Second-Chance Points

North Carolina Deputy CIO Bill Willis talks about tackling statewide ID management ... again.

by Chad Vander Veen / December 26, 2006
The January 2003 issue of Government Technology reported on North Carolina's efforts to deploy a statewide ID management application. At the time, the North Carolina Identity Service (NCID) seemed promising. The story covered the proposal to roll out individual user IDs for both state employees and residents. The plan was that these IDs would eventually grant access to every state service available online.

When the story first ran, the outlook for NCID was bright. Unfortunately, there were clouds on the horizon. North Carolina's Chief Information Security Officer Ann Garrett told a Government Technology reporter that with the state's 26 agencies and 80 boards and commissions, one challenge would be "getting everyone floating their boat in the same direction."

Interagency cooperation was but one of a number of factors that eventually derailed the project. Current Deputy CIO Bill Willis talks about what happened to the project, as well as how -- and why -- the state got NCID back on track.

The ID management initiative originally kicked off in 2001 with unsuccessful results. In 2005 you tried again. What was different this time?
Commitment, different laws and organizational structures.

In December 2004, the Legislature passed a law mandating an IT consolidation plan. They gave the CIO -- who prior to that, had sort of run a shared-services organization without a lot of control over agency things -- significant control over projects.

We have more teeth than we had before. That's part of it. The other part of it is, from my view, the organization -- even our own -- never made a commitment to it. You have an identity management solution sitting there and your own e-mail doesn't use it.

To reinvigorate this, we renamed it. All new projects are required to either use NCID or show to some significant degree why they cannot or why they should not. Our new HR/payroll system that will be rolling out over the next two years -- followed by a complete ERP [enterprise resource planning] on the same platform -- will be using it. So every state employee will have to have an ID to begin that. Our e-mail system will be switched to it.

Another part of it is, because nobody committed to it, they didn't beef up the infrastructure the way they should, and it just sat there and withered. We've now made a commitment to it, organizationally in the shared service, organizationally around the ERP program, and every IT project in North Carolina has to sit in front of me and tell me how they're going to do it, or why they can't. And why they can't is a significant burden. They have to tell us why they're going to invest more money and not move to this scenario.

It's got to be tough to explain why you shouldn't have to do this.
Someone asked me how we're getting people to do this. Generally we're bullying them into it. Everybody's going to come right off the bat and say, "Oh, I can't do it; this adds risk to my project."

It's one of those things you have to have leadership commitment to early on. So we just need to shove them over -- part of that's through force, part of that's through logic, part of it is getting them ready, so down the road we can lower the barriers to transition them in.

But it's mostly a commitment. The reason the first one didn't work is because they didn't commit to it. They didn't drive it. This is one of those things ... the absolute top-of-the-list thing for success is you must be committed to it. This is in that category. You can build it, but they will not come unless you make them.

Metcalfe's law is basically an adoption curve of networked things. You have a low adoption rate until you hit a certain point, a critical mass. The way you get through that early part, in this particular case, it almost has to be by commitment.

For the state employee part of this, as we roll out our HR/payroll [this] year, we'll cross that adoption curve. We're in that phase of being committed and just grunting it out. But I believe that by this time next year, it will be default for new things having to do with state citizens.

We're working on ways to engage our universities and local governments because they use our services a lot. There has to be an engagement with them that you validate who's who. And then, there's a whole series of processes of how you use this with citizens, which is where your real payback comes from eventually.

Do you have any citizen-facing applications?
We have some. I know the secretary of state's office is using it for corporate citizen kind of functions in some ways. The Department of Revenue [DOR] is preparing to use it first for corporate taxes and then citizen income taxes.

Just because you have an identity-management system does not solve your need to relate, for example, a set of income tax filings and an income tax account to a particular ID. A citizen may be able to come into our portal and register for and get an NCID, but then if they want to associate that ID with their income taxes or their DMV [Department of Motor Vehicles] record or something like that -- so they can log on and do business that way -- there's still a subscription process you have to go through that's very much like what you would do if you created an independent ID for that user in that agency.

We can't say this guy's registered, therefore he can see his taxes and he can see his motor vehicles records, etc.

We can say he's registered, then he has to go through a process at DMV or DOR and answer some secret questions about that account, and then they could link the two together.

We can authenticate the person, but then [the agencies] need to authorize them in a way to use their systems. The connectivity between those two things is an interesting process, and it's different for different services.

Would you say the project was partly driven by the state's general IT consolidation efforts?
Sure. You sort of have architectural vision for where you want to go. We, like every other state, would like to make much more use of the Internet and electronic access through whatever means to serve our citizens. But to do it in some sort of fashion that doesn't cut that citizen up into a different person for each agency they touch is much more difficult.

We have about 8 million citizens in North Carolina. We have 100,000 state employees. If we just take those 100,000 employees, and each of them needs to use five business systems during their work, if they have one password, that's 100,000 passwords to take care of; if they have five, that's 500,000 passwords to take care of. The cost of taking care and maintaining name and password pairs in sync so someone can use them is linear with the number of passwords.

