Post on 25-Dec-2015
2006 CACR Privacy and Security Conference
November 3, 2006
Identity: Setting the Larger Context, Achieving the Right Outcomes
Identity: Outline
• Introduction
• Context
• Way Forward
• Outputs
• Summary
Identity: Introduction
Identity: Clients & Outcomes
External Clients: Individuals and Businesses
• Improved delivery of government services
• Increased safety and security
• Enhanced human rights and freedoms
Internal Clients: GC Employees and Contractors
• Increased productivity
• Decreased time to on-board, off-board personnel
• Increased compliance with security, privacy and IM policies
Identity: Objectives
• Bridge the gap between the many service and security communities
• Engage stakeholders and gain consensus
• Develop a conceptual framework that can be used for:
– Developing and aligning to a single GC-wide vision
– Developing GC-wide identity principles
– Establishing a common view of identity and compatible program and project approaches
Identity: Approach
Steps and Key Questions:
• Mandate/Priorities: How do we use identity to fulfill our mandate and address our priorities?
• Clients & Stakeholders: Who are our clients and stakeholders; what do they need?
• Principles/Policies: What is our scope and how do we align to the relevant principles and policies?
• Risk Analysis: What are our risks with respect to identity?
• Assurances: What assurances do we provide or require?
• Services/Capabilities: How do we plan to deliver services or deploy our capabilities?
• Business Processes: How must we organize ourselves and what process must we use?
• Technologies/Solutions: What are our options for technologies or solutions?
Work Products: Project Charter; Needs & Outcomes; Lexicon, Principles; Risk-Event Model; Assurance Model; Service Agreements; Business Architecture; Technical Criteria
Inputs: Policy Guidance; Technical Guidance; Standards; Practices; Solutions; Existing IDM Products; Relevant Principles; Technologies
Outputs: IDM Policy, Directives, Standards; IDM Enterprise Architecture; IDM Guidelines, Tools, Best Practices; GC-Specific IDM Products; IDM Solutions
Identity: Context
Identity: Government Context
Government Context: Working together in the public interest to ensure that we uphold what we believe and value as a society.
Identity is critical to our society, our governments and institutions
Identity: Drivers
• Privacy & Security Drivers:
– Economic: Identity Theft/Fraud
– Public Safety: Law Enforcement
– National Security: Anti-Terrorism, Border Security
• Citizen-Focused Drivers:
– Citizen-Centred Service Delivery
– Increasing Client Satisfaction
– Ensuring Rights of Citizens
• Integrity and Accountability Drivers:
– Program and Service Integrity
– Transparency
• Organizational Transformation Drivers:
– Rethinking of Government as a Single Enterprise
– Shared Services Model
– Inter-Agency and Inter-jurisdictional Collaboration
Identity: Roles of Government
Establishing Identity
• Shared jurisdiction:
– Federal role: for those arriving in Canada
– Provincial / Territorial role: with Vital Statistics - born in Canada
• Based on relatively standard set of core attributes including:
– Name
– Place of Birth
– Date of Birth
– Gender
– Citizenship
Communicating Identity
• Numerous organizations involved at all levels of government, for example:
– Federally issued: Social Insurance Number (SIN), Passport
– Provincially issued: Birth registration #, Birth certificate, Health card, Driver’s license
• Most organizations require a similar base of information to provide identification
• Some additional needs specific to the organization
Authenticating Identity
• Separate stand-alone processes by department or program for authentication: Epass, CRA, Service Canada, etc.
• Many different functions for validation or verification for clients’ identity
• Many enabling technologies: PKI, biometrics, tokens
Current Roles…
Ideal Roles…
Identity Management Today
Government departments/agencies have similar needs with respect to identifying individuals and request similar information
Purpose – primarily Security and/or Service delivery
Same or similar information collected, and then shared in ad hoc and disparate ways:
Clients provide same information – different times, different formats
Complex network of information sharing agreements between federal government and other jurisdictions
Many bilateral agreements with provinces and territories related to the use of personal information
Integrity varies, depending on source and on associated program/service risk
Identity: Way Forward
Identity: Defining the Opportunity
‘The Government of Canada’s ability to fulfill its mandate can be greatly improved through a common understanding of identity. A whole of government approach to identity is a critical requirement to the integrity of government programs and services.’
