New York State Trust Model

"New York State must move towards a standardized Identity and Access Management (IAM) process where one credential issued to a user can be trusted across systems and government entities"

In the past, New York State computer systems typically were used by a small set of users within a single government entity. Today's state computer systems are used by a wide variety of people, across all levels of government, by citizens and business partners alike. The Internet has been a major driver of this change by enabling citizens to remotely access systems and transact business directly with government agencies.

Trust in the privacy and protection of information exchanged over the Internet, and other networks, plays an increasingly vital role. New York State must address issues of user authentication and accountability as well as data confidentiality and integrity. Trusting the identity of users is a key part of a solution. Traditionally this is achieved by issuing individual user-ids for individual systems. However, the increased number of systems and growing number of users have made this approach impractical, costly, and insecure. New York State must move towards a standardized Identity and Access Management (IAM) process where one credential issued to a user can be trusted across systems and government entities. The CIO Council's Technology and Security Committees have joined forces to address this issue. They envision an IAM solution that:

". . .will provide users the ability to request access to data, applications and systems and it will allow owners of those systems to grant access with the confidence that the identity of the users has been validated using a standard protocol. This confidence will extend across the state enterprise connecting to all levels of government, business partners and the public and will improve security, interoperability, and efficiency."

For New York State to achieve this vision there must be basic standards and consistent documented processes that have been agreed to and are trusted by all entities as to how credentials are issued, protected and managed. The Security and Technology committees have drafted such a set of rules entitled Identity and Access Management: Trust Model. The draft Trust Model establishes four Trust Levels, which provide a progressively higher level of confidence that the individual is who he or she claims to be. The Trust Model establishes a standard set of processes which include:
  • registering or identifying users,
  • issuing credentials,
  • using the credential, and
  • record keeping and auditing.
It also establishes the minimal standards for a given Trust Level for each step of the process. This is necessary to avoid compromising the entire process and undermining trust in the credential. This level of detail is important because trust in a credential is established by:
  • the vetting process used to establish the identity of the individual to whom the credential was issued,
  • the confidence that the individual who uses the credential is the individual to whom it was issued.
Each step of the IAM process contributes to the level of trust one has in a credential. The Trust Model also provides guidance to information owners on how to determine the Trust Levels appropriate for accessing and using their data or for specific types of transactions.

The Trust Model builds on the approach being implemented by the Federal government. It is based on the E-Authentication Guidance for Federal Agencies, issued by the Office of Management and Budget on December 16, 2003, and NIST 800-63 Recommendation for Electronic Authentication, issued July 2004. Compliance with emerging Federal standards represented by these two documents is critical if systems are to continue to interface with Federal and other state systems. In the future its use may be mandated for those participating in Federal programs, so in addition to the operational reasons outlined above there may also be financial benefits to a uniform trust model.

A structured approach to design and implementation, using common, shared processes and technologies, will create efficiencies in workload and costs.

The draft Trust Model will be published in the coming weeks and be available for review by the entire CIO Council.

Reprinted from the April New York State IT Newsletter.