Will NCID include a single sign-on?
We are not trying to do single sign-on. We're trying to do a single name and password.

As a service provider, the benefit is just to lower that number of name and password pairs. If we have 8 million citizens and each of them needs the DOR thing, the DMV thing, etc., [and] so if there are five [passwords] for each citizen, then that's either managing 8 million names and password pairs -- or 40 million.

It doesn't bother me that I might have to type that same name and password 10 times a day, as long as it's the same name and password.

We make this practically transparent, and in many cases, it's only a few lines of code. That's easy. Passing certificates around so once you've logged in -- you're always logged in. That's hard. That is technically hard. It would be equivalent to boiling the ocean, you'd never get there.

As we get more portal-based interfaces and more things that allow us to walk through those portals and build in that way so the credentials pass through and get handed, then it might get easier. But why would I want to give up 90 percent of the benefit by struggling with that really hard technical piece when I can bring both end-users and the systems very significant benefit and security?

Looking at the differences between now and the first effort, for the ID management technology, is it pretty much the same or is the technology different now?
We kept the same licenses. When we took a look at reinvigorating the project, there are a couple of things out there. The software we had licensed still held a very significant portion of the market share.

We took the licenses we had; we spent a significant amount of money strengthening the underlying infrastructure; we replicated things; we invested a lot of effort and significant money in bringing the application up to speed; we did some enterprise licensing for things like LDAP [lightweight directory access protocol] directories so we can deploy them without significant additional cost.

We did a number of things and made some investments in our capability and in our infrastructure, and we keep it up. It can become -- if you're not careful -- a serious single point of failure. So you want to mitigate that, both with resiliency and survivability in your application itself and in many cases, like our ERP system. It has its own set of LDAP directories that it will run off of, and we'll sync with it.

If for some reason our ID management system goes down, the only thing they can't do is change names and passwords. They'll still run totally without it. That's important for survivability and performance.

Do you have any plans for anything like biometrics or public key infrastructure?
We do have plans. We are in the later stages of planning two-factor authentication. We do need, in some cases, a two-factor authentication. We will be implementing that, and that could proceed to biometrics if necessary. And this is where the potential for Real ID comes in. A Real ID could be viewed as not much more than a well-authenticated second-factor authentication that everybody had ...

... Ideally, I think, according to the government anyway ...
We thought about this. We know and knew about the Real ID stuff coming. But first off, it's not very well defined to me yet.

Not to anyone.
Secondly, it's not a DMV problem. It's a statewide problem. Nobody is going to make those deadlines, I believe. I don't think anybody is going to come close to those deadlines.

Do you believe North Carolina will be Real ID-ready in May 2008?
Not a chance. We need a way to manage identities across our state employee population and across our citizens -- and we need it sooner than waiting till 2008 to even figure out what's going on. All the investment we've made in this, even if we have to change the technology, we will have put in place the processes, the concepts, the relationships, the basis for using Real ID to authenticate.

We may have to change our technology, but technology is not that hard to change. People and processes and relationships are hard to change.

It could look like this. You could have your NCID that has your name and password. For the next couple of years we could have VeriSign or Entrust as a second factor of authentication. But as we start issuing Real IDs that have machine-readable formats and all kinds of things with them, as the readers become more available, we just use that as a second factor, and you kill two birds with one stone. We believe that it is worth the investment now, even if we have to change the technology.

Can you discuss the benefits you've realized or anticipate realizing?
We certainly haven't met any ROI [return on investment] goal on this so far. It's still early in the process, and our investment still outweighs the kind of benefits that have been returned. But as I said, it doesn't take much calculating if you're reaching out to citizens and you think they may have two, three, four, five, six, seven different engagements with different agencies or services in North Carolina -- and you have 8 million citizens -- to see the difference between 8 million passwords and 40 million passwords.

We clearly believe there's an absolute cost benefit in that. Plus you're delivering better service. You're not even counting the benefit of better security, better password management, better arrangement, better termination processes, better initiation processes. Those are sort of obvious. They're soft. It's hard to measure them, but it doesn't take much to get to the point where you believe it will be worth a lot.

We still haven't talked about the convenience to the citizen. Government, it seems to me, tends to cut these folks up in awful little chunks. We don't treat them as individuals. Have you ever been to a company talking about a product focus versus a customer focus? Have you watched what the telephone companies have been doing the last five years? Everything was a separate bill. You were a different customer for each product they sold. Now they're trying to be really focused -- you're their customer, and through that mechanism, they give you lots of products.

The analogy is perfect. The government is the same way. We have lots of services and products that we need to, or we're required to, or we should be providing to our citizens. But we need to be customer focused, not product focused. This alone, along with the portal capability, could be the point where we begin to pull those things together.

That's the reason we think this is worth committing to, and the reason we're using both money and political capital to try and move forward -- even though it's a little difficult.

Chad Vander Veen

Chad Vander Veen is the former editor of FutureStructure.