Admit Once

Governments are looking for one-stop access control that grants authorized users access to multiple applications.

by Merrill Douglas / September 5, 2002
A Web portal is like a theme park - a single entryway leading to a broad array of services and activities. But imagine if, once you paid admission, you had to cross an inner fence through a different gate, and then pass out again each time you wanted to board a ride or buy a snack.

That's what many visitors encounter when they do business with government online. Often, a constituent who enters a government portal to conduct secure transactions with multiple agencies must use a different user ID and password - or sometimes a digital certificate - to access each agency's actual Web site.

"We want to get away from the concept of the citizen having to maintain multiple IDs and passwords," said Gene Martel, digital government services manager at Arizona's Government Information Technology Agency (GITA). "You want to make your services available, but you also want to make them convenient."

Creating electronic inconveniences for constituents could drive them back to sending forms through the mail or visiting bricks-and-mortar offices.

Washington is one of the first states to experiment with the single sign-on concept. Through the state's Transact Washington certification system, a citizen obtains one digital certificate (through the state's public key infrastructure system) and uses it to access multiple secure applications.

"If you're granted access to those applications, you can, with the same certificate, get into Transact Washington once and then move seamlessly between those applications without being challenged," said Scott Bream, public key infrastructure manager at the Washington Department of Information Services (DIS).

Do-It-Yourself Difficult
When Washington began exploring the idea of a single sign-on mechanism, state officials soon decided to outsource the project, and, ultimately, used a system from IBM to create Transact Washington. The rationale behind outsourcing was that a proprietary gateway like Transact Washington is difficult and expensive to put in place.

Other governments - including Arizona's - want to adopt the single sign-on concept, whether for use with digital certificates, with ID/password combinations or with multiple levels of authentication.

Washington's DIS talked with other states about sharing the Transact technology, perhaps by allowing other states to run applications behind Washington's firewall.

"But a lot of other states didn't want to do that," said Lance Calish, senior project manager at the DIS. "It's just sort of an ownership thing."

States could run their applications on their own sites and still have users go through the Transact gateway to reach them.

"But now you're talking about the network topologies, and the performance would just not be worthwhile," Calish said.

Also, maintaining a proprietary gateway over the long term presents unique problems and challenges.

"We realized that every time there was a system upgrade, or some new functionality requested by the end user, they had to come back to us for an upgrade, and it was very expensive," said Adam Westphal, e-portal architect at IBM Global Services and lead architect for the company's Secure Gateway product.

The product is based on the company's work on Transact Washington and Fortress, another system used by Washington to manage public anonymous applications.

But, the company developed the new product as an "e-utility" - an ongoing, subscription-based service that governments can subscribe to, rather than shelling out money for large up-front costs.

Just Like Cable TV
"People who enjoy cable pay an installation fee, somebody sets them up and then they decide how many channels they want," Westphal said. "We're going to have a low cost of entry, much lower than if they tried to build it themselves, and then a monthly e-utility fee to support a team that would be behind the scenes providing ongoing support, maintenance and upgrades."

A government can then provide the services to other agencies within the enterprise. The company can host the gateway system or implement it on a government's own facilities, managing the system remotely, providing upgrades and new functionality under the e-utility contract.

Arizona was already working with the company on building an e-government portal with secured access when the e-utility concept was raised as a possible avenue to take when building the portal.

It didn't take much arm-twisting to convince the state to drop its plan for a proprietary gateway and sign up for the pay-as-you-go service, GITA's Martel said, noting that the utility option would cost less, since the company would use the same infrastructure to provide services to multiple governments.

"We haven't solidified the cost just yet. But we do know that it is going to be affordable," he said.

Behind the Gateway
Each application behind the gateway has an administrator who decides what information to collect from prospective users by creating a Web page that users fill in to register for the application.

The administrator then reviews the captured information. If the user is approved, the gateway sends the registration data to the agency's application. To ensure privacy, the gateway itself does not retain the user's registration details.

A user registers separately for each application he or she wants, providing whatever information the application requires, and each registration is a one-time event. Once the user gains approval to use the applications, he or she signs on only once to log into the gateway. That brings the user to a personalized page listing the applications he or she is allowed to use. Once inside, a user who is authorized to access certain applications can pass freely from one to the next.

Governments devise their own policies for granting access to various applications. If they use digital certificates, they are responsible for issuing them or contracting with a third party to do so.
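To make the flow in this section concrete, here is a small Python model of the gateway described above. It is an added illustration, not code from Transact Washington, IBM's Secure Gateway or any state; the class and method names, the two sample applications and the "alice" credential are all constructed for the example. It captures the four properties the text describes: each application defines its own registration form, an administrator reviews and approves it, the gateway forwards the approved data to the agency and keeps only the grant (not the form), and a user authenticates once and then moves between granted applications without being challenged again.

```python
import hmac
import secrets


class Application:
    """An agency application behind the gateway (constructed for this example).

    The agency, not the gateway, keeps the registration details it asked for.
    """

    def __init__(self, name, required_fields):
        self.name = name
        self.required_fields = tuple(required_fields)
        self.users = {}  # user_id -> registration data the agency retains

    def receive_registration(self, user_id, form):
        self.users[user_id] = dict(form)


class Gateway:
    """Single sign-on gateway: one credential check per session, per-application grants."""

    def __init__(self):
        self.apps = {}
        self.credentials = {}  # user_id -> secret (stand-in for a password or certificate)
        self.pending = {}      # (user_id, app_name) -> submitted form awaiting admin review
        self.grants = {}       # user_id -> set of approved application names
        self.sessions = {}     # session token -> user_id

    def add_application(self, app):
        self.apps[app.name] = app

    def enroll(self, user_id, credential):
        self.credentials[user_id] = credential

    def register(self, user_id, app_name, form):
        """Capture the application's own registration form for administrator review."""
        app = self.apps[app_name]
        missing = [f for f in app.required_fields if f not in form]
        if missing:
            raise ValueError(f"{app_name} requires {missing}")
        self.pending[(user_id, app_name)] = dict(form)

    def approve(self, app_name, user_id):
        """Administrator approval: forward the form to the agency, keep only the grant."""
        form = self.pending.pop((user_id, app_name))
        self.apps[app_name].receive_registration(user_id, form)
        self.grants.setdefault(user_id, set()).add(app_name)

    def deny(self, app_name, user_id):
        """Administrator denial: discard the form; nothing is granted or forwarded."""
        self.pending.pop((user_id, app_name), None)

    def sign_on(self, user_id, credential):
        """The single sign-on: authenticate once, issue an unguessable session token."""
        expected = self.credentials.get(user_id)
        if expected is None or not hmac.compare_digest(expected, credential):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def portal_page(self, token):
        """The personalized page: the applications this session may enter."""
        user_id = self.sessions[token]
        return sorted(self.grants.get(user_id, ()))

    def access(self, token, app_name):
        """An application checks the gateway's grant; the credential is never re-checked."""
        user_id = self.sessions.get(token)
        return user_id is not None and app_name in self.grants.get(user_id, ())

    def retained_registration_data(self):
        """What the gateway still holds: only forms not yet reviewed."""
        return dict(self.pending)


def demo():
    """Walk one constructed user through registration, review and single sign-on."""
    gw = Gateway()
    gw.add_application(Application("dmv-permits", ["credit_union", "branch"]))
    gw.add_application(Application("payroll", ["employee_number"]))
    gw.enroll("alice", "cert-fingerprint-alice")  # constructed credential
    gw.register("alice", "dmv-permits", {"credit_union": "Example CU", "branch": "Phoenix"})
    gw.register("alice", "payroll", {"employee_number": "E-1001"})
    gw.approve("dmv-permits", "alice")
    gw.deny("payroll", "alice")
    token = gw.sign_on("alice", "cert-fingerprint-alice")
    return gw, token


if __name__ == "__main__":
    gateway, session = demo()
    print("applications on portal page:", gateway.portal_page(session))
    print("gateway still holds forms:", gateway.retained_registration_data())
```

The privacy point the text makes is visible in `retained_registration_data()`: after review the gateway's `pending` map is empty, and the only record it keeps about "alice" is the set of application names she may enter. A session token is checked by `access()` for every application, but the credential itself is examined exactly once, in `sign_on()`.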

Credit Unions Register Cars
Arizona pilot-tested an early version of the service last spring with a Department of Motor Vehicles application that allowed a credit union to issue a 90-day vehicle registration permit to a customer who borrows money to buy a car.

A credit union's representative must pass through the secure gateway to prove that he or she is authorized to issue the permit.

"At this point, it's done through user ID/password/PINs, but in the full-blown version of the secure gateway, we're looking to tack on the use of a digital certificate," Martel said.

Beyond that, Arizona hasn't yet chosen particular applications to place behind the gateway. One possibility under discussion, Martel said, would allow state workers to conduct transactions involving their benefits, payroll and other personnel matters.

Health-care providers might also use the gateway. Providers need access control to protect data when they file routine reports with the state. With growing concern about homeland security, providers also need access control to report information about unusual disease patterns.

"Why would we want to have multiple access-control methods?" Martel asked, adding that a one-stop access control makes good business sense. "What we're trying to do with portal environments is take away some of the more complicated, maybe even burdensome, components of electronic government and do it in a more centralized environment, so the agencies can rely more on satisfying their business requirements and conducting these transactions."

Merrill Douglas, Contributing Writer