Identity and Access Management (IAM) Linkage to Innovative Service Delivery February 17 th , 2012 Victoria, B.C. Brian Reed, IAM Practice Lead, HP Enterprise Services, Canada

Upload: satya-harish

Post on 14-Apr-2017


TRANSCRIPT

Identity and Access Management (IAM) Linkage to Innovative Service Delivery

February 17th, 2012 Victoria, B.C.

Brian Reed, IAM Practice Lead, HP Enterprise Services, Canada

Presentation Outline

• Session Objectives
• IAM Linkage to Innovative Service Delivery:
  – Case Study 1: Belgium - Flemish e-Government Transformation
    • Shifting from “pull” to innovative “push” models is changing the urgency for IAM
  – Case Study 2: EU Self Certification
    • Enabling Self Certification for Benefits Eligibility through Voice Print Biometrics and Mobile Authentication
  – DEMO – live voice print demonstration
  – Case Study 3: Mobile Voting
• Global IAM Business Challenges
• Implications for IAM Program Design
  • Market trends and models
  • Technology considerations
  • Reference architectures
  • Global Initiatives: British Business Federation Authority (BBFA) Federated Identity Management
  • Reference Implementations: Government of Canada Pension Modernization: IAM Framework of Enterprise Applications; U.S. Access; India UID
• Solution Convergence
• Summary

Session Objectives

• To share, through case studies, the linkages between fiscal climate change and IAM, and the linkages of IAM to innovative service delivery
• To share reference models and innovative strategies for deploying large scale IAM solutions
• To exchange ideas about the business challenges of the public sector with respect to identity and access management

©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

IAM LINKAGE TO INNOVATIVE SERVICE DELIVERY

A “Climate Change” in Government Finance, not just a few “Bad Winters”

Factors Impacting Long-Term Government Finances:
• Sustainability
• Tax erosion from globalisation and ageing population
• Ageing population
• Rising citizen service expectations

(Chart: Taxes as Percentage of GDP in OECD Countries (1965 – 2008). Source: OECD)

(Chart: US Federal Debt as Percentage of GDP (1900 – 2011). Source: Office of Management and Budget)

(Chart: Operating Expense and IT Expenditure. Average Breakdown of IT Expenditure: Run 73%, Transform and Grow 27%. Average Total Operating Expense split 93.5% / 6.5%. Source: Gartner, Inc., “IT Key Metrics Data 2010: Key Industry Measures: Government Analysis: Multi Year”)

IT strategy to manage the fiscal crisis

1. Minimize IT ‘Run’ Spending
2. Maximize Government Return on IT
3. Explore Disruptive Solutions

Maximizing Government Return on IT

IT SPENDING → PUBLIC VALUE RETURN = Government Return on IT
• Public: Policy Outcomes & Outputs
• Taxpayers: Efficiency
• Customers: Quality of Service
• Citizens: Public Trust

SERVICE DELIVERY INNOVATION CASE STUDIES

(1) e-Government: Belgium and the Flemish Government
(2) Human services: EU Self-Certification using Mobile Telephony
(3) Mobile Voting

Case Study 1: Belgium and Flemish Government, Integrated focus on citizen & business value

Belgium / Flanders - MAGDA Platform

“once-only data collection, multiple data (re)use”, i.e. “A government that does not ask for what it already knows, and is truly certain of what it knows”

Key Drivers:
• Improved service delivery
  – reduce administrative burden for enterprises
  – pro-active delivery of entitlements to citizens
• Improved internal operations / administration
  – avoid unnecessary double work (data entry & quality)
  – simplify and streamline existing administrative processes

Origin: « Only Ask it Once »

• Situation
  – Political support: Minister in charge had the key message in his policy letter
  – e-government team in place
• Focus on citizen support – resolution in parliament
  – Focus e-gov on citizen and business at the regional level
  – Implement the ‘Only ask it once’ @ regional level and extend to national level
  – Ensure maximum privacy
• Only Ask it Once MAGDA (“Maximum Data Sharing Between Administrations and Agencies”) Platform

Flemish Parliament

Framework components: Key Building Blocks

• Goal: Citizen Value
• Platform: MAGDA
• Part of the coalition agreement and long-term vision (VIA)
• Authentic Data: the information, the value
• Change agent: driver
• Legal & privacy regulation
• E-ID: the key to get access

(Video)

(Diagram: Citizen Value at the centre, surrounded by VIA 2020 strategy, MAGDA, Commitment, E-ID: key, Authentic Sources, Legal, Change agent, Privacy)

Case Study 2: Human services: Self-Certification using Mobile Telephony: EU Example

