The way to close that is to centrally manage the authentication and authorization pieces of identity management so it's all being done the same way."
The state is planning a three-pronged deployment approach, and the first prong is handling state employees. "Those are the easiest people for us to start with because we know who they are -- we can identify, quantify and qualify," said Brent Roberts, an identity management analyst with the state.
The second prong will involve working with businesses, and the third will involve citizens. "Adding citizens will be one of our larger challenges," said Roberts. "There are 8 million people in the state, and you have to have some sort of structure to verify a person is who he or she says they are. That's a very large and complicated thing to do."
North Carolina piloted the identity management system in its Department of Corrections and Department of Revenue a year ago, adding the Department of Public Instruction soon after. The Department of Revenue is working to provide IDs to businesses in the state; instead of having different IDs and passwords for every agency they deal with, businesses eventually will have just one.
The Department of Public Instruction, meanwhile, is testing the system's ability to accommodate local government users, since many education authorities in North Carolina are under the jurisdiction of local government, not state.
Finally, the Department of Corrections has applications that support both internal employees and external parties, such as the FBI and Interpol. Those agencies need IDs and must be managed separately and differently, Fenton said. "That's a highly secure environment, so this will be an opportunity to make sure this system is hardened to the point where it can handle extreme cases," he said.
Once a user is authenticated to access a system, the functions they can perform must be authorized, which is often more difficult. For example, in the Department of Public Instruction one user might be identified as a teacher, and teachers are authorized to perform only certain functions. North Carolina is using a combination of individual and group IDs to address these requirements. "Each teacher will have a personal ID plus a group ID that would define their role in an organization," said Fenton. "So it's groups that are defined rather than individuals. That means that the number of entries is much less."
If the pilot goes well, Fenton said North Carolina expects to develop a statewide rollout plan by the end of the first quarter of 2003. Actual rollout to other agencies may occur by late summer.
Floating in the Same Direction
Meanwhile, the pilot is already producing benefits. The system is lowering administrative costs because agencies are managing one identification system instead of several. Security is also improved because authorization and access changes are made once, and those changes are instantly available to every application that uses the identity management system.
Originally, the state purchased 1 million licenses for approximately $500,000. Once officials decided to expand the system, they were faced with having to purchase many more licenses. Fortunately, North Carolina received a grant from President Bush's anti-terrorism fund that will be used to expand the number of licenses to potentially cover every citizen in the state.
Despite its early achievements, implementing North Carolina's identity management system has encountered challenges, the biggest of which is coordinating everyone in the state to work toward a common goal. "We have 26 agencies and 80 boards and commissions," said Garrett. "We have to get everyone floating their boat the same direction, and we have to get them to understand the importance of identity management."