As they grapple with security and data access, Utah, Michigan, Pennsylvania and Indiana explain how they are leveraging identity and access management to achieve their single sign-on goals for both staff and citizens.
When it comes to identity and access management (IAM), state IT executives want to emulate the solutions developed by retail giants such as Amazon. “Think about how citizens access their favorite retail website,” said Erik Avakian, chief information security officer of Pennsylvania. “They can go to different areas of the site and buy what they need with one unified credential.”
Modeling itself on today’s digital retail world, the Keystone State is integrating identity proofing, social media log-ins and password strength meters. “These are things people expect when they go to other major websites, so we are trying to bring that type of experience to government,” he added. “Regardless of the agency they are doing business with, citizens will have a unified credential they can use across multiple applications.”
To some people, IAM might seem like a technical security issue about back-end authentication between systems. But it also serves as a cornerstone of digital business. Without an enterprise-level IAM strategy, state agencies will continue to operate in a siloed fashion, and each application will require its own password system and identity-proofing solution.
“As more states move to implement digital government strategies, identity comes into play, because it is part of securing those types of transactions and enabling the digital experience,” said Avakian. But what is the best approach? Four states have tackled IAM at the enterprise level, creating laboratories for possible success elsewhere. Here are their stories.
Some state governments have been working on single sign-on (SSO) capabilities for years, while others are planning their first pilot projects. But executives have come to accept that IAM is less of a one-time project and more of a discipline. “Like security, IAM is a lifestyle,” said Gartner analyst Kevin Kampman. “It is not going to go away. The objectives change, the terrain is changing, the needs are changing, and you need to be able to adapt to that.”
Utah has been working on SSO capabilities since 2002, primarily focused on provisioning and deprovisioning employees and enabling access to the applications they need for their jobs, Fletcher said. Utah ID provides access to about 900 different applications and services. Now the state is applying that approach to business- and citizen-facing applications as well. Utah provides more than 1,300 online services, and more than half provide services to businesses.
In 2016, legislation was passed that requires the Department of Technology Services (DTS) to create a single sign-on business portal. With a budget of $1.3 million annually, the first phase of the portal is expected to be completed in July 2019. The new portal works primarily with four agencies: Tax Commission, Department of Workforce Services, Labor Commission and Department of Commerce. Business owners will be able to sign up for notifications, such as a tax payment deadline; and service providers, including accountants and attorneys, will have the opportunity to manage multiple businesses.
Utah is not stopping with business owners. DTS is working with the state Medicaid agency to integrate its applications into the SSO effort. “The thing that initiated the business single sign-on was that some legislators wanted to extend that type of service to the citizens at large,” Fletcher explained, “so this business portal is just the first step.”
Fletcher explained that the portal will become a common eligibility system that cuts across all of the health and human services departments as well as unemployment, making them fully integrated and easier to use. Eventually DTS wants to take it beyond state agencies to local governments as well.
The state of Michigan is another example that shows you are never really done with IAM. It has been working on its MILogin enterprise IAM solution for more than five years, with different use cases for employees, businesses and individual citizens. Citizens can use MILogin to renew their driver’s license, hunting license or fishing license. Employees across all agencies now use MILogin to access the statewide enterprise resource planning (ERP) system called SIGMA, said David DeVries, who recently left the position of CIO and director of the Department of Technology, Management and Budget.
By almost any measure, the state has made impressive progress. Almost 230 Web and mobile applications are integrated behind MILogin, and more than 4 million Michigan citizens have logins. “We have an established program here,” DeVries said. “Our challenge has been, and still is, to keep up with the technology because it is constantly changing.”
DeVries established a policy that all new software programs and all major rewrites or upgrades will have MILogin as their front-end identity piece. Several systems are going live with the SSO log-in in 2019. DeVries pointed to the state’s new vehicle registration system, which will use MILogin and which he anticipated going live in February. “Our main requirement was that the vendor was not going to bring his own log-in system to use. They were going to incorporate ours. We are forcing that through the other programs. That is another challenge: how to encourage that, enforce it, and then keep the cost down.”
In 2013, the National Institute of Standards and Technology awarded grants to Michigan and Pennsylvania to pilot identity management solutions. That started the conversation in Pennsylvania on how to streamline the citizen experience and enhance security and has led to the Keystone Login SSO initiative. “We want to get to a unified credential that is secure and provides different levels of assurance depending on the type of transaction the citizen is trying to do,” said CISO Erik Avakian.
