Positive ID

North Carolina identity management system improves security, saves money and promotes citizen self-service.

by Justine Brown / December 20, 2002
Since Sept. 11, 2001, states have stepped up efforts to improve security. For those involved in protecting computer systems, the dilemma has been how to better protect systems while keeping them accessible to legitimate users.

North Carolina is taking a unique approach. By using a system originally designed for an entirely different function, the state is strengthening network security while cutting costs and improving service to citizens.

Cost of Keeping Pace
Two years ago, North Carolina began planning an employee white pages database. The goal was to absolve administrators from tracking the movements of 60,000 state employees -- a time-consuming task. As employees changed addresses and phone numbers, the cost of keeping up with changes in numerous databases was rising. "We had all these folks, and they had to enter data in different databases in different ways," said Michael Fenton, North Carolina's chief technology officer. "The validity of much of that data was compromised. This caused problems with security, mailing paychecks, etc."

To simplify database upkeep and improve accuracy, the state issued an RFP for a system that would reduce the steps involved, as well as authenticate employees logging on to enter new data or use state services. "Because the government offers services both internally and externally, it's important to understand the identity of who is using the network and the systems available on that network," said Fenton. "It was also important to allow employees to access information and services on their own."

A contract was eventually awarded to Oblix, a Cupertino, Calif.-based company that developed an application called NetPoint, which manages identities and tracks individual users' privileges. At the same time, it allows users to serve themselves.

But as the state began putting NetPoint to work, officials soon realized the technology could be used much more extensively.

"It turned out that technology, as it evolved, was ideally suited for the bigger problem of identity management," said Fenton. "It soon became clear that the security aspect was going to be the driver behind this, not the employee self-service."

Shortly following the Sept. 11 attacks, North Carolina Gov. Michael Easley directed the state's technology team to improve the state's technology infrastructure. The idea of expanding NetPoint into a statewide identity management system gained nearly instant approval.

Controlling Access
North Carolina's identity management system eventually will control access to information and applications throughout the state -- both for government employees and citizens. Instead of using an individual ID for each separate application, users will access systems throughout the state using a single user name and password. A powerful authentication and authorization function will ensure each user is legitimate.

"We're trying to get a handle on who is on our network and what they're allowed to do," said Ann Garrett, state security officer. "We've got a lot of different pieces to bring together, but we're trying to bring an enterprise focus to it, set rules and raise the bar for security."

First, the state had to set security standards. Until recently, each agency had its own security and policy requirements; the idea of users logging onto the state portal once and accessing information or forms from various agencies quickly became complicated. By implementing a statewide security policy, the state began the problem-solving process. "A lot of it has been getting the standards developed, advertising them, educating, communicating, catching some things on the front end, working on the back end," Garrett said.

North Carolina then made NetPoint a central service available to all agencies. "There are two pieces of identity management -- authentication and authorization," Fenton said. "Without the identity management system, each one of our lines of business would have developed their own methods for doing that. That itself turns out to be a security gap. The way to close that is to centrally manage the authentication and authorization pieces of identity management so it's all being done the same way."

The state is planning a three-pronged deployment approach, and the first prong is handling state employees. "Those are the easiest people for us to start with because we know who they are -- we can identify, quantify and qualify," said Brent Roberts, an identity management analyst with the state.

The second prong will involve working with businesses, and the third will involve citizens. "Adding citizens will be one of our larger challenges," said Roberts. "There are 8 million people in the state, and you have to have some sort of structure to verify a person is who he or she says they are. That's a very large and complicated thing to do."

The Pilot
North Carolina piloted the identity management system in its Department of Corrections and Department of Revenue a year ago, adding the Department of Public Instruction soon after. The Department of Revenue is working to provide IDs to businesses in the state; instead of having different IDs and passwords for every agency they deal with, businesses eventually will have just one.

The Department of Public Instruction, meanwhile, is testing the system's ability to accommodate local government users, since many education authorities in North Carolina are under the jurisdiction of local government, not state.

Finally, the Department of Corrections has applications that support both internal employees and external parties, such as the FBI and Interpol. Those agencies need IDs and must be managed separately and differently, Fenton said. "That's a highly secure environment, so this will be an opportunity to make sure this system is hardened to the point where it can handle extreme cases," he said.

Once a user is authenticated to access a system, the functions they can perform must be authorized, which is often more difficult. For example, in the Department of Public Instruction one user might be identified as a teacher, and teachers are authorized to perform only certain functions. North Carolina is using a combination of individual and group IDs to address these requirements. "Each teacher will have a personal ID plus a group ID that would define their role in an organization," said Fenton. "So it's groups that are defined rather than individuals. That means that the number of entries is much less."
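As an added illustration of the two pieces Fenton describes, central authentication and group-based authorization, the following Python sketch gives each user a personal ID for authentication and group IDs that carry the permissions; it is example code, not the state's or Oblix NetPoint's, and all user names, roles and permissions in it are constructed.

```python
import hashlib
import hmac
import os

# Permissions hang off group IDs, not individuals (constructed example roles).
ROLE_PERMISSIONS = {
    "teacher": {"view_roster", "enter_grades"},
    "principal": {"view_roster", "enter_grades", "approve_transcripts"},
}

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityService:
    """One central store that agencies query instead of each keeping its own user table."""

    def __init__(self):
        self.users = {}  # personal ID -> (salt, password hash, set of group IDs)

    def register(self, user_id, password, groups):
        salt = os.urandom(16)
        self.users[user_id] = (salt, _hash_password(password, salt), set(groups))

    def authenticate(self, user_id, password):
        """Authentication: is this the person the personal ID claims to be?"""
        if user_id not in self.users:
            return False
        salt, pw_hash, _ = self.users[user_id]
        return hmac.compare_digest(pw_hash, _hash_password(password, salt))

    def authorize(self, user_id, action):
        """Authorization: does any of the user's group IDs permit the action?"""
        if user_id not in self.users:
            return False
        groups = self.users[user_id][2]
        return any(action in ROLE_PERMISSIONS.get(g, ()) for g in groups)

    def policy_entry_counts(self):
        """(rules kept per group, rules needed if every user had individual rules)"""
        by_group = sum(len(perms) for perms in ROLE_PERMISSIONS.values())
        by_user = sum(len(set().union(*(ROLE_PERMISSIONS.get(g, ()) for g in groups)))
                      for _, _, groups in self.users.values())
        return by_group, by_user

def build_demo():
    """Constructed accounts: three teachers and one principal."""
    svc = IdentityService()
    for uid in ("t.adams", "t.baker", "t.clark"):
        svc.register(uid, "example-pw-" + uid, {"teacher"})
    svc.register("p.davis", "example-pw-p.davis", {"principal"})
    return svc
```

Because every agency calls the same authorize() against the same group rules, changing a group's permission set changes what all of its members may do at once, which is the single point of change the pilot is credited with.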

If the pilot goes well, Fenton said North Carolina expects to develop a statewide rollout plan by the end of first quarter 2003. Actual rollout to other agencies may occur by late summer.

Floating in the Same Direction
Meanwhile, the pilot already is producing benefits. The system is lowering administrative costs because agencies are managing one identification system instead of several. Security also is improved because authorization and access changes are made once, and those changes instantly are available to every application that uses the identity management system.

Originally, the state purchased 1 million licenses for approximately $500,000. Once officials decided to expand the system, they were faced with having to purchase many more licenses. Fortunately, North Carolina received a grant from President Bush's anti-terrorism fund that will be used to expand the number of licenses to potentially cover every citizen in the state.

Despite its early achievements, implementing North Carolina's identity management system has encountered challenges, the biggest of which is coordinating everyone in the state to work toward a common goal. "We have 26 agencies and 80 boards and commissions," said Garrett. "We have to get everyone floating their boat the same direction, and we have to get them to understand the importance of identity management."
Justine Brown, Contributing Writer