State Launches Single Identity PilotNational Strategy for Trusted Identities in Cyberspace Update
A pilot project the state of Pennsylvania is launching to develop single identities for residents could help reduce fraud as it piggybacks on existing enterprise directory services, state CISO Erik Avakian says.
The National Institute of Standards and Technology awarded Pennsylvania a $1.1 million grant as part of the National Strategy for Trusted Identities in Cyberspace, or NSTIC, a public-private initiative to seek ways to create a so-called identity ecosystem that lets individuals choose from an array of credentials to transact business online (see States Test New Credentialing Approaches).
"This is really going to enable convenient, secure, privacy-enhancing online transactions for our customers," Avakian says in an interview with Information Security Media Group (transcript below).
"This grant is going to enable a secure ... online transaction which should also reduce fraud," Avakian says.
Pennsylvania is conducting the project at the Department of Public Welfare because it maintains a robust enterprise directory that provides single identities to employees. The pilot will be extended to other agencies as the state validates the new credentialing approach.
In the interview, Avakian discusses how the pilot project:
- Could help reduce fraud;
- Piggybacks on existing enterprise directory services that provide single identities to state employees;
- Employs outside identity verification services.
Avakian became the commonwealth's CISO in June 2010 after serving more than three years as deputy CISO. Before joining state government, Avakian spent more than a year as a security consultant to the state. He holds a number of certifications, including Certified Information Systems Security Professional, Certified Information Systems Auditor and Certified Information Security Manager.
Single Identity Project
ERIC CHABROW: Take a few moments to tell us about this project.
ERIK AVAKIAN: NSTIC, which is the National Strategy for Trusted Identities in Cyberspace program under NIST, put out a grant and we were lucky enough to get one of those grant offerings from them as an award. ... We have a pretty robust identity management program in place in the commonwealth and it enables us to enhance that process where, as far as vetting inside users which we do, we can vet outside users as well.
We've been working with partnering with one of our sister agencies, the Department of Public Welfare. Through working with them and the funding that we have, we can really pretty much provide identity verification for users that are outside the commonwealth, users inside the commonwealth, and it's really to bridge that gap between the public and the private sector. I think that's one of the goals [of the] NSTIC grant.
This is going to really enable convenient, secure, privacy-enhancing online transactions for our customers, and it will also help reduce fraud by enhancing the user experience by allowing them to register once. Once their identity is validated through certain entities, then they won't have to repeat that same process multiple times as they transact business with other entities. It's really to bridge that gap between the private and the public sector by using identity verification services, and it's something that the federal government has been looking to do for a long time. We hope that, through this grant and through this process, we can provide that type of example for other organizations to follow.
CHABROW: In describing the challenges the state faces in developing a single identity, you gave an example of a resident who might be known with one agency as J. Smith, with another agency as John Smith, and with another agency as 123456. How difficult is it to combine those various identities into one? What are the steps you need to take that you will see in this project to get these different identities into one identity?
AVAKIAN: When we look at the different John Smiths that might be in these directories, one of the ways that we're going to help utilize this is by consolidating our directory structure. For instance, the Department of Public Welfare today has a pretty advanced enterprise directory with over 2 million citizens in it. Utilizing that directory as the enterprise directory, we can really avoid all of these other user names and user accounts, because they're all in one directory.
That being said, there's an extra layer of that authentication, which has to do with vetting that person's actual identity. It's actually this John Smith versus another John Smith. That's really where we get into an identity verification type of service, whether that's through one of the identity service providers that are out there. There are multiple different companies that do those types of things. This is very similar to the way that other organizations have had this type of thing set up.
But I think what has been difficult is how do you then bridge that gap between a user that's maybe inside the commonwealth - whether it's a commonwealth user or a customer of the commonwealth for a commonwealth application - and then an application on the outside? It's bridging that gap between those two areas. That has been a challenge for the public sector, and it's something that the federal government wants to do.
CHABROW: Why has it been a challenge?
AVAKIAN: It's been a challenge because of the general strategy around identity. How do we know that this person is who they say they are and what level of access are they looking for? [That's] something that's very basic, where one can provide the most basic element of identity, based off a few security questions that look back to an identity provider to say: Is this person actually this person? Where did you last live ten years ago? These are some of those questions that you might see with some of these identity proofing services that prove that user is who they say they are.
