Service Canada and SecureKey Concierge

Service Canada now uses the SecureKey Concierge identity broker service.  This new service allows Canadians to access services using their online banking credentials.  This may be the first federated identity implementation in Canada targeted at citizens.  Until now, Fed ID implementations have been limited to higher education and industry federations.

Here is a screen-by-screen walk-through of how Service Canada’s site can be accessed using SecureKey Concierge and a citizen’s bank account.

1. First, from the ‘Access My Service Canada Account’ page, the link to SecureKey Concierge (SKC) is easy to locate near the bottom of the page:

Note that the government has kept their own Access Key as a login option.

2. Clicking on the SKC login brings up the SKC discovery service.  It is here where you select your preferred identity provider from a list of bank services:

3. Select your bank from the list.  The service then redirects to a customized bank login page (Scotiabank in my case).  Note that this page is different from the bank’s regular online login page – the look, content and URL are different.

4. Note that the SKC logo is carried through to this page.  Once I logged in — and yes, this is the exact same credential as I use with Scotiabank — I was sent to the SKC terms and privacy notice:

5. The terms and conditions can be found here.  When you ‘Accept and Continue’ you are returned to a Service Canada page:

6. This page confirms which credential the user is to use, and offers to convert an Access Key credential to the SKC credential.  Next:

7. Now, Service Canada lets you know what is upcoming, and informs you of various privacy and service terms.  Once you get past this page, you arrive at their enrolment/registration form: 

This is where Service Canada enrols you into their service by asking for selected shared secrets: SIN, DoB, an access code and your province of residence.  Note that your name is not passed in from SKC, and it appears that your name is not needed on this screen to confirm your identity.

(Also note the use of the term ‘authentication’.  I’d prefer they use ‘enrolment’ but I suppose for users of this service it doesn’t really matter all that much…)

8. Finally, upon successfully entering this information you are rewarded with a lengthy privacy notice and terms page:

9. Accepting terms here results in the main Service Canada service page being displayed (with links to your personal information):

In summary:

  • Service Canada provides an SKC login option.
  • SKC allows the user to select their bank login from a discovery service (page with list of partnering banks).
  • The bank login page is a modified version of what the user is familiar with. The user logs in using their regular online banking credential.
  • SKC’s terms are displayed and agreed to by the user.
  • Service Canada then takes over and walks the user through service-specific enrolment pages.
  • The user accesses the service.

Time for me to complete: 5 mins, 18 seconds.

Once enrolled using the above steps, returning to the service is simpler because the link between your bank credential and the service is maintained.  This link is anonymized so that the bank is not aware of what service you accessed, and Service Canada doesn’t know what bank credential you used.

When returning to the service page, select the SKC login option.  Select your bank and login.  You then get access to the service without being prompted for enrolment information.
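The anonymized link described above (the bank never learns which service was accessed, the service never learns which bank credential was used, yet a returning user is recognised without re-enrolment) can be modelled with a broker that issues pairwise pseudonymous identifiers. The toy below is an added example, not SecureKey’s or Service Canada’s code; the HMAC-based derivation, the participant names, the card number and the enrolment fields are all constructed for illustration and are assumptions about how such a link might be built, not a description of the real implementation.

```python
"""Toy identity broker with pairwise pseudonymous identifiers (added example).

The bank (identity provider) authenticates the user and tells only the
broker who logged in; the broker hands the service (relying party) an
opaque, service-specific subject identifier; on the first visit the
service enrols the user against its own shared secrets, on later visits
it recognises the pseudonym and skips enrolment.  All names, keys and
sample users here are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Bank:
    """Identity provider: knows its own customers, sees only the broker."""
    name: str
    credentials: Dict[str, str]                      # card number -> password (constructed)
    relying_parties_seen: Set[str] = field(default_factory=set)

    def authenticate(self, card: str, password: str, relying_party: str) -> str:
        self.relying_parties_seen.add(relying_party)   # the bank only ever sees "broker"
        if self.credentials.get(card) != password:
            raise PermissionError("bank login failed")
        # Stable bank-internal subject id; carries no name or account data.
        return hashlib.sha256(f"{self.name}:{card}".encode()).hexdigest()


@dataclass
class Broker:
    """Identity broker: derives a different pseudonym for every service."""
    secret: bytes                                    # broker-side HMAC key (constructed)
    banks: Dict[str, Bank]

    def login(self, bank_name: str, card: str, password: str, service_id: str) -> dict:
        bank = self.banks[bank_name]
        bank_subject = bank.authenticate(card, password, relying_party="broker")
        # Pairwise pseudonym: same user + same service -> same value on every visit;
        # same user + different service -> unrelated value, so services cannot
        # correlate the user between themselves.
        msg = f"{bank_name}|{bank_subject}|{service_id}".encode()
        pseudonym = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        # Assertion handed to the service: no bank name, no bank subject id.
        return {"issuer": "broker", "audience": service_id, "subject": pseudonym}


@dataclass
class Service:
    """Relying party: keys its accounts on the broker's pseudonym only."""
    service_id: str
    accounts: Dict[str, dict] = field(default_factory=dict)   # pseudonym -> enrolment record

    def access(self, assertion: dict, enrolment: Optional[dict] = None) -> str:
        if assertion["issuer"] != "broker" or assertion["audience"] != self.service_id:
            raise PermissionError("assertion was not issued for this service")
        subject = assertion["subject"]
        if subject in self.accounts:
            return "welcome back"                    # returning user: no enrolment prompt
        if enrolment is None:
            return "enrolment required"              # first visit: ask for shared secrets
        self.accounts[subject] = enrolment           # shared secrets would be verified here
        return "enrolled"


def run_walkthrough() -> dict:
    """Replay the first visit, a return visit and a visit to a second service."""
    bank = Bank("examplebank", {"4500-0000-0000-0001": "correct-horse"})   # constructed
    broker = Broker(secret=b"constructed-broker-key", banks={bank.name: bank})
    svc_a = Service("service-a")
    svc_b = Service("service-b")

    first = broker.login("examplebank", "4500-0000-0000-0001", "correct-horse", "service-a")
    status_first = svc_a.access(first)
    status_enrol = svc_a.access(first, enrolment={"sin": "000-000-000", "dob": "1970-01-01"})
    again = broker.login("examplebank", "4500-0000-0000-0001", "correct-horse", "service-a")
    status_return = svc_a.access(again)
    other = broker.login("examplebank", "4500-0000-0000-0001", "correct-horse", "service-b")

    # An assertion minted for service-a must be rejected by service-b.
    try:
        svc_b.access(first)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    return {
        "first": status_first, "enrol": status_enrol, "return": status_return,
        "same_pseudonym_on_return": first["subject"] == again["subject"],
        "unlinkable_across_services": first["subject"] != other["subject"],
        "bank_name_leaked_to_service": "examplebank" in first.values(),
        "bank_saw_only_broker": bank.relying_parties_seen == {"broker"},
        "wrong_audience_rejected": replay_rejected,
    }


if __name__ == "__main__":
    for k, v in run_walkthrough().items():
        print(f"{k}: {v}")
```

The two properties worth checking when reviewing a brokered design like this are that the pseudonym is stable per service (so the second login is recognised) and that it is unrelated across services (so two departments cannot join their records on it). The broker itself still sees both sides, which is why its key management and logging deserve the closest scrutiny in such an architecture.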

Aside from the technology and user experience, there is a lot going on here.  Join the discussion at LinkedIn – Canadiam.

  Updated: Click here for the SecureKey interview…

Mike

IAM for the smaller enterprise

My clients find identity solutions to be complex and costly to implement.  For mature and/or large enterprises, these issues are simply a cost of doing business — and compliance or online strategic drivers are usually sufficient to fund and launch an IAM initiative.

For the smaller enterprise there appear to be two paths followed: do nothing or do it poorly.  When done poorly, shoddy IAM implementations can result in poor credential management, lousy availability and inappropriate access controls.

So how does a smaller company or organization deal with identity properly? How can users be efficiently identified online without building expensive, custom solutions? What service levels and supports are possible for a login service when staff go home at 5pm? How can niche needs like strong authentication be met without excessive server license costs and complex implementations?

Enter the cloud.  Cloud-based IAM service providers are maturing and there are a number of solutions that offer the smaller organization solutions.  For example:

  • Symplified offers a full IAM service that promises plug-and-play integration with surprising depth, including support for mobile devices and apps.
  • PhoneFactor has a slick and secure solution for two-factor authentication that can be licensed on a per-use basis.
  • TransUnion have a robust identity proofing service for the critical process of confirming the identity of an online visitor.

Using one or more of these solutions allows for rapid deployment of IAM for smaller organizations.  The cost savings are considerable and service levels are beyond what most companies could hope to provide on their own.  There still remains integration work — applications need to be ‘plumbed’ to inter-operate with the cloud solutions — but all the heavy lifting of designing and configuring a solution is eliminated.

The maturation of cloud IAM solutions means an increased number of companies can implement secure and compliant solutions without the long lead-times and high cost of traditional product-based offerings.  In this age of rampant data breaches and increased focus on compliance, this is a welcomed development.

Mike

Service Management and identity

Identity & Access Management (IAM) systems need to be reliable, perform well and have adequate end-user support.  When assessing Service Management needs for an IAM environment, a number of factors need to be considered.

Wikipedia defines IT Service Management as ‘a discipline for managing information technology (IT) systems, philosophically centered on the customer’s perspective of IT’s contribution to the business.’  Service Management for an IAM system needs to consider both the business area and end-user needs – and these may differ depending on perceptions, actual usage patterns and functions of the IAM system.

To this last point, IAM offers a wide range of functionality: authentication (login), authorization, account creation, provisioning, administration, reporting, etc.  The service management profile for these functions can vary; for example, login and authorization services need to be highly available and well supported, while functions like reporting are less critical.  Assessing service management for IAM, therefore, needs to look at each functional area of the system.

Data centre service management has swung wildly in the past 30 years, from centrally controlled and highly available mainframe environments to more lax client-server setups of the late 80s and early 90s.  Today’s expectation for the quality of enterprise data centre services has returned to a more strict standard.  Business sponsors and users expect the equipment, network and services to be highly available, with scheduled outages and evergreen plans (for future expansion).

Help desk services need to be assessed to ensure IAM services are properly supported.  Help desk support can range from the basic email, ‘best-effort’ model to full 24/7 phone and remote take-over support.  Understanding end-user requirements is critical to striking a balance between help desk costs and a quality support model.

I’ve had a number of clients identify 24/7 support for their infrastructure and help desks – and then balk when the cost of such a service is realized.  The justification for the blanket support is that if the application is promoted as being online, it needs to always be available.  Many clients want to respond to help requests when they occur.  However, in my public sector experience anyway, these systems (and the IAM providing protection) are often used for non-critical purposes.  Registering for a program, accessing document stores, even retrieving information needed for business purposes – these types of transactions are rarely critical in nature and tend not to deserve ’round the clock support.

In the private sector, the decision to provide this type of support is strictly a financial one.  The cost of supporting users versus the revenue gained (and the long-term benefit to the brand) can be calculated to support extended hours for support.

IAM systems that support medical systems are perhaps the one type of system that will always require extended support hours, highly available systems and responsive end-to-end architectures.  This is particularly true for systems that support health workers (physicians and nurses) and their access to patient and reference information.  Failing to implement an appropriately high level of service management for the IAM systems used in healthcare can be disastrous.

It will be interesting to see what the new breed of patient-oriented portals choose to provide in the way of redundancy, performance and support services.  These emerging systems are geared to providing patients access to their own health information – data that they can use for education, self-diagnosis or treatment – but it isn’t clear that the portals will need to be highly available.  If they do, the sponsors will need to dig deep to fund their operations.

Service management is key to a sustainable identity management solution and a proper assessment of technology, people and processes is an important part of any IAM review.

Mike

Related: Kuppinger Cole have an article on ITIL vs IT Service Management that is worth a read.

Top 10 identity attributes

There was a really interesting discussion going on at the LinkedIn Identity Management Specialists group a while back about the top 10 identity attributes.

My contribution:

  • First Name
  • Last Name
  • Date of Birth
  • Gender
  • Former Last Name (at Birth)
  • Location of Birth
  • Passport number
  • Drivers licence (or state/province) ID number
  • Professional or trade registration number
  • Bank account number

If you have a LinkedIn account this group is worth following. And for Canadian readers, check out Canadiam – IAM in Canada.

Mike

The case for less ocean boiling

I don’t know who invented the term ‘boiling the ocean’ but it is a great description for projects that are too large, too ambitious and, ultimately, headed for failure.  Identity management projects run the risk of being set up to fail because their sponsors are trying to boil the ocean.

The problem lies in the scope of a typical IAM project.  These projects can often try to do far too much — the sponsor and project manager confuse the bigger, long-term goal with the project objective.

In an IAM strategy report I completed last year, my recommendation to the client was to use a phased delivery approach:

Smaller projects are easier to manage because they have a single focus and set of outputs to produce.  Adjustments to follow-on projects can be made based on lessons learned.  And with shorter projects, management can more frequently see the real results as each project completes – reports/briefings can be written and financial benefits documented.

Since 2007, I’ve been working as the IAM Program Manager for another client and putting these ideas into practice.  This program has been established with eight releases.  Each release is a project that runs between six and eight months, depending on the current needs of the business and our sponsor.

The key for keeping these projects short is scope management. The scope is determined a month or so before the project starts.  Inevitably, we get a change in scope sometime in the first few months — a new application needs to be integrated, the auditor wants a critical feature added, etc.

As any project manager knows, the triple constraint means that if you increase your scope, you can either extend the project schedule or add resources (and cost) to get the work completed on time.  This triple constraint is often addressed by clients by pushing out the schedule.  This also increases cost of course, even if the team size stays the same.

My philosophy is a bit different.  I look to trade off scope for… scope.  If six weeks of extra work are added, I will look to see if six weeks’ worth of scope can be removed.  Lower priority work can often be removed from scope and planned for the next project.

In other words, I want to keep the project schedule and costs fairly static so that the team can focus on an end date — and, by extension, new work and a new project after that date.  In a longer term program I place a lot of value in delivery.  The sponsor needs to see solutions delivered and projects closed.  We must be able to report to senior management actual business value and a list of real accomplishments, not just the percent complete on a project.

The end results are higher team motivation over the long haul — in three years, I have had zero team turnover — and better, more measurable business results.

Mike

Federated Identity project

I’ve been scoping a Federated Identity Management project for a few months now.  The implementation will include public users and business partners, and will support tens of thousands of users.

We are looking at a number of use cases with this design, including:

  • a low level of assurance with minimal shared attributes, and
  • a higher level of assurance with sufficient shared attributes to support a split profile.

The challenges are going to be related to privacy (the client is in the public sector) and legal issues.  My focus for the next month will be to try and tackle these issues — or at least get a start on them — before we get too involved with defining the technical solution.

Mike

IAM in 2010?

It has been a busy, busy past few months for Code Technology — new projects, new opportunities and a growing business.  This post provides an update on our project work with, necessarily, client names obscured:

  • Last fall, the Identity and Access Management program that I’ve been leading for a large public-sector education organization paid some big dividends.  Over the past two years my team has been building an IAM system on top of Microsoft’s Active Directory Federation Services (ADFS).  The main work was actually completed over a year ago, and the first web applications with a few hundred users were launched.  But in October 2009 the wider deployment started and we now have over 35,000 users, with as many as 120,000 users to come online in just over three years.  By the end of 2010, we could have a dozen applications using the service, enabling access to the broader education sector in Alberta in ways that have previously been impossible.
  • We recently completed an IAM strategy and program development project for a very large organization (85,000+ employees) here in Alberta.  This enterprise has some compelling identity challenges and high security needs.  What is interesting is that we have been able to construct a strategic framework, then drive out enough detail to define individual IAM projects for inclusion into their overall information security program.  I strongly believe that defining strategy without a defined delivery program as part of the report is useless — how many strategies and architectures do we see that end up sitting on executive shelves? With this project completed, the client now has a clearly articulated strategy and a practical set of projects defined in a format that is easily understandable by business and technical decision-makers alike.
  • We have also been working to develop the Canadiam blog and online community.  So far we’ve managed to create the blog site, populate it with a few posts, create a Twitter hash tag (#canadiam) and set up a LinkedIn group.  We are always open to new commenters, guest bloggers and other contributions so if you are interested in this niche slice of Canadiana, visit the site and let us know!  At the very least, feel free to slap #canadiam on to any Tweets you have related to IAM in Canada.

There really seems to be an increased rumble in the IAM services space — I’ve been at this niche for over seven years and I don’t recall a time when there have been so many implementations in the works. Whether it be government, other public sector or for-profit enterprises, IAM seems to be on everyone’s mind.

In the past few weeks alone, we have had interest in Code’s IAM services from three different provinces — five different projects in total. And that’s just what has crossed my desk — there are at least three major IAM implementations being planned or being delivered in Alberta at present, renewed federal efforts to develop the Pan-Canadian framework, another major project in Manitoba and (from what I can gather) similar initiatives in the other western provinces.

There is a lot going on in the identity world.  Will 2010 be the year that IAM makes a big splash across the country?

Mike


Oracle IAM strategy

Here is the strategy as described in the Oracle Software Strategy presentation yesterday:

Identity Management Product Strategy

• Oracle Identity Management Suite continues as strategic family of products
  – Oracle will support both Oracle Internet Directory and Sun Directory Server with common LDAP administration
  – Sun Role Manager becomes Oracle’s Strategic Identity Analytics offering
  – Oracle Identity Manager remains Oracle’s strategic Identity Provisioning and Identity Lifecycle Management product
  – Oracle Access Manager remains Oracle’s strategic Access Management and Fine-Grained Access Control product
  – Oracle’s Virtual Directory, Enterprise SSO, Entitlements Management, Identity Federation continue as strategic
• Oracle continues to invest in and share technology between Sun and Oracle products
  – Sun Identity Manager will see continued investments and integration with OIM (SPML Adapter Framework)
  – Sun Open SSO will see continued investments and integration with OAM (Secure Token Service)
  – Oracle continues to maintain Open DS
• No change in support timelines or distribution model for Sun products

It is not really a surprise that the Oracle suite makes up the majority of the strategic direction.  I recall a conversation I had with an Oracle rep from the fall — the investment Oracle has made in middleware in the past few years has been huge and it would seem unlikely they’d ditch that code.  Sun Role Manager (formerly Vaau) wins and some of the other pieces (Directory Server and parts of Identity Manager) will be blended in over time.

Based on this announcement, Sun customers will appreciate no change in support and end-of-life product timelines.  If they are running current versions, it would seem that there is ample time to plan for migration to the strategic platform.

Mike

Why invest in IAM?

I find myself being asked this question, indirectly or directly, by clients and prospective clients alike.  With all the demands on IT infrastructure spending and business application development (and integration), and with all the information security risks out there waiting for solutions to be implemented, why should an investment in IAM be a priority?

From the well-respected Kuppinger Cole blog comes this view:

Part of IAM’s job is protecting data, either directly or by protecting the systems that use and store data. That is also the backdrop against which compliance regulation, both internal and external, must be viewed. That also means that it is much easier to talk with business people about “access” rather than about “identity”. The big question is how do we control and monitor access to information and systems? To do that, we need to know who is allowed to do what – and who isn’t. The only way to achieve that goal is through true digital Identity Management. Anyone who thinks he can do it by granting rights and approvals based on IP addresses or MAC numbers is seriously kidding himself.

It strikes me as odd that there are still IT and information security professionals that believe IP and MAC access controls are sufficient, but it appears that this myth persists in enterprises.

Worse, I believe, is the view that the home-spun access control that has been built into legacy applications is ‘good enough’.  Why replumb our existing enterprise and customer-facing systems with a new-fangled IAM solution when we have the problem solved already?

This is a powerful myth that can be hard to overcome. But compared to application-specific controls, IAM has some significant advantages:

  • Compliance — Organizations today must comply with legislation and their own policies.  The access control sub-systems built-in to many legacy applications are simply not compliant, and it may require significant rework and duplicated processes to remedy.  Conversely, an enterprise IAM solution can be implemented to be compliant from the start, and a single set of processes can be created to maintain identity and access information.
    • Example: Privacy Impact Assessments (required in Canada for all projects that deal with personal information) can be done once and shared across all applications.
  • Audit Support — ‘Siloed’ access control systems are very difficult to report on at audit time.  With IAM, consolidating information is much easier and correlating a user’s access through multiple systems can be achieved.
    • Example:  A single reporting tool or sub-system can meet most (if not all) auditor reporting needs.
  • Help Desk Efficiency — With IAM, a single console for Help Desk agents can be implemented for end-user support purposes.  Naturally, a single system will offer improved efficiency and better service to end-users than multiple, application-based systems.
    • Example: Help Desk lookup tools can be standardized and easily learned by new staff. Password policies become consistent. Access to multiple systems can be suspended or revoked from a central point. Service to end-users improves.
  • Leverage and Speed — New applications, especially e-business and e-government systems that have to deal with privacy and security issues, can be readily designed around a common IAM solution.  Deployments can be rapid due to standardized interfaces and re-use of common templates.  Processes can be leveraged, not rewritten from scratch, making the transition to a production environment more seamless.
    • Example: Strategic applications that need to be implemented ‘right now’ can be rolled-out quickly with high security, advanced features and appropriate user privacy protection. Decisions can be made with confidence that the common IAM solution will meet both enterprise and line-of-business requirements.

Real IAM solutions offer real value, making business case development easier and more compelling.  However, widely-held myths about the effectiveness of network and application-specific controls need to be dealt with if broader IAM implementations are to be approved, funded and supported.

Mike