• Desired Policy Outcomes:
  – Improve service delivery against “Customer Charter and Action Plan”
  – Increase certification frequency, to help reduce fraud and overpayments
  – Examine new communication channels, including Self Certification using mobile telephony
  – Ensure on-going controls are in place
• Challenges:
  – Increased demand for unemployment benefits
  – Intense manual processes
  – On-going certification requires regular visits to the Department for Social Protection Local Offices
  – Long lines, staff overloaded
  – Reduce welfare fraud and overpayments

PUBLIC VALUE FRAMEWORK – SOCIAL PROTECTION

(Diagram, read bottom-up: IT Initiatives – Application Services, Data Integration Services, Converged Infrastructure – support the Mobile Certification PS Initiatives, which roll up through Business Initiatives, Process/Function, Operating KPIs, Executive KPIs and Core Financial KPIs to Public Value.)

IT Initiatives → Process/Function:
• Improve Authentication and Access → Reporting and Intake
• Improve Registration → Intake / Eligibility Determination
• Improve Accuracy and Timeliness → Payment Process

Business Initiatives:
• Implement New Access Channels
• Control Benefit Expenditures / Reduce Fraud
• Improve Registration and Authentication

Core Financial KPI: Admin Exp. as a Percentage of Benefits Expenditures (On-Budget), Planned vs. Actual

Public Value (columns in diagram order):
• Quality of Service: Easy Access, Prompt and Accurate Service
• Efficiency: Identity and Secure Access to Service
• Public Trust: Increase Participation
• Policy Outcomes: Maximize FFP and Incentives; Minimize Penalties; Minimize Fraud

Enrolment Best-Practices and Benefits

Enrolment Best Practices
• Explain Enrolment process, obtain consent
• Gather voice sample, verify capture
• Verify enrolment with a test certification
• Enrolment complete

Opt-in Service Benefits
• Supports in-country mobility
• Leverages voice print biometrics
• Reduces need to visit local offices
• Reduces program administration costs

Quick Demo

Case Study 3: Mobile Voting; Electoral Participation; Rising Expectations

• Developed countries
  – Decline in voter participation
  – Drop in turnout among young people
  – Only 37.4 per cent of voters aged 18 to 24 years old voted in the 2008 Canadian federal election, similar in US & UK; 49% of all eligible voters in 2011 Ontario election
• Developing countries
  – Challenge to communicate information on polling centre locations and hours of operation

“Haiti elections: cell phones and internet to facilitate voter turnout”, United Nations Development Programme, Newsroom, March 18, 2011

Internet mobile phone voting – Example of mobile voting process

(Screen mock-ups: Home → Authentication → Select candidate → Cast Vote → Confirmation)

• Home: First display shows browser menu and option to change language before proceeding.
• Authentication: Authorize access to voting service through secure authentication (identification number and PIN).
• Select candidate: Browse through candidates list (one after one), displaying: Candidate name and Party logo.
• Cast Vote: Confirm candidate selection, cipher the vote and cast the ballot.
• Confirmation: Confirmation that the vote has been recorded, including a proof for the voter (receipt shown on screen; mail receipt).

GLOBAL IDENTITY MANAGEMENT BUSINESS CHALLENGES

Implications for IAM Program Design:
• Market Trends and Models
• Reference Architectures
• Global Initiatives
• Reference Implementations

Global Identity Management Business Challenges

• Citizens and businesses are demanding simpler access to government services across multiple delivery channels
• Privacy must be considered from both a trust and compliance perspective
• Current state: proliferation of identity stores and access management systems frustrates a citizen-centric transformation
• Citizens not only have multiple ‘personas’ and contexts in terms of their interaction with government, but they also have multiple ‘identities’
• Understanding these personas and mapping them to appropriate information access is a significant business challenge
• Technologies are more mature, but integration with legacy systems is still complex

Implications for IAM Program Design

• Business strategy and analysis of information management requirements need to lead the introduction of technology
• Need to understand the risk profile of information assets and transactions and map it to required levels of identity assurance
• Need to assess trade-offs: convenience versus control; individual control versus institutional control; cost versus residual risk
• Identify business partners and establish governance over IAM, including trust agreements and levels of assurance on identity management processes

Identity, Access and Governance

• Establishing trusted digital identities - identity proofing

• Authentication and risk

• Managing policy - authorization, personas, context

• Governance - authoritative sources, trust relationships, liability

What can IAM Enable?

