Chris Haynes - PowerPoint PPT Presentation

Provided by: jonathant
Transcript and Presenter's Notes

1
Chris Haynes
Director of EDT (Electronic Delivery Team), Cabinet Office
2
  • Developing Employee Authentication in Government

Connecting the Dots.
3
What are the dots?
  • Assets
  • A group of recently developed government assets
    which provide stronger and more secure forms of
    access and authentication, delivered to an
    industrial scale. These include:
  • Government Gateway
  • Government Connect
  • Sponsorship and Vision
  • Major public sector organisations sponsoring
    Employee Authentication and Registration
    initiatives which provide exemplar developments
    with a vision to connect ALL public sector
    employees. These include:
  • DCSF, CLG, and DWP working on ContactPoint,
    Housing Benefits for LA staff
  • MoD and EDT working on strong authentication for
    MoD employees
  • DWP working on CIS for LAs

4
What are the dots?
  • Responding to a need
  • The need to underpin transformational government,
    service transformation, efficiency and G2G
    collaboration with underpinning infrastructure to
    secure, share and strengthen employee working
    xGovernment, including:
  • Data access and Sharing
  • Remote working
  • Collaboration Technologies
  • Etc.

5
No 1 EAS Scope and Target Benefits
  • Scope
  • A scalable, sustainable and secure solution for
    local government employees to access sensitive
    information in central government systems
  • Ready to roll out from November 2008
  • Scalable and flexible to support multiple
    applications across government
  • Endorsed and security accredited as a core shared
    government asset
  • Set-up funded by DCSF and CLG
  • DCSF acting as driving customer
  • Target Benefits
  • Avoid the need for employees to use multiple
    authentication processes/tokens
  • Support greater collaboration/joint working for
    the benefit of citizens, children, learners
  • Provide cross government aligned processes and
    systems for secure sharing/accessing of
    sensitive data
  • Improve efficiency through re-use within central
    and local government
  • Consistent with pan-government policies and
    architecture (PSIT, xGEA)

6
Project development since March 2007
  • Completed high level solution architecture
  • Design reviewed with CJIT, GG and ContactPoint
    and endorsed by Cross Gov CIO Council
  • Evaluation of assets against requirements
  • GG, CJIT, NHS and market sounding
  • Response to invitation to participate from GG and
    CJIT
  • Local Authorities positively engaged
  • 11 early adopter LAs on working groups
    (Registration and operation)
  • Sub-group reports defining policy on key areas
  • Registration, Operational Impact, Trust and
    Sustainability
  • Full business case and evaluation of proposals
    completed end November
  • EDT Government Gateway appointed to develop
    components of solution

7
EAS Governance
SRO
DCSF
CLG
DWP
CIO/CTO Council
ContactPoint Brent LA Becta Gov Connect EDT
EIAS Project Board
EAA Working Group
LAs: Salford, Newham, St Helens, Herts, Derbyshire, Hants, Leeds, London Connects, LeGSB
DWP, DWP/EDT, NHS, Ministry of Justice/CJIT, MoD, CSIA/CESG, Becta
CLG/DCSF Community of Interest working group
CLG, DCSF, EDT, DWP
Operational model implementation guide
Policy on min registration procedures
Achieving shared trust
Sustainability and migration
Salford6
LeGSB, Hants, Newham, Brent
CSIA, DCSF, CESG, Gov Connect
8
The Solution
Common Trust Framework (rules and standards)
LA
Shared Identity Provider Service (IDP)
Authentication Broker
DCSF Applications
Quick and simple integration
LA
DWP Applications
LA
LA
Own IDP Service
Other central govt apps
NHS
Own IDP Service
9
EA Components
Central Hub
Registration Authority (LA or National Partner)
Service Provider
Service Provider
Shared Identity Provider
Administrator
Administrator
Authentication Broker
People and processes
Account
Service
Attributes
Web
service
portal
Integration support for central government
services
People and processes
Service Integration Support
Application integration service
Test environment provision
People and processes
Existing Government Gateway platforms
New Government Gateway capability
10
The EAS plan
Government Gateway
Test
Test
Development
Develop
Develop
Test
Full federation
ID Provider
WAYF page
Pilot Roll out
2nd pilot
Early Adopters
DCSF Pilot
Proof of Concept
CP EA
The 2nd pilot will be based on the production
environment
DCSF Pilot will reuse the Proof of Concept
solution
The Proof of Concept will not involve the
production environment
Supporting activities
Communication
eDT moving to DWP
Government Connect moving to DWP
11
xGovernment Trust Architecture
Communities Of Interest
Service Providers
Trust Broker
IDP
Authn/Authz
Governance and standards
IDP
Authentication
IDP
Trust enforcement services
No access mgmt
IDP
12
Standards for Trust assertions
xGovernment Trust Standards
Authentication Assertion
Personal Attributes
Maturity Attributes
Service 1 Attributes
Service 2 Attributes
Actor ID
IDP ID
Confidence
Role
Role
M
O
M
Min enrolment flag
O
13
Registration Policies Subgroup
  • Sources
  • Baseline Personnel Standard
  • Minimum Requirements for the Identification of
    Individuals
  • ContactPoint Security Policy
  • Approach
  • Identify a set of scenarios where Registration
    policies will be required.
  • Identify a set of Actors to represent types of
    Employee
  • Generate Use Cases from each of the scenarios
    and for each Employee Type.
  • For each step in the Use Cases, construct the
    Policy implications drawn from existing Law, and
    Good Practice.