As approved by ADM Identity Committee, Mar 3, 2006
Identity: Defining the Issue
‘Making sure you are dealing with the right person’
Identity: Defining the Concepts
Identity Management: the set of principles, practices, policies, processes and procedures used to realize the desired outcomes related to identity.
Identity: a reference or designation used to distinguish a unique and particular individual (organization or device).
Identity: Strategy Statement
Develop a common approach consisting of:
1. A common understanding of key identity concepts and principles;
2. A single view that promotes a consistent application while enabling transparency and accountability; and
3. A comprehensive action plan appropriate to the many systems, programs and government organizations that depend upon identity.
Identity: Outputs
Identity: Draft Principles
1. Justify the Use of Identity.
2. Identify with Specific Reason.
3. Use Appropriate Methods.
4. Enhance Public Trust.
5. Use a Risk-Based Approach.
6. Be Collectively Responsible.
7. Uphold the Rights and Values of Canadians.
8. Ensure Equity.
9. Enable Consistency, Availability, and Interoperability.
10. Maintain Accuracy and Integrity.
11. Preserve Proportionality.
Draft as approved by TBS CIO
Identity: Evidence & Assurance
Evidence of Integrity (EOI): Assurance as a whole, pertaining to a system, process, token (physical or electronic), etc.
Assured by: Assurance of Integrity
• TBD
Evidence of Identity (EOI): Evidence that the individual is really who they claim to be - their ‘true’ identity as required by law.
Assured by: Assurance of Identity
• Level 1: Little or no confidence in validity of claimant’s identity
• Level 2: Some confidence in validity of claimant’s identity
• Level 3: High confidence in validity of claimant’s identity
• Level 4: Very high confidence in claimant’s identity
Evidence of Control (EOC): Evidence that the individual has control over what has been entrusted to them.
Assured by: Assurance of Control
• Level 1: Little or no confidence that claimant has control over what has been issued to them (e.g. token/identifier)
• Level 2: Some confidence that claimant has control over what has been issued to them
• Level 3: High confidence that claimant has control over what has been issued to them
• Level 4: Very high confidence that claimant has control over what has been issued to them
Evidence-Assurance Functions
COMMON IDENTITY EVIDENCE-ASSURANCE FUNCTIONS
INPUT (Evidence) | OUTPUT (Assurance) | LEVEL
Evidence of Identity | Assurance of Identity | [1-4]
Evidence of Integrity | Assurance of Integrity | [1-4]
Evidence of Control | Assurance of Control | [1-4]
FUNCTIONS (Evidence-Assurance):
1. Evidence Gathering
2. Validation, Verification, Vetting
3. Adjudication
PROGRAM or MANDATE-SPECIFIC EVIDENCE-ASSURANCE FUNCTIONS
INPUT (Evidence) | OUTPUT (Assurance)
Evidence of Eligibility | Assurance of Eligibility
Evidence of Status | Assurance of Status
Evidence of Trust/Reliability | Assurance of Trust/Reliability
Evidence of Entitlement | Assurance of Entitlement
Evidence of Privilege | Assurance of Privilege
Evidence of Authority | Assurance of Authority
Evidence of Custody | Assurance of Custody
Evidence of Event | Assurance of Event
Evidence of Residency | Assurance of Residency
Evidence of […] | Assurance of […]
FUNCTIONS (Evidence-Assurance): Evidence-Assurance functions are specific to the program or mandate.
Identity: Draft Framework
[Diagram. Labels: Identity Principles; Justified Use; Legislative and Policy Context; Lexicon; Processes (Establishing Identity, Communicating Identity, Authenticating Identity); Assurances (Assurance of Identity, Assurance of Integrity, Assurance of Control, shown three times); Functions (Evidence, Assurance); Authorization; Service Delivery; Grant of Status/Authority; Security; Access; Enforcement; Audit/Compliance; Technology Enablers]
Currently being developed by the TBS CIOB Identity Team
Identity: Summary
A single GC-wide approach that:
• Recognizes common requirements throughout government
• Leverages current investments and accomplishments: Independent of technology or solution
This is a journey in progress….