Full partnerships will take time to develop, but state and county agencies are exploring expanding ideas of teamwork beyond traditional notions of collaboration, and looking at concepts of federated identity that could lead to active, secure information sharing later this year.
In Gartner Research's Decision Point for Federated Identity and Cross-Domain Single Sign-On, an April 2015 report that it refreshed in August of last year, the firm defined "federation" broadly, as "any time an identity managed by one domain is used to access an application or resource in another domain."
The company credited the advent of cloud, particularly the software-as-a-service (SaaS) model, but also the rise of mobile devices, social networks, “and the increase in cross-domain access driven by the creation of new APIs” as driving need for federated identity and identity and access management (IAM), especially to support single sign-on (SSO).
“Federated identity is now a core IAM capability,” the report stated.
Officials in Minnesota, Michigan and Indiana would likely agree. State and local agencies there are evaluating federated identity concepts as a way to link city, county and court agencies; become more business friendly; and potentially forge a unified citizen document stream.
Mary Ruddy, a research vice president at Gartner who produced the report, said more government organizations at all levels are working on citizen-facing systems, which reflects a growing need in the area.
Cybersecurity is indeed a key issue in Hennepin County, Minnesota’s most populous county and home to Minneapolis, its largest city. Officials there have brokered a trust agreement with the Fourth Judicial District Court aimed at “sharing data with business partners in a secure, managed environment” according to a recent PowerPoint.
The two agencies share not only a building, but also use of Microsoft Active Directory on the back-end, so officials, who had wanted for years to be able to share SharePoint attachments and improve agency connections, are now on the cusp of doing just that.
The arrangement will center on Active Directory Federation Services from Microsoft, which uses a claims-based access-control authorization model to maintain application security and to implement federated identity.
By the third or fourth quarter of 2017, the county and the court plan to be communicating via Skype through federated identity, Hennepin County CIO Jerry Driessen told Government Technology. The two agencies will likely link their email systems in the first quarter of 2018 and their SharePoints in the second quarter of 2018. All three partnerships are enabled through Microsoft and Federation Services.
Driessen said the arrangement will enhance connections between agency personnel — law enforcement and county social workers, for example — and enhance security by “understanding exactly who gets what and authorizing individuals to get that.”
“It’s almost counter-intuitive but, you know, if you understand your data better and understand the use cases better and actually use the existing tools to put security around it, you can make your security stronger,” Driessen said.
The six-step process the agencies will use reviews identities through an authentication broker and an ID provider before granting access.
From the perspective of John Erar, CIO of the Fourth Judicial District Court, federation provides for better security access across both organizations "because essentially every user has their own identity,” he said. “We don’t know of another federated environment where this type of agreement exists and so we’re very excited. I think the paradigm shift to sharing information and working more closely together with [business-to-business] organizations in our jurisdiction is the future."
In Michigan, officials in Oakland County, northwest of Detroit and the state’s second-most populous county, have issued their third RFP in about 10 years seeking proposals for an IAM system. But according to Chief Technology Officer Jim Taylor, “It’s truly about an identity security system more than anything.”
Oakland County’s IT department is centralized and handles IT for 82 different county departments and agencies, roughly 60 external government agencies that use its government-to-government cloud solutions, and 150 public safety agencies across nine other counties, CIO Phil Bertolini said.
Additionally, while the county has around 4,000 employees, officials estimate their total number of identities in federation to be around 30,000.
Interagency communication is generally good because it has to be to cover such a broad footprint, Bertolini said. But other standardization issues are worrisome — including integrating technology solutions with individual IAM solutions into the organization as a whole, and finding an IAM vendor capable of crafting a solution to identify employees from a variety of agencies.
Identifying the best solution from responses to the county’s first RFP became expensive, Bertolini said, and responses to its second RFP didn’t generate as many answers as hoped. Responses to its third RFP are numerous but likely to be expensive as well.
