stadium I realized that I had no idea of where to buy a ticket, so in my pitiful Italian I asked assorted gate personnel, coffee shop clerks and fans where the ticket office was.

I found one in a cafe across the street.  Inside there were big signs…


