MEDIUM SENSITIVITY. PSCIOC / PSSDC Joint Council Meeting: Identification, Authentication and Authorization Update. Quebec City, February 2005.
MEDIUM SENSITIVITY
PSCIOC / PSSDC Joint Council Meeting
Identification, Authentication and Authorization Update
Quebec City, February 2005
PSCIOC / PSSDC February 15, 2005

Purpose of Presentation
A presentation on the activities of the Cross Jurisdictional Identification, Authentication & Authorization Working Group as of February 16th, 2005 with the aim of:
• Providing a brief update on the work to date
• Identifying upcoming issues and potential next steps
• Identifying possible areas of interest to the PSCIOC/PSSDC
• Outlining early thoughts on future opportunities

PSCIOC / PSSDC Update
Report back made by the Working Group to the joint councils in September. Specifically, the councils:
• Approved in principle the initiation of a second inter-jurisdictional pilot using multiple tokens (at least two) between multiple levels of government
• Raised the point that the business community should begin to work on the non-IT aspects of authentication to ensure that the business interests and drivers are identified and addressed.
To this end the Working Group was to:
• Develop further detail as to the preferred shape and form of a second multi-jurisdictional pilot for a transactional service to be brought forward at the next PSCIOC – PSSDC meeting in February
• Manage consultation/promulgation and subsequent change management to the current version of definitions and standards
• Continue evaluation of the first pilot to feed next steps

Pilot Evaluation
The evaluation of the BC – HRSD WebROE “proof of concept” was to provide outcomes to feed further discussion. The evaluation identified several issues as critical when working towards a solution or set of solutions to cross-jurisdictional IA&A:
• Privacy
  • Government of Canada undertaking a PIA using demo as context
  • Privacy issues paper being shared with PSCIOC privacy subcommittee
• Liability
  • Ontario has developed a Liability issue paper with input from the Working Group (has been forwarded to an Ontario e-Gov Legal committee for review)
• Governance
  • Developing options and recommendations for governance was specifically set out in the Working Group's terms of reference.
  • Have previously tabled work with the joint councils
  • Continuing to refine thinking in the context of the pilot evaluation
  • Will require alignment with any input that may come from the proposed work on authentication business drivers.

IA&A Framework and Guidelines
Manage consultation/promulgation and subsequent change management to the current version of definitions and standards
• Guideline Consultations
  • IAA Framework and Guidelines Consultation Draft finalized in December 2004
  • Wider consultation begun to solicit comment and raise awareness
  • Website established and hosted by ICCS. URL: http://www.iccs-isac.org/eng/iaa_pub.htm

Engaging Jurisdictions in Authentication Partnerships
[Figure: diagram of jurisdictional engagement against level of influence, running from "Now" to "In the future". Level labels: Engagement; Active Participation; Common Interest; Information.]
Text shown in the figure:
• Adoption of common definitions and standards for authentication; Strong Governance; Agreement on Liability, Harmonized privacy; transparent seamless access
• IAA Working Group; Business Drivers; broader external engagement
• PSCIOC / PSSDC meetings; Lac Carling papers
• Ministry web sites; sharing information as required, one off business applications
• Framework, policies, guidelines, enabling electronic authentication, best practices, etc.
Adapted from Federal Government’s “Draft Policy Statement and Guideline on Consulting and Engaging Canadians”, 2001-2002.

The Need for Standards
Figure 1: Comparison of Assurance Levels and Authentication Methods
The methods for identity verification are even more disparate than the authentication methods.

Vision on Consultation
Outcomes
• Authentication methods alone are not sufficient for performing a trusted transaction with individuals
• Need design of protocols for establishing shared secrets etc. that make up identity verification and how to handshake with other jurisdictions
Strategic Goals
• Move the yardsticks on Authentication Framework and Guidelines
• Develop more “depth” to terms and definitions
• Strengthen authentication practice and practice assessment tools
• Engage on governance options to manage common standards and ensure privacy, security and legal / liability are addressed

Consultation Plan
• Federal Government’s Public Works and Government Services
• Service Ontario (MCBS – Ont.)
• Government of British Columbia Authentication Project
• Nine Canadian Provinces
• Two Major Municipalities (City of Toronto, City of Winnipeg)
• Industry Canada
• Canada Revenue Agency
• Human Resources and Skills Development Canada
• Department of Foreign Affairs and International Trade
• PSSDC / PSCIOC Privacy Sub-Committee
• National CIO Subcommittee for Information Protection
• Smart Systems for Health PMA
Enabling a target environment of a “no wrong door” approach to the delivery of government e-services.

Moving Forward on Authentication
• In September the joint councils asked the Working Group to bring forward further detail as to the preferred shape and form of a second multi-jurisdictional pilot
• Proposing an Ontario public sector pilot assessing interoperability with the Federal Government’s epass
• It is imperative that the proposed pilot also link to business objectives and preferably with work that is already underway
• Service Ontario (MCBS) has agreed to be the business area champion and will provide an application for the pilot
• The government transaction finally selected will be a real, tangible business function (e.g. Change of Business Information)
• It is expected that the resulting work can be leveraged as a model or shared application beyond the pilot.