“Then the question is, when do we bite the bullet as a county to get this done?" Bertolini told Government Technology. "Well, the time is now. We’re going to have to do it. The security situations that are popping up all over the world today are going to force us into this."
He said the process of protecting Oakland County’s sensitive data will help officials understand what needs to be encrypted, as well as what can ultimately be released to the public, adding the agency will release to the public what it believes should by law be available.
Ideally, the county hopes to move forward to implement on its current RFP in the third or fourth quarter of 2017, at an estimated cost of more than $500,000 to do so, plus what Bertolini described as “significant” annual costs.
It’s unclear whether the subject of federated identity will come up on Wednesday, June 7, when the county hosts a government-to-government marketplace day for people who are part of the county marketplace. But Taylor said that “a big cybersecurity piece” is planned.
In Indiana, the state’s Office of Information Technology (OIT) is in the “beginning stages” of rolling out Access Indiana (AI), a single sign-on project that will ultimately let visitors use the same login and password across multiple government applications, Stephanie Wilson, press secretary to Gov. Eric J. Holcomb, told Government Technology .
It’s currently being used by the state’s INBiz program, a one-stop shop for new businesses implemented by Indiana Secretary of State Connie Lawson.
“Projects like INBiz pool the resources and knowledge of multiple state agencies," Wilson said via email, "and Access Indiana provides a streamlined experience for users.”
Graig Lubsen, director of communications and external affairs for OIT, said via email that AI is “external-facing for INBiz users,” but has also been debuted in a soft roll-out for state employees.
Since summer of 2016, Lubsen said, any application that required a login and was managed by the state OIT or the IN.gov program has been required to use AI to manage logins.
“This was the beginning of building out a suite of applications that citizens could access with a single login," he told Government Technology via email. "The goal is to have a portal by the end of 2017 where one can login to get to any of the applications that use AI."
Access Indiana, a Microsoft Azure solution that began under former Gov. Mike Pence, “was pegged as a good identity management tool to wrangle the vast amount of businesses that would need to use the system,” Lubsen said. “After INBiz was launched, we recognized that this identity tool could be scaled to work for the citizens, as well."
Wilson said another suggestion sparked by the governor’s recent call for agency leaders to submit great ideas is now in the “very early discovery stages.”
The state, she said, is also “considering” creating a master citizen record across all of state government aimed at streamlining interactions and eliminating duplication. Of the more than 250 suggestions that Holcomb received, she said it’s the one “that rose to the top for further investigation."
Common stumbling blocks to implementing federated ID management include security and locating “low-cost, widely-used digital identities that were identity-proofed” or able to be confirmed; but thanks in part to growing standardization in applications, migrating to federated identity is becoming somewhat cheaper.
Gartner's Ruddy cautioned agencies, however, that only about 70 percent of SaaS applications support security access markup language or other federation technologies.
The burgeoning digital driver’s license (DDL) movement may also have some intersection with federated identity, she said — and could potentially ease the process. This summer, four jurisdictions — Colorado, Idaho, Maryland and Washington, D.C. — will pilot DDL programs.
“I’m not saying it’s a trivial amount of work that I’ll promise you tomorrow, but the hard part in talking about this was always the network effect and the identity proofing," Ruddy told Government Technology, "and you’re already going into the [digital] driver’s license to go through that process."
Officials in Minnesota and Michigan said they’re continuing to examine federated identity solutions.
Driessen, who led Hennepin’s digital government/e-government initiative about five years ago, said he thinks the concept could have a similar positive impact for other cities, school districts and health-care organizations as well. Later this year, he plans to have a facilitated conversation with IT directors from the state’s 87 counties about how the county handles open data.
In Michigan, Bertolini said IAM is a “must,” not a “nice to have,” and should be done across all levels of government. “If we can find a way to work across government lines,” he said, “we’ll be that much better off, that much more secure.”
NEW ON THE PODCAST