TRANSCRIPT
Identity and Access Management (IAM) Linkage to
Innovative Service Delivery
February 17th, 2012 Victoria, B.C.
Brian Reed, IAM Practice Lead,
HP Enterprise Services, Canada
Presentation Outline
• Session Objectives
• IAM Linkage to Innovative Service Delivery:
  – Case Study 1: Belgium - Flemish e-Government Transformation
    • Shifting from “pull” to innovative “push” models is changing the urgency for IAM
  – Case Study 2: EU Self Certification
    • Enabling Self Certification for Benefits Eligibility through Voice Print Biometrics and Mobile Authentication
  – DEMO – live voice print demonstration
  – Case Study 3: Mobile Voting
• Global IAM Business Challenges
• Implications for IAM Program Design
  • Market trends and models
  • Technology considerations
  • Reference architectures
• Global Initiatives:
  • British Business Federation Authority (BBFA) Federated Identity Management
• Reference Implementations
  • Government of Canada Pension Modernization: IAM Framework of Enterprise Applications
  • U.S. Access
  • India UID
• Solution Convergence
• Summary
Session Objectives
• To share, through case studies, the linkages between fiscal climate change and IAM, and the linkages of IAM to innovative service delivery
• To share reference models and innovative strategies for deploying large
scale IAM solutions
• To exchange ideas about the business challenges of the public sector
with respect to identity and access management
©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
IAM Linkage to Innovative Service Delivery
HP Restricted
A “Climate Change” in Government Finance, not just a few “Bad Winters”
Factors Impacting Long-Term Government Finances:
• Sustainability
• Tax erosion from globalisation and ageing population
• Ageing population
• Rising citizen service expectations
[Chart: Taxes as Percentage of GDP in OECD Countries (1965 – 2008). Source: OECD]
[Chart: US Federal Debt as Percentage of GDP (1900 – 2011). Source: Office of Management and Budget]
Operating Expense and IT Expenditure (Source: Gartner, Inc., “IT Key Metrics Data 2010: Key Industry Measures: Government Analysis: Multi Year”)
• Average Breakdown of IT Expenditure: Run 73%; Transform and Grow 27%
• Average Total Operating Expense: 93.5% / 6.5%
IT strategy to manage the fiscal crisis
1. Minimize IT ‘Run’ Spending
2. Maximize Government Return on IT
3. Explore Disruptive Solutions
Maximizing Government Return on IT
[Diagram: IT Spending → Public Value Return = Government Return on IT]
• Public: Policy Outcomes & Outputs
• Taxpayers: Efficiency
• Customers: Quality of Service
• Citizens: Public Trust
Service Delivery Innovation Case Studies
1) e-Government: Belgium and the Flemish Government
2) Human services: EU Self-Certification using Mobile Telephony
3) Mobile Voting
Case Study 1: Belgium and Flemish Government, Integrated focus on citizen & business value
“once-only data collection, multiple data (re) use”
i.e. “A government that does not ask for what it already knows, and is truly certain of what it knows”
Key Drivers:
• Improved service delivery
  • reduce administrative burden for enterprises
  • pro-active delivery of entitlements to citizens
• Improved internal operations / administration
  • avoid unnecessary double work (data entry & quality)
  • simplify and streamline existing administrative processes
Origin: « Only Ask it Once »
• Situation
  – Political support: Minister in charge had the key message in his policy letter
  – e-government team in place
• Focus on citizen support – resolution in parliament
  – Focus e-gov on citizen and business at the regional level
  – Implement the ‘Only ask it once’ at regional level and extend to national level
  – Ensure maximum privacy
• Only Ask it Once MAGDA (“Maximum Data Sharing Between Administrations and Agencies”) Platform
[Image: Flemish Parliament]
Framework components: Key Building Blocks
• Goal: Citizen Value
• Platform: MAGDA
• Part of the coalition agreement and long-term vision (VIA)
• Authentic Data: the information, the value
• Change agent: driver
• Legal & privacy regulation
• E-ID: the key to get access
(Video)
[Diagram: Citizen Value at the centre, surrounded by VIA 2020 strategy, MAGDA, Commitment, E-ID: key, Authentic Sources, Legal, Change agent, Privacy]
Case Study 2: Human services: Self-Certification using Mobile Telephony: EU Example
• Desired Policy Outcomes:
  – Improve service delivery against “Customer Charter and Action Plan”
  – Increase certification frequency, to help reduce fraud and overpayments
  – Examine new communication channels, including Self Certification using mobile telephony