Pennsylvania is seeking to move beyond siloed applications that require citizens to have user logins and passwords for multiple sites. “All these different user names and passwords are frustrating to the citizen and less secure because they have to remember all of them,” Avakian said. “The experience is disjointed. Keystone Login gets us beyond that.”
One application that has gone live with Keystone Login is a financial disclosure application used by more than 10,000 current and former employees to file annual Statements of Financial Interest under the State Ethics Act and/or the Governor’s Code of Conduct (an executive order). Approximately 30 applications are scheduled to go live in 2019, including the voter services portal, business registration and professional licensing, and an enterprise grants portal.
Pennsylvania’s Office of Information Technology is trying to get agencies to see Keystone Login as part of their legacy modernization process. “As agencies modernize or move to a new version, we say as part of this version, let’s migrate you to Keystone Login instead of using your own directory,” Avakian said. “We have APIs to help agencies come on board; there is an onboarding guide, and a communications plan put into effect. We have been working hand in hand with the agencies and have an applications team available to help them. It is definitely something the agencies need help with. But we didn’t do it in a silo; we are all moving together.”
Indiana expects several agencies to go live with its Access Indiana SSO solution in 2019. The state’s Office of Technology and Management Performance Hub have been working since 2017 with four of the state’s largest citizen-facing applications from the Bureau of Motor Vehicles (BMV), Health and Human Services, Workforce Development and the Department of Revenue.
Graig Lubsen, communications and marketing director at Indiana’s Office of Technology, sits on three of the four working committees involving Access Indiana. He said Indiana sees SSO as a first step toward the state taking a more holistic view of citizens and the services they access by creating a single client account across agencies. “If you don’t have everybody using the same credential, you can’t have a singular view of a person or citizen from the state government’s perspective,” Lubsen said. “We had to tackle single sign-on first.”
Better understanding citizen interactions with state government could lead to the state being able to recommend services that citizens would either qualify for or might be interested in, according to Dewand Neely, the state’s chief information officer. “The state could maybe utilize the citizen information to save money, such as on mailing costs by being able to centrally verify a person’s address. We can also develop a central portal for a citizen to manage their experience with state government, customizing the design to show things the user interacts with or messages that are of interest.”
The state chose to work with NIC subsidiary Indiana Interactive to build the solution. “Initially we were using another off-the-shelf product from a major technology company, which we had in place for INBiz, our business one-stop portal,” Lubsen explained. “But as we developed the requirements, we found that there were too many restrictions on what we could do with that solution, so we chose to build our own.” (For instance, adding multi-factor authentication would have been too expensive using the previous solution, he said.) “We have saved a bunch of money and were able to add flexibility in terms of password requirements and the user flow and experience.”
Like other state IT execs, Neely and Lubsen have found that integrating legacy systems is far more involved than adding SSO to systems built from scratch: “Our Department of Homeland Security has a public safety portal that is being built from scratch,” Lubsen said. “We were able to add the sign-on component with only 10 hours of development work. With the BMV, their system is older and it took them weeks to do.”
Neely explained that from discussions with agencies early in the development process, his team is aware that each new agency will have unique needs. “This has shown itself from various password complexity requirements or even the password history. It’s important that we have phases where we bring in agencies over time and not bite off everything at once. This means Access Indiana must be resilient, scalable and flexible to meet these demands.”
Integration work for the BMV and Department of Revenue is already done, but the state may wait until other agencies are ready to make a “bigger bang” as they all go live with Access Indiana together, Lubsen said.
Indiana has found that good governance is a key part of the IAM process. The work is led by an executive committee made up of the heads of all participating agencies and the governor’s office. There also is an advisory committee of the IT directors and a marketing committee made up of communications directors from each of the agencies. A call center committee was established to determine how the state was going to handle calls about creating an account. They chose to outsource that work to a third party. “We didn’t want to throw that onto the agencies, and we need to have 24/7 support,” Lubsen said. “We tried to look at it from all the angles and make sure these committees are composed of subject matter experts to drive the process forward.”
Through Indiana’s governance structure, the IAM team accepts feature requests from all project partners and then each partner rates how high a request is ranked. “There are currently 16 items in our backlog, such as strengthening confidence in user identities, which are being sorted by order of importance, based on agency votes.”
Gartner’s Kevin Kampman encourages IT leaders to see IAM as an evolution as they work with agency partners. “It doesn’t take long before you realize that, like security, identity touches every activity you do, so you need a comprehensive approach to identity in order to succeed,” he said. “Otherwise, it is just like driving on a rocky road: You are going to have bumps all the way. You want to be able to smooth that out by having a consistent and shared view of how you deal with identity in different contexts.”