Years in the making, the state is moving closer to its goals for more cohesive identity management.
Roughly two years after partnering with Deloitte to create a platform that would enable a more secure, and user-friendly digital experience, Ohio officials have rolled out internal single sign-on (SSO) to state employees and external business owners and will integrate key identity records this fall. The move represents an important step toward offering similar public-facing capabilities to residents.
Ohio is well on its way to achieving the larger goal of not just forging a single digital identity across state systems for residents, businesses and employees, but implementing fully formed identity management, said Derek Bridges, program administrator of the Ohio Administrative Knowledge System in the Department of Administrative Services. Achieving that “full identity life cycle,” Bridges said, also means ensuring the security and privacy of user identities and maintaining National Institute of Standards and Technology (NIST) compliance.
The process, initiated with a 2016 RFP, won’t be complete for some time but the underlying platform and two essential websites are already live. In early June, the state debuted myOhio, its enterprise intranet for employees, and is integrating the state’s 1,600-plus related systems. In early July, the state launched Ohio Business Gateway, its portal for business owners to file and pay taxes and complete transactions including those related to sales and use tax, employer withholding and unemployment compensation. The state is working with businesses that use its services to map their journeys onto the new system. These efforts constitute the project’s first phase.
Later this year, Ohio will take several additional steps as it reaches the beginning of the project’s second and likely final phase. It will integrate all Bureau of Motor Vehicle (BMV) records into the new system, creating a new digital back end. That’s a foundational step toward rolling out additional citizen-facing systems, as BMV maintains around 10 million resident identifications. The state will likely deploy a fraud analytics capability then, aimed at monitoring site users’ activity and ensuring those logging in are genuine users. Ultimately, Bridges said, the goal is for the state to meet residents’ expectations of service in a new era of online availability and security.
“Our customers’ expectations are for the state to offer a digital experience and digital interaction that’s on par with what they experience commercially, and government has a lot of work to do to meet those expectations. I think that when you are deploying something like that, your customers … they’re trusting us with considerable amounts of data and it’s imperative that we take every measure possible to safeguard it,” Bridges said.
The fraud analytics solution on the way should enable the state to use “big data technology” to screen users to differentiate between legitimate and fake log-ins, and deploy threat detection and response, Bridges said. It will give the state real-time threat response and additional forensic, analytic abilities, he said. But more broadly, it will mesh with Ohio’s ongoing data analytics program as part of the conversation around bringing big bringing big data to bear on cybersecurity.
The state, Bridges said, has taken the cautious approach of doing an internal rollout first, to “iron out any kinks” before releasing public-facing SSO through Ohio.gov, the state’s primary website. But even debuting SSO for staffers and business owners has already yielded considerable efficiencies, in about five months or less. Since myOhio went live, its self-service architecture has reduced help desk calls by 60 percent — without any “hard measures,” the program administrator said, to compel self-service.
“But that will be coming. And so, we would expect that 60 percent drop to eventually be a 90-plus percent reduction. If you think about it, you don’t really want things like account management, password reset — things like that, you don’t really want them going through a help desk because there’s a potential for social engineering,” Bridges said. IT officials have moved with care during the internal deployment to minimize disruption, he noted.
He praised enthusiastic state agencies for going beyond mere commitment to the project to financial involvement. Its first phase was funded by $16 million in state funds and more than $2 million in a U.S. Commerce grant from NIST. But state agencies have invested more than $10 million from their own budgets toward integration, “a good sign that agencies take this very seriously and they see the value of it,” Bridges added.
Another $7 million in capital funding will become available later this year, which will help power the project’s second phase. The exact timing of public-facing SSO is unclear ahead of the Nov. 6 election; current Gov. John Kasich is ineligible to run again after serving two four-year terms. Bridges said, however, he believes the project’s second phase will probably be a priority “regardless of who wins.”
“With phase two, we’re going to make it cheaper, faster and easier to integrate. And at that point, it’s going to be up to the strategy of the administration to see how they want to deploy it from there,” Bridges said.