  – Ensure on-going controls are in place
• Challenges:
  – Increased demand for unemployment benefits
  – Intense manual processes
  – On-going certification requires regular visits to the Department for Social Protection Local Offices
  – Long lines, staff overloaded
  – Reduce welfare fraud and overpayments
[Diagram: Public Value Framework – Social Protection]
• Public value dimensions: Quality of Service, Efficiency, Public Trust, Policy Outcomes
• Public value targets: easy access, prompt and accurate service; identity and secure access to service; increase participation; maximize FFP and incentives, minimize penalties, minimize fraud
• Executive KPI / business initiatives (Mobile Certification PS Initiatives): Implement New Access Channels; Control Benefit Expenditures / Reduce Fraud; Improve Registration and Authentication
• Operating KPI: IT initiatives mapped to process/function: Improve Authentication and Access → Reporting and Intake; Improve Registration → Intake / Eligibility Determination; Improve Accuracy and Timeliness → Payment Process
• Core financial KPI: Admin Exp. as a percentage of benefits expenditures (on-budget), planned vs. actual
• Enabling layers: Application Services, Data Integration Services, Converged Infrastructure
Enrolment Best-Practices and Benefits
Enrolment Best Practices
• Explain Enrolment process, obtain consent
• Gather voice sample, verify capture
• Verify enrolment with a test certification
• Enrolment complete
• Opt-in Service
Benefits
• Supports in-country mobility
• Leverages voice print biometrics
• Reduces need to visit local offices
• Reduces program administration costs
Quick Demo
Case Study 3: Mobile Voting; Electoral Participation; Rising Expectations
• Developed countries
  – Decline in voter participation
  – Drop in turnout among young people
  – Only 37.4 per cent of voters aged 18 to 24 years old voted in the 2008 Canadian federal election, similar in US & UK; 49% of all eligible voters in 2011 Ontario election
• Developing countries
  – Challenge to communicate information on polling centre locations and hours of operation
“Haiti elections: cell phones and internet to facilitate voter turnout”, United Nations Development Programme, Newsroom, March 18, 2011
Example of mobile voting process (Internet mobile phone voting)
[Screen mock-ups: Home → Authentication → Select candidate → Cast Vote → Confirmation]
• Home: first display shows browser menu and option to change language before proceeding.
• Authentication: authorize access to voting service through secure authentication (identification and PIN).
• Select candidate: browse through candidates list (one after one), displaying candidate name and party logo.
• Cast vote: confirm candidate selection, cipher the vote and cast the ballot.
• Confirmation: confirmation that the vote has been recorded, including a proof for the voter (receipt, also sent by mail).
Global Identity Management Business Challenges
Implications for IAM Program Design:
• Market Trends and Models
• Reference Architectures
• Global Initiatives
• Reference Implementations
Global Identity Management Business Challenges
• Citizens and businesses are demanding simpler access to government services across multiple delivery channels
• Privacy must be considered from both a trust and compliance perspective
• Current state: proliferation of identity stores and access management systems
frustrate a citizen-centric transformation
• Citizens not only have multiple ‘personas’ and contexts in terms of their
interaction with government but they have multiple ‘identities’
• Understanding these personas and mapping them to appropriate information
access is a significant business challenge
• Technologies are more mature but integration with legacy systems is still complex
Implications for IAM Program Design
• Business strategy and analysis of information management requirements need to
lead introduction of technology
• Need to understand the risk profile of information assets and transactions and
map to required levels of identity assurance
• Need to assess trade-offs: convenience versus control; individual control versus
institutional control; cost versus residual risk
• Identify business partners and establish governance over IAM including trust
agreements and levels of assurance on identity management process
Identity, Access and Governance
• Establishing trusted digital identities (identity proofing)
• Authentication and risk
• Managing policy: authorization, personas, context
• Governance: authoritative sources, trust relationships, liability
What can IAM Enable?