14
Operation Model Subgroup
  • Deliverables
  • The subgroup will build upon the existing work
    and take this analysis to the next level of
    detail to produce an implementation guide for
    Local Authorities who wish to participate in the
    scheme. This guide will include the following:
  • readiness assessment
  • training information
  • guidelines on activities that are required and
    when they should take place
  • what technology is required
  • roles and responsibilities
  • document management advice

15
Sustainability Group
  • Outcome
  • Understand requirements for wider adoption by LAs
    and schools and maximise the use as a shared
    asset.
  • Complete sustainability model/route map for
    deployment across LA domain (up to 2m users).
  • Membership includes DCSF, CLG and DWP, LAs and
    EDT (Government Gateway)
  • Key Deliverables
  • Sustainability Business model
  • Deployment Strategy
  • Marketing Strategy
  • Support Strategy

16
Ministry of Defence leading on strong authentication...
17
EA Requires Identity Assurance
  • Single process for Identity assurance for a
    Government Identity.
  • Single set of credentials for the
    customer/employees to access multiple government
    services and data
  • Strong authentication to enable access to secure
    data services
  • Trust between Government

Local Govt
Central Govt
Health
Citizens Business
18
Government Gateway EA Functionality
  • Single Set of Credentials - User ID and Password,
    Security Phrase, Digital Certificate
  • Single Sign On Portal - Provide a central
    authentication page to allow credentials to change
    without forcing departments to change.
  • White labelled user Interface - Departments can
    simply re-brand the Gateway functionality
  • Intermediaries - Support for the delegation of
    permissions from a citizen or a business to an agent
  • Users and Assistants - For businesses allow the
    employee to create multiple users and define
    service permissions.
19
  • Stronger Forms of Authentication

20
Chip and PIN Authentication
MOD Service
Government Gateway
Pan Government Shared Service
MOD Identifier
User requires a smart card and a personal card
reader
Chip Authentication Service
21
Registration and Card Issuance
MOD Employee
MOD Registration Authority
1
22
Chip and PIN Authentication
MOD Portal
1
23
Chip and PIN Authentication Government Gateway
SSOP
Enter Unique Number
123ABC
24
Chip and PIN Authentication: Card Reader Interaction
Challenge
12345678
ENTER PIN
Challenge?
Challenge? 12345678
Response 87654321
Response
87654321
25
Chip and PIN Authentication
User
4
5
Government Gateway SSOP
26
Chip and PIN Authentication
User
MOD Portal
6
Welcome to the MOD Secure Home Page
27
Delegated Rights Management
Organisation
Organisation
Current Model: Each employee that needs to access
government services needs a Government Gateway
user ID and Password.
Delegated Model: Each employee can authenticate
using their organisation credentials to access
Government services.
28
Registration Services for Government Employees
Government Gateway Employee Identity Services
Identity verification to level 2
Identity Checking Service
Workflow process and enrolment
Registration Service
Credential Issuing and Management Service
Tokens will be Smart Cards or one time password
tokens.
Storage of the service permissions for employees
Employee Attribute Store
Authentication Service
Addition of the one time password token
authentication
SAML 2.0 Browser Post Profile for Single Sign On
SAML 2.0
29
Authentication Broker
Common Trust Framework (rules and standards)
LA
Government Gateway Identity Provider Service (IDP)
ContactPoint
LA
Central Gov Services
Own IDP Service
LA
Authentication Broker
NHS
Own IDP Service
Local Gov
Private Sector
Own IDP Service
30
EU ID Interoperability Pilot
  • In the UK, the authentication broker maps very
    closely to the anticipated Pan European Proxy
    Service Functionality.

Identity Providers
PEPS
Service Providers
Identity Interoperability Common Trust
Framework (rules and standards)
Identity Providers
Identity Providers
PEPS
PEPS
Service Providers
Service Providers
31
Information Assurance Underpinning the Moves on
Employee Authentication
  • Chris Haynes
  • Director eDelivery Team