• Streamlined service delivery from a government and citizen/business perspective - cost to serve, multi-channel

• A trust fabric for e-government…essential for adoption

• A ‘customized’ client experience

• BYOD

• Enhanced program integrity

• Reduced fraud and error

• Increased privacy protection

• Capability to push programs/services as well as provide targeted access to information

MARKET TRENDS AND MODELS

Gartner IAM Hype Cycle

Key Points:
1. Value drives adoption
2. Hard to predict technology curves
3. Industries drive specific solutions e.g. healthcare

(Chart: Gartner Hype Cycle; time-to-mainstream-adoption bands of less than 2 years, 2 to 5 years, 5 to 10 years and more than 10 years; benefit ratings transformational, high, moderate, low)

IAM Technology Considerations

• Granularity
• Context awareness
• Adaptive
• Delegation
• Extensibility
• Federation
• Standardization
• Legacy apps support - adapters e.g. provisioning
• Support for multiple authentication schemes
• Completeness of applications - components or suites?

REFERENCE ARCHITECTURES

Reference architectures: Citizenship and Immigration Canada - TRBP; Oklahoma State Healthcare Information System

(Diagram components: Identity Management; Policy & Access Management; Federation & Access Control; Digital Identity (X.509); SAML Token Service (STS); Auditing & Reporting; User Registration; Reliability/Data Integrity; Interoperability - HIE, NwHIN Connect; Data Management; Firewall/DMZ; Provisioning & De-provisioning; Authorization (RBAC); Identity Registry; Escalation - SOA Suite; Governance - NIST Framework; Perimeter Level Security)

GLOBAL INITIATIVES

British Business Federation Authority (BBFA) Federated Identity Management

Building a Consistent Approach to Customer-Centric Digital Identity Assurance across all Public Services

UK Citizen Access to Government Services

Context of Identity

REFERENCE IMPLEMENTATIONS

Government Canada Application Modernization and IAM (Pension Modernization)

(Architecture diagram, condensed. Three tiers – Access Management, Applications, Identity Management – over Directory / Data Services.)

Access Management: Oracle Access Manager (Access Server, Identity Server, Policy Manager, Configuration Manager, Administration Web Server with WebPass) and Oracle Single Sign-On (OSSO) Server on Oracle Application Server / OC4J; AM WebGate agents on each application web server; Access Manager Audit Database and OAM Configuration Manager Database. Flows: Authentication Requests, Authorization Lookups, User Profile Operations, Authorization Events / Single Sign-On / Session Management, OAM Audit Records, Authentication Events.

Applications (each fronted by an AM WebGate): Portal (Oracle Portal, Crown Corporation Portal), Genesys Workforce Management, Siebel Call Centre, Hyperion Reports, Oracle Business Intelligence (Dashboard, Answers), Data Capture Tool, Matane Imaging Web Application, Integration Broker / BPEL Worklist, Universal Customer Master, Penfax, DCT, Pay, Insurance, PenWeb (PenWeb Database, Web Content Management), Active Member Pension Application and Active Member Enrolment Application on Oracle WebLogic Application Server (WebLogic Application Server Plugin); Userid & Password Authentication Web Server and PKI Based Authentication Web Server (AM WebGate, TruePass SVM, TruePass Application Server).

Identity Management: Oracle Identity Manager (IDM) on Oracle Application Server / OC4J with Identity Manager Database and Oracle Identity Manager API; connectors for Siebel, OID, Penfax, DCT, PenWeb, DB Tables and OC4J. Flows: provisioning of user info and reconciliation of groups & users to the applications; provisioning & reconciliation of user information; trusted reconciliation of employer representative information; validation of shared secrets & reconciliation of user information from the Active Member Authoritative Source.

Directory / Data Services: Oracle Virtual Directory, IDM OID and OID; synchronization of user information via G+ adapter; OSSO Session Creation against OID.

Hyperion periodically connects to the IDM OID and updates its security repository with the list of valid users.

USAccess and FEDERATED IDENTITY - CONCEPTUAL ARCHITECTURE

Source: FICAM Roadmap and Implementation Guidance

India - Unique ID Programme Architecture

SUMMARY

Convergence of "Service Innovation" and "Technology Innovation" will Deliver Greatest Public Value

(Diagram: Service Innovation – Prevention, Participation, Collaboration; Technology Innovation – Whole-of-Government Enablers: IAM, Mobility, Cloud Computing, Analytics)

Summary

• A ‘climate change’ in public finances is helping drive demand for IAM innovation – IAM is not just a technology – but a critical foundation block for e-Government / m-Government

– IAM must help improve policy outcomes, increase service quality, efficiencies and help build citizen trust

• Need to continue collaboration to develop and leverage IDM policy frameworks (e.g. Kantara and PanCanadian IDMA model)

• Need for a consistent framework for “Whole of Government Enablers”, to support both internal and external social media, collaborative tools, mobility, and access to public sector service delivery through multiple channels - anytime, anywhere

• The movement to cloud based services and mobile access is driving federated identity solutions. Incremental steps, pilots, and proof of concepts are delivering on the early promises of federation.

Presenter Contact Data


Brian Reed, IAM Practice Lead, HP Canada Enterprise Services

[email protected]