Why Authentication is the Key to Securing the Digital Front Door of Government - How to improve digital service delivery for citizens and employees
February 2022
Sponsored by Freshworks
Table of Contents

Introduction: the Challenge of Public Sector Authentication
The Role of Digital Identity Management
Digital Identity in Government
• Limitations of legacy systems and more
• The value of identity and authentication
How to Secure Identity in Digital Government Services?
• What is Identity as a Service, and how can governments leverage it?
• The vital capabilities in an IDaaS system
• Key Capabilities of an IDaaS solution
• IDaaS Features
Final Thoughts on IDaaS for the Public Sector
>> Introduction: the Challenge of Public Sector Authentication

Today, people have come to expect the same seamless digital experience when accessing government services as they do when they interact with businesses. Digital identity is the integral component in providing a positive experience: it operates like the digital front door to government services and allows government to form a single view of its citizens.

By adopting an identity-first approach, governments and the public sector can improve existing services and launch new ones faster and more securely, Auth0’s Public Sector Identity Index Report has found.

Digital identity is also a driver for social and economic inclusion, an opportunity to provide equal, fast and convenient access to both public and private services, the Secure Identity Alliance noted in its 2021 research report, Giving Voice To Digital Identities Worldwide. The Alliance strongly advises that countries should prioritise government-supported digital and mobile identities.

Yet without robust, secure authentication as part of identity and access management (IAM), digital government services will be unable to rival commercial ones. However, public sector teams in Australia and New Zealand have a bias towards building in-house solutions, despite the obvious challenges, Auth0’s 2022 Public Sector Identity Index Report - Australia & New Zealand has identified.

When government relies on traditional approaches to identity, the result is often marred by overhead costs, requires unique talent to build and manage, and can slow down the delivery of value to the public. By contrast, adopting Identity as a Service (IDaaS) offers government of all tiers the opportunity to fully embrace digital government and realise the benefits of digital transformation.
As the Index Report has identified, there are several important elements in partnering with an identity solution that can enable governments to reallocate resources to deliver additional value to their constituents. Realising its benefits in government starts with an understanding of the role of IAM and how to leverage it through IDaaS for streamlined, highly secure and functional government-to-citizen and government-to-business interactions.

This white paper will examine the challenges in authentication in IAM in citizen and business access to government services. It will explain how IDaaS represents a solution to the challenges of building and maintaining in-house identity management and why improving citizen access to services lifts the vital metric of trust in government – something that’s vital across all tiers.

To support this, Okta and Auth0 can partner with the public sector to deliver the IDaaS requirements for both citizens and business that support governance, collaboration and improved user controls.

1 ‘Our Public Service Our Future’ 2019, p21, https://pmc.gov.au/sites/default/files/publications/independent-review-aps.pdf
2 Ibid, p46
>> The Role of Digital Identity Management

With the pandemic-driven surge in digital transactions and the ongoing digital transformation efforts across both business and government services, IAM has become the cornerstone of secure, seamless user access and management. The global pandemic has dissolved physical boundaries traditionally operating in services and transactions across all sectors. This has raised the importance of identity and access management as integral to providing safe, seamless digital interactions, as noted in Gartner’s 2021 Identity and Access Management guide.

IAM encompasses a suite of tools and technologies that manage users’ access to devices and networks. It can range from cloud to on-premises applications and run the gamut of devices from phones and computers to servers and controllers.

On a functional level, IAM establishes the digital identity of a user based on identity credentials which need to be monitored, maintained or modified. From an organisation’s perspective, IAM grants users access to the systems and devices in a given context on the basis of verifying someone’s identity through digital means. Users may be given certain permissions based on their role or other aspects of their identity and this is administered through a system of identity and access management.

These IAM systems need to be secure, robust and streamlined so that they are highly functional and verifiable in the way they work. The checks, logs and reports around the user’s activities must be properly recorded and the access rules related to each digital identity enforced according to the approved device or system.

In a commercial environment, IAM is integral to providing strong customer experiences, which result in increased conversions, loyalty, and retention. Within government, IAM plays a key role in enhancing digital citizen services and can heighten the level of trust citizens have in their government, while improving security and promoting equitable access to services. For instance, Deloitte has found a direct link between the citizen digital experience and predicting their overall trust in government.

“Governments need to deliver a ‘One stop shop’ approach to allow their citizens to easily access their various services, regardless of which agency delivers the service. A suitable IDaaS will facilitate delivery of this approach”
Syd Moutou, Technical & Project Manager, NSW Department of Primary Industries

There are two distinct paths in which government needs to develop digital access to services and systems. For individuals, government to citizen requires an approach that is tuned to the individual and their need to access services and support. As a public sector organisation, government needs to interact with business for the provision of infrastructure to underpin citizen services and the wheels of government. In both of these channels, verifying and managing digital identity is increasingly important, giving rise to a growing need to bolster and improve government identity and access management systems and processes.

The role and importance of identity and access management can’t be overstated, with Gartner noting that today economy-wide transactions and systems now rely on the management of identity and access to digital networks, applications and services. In Australia, this is guided by a whole-of-government digital service platforms strategy that outlines how government departments and agencies are involved in the provision of digital services. The overarching goal is to ensure that services are accessible, secure and meet user needs.

At the outset, in developing a single, consistent digital identity system, Australia is behind other similar nations. Across the ditch, for instance, Kiwis have the RealMe identification tool, a personal ID to access government-provided services. One of the more advanced countries is Estonia, with its government-driven centralised e-identity system, which, according to a 2021 Secure Identity Alliance report, has 99% of government services online.

At a federal level, the government currently operates a range of external and internal
digital platforms, such as myGov, the access point for Medicare, ATO and Services Australia, a single digital identity authentication service, a national inbox and personal avatar assistants for when people are dealing with the government. There are also a range of state-based digital services platforms.

The myGovID digital identity credential, the digital equivalent of the 100-point ID check, can now be used to log in to myGov accounts. However, there have been criticisms of the system, with some security researchers saying that it could allow attackers full access to accounts. It is also the case that myGovID is putting the identity system first and then trying to retrofit the credentials needed for authentication, which isn’t always straightforward.

The government is looking to further this and expand the capabilities of government digital platforms into the future. For example, it plans to personalise the myGov dashboard, enabling citizens to access and keep track of government services, and it also wants to provide a set of business registry services to establish a reliable, accessible and trusted source of business and company information in Australia. A Payments In service is planned that would allow people to pay a government invoice with their preferred payment type, and for agencies to receive payment and reconciliation reports without having to manage payment types. Also on the roadmap for future development is to improve end-user service delivery, decision making through smarter use of data and back office support functions.

The government has also proposed a standalone digital identity system to access a range of government services, with the intention to make it quicker and easier for people to prove their identity. While a myGovID is needed to access many of the services noted above, this proposal would enable external organisations to become identity accreditors under the Trusted Digital Identity Framework.
In all of these initiatives, one of the key features will be a focus on providing multiple entry points, enabling people to interact with government when and where it suits them. It might be authorisations that permit families, partners, dependants and businesses to complete selected transactions on behalf of others, acting as admin on accounts, or providing virtual assistance to ensure people can get any help they need. In addition, digital records transformation, and government ICT procurement and contract management are also undergoing transformation towards the creation of scalable, secure and resilient digital capabilities.

This snapshot reveals some of the ways government is developing digital capabilities both for the provision of citizen services and as a public to private sector organisation. In all of these, the gateway to access to digital government services will hinge on identity and access management and demonstrating that secure, seamless digital identity capabilities will be vital to eGovernment across the board.
>> Digital Identity in Government

Government-initiated digital identification is essential and promises many benefits, such as improved service delivery, personalisation and public data intelligence, but lifting the digital bar also faces a raft of challenges.

To provision digital identity – whether it’s government to individuals or government as a public sector organisation interacting with businesses – public sector initiatives will need to overcome certain obstacles, from technical debt to budgets.

At a federal level, the limitations of legacy systems are the greatest challenge to digital government, while state and local agencies find paper-based processes the leading obstacle to digital modernisation, according to a 2019 Granicus report on the state of digital modernisation in government. It also found the cost of maintaining legacy systems with constrained budgets and pressure to modernise driven by evolving citizen behaviour is adding to the challenges of developing digital services and access. This all hinges on having a secure identity management and access system.

Another fundamental challenge is the nature of government itself. It has a dual role and is both a citizen-to-state conduit for services and a quasi-commercial entity that needs to provide tendering, commercial agreements and so on with a seamless customer experience.

Most profoundly, by definition government is subject to change based on electoral outcomes that naturally flow on to public sector directions, staffing and policy direction. The three tiers of government in Australia, which will be overseen by political parties of different stripes at any one time, make for a difference of priorities and processes in identity and authentication across digital government services.

“The challenge with the whole-of-government approach is making sure the platform is on an open standard that’s reusable and scalable for the rest of government to use”
Christopher Goh, General Manager, Customer Oriented Registration and Licensing (CORAL), Queensland Department of Transport and Main Roads
>> Limitations of legacy systems and more

The reasons for the problems with digital identity and IAM across government today are many. The inevitable gap between legacy systems and newer, digital platforms creates a challenging starting point from which to begin overlaying systems and processes for digital connectivity or transforming them toward digital-first systems.

Internally, siloed approaches to application development, regulatory compliance and security often result in inconsistent systems, a patchwork of security settings and uneven access privileges. Consider the task within public sector departments of managing different domains, user groups and locations that need to be harmonised through a digital identity platform. In addition, the widespread use of contractors alongside permanent in-house personnel creates something of a two-tier system of users where privileges and access need to be strictly monitored while not creating unnecessary obstacles that impact workflow, communication channels and productivity.

A lack of a centralised IAM means the proof of digital identity is a fragmented, decentralised process that makes it harder and more time consuming for individuals to verify their identity to access government services. It also frustrates the smooth, efficient functioning of government to business interactions, whether it’s provisioning technology or as a trusted partner. Specifically, Granicus research has also found that complex budgeting and procurement processes hold public sector organisations back from adopting cloud technologies.
Whenever it undertakes nation-altering transformations such as developing platforms for digital identity, government will always face a bureaucratic burden on innovation, with the need to meet transparency and safety requirements, overcome inevitable public misgivings, particularly when it relates to personal information and identity, political opposition and the requirement to provide accountability and oversight. It’s not that these should be overlooked; it’s a matter of understanding the impacts of technical debt and government requirements that apply in this context.

Governments are also dealing with large volumes of users, the entire adult population when it comes to something like a digital identity, so any system faces the issue of scale right from the get-go. Things like free webmail email addresses that may be abandoned or compromised immediately add to the security considerations.

Governments also face the very real prospect of creating unintended honey pots of vast troves of personal information, attractive to cyber criminals and hackers to exploit. Personal information, much of which is highly sensitive and confidential, also requires a centralised, authoritative data repository that must have enterprise-grade security.
>> The value of identity and authentication

In Australia, digital activity represented almost 6% of the total value of economic activity, worth $109 billion for 2019-20, according to data from the Australian Bureau of Statistics. This was a rise of more than 7%, higher than the overall economic growth of 2%. While this is an economy-wide measurement, it indicates that digital services and transactions are growing faster and are in the top 10 most valuable industries in the country.

“We can pull together different systems that are quite disparate, that don’t normally talk to each other and are managed by different people and bring them all together so that the user has a seamless experience in connecting with the different parts.”
Debbie Brookfield, Business Systems Manager, NSW Department of Primary Industries Food Authority

When it comes to the provision of digital services, government is clear in its aims: creating platforms that make it easy and safe to interact with government online; and government ICT infrastructure that promotes the transformation and delivery of modern, future-proof digital services.

Individuals stand to gain time savings, productivity improvements, access to employment and increased use of financial services and this in turn leads to higher sales, increased tax revenues, cost savings and reduced fraud, according to McKinsey, with benefits that also flow to government and the private sector.

Across government, digital identity will eventually underpin trusted digital interaction and help create efficiencies and drive down costs of service delivery from in-person and call centre to online transactions. Extending full digital identification coverage to people could unlock economic value equivalent to 3 to 13 percent of GDP in 2030, with just over half of the potential economic value potentially accruing to individuals, according to a McKinsey 2019 report.
However, the impacts of the challenges and obstacles faced by government in securing digital identity across both streams, government to individual and government to business, are many. Without careful system design and policies to promote the uptake of digital identification systems and mitigate risks, nations like Australia could be missing out on realising the full extent of improvements like inclusive growth, quantifiable economic value to individuals and significant non-economic benefits.

In particular, without the appropriate strategy the digital development effort (and budget) will be wasted, money and time that can’t simply be recouped or replicated. When
users face high-friction signing up to access digital services, it can lead to weakened passwords or security to remove any unwanted barriers, weakening security and potentially opening unnecessary vulnerabilities.

Data is key to improving the provision and delivery of services, but using systems with multiple authentication and identity methods that don’t enable a single view of the customer across a range of digital services makes this impossible. Added to these, many custom applications are like monolithic systems where the IAM is baked in, which then prevents government organisations from moving to a newer, more responsive architecture. In-house IAM is usually missing some of the important features needed to achieve the goals of a digital roadmap and, to bring this about, would require a large dev effort, and skills, time and budget would most likely be needed to cover this.

The security landscape is changing quickly, with new threats emerging and increasing vulnerabilities driven largely by the surge in digital transactions and distributed workforce changes. Government, like the private sector, should be concerned about data breaches and the heightened security risk, but staying across the latest threats and acting quickly if an attack occurs can’t be guaranteed through current in-house set-ups.

However, public sector entities will struggle to protect their citizens’ identities and personal information, and even hamper their own efforts to provide low-friction access to critical services, without sufficiently robust security postures. This can result in sub-standard user experiences and stalled digital transformation efforts across the public sector.

>> Secure Identity in Digital Government Services

Traditionally, public sector organisations and agencies use internal applications, which might be Active Directory, but as they move into more cloud-based applications there’s a need to put appropriate authentication mechanisms in place. It might be offering multi-factor authentication, a single sign-in for multiple applications or digital ID log-in; there can be many different protocols departments and agencies need to work with. Yet there are significant challenges in attempting to build an identity system in-house.

In most cases, there isn’t the appetite to build an identification and authentication platform from scratch internally in government, especially when it means having another application that would then need to have skilled contractors working in-house to service it. It’s also important to have access to support and technical assistance when needed, something that’s easier with a managed service.

According to the Edelman Trust Barometer, 66 per cent of people lack trust in data, but there is one fundamental digital infrastructure layer that can bring transparency to interactions: digital identity, the World Economic Forum (WEF) has noted. It has found that supporting identity management is key to governments improving citizen trust. Developing human-centric digital identities is an enabler to rebuild the economy and strengthen trust in government as we draw out of the pandemic, according to the WEF.

While government’s role is key, what’s needed is cooperation across the public and private sectors. The WEF points to the emergence of digital identity trust frameworks led by governments working with the private sector. Australia and New Zealand along with Canada, the EU and the Smart Africa Alliance are developing frameworks across the health, employment and travel sectors, encompassing data responsibility, cyber security, interoperability, inclusion, governance, redress and liability.

“The hardest part is to set up the governance and assurance framework and then keep on open standards to validate identity from system to system.”
Christopher Goh, General Manager, Customer Oriented Registration and Licensing (CORAL), Queensland Department of Transport and Main Roads
>> What is Identity as a Service and how can governments leverage it?

To address these challenges, many organisations are looking to adopt secure, flexible identity systems. Identity as a Service (IDaaS) defines cloud-based solutions for identity and access management, complete with certain capabilities and features such as single sign-on, multi-factor authentication and identity management that enable users (customers, employees and third parties) to securely access information and networks, both on and off-premises.

>> Key Capabilities of an IDaaS solution

An IDaaS solution will need to provide certain capabilities to function as a seamless, secure citizen to government and business to government identity solution. It will need to enable user management, provide authorisation and identity security, adhere to privacy regulations and adapt to changing use cases.

>> User management and authentication

One of the essential ingredients in the identification and authentication system is the ability to control permission to systems and information by granting users different roles. IDaaS systems simplify this process by centralising identity and putting these controls into a single location such as the user dashboard. This helps ensure the right people have access to sensitive data and is more secure than enabling IT departments to manually control access to individual applications.

Authenticating users will guarantee that citizens and business representatives are legitimate and prevent bad actors from accessing sensitive information or making fraudulent transactions.

“The customer has to be the centre of what we’re doing and making it as easy as possible for them is the key”
Debbie Brookfield, Business Systems Manager, NSW Department of Primary Industries Food Authority
>> Authorisation and identity security

Authorising users is vital to ensure that each person accessing a system has the appropriate permissions. IDaaS can also provide security features such as MFA, brute force and anomaly detection, in addition to rigorous access control, all vital at a time when phishing, the misuse of legitimate credentials and identity-based attacks are on the rise.

Credential stuffing attacks, where usernames and passwords from one organisation (obtained in a breach or purchased on the dark web) are used to access user accounts at another organisation, are one of the most common forms of cyber attack. IDaaS solutions often come with additional attack protection capabilities, such as brute force protection and breached password protection, that protect governments and their citizens and provide best-in-class identity security on demand.

>> Privacy compliance

The growth in privacy regulations in recent years, such as the EU’s GDPR and the California Consumer Privacy Act (CCPA) specifically, as well as the growing number of nation-specific privacy regulations, has put additional importance on the role of identity management across both private and public sector organisations. If breaches occur, organisations that fail to comply with these regulations face increasing penalties, loss of trust and significant reputational damage.

Users are also being granted more rights to manage and control the use of their data under these privacy regulations and this includes transparency around data collection, the right to data portability and differing rules across multiple jurisdictions.

Government can avoid the risk and the burden of managing compliance by instead utilising IDaaS with a partner. A centralised identity solution can offer certainty around compliance and costs, while ensuring the public sector department or agency is fully compliant.
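
The brute force and credential stuffing protections described under "Authorisation and identity security" need different detection keys: a per-account failure counter catches repeated guessing but sees only one failure per account during credential stuffing. The following added example, which is not from the white paper or from any IDaaS product, runs both checks over constructed login events; the event fields, thresholds and function names are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since the start of the sample
    source_ip: str
    username: str
    success: bool


# Assumed thresholds for illustration; tune against real traffic.
WINDOW_SECONDS = 300
BRUTE_FORCE_FAILURES = 5      # failed logins against ONE account
STUFFING_MIN_ACCOUNTS = 5     # distinct accounts failed from ONE source
STUFFING_MAX_PER_ACCOUNT = 2  # stuffing tries each leaked pair once or twice


def detect_brute_force(events, window=WINDOW_SECONDS,
                       threshold=BRUTE_FORCE_FAILURES):
    """Return {username: peak failures} for accounts that reach the
    threshold of failed logins inside any sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.username].append(e.ts)
    flagged = {}
    for user, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def detect_credential_stuffing(events, window=WINDOW_SECONDS,
                               min_accounts=STUFFING_MIN_ACCOUNTS,
                               max_per_account=STUFFING_MAX_PER_ACCOUNT):
    """Return {source_ip: finding} for sources that fail logins on many
    distinct accounts with only one or two attempts per account.
    'accounts_hit' lists accounts where a tried pair worked; those need
    a forced password reset and session review."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.source_ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            attempts = Counter(e.username for e in span)
            failed = {e.username for e in span if not e.success}
            if (len(failed) >= min_accounts
                    and max(attempts.values()) <= max_per_account):
                f = findings.setdefault(
                    ip, {"accounts_targeted": 0, "accounts_hit": set()})
                f["accounts_targeted"] = max(f["accounts_targeted"],
                                             len(attempts))
                f["accounts_hit"] |= {e.username for e in span if e.success}
    return findings


def build_sample_events():
    """Constructed sample data; IPs are from documentation ranges."""
    events = []
    # One source tries eight leaked username/password pairs once each;
    # the pair for citizen05 was reused and works.
    for i in range(8):
        events.append(LoginEvent(i * 2, "203.0.113.7",
                                 f"citizen{i:02d}", i == 5))
    # Repeated password guesses against a single account.
    for i in range(6):
        events.append(LoginEvent(100 + i * 10, "198.51.100.20",
                                 "j.smith", False))
    # A legitimate user mistypes once, then logs in.
    events.append(LoginEvent(200, "192.0.2.10", "a.nguyen", False))
    events.append(LoginEvent(215, "192.0.2.10", "a.nguyen", True))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("brute force:", detect_brute_force(sample))
    print("credential stuffing:", detect_credential_stuffing(sample))
```

On the sample, the per-account check reports nothing for the eight citizen accounts, which is why the per-source check is run alongside it.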
>> Extensibility, adaptability, scalability

Finally, IDaaS enables government agencies and departments to adapt to the changing needs for authentication. Using custom-built IAM solutions, there will be added maintenance and build costs – not to mention wait times – involved in scaling.

IDaaS providers can issue updates for mandated sign-in changes and having an extensible identity platform can enable a smooth transition when there are departmental and agency changes across government. Two groups with IAM systems that can’t talk to one another can’t benefit from each other’s data, but an IDaaS provider can act as a translator between different back ends.

“Globally, the future is going back to a token-based and credential-based identity system underpinned by a strong authentication and authorisation platform”
Christopher Goh, General Manager, Customer Oriented Registration and Licensing (CORAL), Queensland Department of Transport and Main Roads

>> Delivering public sector digital identity

It’s clear that the push towards cloud applications and managing the security considerations while dealing with a growing volume of customer data has made managing identity more complex and challenging. Public sector organisations will need suitable identity and access management solutions to verify legitimate users and securely manage their access to systems and services, while blocking potential intruders. The end-goal is to simplify authentication, aiming for the digital exchange of verifiable identity-linked information of any kind.

In addition, adopting secure development and deployment practices such as DevSecOps will support public sector entities to accelerate their time to market and grant their mobile workforce secure access to both on-premises and cloud-hosted business applications. This is particularly important to better manage access across multi-host IT estates, critical with the widespread uptake of remote working.
>> IDaaS Features

IDaaS manages the authentication flow between the end-user and the applications. It may also be used to mediate authorisation to certain areas of the application or to access certain data within the applications.

In government, this involves managing three separate identities. There is the customer (citizen) identity and access management to government-provided services. There is workforce log-in that manages staff and contractor access to internal applications. In addition, government to business identity management is needed to enable government agencies and departments to integrate identity with their business partners.

There are certain features important to have in an IDaaS solution.

Multi-factor authentication (MFA)

MFA is more secure than the traditional username/password method of logging in, particularly important given that passwords are vulnerable to multiple types of attacks. It requires more than one form of identification to access networks, usually a combination of knowledge (such as a password) and possession (such as a phone) or inherence (such as a fingerprint or retina scan). MFA provides an additional layer of security and diminishes the likelihood of unauthorised access. With just a password, hackers are unlikely to be able to access an account without the second element of identification.

Biometrics

Although MFA is safer than just password protection, it’s not completely failsafe. To address its shortcomings, new, safer forms of passwordless authentication are becoming popular, such as biometric authentication using WebAuthn. Biometrics uses something from the individual as a means of verification. This might include facial recognition, fingerprint, hand or DNA identification. Voice verification and typing recognition are also becoming more widespread for distinguishing legitimate people for systems access.

Single sign-on (SSO)

To enhance the citizen experience, single sign-on can reduce the friction citizens face by providing a consistent login experience across all applications. In practice, when accessing digital services, logging in to one application will then automatically log in the user to the other designated applications.
>> Final thoughts on IDaaS for the Public Sector

Increasingly the public sector must connect and interact with citizens and business through digital channels, and establishing and authorising digital identity is the lynchpin to ensuring a smooth, secure experience. Developing human-centric digital identities is an enabler to rebuild the economy and strengthen trust in government as we draw out of the pandemic, according to the WEF.

As a key driver of economic growth, the value creation of digital ID will be equivalent to 3-13 per cent of GDP by 2030, according to McKinsey. To realise these gains requires innovation in government, opening up new ways to impact the everyday lives of citizens, as the OECD has said, which involves overcoming old structures and modes of thinking and embracing new technologies, processes and ideas.

However, public sector agencies like many organisations lack the qualified resources and skills to plan, develop, acquire and implement comprehensive solutions, according to Gartner, even those that typically build applications in-house.

To overcome the hurdles, public sector agencies and departments are opting to leverage IDaaS to manage costs and address the digital challenges they face – increased uptake in digital transactions, rapid expansion of a remote workforce and growing security and compliance challenges. And as IDaaS continues to evolve with new services and features, it will allow partner organisations to stay ahead of the changes.

As the need for specialised expertise to handle the challenges grows, Auth0 Identity Platform takes a modern approach to identity and enables the public sector to provide secure access to any application for any user. Auth0 is the versatile platform that can be customised to the needs of the organisation, delivering convenience, privacy and security so government can focus on the needs of citizens.

As the OECD declared, innovation promises to unlock ways to ensure wellbeing, safety and justice for citizens, and serves as a catalyst to spark creativity and action in society far beyond the walls of government.

About Auth0

Auth0 solves the most complex and large-scale identity use cases for global enterprises with our extensible and easy-to-integrate platform, securing billions of logins every year. The company’s U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries. For more information visit https://auth0.com/