• Streamlined service delivery from a government and citizen/business perspective - cost to serve, multi-channel
• A trust fabric for e-government…essential for adoption
• A ‘customized’ client experience
• BYOD
• Enhanced program integrity
• Reduced fraud and error
• Increased privacy protection
• Capability to push programs/services as well as provide targeted access to information
Market Trends and Models
Gartner IAM Hype Cycle
Key Points:
1. Value drives adoption
2. Hard to predict technology curves
3. Industries drive specific solutions, e.g. healthcare
[Chart: Gartner IAM Hype Cycle. Time to mainstream adoption: less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years. Benefit rating: transformational, high, moderate, low]
IAM Technology Considerations
• Granularity
• Context awareness
• Adaptive
• Delegation
• Extensibility
• Federation
• Standardization
• Legacy application support: adapters, e.g. provisioning
• Support for multiple authentication schemes
• Completeness of applications: components or suites?
Reference Architectures
Oklahoma State Healthcare Information System
[Architecture diagram components:]
• Identity Management: User Registration, Identity Registry, Provisioning & De-provisioning
• Policy & Access Management: Authorization (RBAC)
• Federation & Access Control: Digital Identity (X.509), SAML Token Service (STS)
• Auditing & Reporting
• Reliability/Data Integrity, Data Management
• Interoperability: HIE, NwHIN Connect
• Perimeter Level Security: Firewall/DMZ
• Escalation: SOA Suite
• Governance: NIST Framework
Global Initiatives
British Business Federation Authority (BBFA) Federated Identity Management
Building a Consistent Approach to Customer-Centric Digital Identity Assurance across all Public Services
Reference Implementations
Government of Canada Application Modernization and IAM (Pension Modernization)
[Architecture diagram: IAM framework of enterprise applications; components and flows recovered from the figure]
• Access Management: Oracle Access Manager (Access Server, Identity Server, Policy Manager, Configuration Manager, Access Manager Administration Web Server, OAM Configuration Manager Database, Access Manager Audit Database), WebPass, an AM WebGate in front of each web application, Oracle Single Sign-On (OSSO) Server on Oracle Application Server / OC4J
• Identity Management: Oracle Identity Manager (IDM) with Identity Manager Database and connectors for Siebel, OID, Penfax, DCT, PenWeb, DB Tables and OC4J; provisioning of user info and reconciliation of groups & users; trusted reconciliation of employer representative information; validation of shared secrets & reconciliation of user information; synchronization of user information via G+ adapter
• Directory / Data Services: Oracle Virtual Directory, IDM OID, Portal OID, PenWeb Database, Active Member Authoritative Source, Universal Customer Master
• Applications: Genesys Workforce Management, Siebel Call Centre, Hyperion Reports, Oracle Business Intelligence (Dashboard, Answers), Oracle Portal, Crown Corporation Portal, Active Member Pension Application and Active Member Enrolment Application (Oracle WebLogic Application Server with WebLogic Application Server Plugin), Penfax, Pay, Insurance, PenWeb, Data Capture Tool, Matane Imaging Web Application, Integration Broker / BPEL Worklist, Web Content Management
• Authentication entry points: Userid & Password Authentication Web Server (AM WebGate, Oracle Identity Manager API) and PKI Based Authentication Web Server (AM WebGate, TruePass SVM, TruePass Application Server)
• Flows: Authentication Requests, Authorization Lookups, User Profile Operations, Authorization Events / Single Sign-On / Session Management, OSSO Session Creation, Authentication Events, OAM Audit Records
• Hyperion periodically connects to the IDM OID and updates its security repository with the list of valid users.
USAccess and FEDERATED IDENTITY- CONCEPTUAL ARCHITECTURE
Source: FICAM Roadmap and Implementation Guidance
Convergence of "Service Innovation" and "Technology Innovation" will Deliver Greatest Public Value
[Diagram: Service Innovation (Prevention, Participation, Collaboration) converging with Technology Innovation (IAM: Whole-of-Government Enablers; Mobility, Cloud Computing, Analytics)]
Summary
• A ‘climate change’ in public finances is helping drive demand for IAM innovation – IAM is not just a technology – but a critical foundation block for e-Government / m-Government
– IAM must help improve policy outcomes, increase service quality, efficiencies and help build citizen trust
• Need to continue collaboration to develop and leverage IDM policy frameworks (e.g. Kantara and PanCanadian IDMA model)
• Need for a consistent framework for “Whole of Government Enablers”, to support both internal and external social media, collaborative tools, mobility, and access to public sector service delivery through multiple channels, anytime, anywhere
• The movement to cloud based services and mobile access is driving federated identity solutions. Incremental steps, pilots, and proof of concepts are delivering on the early promises of federation.
Presenter Contact Data
Brian Reed, IAM Practice Lead, HP Canada Enterprise Services