What is ISI?
Pilot will use Ontario’s Integrated Security Interface (ISI)
• ISI is a model which encapsulates the Ontario IAA authentication approach to citizens and program areas
• A centrally managed privacy and security compliant service for authentication with decentralized authorization in the program areas:
  • Meets multiple medium authentication needs
  • Includes single sign-on for Ontario citizens and businesses to government online services
  • Accepts multi-token for no wrong door Citizen-friendly access, seamless service
  • No traceability back to program areas, avoiding the consolidation of data or a central citizen profile, protecting citizens’ privacy rights
  • Visa 3D

Project To-date and Planned
• Non Disclosure Agreement in process of sign-off
• Proof-of-concept technical connectivity test, 1st Quarter 2005
• Continued meetings with business areas to develop business drivers/scenarios
• Multi-token Proof-of-concept pilots begin, 3rd Quarter 2005

Business Alignment
• Initial set of notes on business drivers for authentication was developed. Comments have been provided.
• Service Ontario has been working on a business scenario with several partners
• Jointly creating a Proposal for a Business Driven Pilot
• Actively seeking participants

Proposal for a Business Driven Pilot
• Most likely inter-jurisdictional business function for Change of Business Information
• Identifying Business and IT partners to get agreement and commitment
• Joint stakeholder consultation has begun
• Establishing participants and CLEAR DELIVERABLES
• SIGNED CHARTER with roles and responsibilities is being developed
• Update at Lac Carling IX

For Comments or Questions Contact:
• Jeff Evans
  Chair, IA&A Working Group
  Office of the Corporate Chief Strategist
  Management Board Secretariat
  Government of Ontario
  416-327-4107
  Jeff.evans@mbs.gov.on.ca
• Debbie Farr
  Director, Service Design & Implementation
  Service Ontario
  Ministry of Consumer and Business Services
  Government of Ontario
  416-326-5459
  Debbie.Farr@cbs.gov.on.ca

Background on IA&A
• Historically, client identification, authentication, and authorization have always been done at counters…
• Now we need to look at how we do this in a world of integrated, cross-jurisdictional service delivery through multiple channels that is customer-focused, seamless and convenient
• This means, electronically:
  • Creating and issuing a persistent verified electronic identity (based on assessment of evidence that has been presented to support the claimed identity)
  • Establishing at the start of each online session the validity of that identity, as appropriate, based on assurance level
  • Granting or denying access to online information or services based on the transaction or program specific business rules of the online service
• At the same time we must ensure privacy, security and legal / liability are addressed

IA&A Cross Jurisdictional Working Group
• IA&A Working Group is a national initiative being led by Ontario under the joint direction of the Public Sector CIO and Public Sector Service Delivery Councils (PSCIOC, PSSDC).
• The Working Group continues the work on Identification, Authentication and Authorization issues identified as being critical to Electronic Service Delivery at Lac Carling 2003.
• The goal is development of a standard that all jurisdictions can use to simplify the work to build cross-jurisdictional IA&A systems and to provide a consistent, coherent client experience
• Covers full scope of transactional relationships, i.e. G2C, G2B, G2G
• PSCIOC/PSSDC gave final approval to the Terms of Reference and the Draft Work plan on September 30th, 2003.

IA&A Working Group Results To Date
• Version 1.0 IAA Framework and Guidelines
  • For inter-jurisdiction application, including trust levels, have been completed and are ready for wider consultation. The framework includes:
    • A common set of definitions and vocabulary
    • Practice Assessment Framework & Guidelines for IA&A
• Pilot
  • Developed proof of concept shown at Lac Carling; evaluation is ongoing
  • Proposing initiation of a second pilot
• Privacy
  • Government of Canada undertaking a PIA using demo as context
  • Privacy issues paper being shared with PSCIOC privacy subcommittee
• Liability
  • Ontario has developed a Liability issue paper with input from the Working Group (has been forwarded to an e-Gov Legal committee for review)
• Governance
  • Strong standards and governance being proposed to ensure privacy, security and legal / liability are addressed

Thinking for the Long Term
• Legal / Liability key issue to all stakeholders (clients, service providers, government)
• Legislated privacy requirements and privacy principles must be respected
• Alignment of legislation to support authentication
• Common Security practices
• Risk Assessment based Information Classification
• Strength of Assurance
• What should a governance body for IA&A standards look like and what should they govern?
• Compatibility with multiple jurisdictions’ policy frameworks
• Complexity & Cost escalates as sensitivity of information and business risk increases.
• Transparency to enhance client trust.

Putting the Picture Together on IA&A
[Figure: diagram of existing applications and authentication services resting on a common foundation. Labels, in the order they appear: Managed Risk & Liability; Convenient; Ease of Access; Existing Municipal / Federal / Provincial Application #1; Existing Municipal / Federal / Provincial Application #2; Cost-effective; Customer-focussed; Leveraged Registration; Shared Information; Privacy; Existing Municipal / Federal / Provincial Authentication #1; Transparent; Cross-jurisdictional; Existing Municipal / Federal / Provincial Authentication #2; Credentials Inter-operability; Security; Shared Credentials; Agreed Level of Assurance; Chain of Trust; Common Framework, Governance, Practices & Definitions.]