MAY/JUNE 2014 • ISSUE 24 GOVERNMENT TECHNOLOGY REVIEW
SECURING IDENTITY IN THE NEW WORLD
SOCIAL GOVERNMENT IS AT YOUR DOOR: WILL YOU BITE?
ENTERPRISE APPS IN CLOUD LIMBO • PUTTING THE ‘BIG’ IN ‘BIG DATA’ • ULTRA-SECURE CA TOUR • GTR SOCIAL MEDIA AWARDS • CLOUD ROUNDTABLE
GTR KNOWLEDGE SERIES
The GTR Knowledge Series provides compelling content and thought leadership for CIOs, IT managers and other senior decision makers from all levels of government through a dynamic online information portal.
Complete your free registration online at www.gtrknowledgeseries.com.au
GTR Knowledge Series registrants will:
• Gain access to on-demand video content in the Knowledge Centre, including webinar interviews with keynote speakers that will include CIOs and IT Managers from Government and the Education sector as well as thought leaders from within the private sector, both from Australia and overseas. All content can be sorted and filtered by topic to ensure a compelling knowledge experience that is tailored to your interests and needs.
• Receive regular email updates about new and upcoming content that has been added to the Knowledge Centre.
• Have the opportunity to learn more about the products and services that are being offered by leading technology vendors in the interactive virtual exhibition halls.
The GTR Knowledge Series will cover in-depth the following topics:
• E-Government
• Cloud Services and Infrastructure
• Mobility
• Broadband and Communications Technologies
• Data and Information Management
• Security and Privacy
Contents

Cover Story
16 SOCIAL GOVERNMENT IS AT YOUR DOOR: WILL YOU BITE? Far from the uncertainty of the early days, today's public-sector social-media strategies are more ambitious and far-reaching than ever. Early adopters are turning in strong and significant results, paving the way for other organisations to follow. Citizens will be the winners as social-media intimacy reshapes the way governments operate.

REGULARS
2 Editor's Letter
4 News
46 Opinion: Ovum, Esri, ADT, TechnologyOne, Teradata, NextDC, Datacom, Bellridge, Hitachi Data Systems
56 NBN Update

FEATURES
8 SECURING IDENTITY IN THE CLOUD ERA Effective identity and access management (IAM) has always been a challenge, but with cloud computing distributing identity across a range of systems it's become a completely different sort of pain. Yet as cloud solutions continue to mature, a range of techniques are helping bridge the gap and extend corporate identity controls to cloud and mobile.
14 Symantec Certificate Authority GTR gets a tour through Symantec's high-security Melbourne identity-management facility.
21 GTR Social Media Awards We run down the finalists in GTR's inaugural social media excellence awards.

Special Features
24 Enterprise business applications Cloud-first government has become the future, but what do they do in the meantime?
30 ROUNDTABLE: BUILDING THE AUSTRALIAN CLOUD Cloud computing's inexorable growth has continued unabated, with new investments and new entrants driving the rapid maturity of Australian cloud offerings. But has the local cloud caught up with overseas competitors? And can the Australian cloud support the growing demands of the public sector?

CASE STUDIES
13 NSW Fire & Rescue A large-scale identity platform is helping track volunteers and employees alike.
28 MTC Government-backed jobs provider overhauls its network and server infrastructure for growth.
GTR MAY/JUNE 2014 | 1
Editor's Letter
READING GTR WILL IMPROVE YOUR SOCIAL LIFE

Things have been busy at GTR headquarters lately, what with the successful completion of two conferences and the launch of a new online venture called the GTR Knowledge Series (GTRKS, at www.gtrknowledgeseries.com.au). I've been sitting down with a range of public-sector CIOs to hear their thoughts on their roles, on the industry as a whole, and the ever-changing challenges facing them in the public sector. They make for fascinating viewing and we already have interviews with not one but two former US government CIOs as well as the CIOs for the Department of Defence, Treasury, and more.

We have recently begun expanding the content into the education space as well as the public sector, giving us insight into the unique characteristics of an industry where scale and ever-demanding users present even more challenges than usual. I encourage you to drop by the site and watch some of the interviews, and let me know what you think, or who you'd like to hear from in the future.

While we'll be featuring the in-depth interviews and other content online, we'll continue to fill each printed issue with the same features, case studies, roundtables, and other content that you already know and love. For example, our cover feature focuses on public-sector social-media success stories, but there are many more: the great lineup of speakers at May's Social Media for the Public Sector conference, which I had the privilege of chairing, all had very interesting stories to tell about their own transformations. The mood at the event was at once more vibrant and optimistic than its 2012 predecessor. Back then, discussions were generally couched in terms like 'but my CEO won't let me...' or 'we are banned from using social media', but now it is clear that the early-mover advantage is long gone. If you're not building social media into your everyday planning and execution, you're already behind the curve.

Also in this issue, we look at the security challenges posed by identity and access management (IAM). This increasingly important and complex capability is being complicated by the rise in use of cloud-based applications, whose relative informality poses new challenges for CIOs working to develop and enforce consistent access-control policies. Elsewhere in the issue, we look at public-sector finance applications, catch up with the latest in printing technology and meet the finalists in the inaugural GTR Social Media Innovation for Government & Public Sector Award. Read about their projects in the magazine, then get the story from these innovators in their own words as you watch my GTRKS interviews with each. As always, I welcome your thoughts on this issue, the GTRKS, or your own challenges in public-sector ICT.
David Braue, Editor E: editor@govtechreview.com.au

EDITOR David Braue e: editor@govtechreview.com.au
NATIONAL SALES MANAGER Yuri Mamistvalov e: yuri@commstrat.com.au Tel: 03 8534 5008
ART DIRECTOR Annette Epifanidis e: annette@commstrat.com.au Tel: 03 8534 5030
DESIGN & PRODUCTION Nicholas Thorne
CONTRIBUTORS Kelly Mills, Kevin Noonan, Adam Turner
MELBOURNE OFFICE Level 8, 574 St Kilda Rd. Melbourne Vic 3004; PO Box 6137, St Kilda Rd Central 8008; Phone: 03 8534 5000; Fax: 03 9530 8911
Government Technology Review is published by CommStrat ABN 31 008 434 802, www.commstrat.com.au. All material in Government Technology Review is copyright. Reproduction in whole or in part is not allowed without written permission from the Publisher.

SUBSCRIBE NOW
To subscribe to GTR magazine phone: 03 8534 5009, email: subs@govtechreview.com.au or go to www.govtechreview.com.au/subscribe
IN DEPTH INFORMATION TECHNOLOGY COVERAGE FOR THE PUBLIC SECTOR. GTR Magazine incorporates technology reviews and experience from all levels of government and includes news, case studies, opinion and roundtable discussions. Subscribe to GTR magazine at iSubscribe: go to http://bit.ly/1kIPq7n
News BUDGET CUTS HITTING GOVERNMENT CIOS MORE THAN PRIVATE-SECTOR PEERS: GARTNER Government CIOs are more likely to expect their IT budgets will drop than CIOs in general and over a quarter of them expect budget decreases in 2014, new research from Gartner has found. The firm's 2014 CIO survey, which involved interviews with 228 government CIOs and 2339 respondents in total, found that 26 percent of government CIOs anticipated their IT budgets would decrease in 2014. That was roughly equal with the 27 percent who expected budgets to decrease in 2013. With strong pressure to cut programs and services, government bodies have faced disruptions from mandates to embrace lower-cost, high-scale commercial alternatives – a trend that is complicated by the finding that at least one-third of IT expenditures are now being made by business units outside the authority of the IT organisation. This 'shadow IT' trend was creating its own headaches for CIOs and needed to push them to rein in such casual spending, Gartner research director Rick Howard said in a statement. “Regardless of how much IT spending happens outside of the IT organisation, CIOs must address the presence of shadow IT by affirming their position as the designated and recognised point of IT responsibility,” Howard said. “Accountability for the information assets of a government agency cannot be distributed, and governance will ensure a corporate officer, the CIO, is at the table whenever or wherever an IT investment is being considered.” Implementing that organisational change will require the establishment of clear boundaries between the CIO, chief digital officer, and CTO, Howard said - yet the transformation also requires a different approach to sourcing technology. 
Fully 75 percent of government CIOs indicated they are already working on changing their sourcing approach, with 60 percent currently managing a 'mixed model' of providers, 26 percent depending on a primarily insourced approach and 13 percent preferring an outsourced model. Such models need to be carefully introduced to ensure that the CIO walks in lockstep with other parts of the business, Howard advised. “To maintain organisational relevance in today's digital industrial economy, CIOs need to work in collaboration with their executive peers to strike the optimal balance of 'grow' and 'transform' with running the business,” he said. “The most successful government CIOs will relish the opportunity to manage IT effectively in an increasingly diverse ecosystem of vendors and solutions by combining specialised knowledge of government business practices and policies with the executive role, in order to promote architecture standardisation, interoperability, robustness, agility and security.”
Cloud first policy to reshape Queensland government tenders
The state government of Queensland has directed the state's IT procurement policies on a new tack as it institutes a cloud-first policy that will see its ICT operations transformed from service provider to service broker. The decision was contained in the state's new Cloud Computing Implementation Model (CCIM, at bit.ly/1k6rRuE), which was published in May and outlines the state's expectations from the cloud model. These include cost reduction, debt reduction, sustainability, innovation, faster realisation of business benefits, business agility, improved security, and improved information sharing. The review, which grew out of a February 2013 Commission of Audit report that recommended the adoption of an ICT-as-a-service strategy and that the state “discontinue ownership and management of significant ICT assets and systems”, runs through a laundry list of problems with the previous model and the ways cloud will improve them. These include previous “high-cost and bespoke ICT solutions” that will be replaced by “well-defined, standardised and highly-configurable shared services which continue to evolve and innovate based upon the needs of a large and diverse customer base”; aging technology requiring continual refresh and upgrades that will be replaced by an “evergreen model” where service providers and competitive market forces drive lifecycle management; and an improvement in information security through the shift from resource-limited internal security organisations to cloud service providers with “extensive” security accreditations and “well-established security management processes which undergo regular external audit”.

There are warnings, too: for example, the report warns that consumption of a broad range of cloud services from multiple suppliers “may lead to a high-heterogeneous and distributed ICT environment”. To avoid this complexity, the CCIM recommends the establishment of a “coordinated service brokerage approach” combining technical integration platforms and external cloud brokers to aggregate, simplify, secure and integrate a range of cloud services. The state government's implementation model includes five key focus areas that will enable and accelerate the government's uptake of cloud-based ICT services: cloud ready, cloud foundations, cloud engagement, cloud accelerate, and cloud governance. Some 26 recommendations are outlined to help the state government deliver on its cloud-first strategy. The state ICT action plan will be updated to incorporate those recommendations that are to be progressed.
BIOMETRICS KEY TO BORDER-SECURITY EFFICIENCY: MORRISON
Increased use of biometrics technologies will play a key role in the technologically-supported effort to improve Australia's border security as the newly merged Customs and Immigration departments tap into the technology to realise savings outlined in the recent federal Budget. With estimated savings of $480m from merging the two massive organisations, both departments will be looking to new technologies to reduce costs and improve security. With government minister for immigration and border protection Scott Morrison set to headline the upcoming Biometrics Institute Asia-Pacific Conference, the role of biometrics in delivering these efficiencies may soon be better understood. Morrison outlined the government's views on the use of biometrics in improving border security, supporting a range of systems at the 'super agency' that are anticipated to deliver new efficiencies to the process of border protection. Improving this process would rely “first and foremost” on biometric data collection and processing technologies, Morrison said in his speech. “Through the utilisation of these technologies, Australia's border management systems will provide travellers with experience processes that expedite their movement across borders, end to end, but enable the ABF and security agencies to identify external risks long before an individual attempts to enter Australia.” Clearance information, including biometric authentication details, would be provided by future travellers to automated gates and checked against details stored on their passports. Border protection officers will intervene only where any “match to intelligence or risk” is identified, with all ordinary travellers cleared through the system in less than a minute.

“These systems offer processes that both expedite the legitimate traveller and provide the best possible chance of identifying risk to Australia's security long before it reaches our border,” Morrison said, foreshadowing greater co-operation with other regional governments to improve data exchange processes. “The Coalition is committed to pursuing data swaps, not failed people swaps, to protect our borders,” he said. A global concern, the Biometrics Institute maintains offices in London and Sydney and runs networking meetings and training courses in Australia, New Zealand, the UK, Belgium, Singapore and the US. Its constituency of over 130 member organisations is heavily skewed towards Australia, where 50 percent of its members reside. Its latest annual Industry Survey found strong interest in biometrics usage amongst members, with fingerprint recognition overtaking facial recognition in 2013 as the area most respondents are interested in. Iris recognition was third. Asked what were the most important recent trends in biometrics, 16 percent of respondents said biometrics at the border, and 15 percent the adoption of biometrics in everyday activities, had been the most important developments in the biometrics industry within the last 12 months. Technology advances and large-scale national ID deployments were also highly referenced, although with less frequency than in previous surveys. The 2013 survey was also notable because it saw border security (named as the most-expected technology to be implemented by 11 percent of respondents) lose its long-running primacy to the use of biometrics in smartphones and mobile devices (20 percent). Government and public-sector agencies comprised 44 percent of respondents.

Other organisations presenting at the conference included the US FBI, New Zealand Immigration, South Australia Police, Queensland Police, and the Australian Taxation Office, reflecting the broad interest in biometric technologies across different spheres of government services.
GTR recognised in IT publishing industry awards
CommStrat, publisher of Government Technology Review, is proud to announce that GTR received two Highly Commended commendations in recent IT publishing industry awards. The annual MediaConnect IT Journalism Awards, known in the industry as the 'Lizzies', are fiercely contested and honour achievements by individual journalists and collective teams in producing the best technology journalism and media across Australia and New Zealand. GTR was cited as a Highly Commended title in the Best Magazine and Best Business Technology Coverage categories in the midst of what organisers said was the most competitive field ever. GTR editor David Braue picked up two individual commendations, winning Best News Journalist and receiving a Highly Commended commendation in the Best Telecommunications Journalist category. The wins mark a strong year in the history of GTR, with circulation and readership both increasing and the recent launch of the new Government Technology Review Knowledge Series offering exclusive interviews with a broad range of public-sector IT leaders and technologists.
GOVERNMENT BUDGET COMMITS $100M TO FIX MOBILE BLACKSPOTS
Up to 300 new mobile base stations will be built in outer metropolitan, regional and remote areas by late 2015 as the government fulfils a 2013 election promise (http://www.liberal.org.au/mobile-black-spot-programme) by injecting $100m into its Mobile Black Spot Programme (MBSP). The program, which will also rely on co-contributions from states and the private sector, will target major transportation routes, small communities and disaster-prone areas with $80m in infrastructure funding as well as committing $20m to addressing well-known 'black spots' suffering from poor mobile and wireless broadband coverage. Funding is expected to include between 250 and 300 new or upgraded mobile base stations around the country, with actual numbers based on cash and in-kind contributions expected to be contributed by third parties. “There are some locations where the economic viability of expanding the existing network may be marginal, but modest government financial support may tip the balance,” the Liberal Party election policy stated. Victoria's Government, for one, has already committed $40m to fixing mobile black spots and delivering Wi-Fi on long-haul train services across the state.

Tenders for the new infrastructure will be let in the second half of this year, with chosen providers expected to be announced in the first half of 2015. Base stations are expected to be in place from the second half of 2015. Mobile infrastructure operators Telstra, Optus and Vodafone will be expected to match the government's investment of $80 million in its Mobile Network Expansion Programme, providing their own investment of $80 million. The programme copies Western Australia's Regional Mobile Communications Programme, which attracted $39.2m in state government investment and will deliver 113 new or upgraded mobile sites. MBSP grew from the 2011-12 Regional Telecommunications Review, which found that mobile coverage was the most frequently-raised concern among residents. Blackspots accounted for more than two-thirds of the 222 submissions received by the review and were raised during all of the 20 regional consultations conducted during the course of the review.

Photo credit: CC BY-SA 3.0 Joe Ravi
GOT SOMETHING TO SAY? YOUR OPINIONS MATTER TO US. Send your comments about an article, this issue, or GTR magazine in general to editor@govtechreview.com.au
Security
I AM WHAT IAM
BY KELLY MILLS

The legacy of the failed Australia Card identity scheme has hindered Australian government agencies from realising the dream of having a sole online identity for every citizen. The reluctance to address the issue means the government is missing out on the big-dollar call-centre savings that corporates such as the big banks are enjoying. Many believe government could do better: “There are loads of ways that we interact with government that doesn't need a very high degree of assurance,” Gartner research director Anne Robins explains. Banks have services available online as it makes economic sense, and the convenience is seen as a benefit. “People want to participate because it is a benefit to them, and I think a lot of people would feel the same way about doing these things online with government,” Robins adds.

PASSWORDS BY THE DOZENS
Transacting online with government agencies is far preferred to waiting on the end of the phone or standing in a queue, yet citizens have become bombarded with online services from government. It is not an uncommon scenario when registering for an online service to input the same information with every agency. Users often then write down the username and password in a notebook, although the vast majority of people simply reuse the same password. Through the my.gov.au portal, the Federal Government has attempted to create a solution. Services from Medicare, Centrelink, the Australian Taxation Office, Child Support, the National Disability Insurance Scheme and the Department of Veterans' Affairs can be accessed via the secure myGov account with one username and password. It's an ambitious undertaking but not everyone likes it. “MyGov is trying to give citizens a portal,” Robins says, “but there is the impression that if you use myGov you are giving Centrelink or Medicare information. It all seems like it is mixed in together, and people are uncomfortable.” The approach of myGov is misplaced, she says, in light of the success of New Zealand's RealMe government identity service. Launched in July 2013, the service has centralised the verification of a person's identity, but each agency still maintains its own data. “I think if you look at these two models,” she says, “you will see one has gone a long way down the path of making sure people do feel their privacy has been protected and that it is all about the control that they have. “The myGov model is much more about saying we are going to force you into this tunnel and you have to do everything through this point, I am just not sure people feel comfortable with that.”

SECOND-GENERATION ONLINE SERVICES
Australian government agencies, from all levels, have been roundly criticised as being slow to adopt advances in the identity space. Many agencies are trying to solve the problem on their own – some, such as the Australian Tax Office, are looking to do more and offer a richer service – but there has been no real strong leadership at a whole-of-government level about addressing citizen identity. “A complication of the government's service obligation is that they just can't say 'I'm going to make it available online and you can like it or not',” Robins says. “They have to support all of the multi channels.” Governments, like the private sector, are looking for higher levels of online participation and ways to reduce overheads on help desks or call centres. Robins believes the challenge is that government will solve the problem one agency at a time.
“It’s going to be complicated and expensive,” she warns, “and people are going to hate it if they have to do different things for each agency.” There is the possibility an agency could step out on their own and show leadership, thereby creating a bit of groundswell. “But I think it needs a much stronger push from the top down,” she says, “to actually put this on the agenda of department chief information officers. They are all suffering from cutbacks, keeping expertise in-house; this is still not a burning problem for a lot of them.”
SOCIAL SIGN-ON Innovators in government are, on the other hand, really pushing to adopt Facebook or some other social media sign-on and identity brokering service. “There is a lot of controversy about whether I want to cross my personal or Internet identity with my government identity,” First Point Global co-founder Jan Zeilinga says, noting that some citizens may feel this would give government too much visibility into a person’s private life. From an Australian government perspective, Robins adds, there are some circumstances today where a citizen would like to access a service by clicking through from Facebook. “You're accessing fairly basic information,” she says. “It is good for relatively innocuous transactions where the convenience outweighs the need for more security than that.” As people deem Facebook as “friendly” and people feel good about using it, she believes it might be a good way for government to become more accessible. On the issue of security, both Zeilinga and Robins believe Facebook can be more secure than a simple username and password for first level enquiries as people put a value on their Facebook profile. “The reality is I can enter rubbish into a registration service and create an email account,” Zeilinga says.
The real problem with using a social sign-on is the government of this moment has not grasped that there is a risk differentiation between different transactions, Robins explains: “You should be able to match the right level of authentication and verification of the transaction to what you are doing.”
BYO IDENTITY
Using a social media identity as a means of accessing services online is a trend that government agencies will need to accommodate going forward. Whereas the new generation of identity access solutions are able to broker into social media identity stores to tie the authentication together, current legacy identity access management systems don't have a means of catering for this. Dimension Data Australia security practice national manager Jason Ha explains there is technology that can broker first-level social media authentication, then decide how much of a higher challenge is required to give citizens access to services. “Social media brokering can function as a good first level authentication up to a certain point for citizens,” he says, “and then if the adaptive context requires a higher level of privilege, that is when they can interface into an internal identity construct.” However, the problem is that most Australian government agencies have not embarked on a new platform for this world. “Most of them are at the strategy and even architecture stage to determine what the new software will look like,” Ha says.

HIGHER-LEVEL AUTHENTICATION
Social sign-on is just one way to identify a persona. The key challenge is taking the persona and linking it to a real person. “The actual technologies are quite simple and services are quite simple,” Zeilinga says. “It is more about how to upgrade an individual and how much trust you put in that.” At the bare bones level, cost savings are driving government agencies to make sure everyone has an online account. “If they can get 90 percent of their online consumers using a third party for authentication, and they are pushing out that management of username and password, that is significant savings in the call centre,” Zeilinga adds. At the technology level, agencies realise that even if they embrace social sign-on, it is the step-up authentication process that is tricky.
“When you combine risk factors together you get something very strong,” Zeilinga says. “It is when you are relying on one method that you start pushing the boundaries of being over confident.”
SECURITY SOLUTIONS WITHOUT COMPROMISE. If you’re responsible for protecting people and property in government or large commercial environments, there is simply no room for compromise. Fortunately ADT Security has got you covered.
Our tailored solutions range from intrusion alarms, smoke detection and life safety through to Closed Circuit Television (CCTV), Access Control, Radio Frequency Identification (RFID) and Wireless Networks.
With vast experience in the government sector, ADT Security provides electronic security to millions of commercial, government and residential customers across your street and around the world.
When it comes to security, we know that one size does not fit all. Combining intelligent technology with vigilant expert security teams, we can design, install, monitor and maintain integrated systems to match your needs.
ADT Always There
TO FIND OUT MORE, CALL 131 238 OR VISIT ADTSECURITY.COM.AU/SOLUTIONS
Master Licences: VIC No. 65201491P | WA No. SA42314 | SA No. ISL152299 | NSW No. 405187443 | ACT No. 17501009 | QLD No. 3258669
A Tyco Business
Options for higher-level authentication could include the bank's favourite tool of SMS or a realm of biometric tools. Yet despite its growing popularity, fingerprint scanning is no more secure than a Facebook login, Zeilinga warns, noting that it is difficult to get a fingerprint-based biometric system to an enterprise-enabled point. “Logistically also it is quite hard to get everyone to go through a provisioning process for fingerprinting, which would be like a 100 point ID.” Robins is also sceptical of the success of fingerprinting within the government sphere. “It may be big brotherish if they say you can use your fingerprint to lodge your tax return.” Voice printing, by contrast, is easy to do remotely. Robins says a lot of organisations such as health insurers and banks are already using voiceprint biometric scanning.

“Voice is not a future technology, government should embrace it,” Robins says. “It naturally fits into the call centre structure that they have in operation.” Whatever road Government chooses to take to provide services online, the main message seems to be that it is the combination of risk factors that provides a strong authentication. “Not only do you do a Facebook sign in, but they also fingerprint the machine you are coming from and your behaviours, so if your behaviours are abnormal then the agency might prompt you for a stronger authentication, a stronger question or something else to get an assurance level higher,” Zeilinga explains. “It is when you are just relying on one method, that you start pushing the boundaries of being over confident.”
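The adaptive pattern Ha and Zeilinga describe above (a low-assurance social sign-on accepted for innocuous transactions, with the device fingerprint and behavioural signals deciding whether the agency must prompt for a stronger factor, or push the citizen to another channel, before a sensitive transaction) can be written down as a small policy engine. The following is an added worked example, not code from the article or from Gartner, Dimension Data, First Point Global, myGov, RealMe or any agency. The assurance scale, the transaction table, the risk signals and their uplift values are all assumptions chosen for illustration; it also goes slightly beyond the article by scoring geography and login velocity alongside the device fingerprint.

```python
"""Risk-based step-up authentication policy (illustrative, added example).

Not code from the article or from any vendor, agency or product it mentions.
Every level, transaction, signal and threshold here is an assumption for the
example, not a published policy.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assurance earned by how the session was authenticated (assumed ordinal scale).
SOCIAL, PASSWORD, OTP_SMS, VOICE_BIO = 1, 2, 3, 4

# Minimum assurance each transaction needs before risk is considered (assumed policy).
TRANSACTION_LEVEL: Dict[str, int] = {
    "view_opening_hours": SOCIAL,
    "book_appointment": PASSWORD,
    "view_benefit_statement": OTP_SMS,
    "change_bank_account": VOICE_BIO,
}

# Factors a citizen can be stepped up to, cheapest first, with the level each reaches.
STEP_UP_FACTORS = [(PASSWORD, "password"), (OTP_SMS, "sms_code"), (VOICE_BIO, "voice_print")]

# Extra assurance demanded by each device or behavioural signal that fires (assumed).
RISK_UPLIFT: Dict[str, int] = {
    "unknown_device": 1,     # machine fingerprint never seen for this citizen
    "new_country": 1,        # request from a country the citizen has never used
    "impossible_travel": 2,  # country changed faster than a person could travel
}


def device_fingerprint(user_agent: str, accept_language: str, screen: str) -> str:
    """Hash a few stable browser attributes into a short device identifier.

    A real fingerprint uses many more attributes; three are enough to show the
    mechanism without pretending the result is unspoofable.
    """
    raw = "|".join((user_agent, accept_language, screen))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


@dataclass
class Session:
    subject: str                 # citizen the persona has been linked to
    assurance: int               # level already proven, e.g. SOCIAL after Facebook sign-on
    fingerprint: str             # device_fingerprint() of the requesting browser
    country: str                 # geolocated from the source address
    minutes_since_last_login: Optional[int] = None


@dataclass
class Profile:
    """What the agency remembers about the citizen's normal behaviour."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    last_country: Optional[str] = None


def risk_signals(session: Session, profile: Profile) -> List[str]:
    """Compare the request with the citizen's history and name the anomalies."""
    signals: List[str] = []
    if session.fingerprint not in profile.known_devices:
        signals.append("unknown_device")
    if session.country not in profile.usual_countries:
        signals.append("new_country")
    if (profile.last_country is not None
            and profile.last_country != session.country
            and session.minutes_since_last_login is not None
            and session.minutes_since_last_login < 60):
        signals.append("impossible_travel")
    return signals


def decide(session: Session, profile: Profile, transaction: str) -> Dict[str, object]:
    """Return allow / step_up / deny for this transaction in this context."""
    signals = risk_signals(session, profile)
    required = TRANSACTION_LEVEL[transaction] + sum(RISK_UPLIFT[s] for s in signals)
    verdict: Dict[str, object] = {"required": required, "signals": signals}
    if session.assurance >= required:
        verdict["action"] = "allow"
    elif required > VOICE_BIO:
        # No online factor reaches this level: refer the citizen to the
        # alternative (phone or in-person) channel instead of over-trusting one method.
        verdict["action"] = "deny"
    else:
        # Cheapest factor that lifts the session to the required level.
        verdict["action"] = "step_up"
        verdict["factor"] = next(name for level, name in STEP_UP_FACTORS if level >= required)
    return verdict


if __name__ == "__main__":
    # Constructed sample: one citizen, one known laptop, always logging in from Australia.
    laptop = device_fingerprint("Mozilla/5.0 (X11; Linux x86_64)", "en-AU", "1920x1080")
    profile = Profile(known_devices={laptop}, usual_countries={"AU"}, last_country="AU")
    social = Session("citizen-42", SOCIAL, laptop, "AU", minutes_since_last_login=300)
    print(decide(social, profile, "view_opening_hours"))      # allow
    print(decide(social, profile, "view_benefit_statement"))  # step_up via sms_code
    roaming = Session("citizen-42", PASSWORD, "0" * 16, "NZ", minutes_since_last_login=30)
    print(decide(roaming, profile, "book_appointment"))       # deny: 2+1+1+2 exceeds VOICE_BIO
```

The point to notice is that the transaction table and the risk signals are added together before the session's proven assurance is compared: the same social login is enough for opening hours, is stepped up to an SMS code for a benefit statement, and is refused outright for a routine booking when it arrives from an unknown device in a new country minutes after an Australian login. That last branch is the policy equivalent of the RealMe rule that organisations must keep an alternative means of establishing identity.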
NEW ZEALAND'S MODEL IDENTITY MODEL
New Zealand's government identity service, RealMe, is lauded internationally and has created opportunities for online efficiencies. Launched in July 2013, the end goal of the service is for citizens to have a single login and password for all secure online services delivered by public and private sector organisations in New Zealand. This dream is some way from becoming a reality. Currently New Zealand's 4.5 million citizens can use RealMe as their single username and password to log in to a range of government departments. However, a verified RealMe account, which can securely prove a person's identity, can only be used with New Zealand banks BNZ and TSB Bank. RealMe can be used to open a range of BNZ transactional accounts online via their website. TSB Bank offers the RealMe service to enable a TSB Bank account to be opened via their mobile banking app. Other major banks are expected to be on board during 2014. RealMe can also be used to order important official documents, like birth, death, marriage and civil union certificates. Other services expected to join in 2014 include life insurance, KiwiSaver schemes and enrolling to vote. To register, people need to visit a NZ PostShop, where they are digitally photographed and their identity is checked against passport records. Citizens need to re-enrol every five years. The advantage for users of the RealMe service is the high level of security: a code is texted to their mobile phone every time their RealMe identity is used. The advantage to businesses like banks is that it provides a higher level of identity verification than is currently available, because of the hook-up with the government. Users need to consent before the system will provide their identity information to an organisation. Organisations also have to provide an alternative means of establishing identity. Gartner research director Anne Robins says the federated model the RealMe system follows is a good approach.
“It has a very high proportion of uptake,” she explains. “They haven’t tried to centralise the delivery of the service; if you want to deal with a welfare issue you go to the department. But they have centralised the verification of the identity so that citizens don’t need to do that with each and every agency.” Some countries in Asia have what are seen as robust centralised identity systems for citizens. Jason Ha, national manager of the security practice for Dimension Data Australia, says countries such as Singapore or Korea have quite robust systems. “In Singapore you can do pretty much everything online, including voting, but most of it is fairly well brokered through the single identity, driven by the concept of the Singapore Identity Card.” The United States of America is viewed as “exceptionally” conservative on the issue, First Point Global co-founder Jan Zeilinga adds. “If you look at the United Kingdom government, they are pushing out assurance services to external entities.”
Security
IDENTITY THE BURNING QUESTION FOR FIRE AND RESCUE NSW
NSW Fire Brigades Aerial Pumper. CC BY-SA 3.0 Bidgee
Typically, large numbers of users make management in most public-sector organisations a special kind of challenge, but when those users are constantly mobile and often joined by itinerant employees, the task becomes positively treacherous. For Fire and Rescue NSW (FRNSW), one of the world's largest fire and rescue services, the task has been made much easier with the implementation of an identity and access management (IAM) solution from NetIQ. Use of that company's Identity Manager has enabled IT staff to manage user information and access rights for nearly 14,000 full-time and volunteer firefighters across 338 fire stations and 663 firefighting vehicles. Enforcing access consistency for those kinds of numbers – especially given the 7000 volunteers with no formal organisational ties to FRNSW – would normally be a menacing task for most IT managers. But Malcolm Thompson, assistant director of IT infrastructure, says the use of an automated IAM platform has boosted security integrity and fostered management autonomy amongst its users.

“Capability is a key concept for us,” he explains. “We have to be 'can do' people, and we can't afford to waste time and effort on administration. Our role in IT is to set up automated systems that enable the business to manage its own assets. Identity Manager enables us to manage a huge set of users with just a handful of dedicated staff.” FRNSW has just 10 dedicated employees managing identities across the organisation's IAM function, which has expanded over time from just supporting FRNSW's own users to a new role in which they use the same platform to manage nearly 100,000 identities on behalf of other emergency-services organisations. Those identities are delivered to organisations like NSW State Emergency Services and NSW Rural Fire Service, with built-in identity federation providing seamless links across myriad systems both inside and outside the organisation.
By positioning itself as a central service provider, FRNSW has become a “recognised centre of excellence for IT services,” Thompson says. “Our IT services depend largely on our ability to provision, manage and ultimately de-provision identities. We have a solid architecture in place, so provisioning new users is fast and easy.”
The concept of identity within the organisation has been expanded to refer to much more than just people: individual identities have been created for major assets such as the service's 663 firefighting vehicles. Thanks to integration with the service's automatic vehicle location (AVL) system and the turnout systems that alert fire stations to emergencies, those identities are also being used to track the status and location of each vehicle – assisting in optimising the organisation's response to emergencies. Broadening of the concepts around identity is becoming “more and more” common as organisations consolidate and extend their IAM deployments, says NetIQ's Asia-Pacific identity, security and governance product/business manager Ian Yip. “Organisations have a long-term view on this Internet of Things, and they're working to get frameworks in place to treat their stuff as objects,” Yip explains. “Objects will need accounts, permissions, policies, and access. Policies need to be applied because it can be difficult to manage, and you don't necessarily want to lock everything down.” Despite their capabilities, IAM systems alone aren't a direct replacement for the large asset management databases, which Yip said tend to be “large lookup tables”. Instead, they can be used to integrate contextual information such as an identity's location, in order to drive the execution of related policies and procedures.
A location-based policy, for example, might allow certain levels of access for a particular identity when that identity is located in the company's home state, while restricting access to other resources when the identity is travelling overseas. “The key word is context, and location plays a big part in it,” Yip says. “Contextual access control flows on from access control policies that need to be a bit more dynamic.”

Integration continues to challenge efforts to manage resources based on identity, with legacy systems presenting integration challenges even as the balance steadily shifts towards cloud-based systems with open, API-based interfaces. “It's going to get better,” Yip says. “The more organisations go to cloud, they're going to need to expose a lot of the application they've got in place – the data – to other programmatic bits and pieces, exposing them to the infrastructure. When they start to do that, they generally build more standards into things so they will work out of the box more easily.”

One area where better integration will play a role is with the shift towards having social-media logins become increasingly usable for corporate purposes: for example, the NSW Fire and Rescue platform has also enabled the management of employees and non-employees who participate in FRNSW-sanctioned programs such as 'Waste the Waist' – an online-backed fitness education program through which over 1500 staff lost more than 2177kg in weight and 2391 centimetres off their waists. Such identities may be tangentially related to the service's mission statement, but their integration into the platform reflects the many-headed approach that is now being taken towards identity. Social-media credentials will play an increasingly important role in such ancillary purposes, but Yip warns that they won't fully come into their own until there is broad access to federation standards.
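As an added example, not code from the article or from any vendor quoted in it, the following Python sketches how the signals Zeilinger describes earlier (sign-in method, device fingerprint, behaviour) and the location policy Yip describes here can combine into one access decision of permit, step-up or deny. The assurance values, location codes and resource names are assumptions chosen for illustration.

```python
# Added example: a minimal contextual access-control evaluator.
# Values below are hypothetical; they are not from any product on the page.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    method: str             # how the user signed in: "social", "password", "voice", "otp"
    device_known: bool      # device fingerprint matches one previously seen for this user
    behaviour_normal: bool  # usage pattern matches the user's history
    location: str           # state/country code derived from the session, e.g. "NSW"


@dataclass(frozen=True)
class Resource:
    name: str
    min_assurance: int            # 1 = low, 2 = medium, 3 = high
    allowed_locations: frozenset  # empty set means accessible from anywhere


# Assurance given by the login method on its own (assumed values).
METHOD_ASSURANCE = {"social": 1, "password": 1, "voice": 2, "otp": 3}


def assurance_level(ctx: Context) -> int:
    """Combine signals: a known device corroborates, abnormal behaviour lowers trust."""
    level = METHOD_ASSURANCE.get(ctx.method, 0)
    if ctx.device_known:
        level += 1
    if not ctx.behaviour_normal:
        level -= 1
    return max(0, min(level, 3))  # clamp to the 0..3 scale


def decide(ctx: Context, res: Resource) -> str:
    """Return 'permit', 'step_up' (prompt for a stronger factor) or 'deny'."""
    if res.allowed_locations and ctx.location not in res.allowed_locations:
        return "deny"  # a location rule is not satisfied by a stronger factor
    if assurance_level(ctx) >= res.min_assurance:
        return "permit"
    return "step_up"  # relying on one weak method alone is not enough


if __name__ == "__main__":
    # Constructed scenario: a social sign-in from a known device, home state.
    welfare = Resource("welfare-claims", 2, frozenset({"NSW", "VIC"}))
    print(decide(Context("social", True, True, "NSW"), welfare))   # permit
    print(decide(Context("social", True, False, "NSW"), welfare))  # step_up
    print(decide(Context("otp", True, True, "UK"), welfare))       # deny
```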
“A lot of the discussions we're having with government are looking at how they can share services, and use certain services that one department has built and potentially leverage from technical and commercial standpoints.” “Federated access controls and identity play a big part, and the government just needs to look at that and the open standards around federation to be able to do that a lot more easily and quickly.”
Security
THE REAL COST OF TRUST BY DAVID BRAUE
Models for proving identity online are all built around the secure distribution of public and private encryption keys, which are used as part of the unique digital certificates that are used to sign all manner of financial and other transactions. The importance of those certificates cannot be overstated: as the basis for the Secure Sockets Layer (SSL) technology used within Web browsers, their protection and integrity are paramount. Hence the furore earlier this year, when it was discovered that a bug in the commonly-used OpenSSL encryption library could have allowed unknown snoopers to listen in on the exchange of digital certificates that aren't normally accessible.

Even as public and private-sector organisations continue to work through the implications of that 'Heartbleed' flaw, others are working to ensure that the mechanisms for protecting certificates – and the public's trust in them – remain intact. Importantly, this includes physical as well as virtual controls to ensure that carefully defined security procedures are not violated. Unbeknownst to many, much of that physical protection is being managed through a nondescript Melbourne office building that is just one of four sites worldwide where identity-management giant Symantec – the world's largest issuer of digital certificates since it bought up industry pioneer VeriSign – manages and issues new organisational digital certificates.
The facility is normally tightly held under lock and key, but GTR recently had the opportunity to visit its deepest and darkest corners to find out just how this critical part of the identity story is maintained and managed. The site serves several functions, including the maintenance of an 80-strong contact centre through which companies wanting to obtain a digital certificate must work their way. This is a long and complex process that involves the secure management of a dizzying array of documents, as well as layer upon layer of anti-fraud checks that require sharp-eyed staff to be on the lookout for discrepancies in identity-related credentials from dozens of countries around the Asia-Pacific region. And there are discrepancies: efforts to obtain control over certificates through fraudulent means are commonplace, as are efforts to get new certificates issued in legitimate organisations' names. Faxed passport title pages with incorrect names, business registration papers with contact details falsified – in today's online economy, fraudsters will try anything to infiltrate services over which they have no legitimate claim.

Beyond the contact centre – where we go as we wave to the many cameras continuously recording every movement in this locked-down site – begins the series of physical controls through which employees must pass before they come even close to the heart of the facility. Those controls include not only the ubiquitous cameras, but a series of three ASIO-rated doors
where fingerprint scanning is the norm and complicated access rules prevent more than one person from passing at a time. Thermal sensors in the ceilings continuously count the number of people in the room and raise the alarm if it doesn't match the number that have correctly scanned into and out of the facility. Forget about trying to force your way into this facility: vibration sensors in the floors, walls and ceilings will pick you up well before you swing the sledgehammer a second time. Not that it matters: military-grade steel mesh is built into the ceiling of the facility. Infrastructure inside the site has been equally well-considered, with cabling for security, data and power systems on separate trays that are out in the open with sensors to ensure nothing compromises their integrity. Fibre runs must be intact and unbroken as a matter of procedure. Behind those doors is a team of specialists that work in a windowless room to provide technical support to customers around the world. And there, behind two further securely-locked and alarmed doors through which nobody can pass without the correct supervisor joining them, is a data centre in which several racks of servers stand next to two thick-walled steel enclosures. “Don't call them safes,” senior principal systems engineer Nick Savvides tells us, although there is no other way to describe them. Inside are trays of USB keys on which the certificate authority's master digital certificates are stored.
(clockwise from left): New keys are generated in the Ceremony Room, a sparse and non internet-connected room behind five military-spec doors; The thickness of the glass alone confirms the level of security in place; USB keys are authenticated and used to prove identity during a Key Ceremony.
These are, literally, the keys to the kingdom that is electronic commerce – the master certificates that are used to generate new root identities for e-commerce operators whose entire viability depends on the integrity of these systems. Simply holding these keys, however, won't get you anywhere. The serialised storage devices are useless without being brought into yet another room – again, nobody is allowed in by themselves – where nondescript white walls and several computers sit waiting for what Symantec calls the Key Ceremony to begin. Fittingly, the Key Ceremony requires the attention of the Key Master – a company employee who cannot be named – who facilitates the entire process of adding new certificates through complex, painstaking 'scripts' that can run to 600 pages or more and take two people eight hours or longer to complete. Those scripts include specific actions that must be taken by each participant in the Key Ceremony. Food is forbidden in the room, water is limited, and toilet breaks require packing up everything in the room and locking it away before resuming. If a mistake is made, the certificate must be revoked and the process started over. This procedure is carried out frequently, although neither Savvides nor the Key Master will say when, or even how often. Yet there they are: buried in that high-security facility in Melbourne, this team is the physical face of identity security – and a cornerstone of the entire idea of trust on the Internet.