SALT LAKE CITY — To call effective access management a challenge would seem to many government IT professionals a complete understatement. Changing employees, shifting roles, and disjointed agencies and systems make giving the right people secure access a hard-to-hit moving target, to say the least.
In Utah, a state consistently poised at the intersection of government and technology, officials are looking to the future — to a time when employees, businesses and the general public have seamless and secure access to the systems they need, and nothing more.
Officials discussed the challenges and their current gate-keeping efforts at the Utah Digital Government Summit held June 7.
Utah’s Chief Technology Officer David Fletcher says identity is not as simple as it might have been in the days before technology was infused in nearly every facet of daily life. The idea of multiple “identities” belonging to the same person has evolved as a very real concept in the online arena.
“People have lots of identities; some of them they want to protect more than others, some of them they don’t really care about,” he said. “In the world that we live in, especially if we look at millennials and that population, they’re all about sharing their identity, right?”
While you may be comfortable sharing sensitive information with a health-care network or bank, you likely would not be willing to share the details of your health history with an employer or social network.
He points to a need for a long-term strategy that includes buy-in from the state and local partners. At the national level, he said programs like the push to create an identity ecosystem through the National Strategy for Trusted Identities in Cyberspace (NSTIC) are one area where government and the private sector are looking at more secure, verifiable identity management.
“I think we are entering a new era for digital ID. We’ve got a lot of things coming together that all relate to ID and not just for access management, but also for data analytics applications, just tons of different things that we are doing across the enterprise that we can do better if we have a more comprehensive strategy that we can all buy into for ID,” Fletcher said. “We need a strategy that is going to encompass citizens, as well as businesses, as well as government entities so that we can provide a more secure and easy-to-use identity ecosystem in the future.”
Fletcher said he sees multifactor identification becoming more prominent in the state and local technology domain.
The division of agencies and their business services — not to mention the challenges of identity management — was part of the impetus for legislation by Rep. Bruce Cutler, R-Murray, to establish a single sign-on business database to store information on the companies doing business in the state.
The legislation, signed in late March 2016, would create a centralized, multiagency portal to allow more seamless interactions between government and businesses operating in the state.
“My initial thought was, as I went out and was working with the groups working on children in poverty, was that the right hand doesn’t know what the left hand is doing,” Cutler told attendees. “…Each individual has their identity, each of us is unique, so the concept is that we are starting with businesses because there are fewer regulations with what we can share and what we can’t share.
“The goal is eventually, you are you,” he continued. “When you log in, you get the access to whatever you should get access to. It’s a big, huge goal. It’s tremendous, but that’s where we want to go.”
Another major initiative underway at the state level is the potential adoption of electronic driver’s licenses, which could be viewed via smartphone. Recommendations will go before the Legislature within the next few months.
From use at airport security checkpoints and the bank to restaurants and bars, the driver’s license has unintentionally become a major form of identification. “It’s become, for many people, their primary form of identification,” Fletcher said.
To date, human resources has been largely responsible for acting as the “source of truth” when it comes to on-boarding new employees and defining their roles within the larger organization.
Darrus McBride, an IT manager with the Department of Technology Services, said there is potential for automation in the process of withdrawing access as employees leave. Role-based access is currently managed by the application owner.
“We need to work on a strategy … to connect everybody,” he said, adding that authentication mechanisms like OpenID Connect, which pass access tokens instead of passwords, are a valuable tool in the identity management space. The simple identity layer can be used with enterprise, business and mobile applications.
“The future is there for us to grab, but we can’t grab the future if we hang onto the past,” he said. “Moving ahead, we have to think creatively, we’ve got to be maybe more open to certain technologies that have been up and coming and are here that we haven’t adopted yet. That’s what’s going to change and revolutionize us.”