Those are the things that we hope to implement with this. It's to provide the end-user access to what it is that they need. If they need a very simple level of access, they might not need such an extreme form of authentication and authorization. But as they get to require more and more types of services, or if they're looking to do a much more secure transaction, then that identity becomes even more important and it's very important to identify.
That has been a challenge for organizations. We're in a good spot in the commonwealth because we do have some great solutions. Like I said, we have that enterprise directory structure in place that we can utilize not just for our citizens, but for our business partners. We also have an identity management solution in place in the commonwealth. We're a pretty mature organization. We standardize on a lot of enterprise standards. We have a consolidated environment of 80,000 users all under one e-mail system. Those types of things can be leveraged from a positive standpoint when you're trying to do such a project like this.
Utilizing Existing Solutions
CHABROW: You say you have an existing identity management solution?
AVAKIAN: We have a solution today for on-boarding that works with our employees and, because we have that consolidated environment of 80,000 users, we can employ this as an enterprise system. That's something that we've been able to put into the commonwealth.
CHABROW: Those same tools you use to verify employees you can now use for constituents?
AVAKIAN: In some regard. We're still going to have to look for those identity-proofing outside vendors or third-party services when it comes to the actual citizens.
Project's Ultimate Goal
CHABROW: Ideally, if this works, a citizen who may be taking advantage of services in different agencies would be able to just have one identity that can be used for all these various agencies and services, correct?
AVAKIAN: That's the ultimate goal in doing this very targeted pilot. But I think by doing this pilot, we can then potentially expand upon that with other agencies, other applications and other external entities. That concept of starting small or starting with a certain set and then trying to expand upon that after the successful implementation, that's what we're looking at doing. ... We have a very tight timeframe, so we've already started meetings and started working on this. We'll be moving forward and hope to have some good results.CHABROW: What's that timeframe?
AVAKIAN: I'm pretty sure that they're looking for some goals or some end results before the new fiscal year, which is June 2014.
Managing Single Identity System
CHABROW: How do you envision this system of single identity to be managed? Would that be something through your office or would that be someone else overseeing this?
AVAKIAN: From a governance standpoint, we're working through my office with the project management aspects of this, but we're working closely with our folks at the Department of Public Welfare. It's a joint effort with additionally the Department of Health. It's this governance structure of multiple agencies working together, but ultimate project management will happen out of our office.
CHABROW: Why did you pick the Department of Public Welfare?
AVAKIAN: They're well-positioned to do this. They've got a great business case and they've got that directory service that we can leverage. They're also an agency that has been looking to do this for quite a while. I just think it makes sense; the synergy is there. The same goes for the Department of Health. The Department of Health is very interested as far as how this can be leveraged to help their business. It all maps back to their business. These agencies are in a position where, if we do this, it will help their business because they do a lot of business with the citizens, not just internally with the end users in the commonwealth but also the citizens. It really maps back to their business.
CHABROW: When you discuss having a specific identity for each constituent and resident that uses various state services, how does this work with things such as passwords? Would they still need to have separate passwords for different agencies?
AVAKIAN: A lot of these things are still being worked out. It's a little premature for me to go into all the different methodologies of how this is going to work. I'm going to leave that up to the technical team to work through those things. We hope to have that project plan soon.
CHABROW: But the benefit for the state would be that they would have just one identity for whoever is using whatever services, if this is eventually rolled out to everyone?
AVAKIAN: That would be a benefit to get to that end goal. It really comes back to: Who is this person, what level of access do they need and how do we know it's really that person? That comes down to the ultimate goal that we're trying to achieve and we'll see what we can do. We're in a good place not just from a strategic standpoint, but where we are with our solutions that we currently have in place to make this happen.
CHABROW: When something like this is implemented, do you envision cost savings for the state?
AVAKIAN: Ultimately, it's always beneficial to have any kind of return on investment. That's what we're really looking to show with this, not just does this work from a technical standpoint, but from a return-on-investment standpoint. The ease of business and the ease of enhancing the business experience will save time and money. Those are all different metrics that we look to achieve from the program.
CHABROW: Would it also be something that would help reduce fraud?
AVAKIAN: Absolutely, if we can show those metrics. One of the things that this grant is going to enable is that secure, privacy-enhancing online transaction which should also reduce fraud; it's not just enhancing the experience of the user, but reducing that fraud. If we have some good metrics to show behind that, it will gain some good traction for future funding; not just having a pilot, but then moving beyond the pilot into a massive role.