2006 CACR Privacy and Security Conference November 3, 2006 Identity: Setting the Larger Context, Achieving the Right Outcomes

2006 CACR Privacy and Security Conference

November 3, 2006

Identity: Setting the Larger Context, Achieving the Right Outcomes

Identity: Outline

• Introduction
• Context
• Way Forward
• Outputs
• Summary

Identity: Introduction

Identity: Clients & Outcomes

External Clients: Individuals and Businesses
• Improved delivery of government services
• Increased safety and security
• Enhanced human rights and freedoms

Internal Clients: GC Employees and Contractors
• Increased productivity
• Decreased time to on-board, off-board personnel
• Increased compliance with security, privacy and IM policies

Identity: Objectives

• Bridge the gap between the many service and security communities
• Engage stakeholders and gain consensus
• Develop a conceptual framework that can be used for:
– Developing and aligning to a single GC-wide vision
– Developing GC-wide identity principles
– Establishing a common view of identity and compatible program and project approaches

Identity: Approach

Steps, Key Questions and Work Products:

• Mandate/Priorities: How do we use identity to fulfill our mandate and address our priorities? Work product: Project Charter
• Clients & Stakeholders: Who are our clients and stakeholders; what do they need? Work product: Needs & Outcomes
• Principles/Policies: What is our scope and how do we align to the relevant principles and policies? Work product: Lexicon, Principles
• Risk Analysis: What are our risks with respect to identity? Work product: Risk-Event Model
• Assurances: What assurances do we provide or require? Work product: Assurance Model
• Services/Capabilities: How do we plan to deliver services or deploy our capabilities? Work product: Service Agreements
• Business Processes: How must we organize ourselves and what process must we use? Work product: Business Architecture
• Technologies/Solutions: What are our options for technologies or solutions? Work product: Technical Criteria

Inputs (Existing IDM Products):

• Policy Guidance
• Technical Guidance
• Standards
• Practices
• Solutions
• Relevant Principles
• Technologies

Outputs (GC-Specific IDM Products):

• IDM Policy, Directives, Standards
• IDM Enterprise Architecture
• IDM Guidelines, Tools, Best Practices
• IDM Solutions

Identity: Context

Identity: Government Context

Government Context: Working together in the public interest to ensure that we uphold what we believe and value as a society.

Identity is critical to our society, our governments and institutions

Identity: Drivers

• Privacy & Security Drivers:
– Economic: Identity Theft/Fraud
– Public Safety: Law Enforcement
– National Security: Anti-Terrorism, Border Security

• Citizen-Focused Drivers:
– Citizen-Centred Service Delivery
– Increasing Client Satisfaction
– Ensuring Rights of Citizens

• Integrity and Accountability Drivers:
– Program and Service Integrity
– Transparency

• Organizational Transformation Drivers:
– Rethinking of Government as a Single Enterprise
– Shared Services Model
– Inter-Agency and Inter-jurisdictional Collaboration

Identity: Roles of Government

Establishing Identity, Communicating Identity, Authenticating Identity

Current Roles…

Ideal Roles…

• Shared jurisdiction:
– Federal role: for those arriving in Canada
– Provincial / Territorial role: with Vital Statistics - born in Canada
• Based on relatively standard set of core attributes including: Name, Place of Birth, Date of Birth, Gender, Citizenship
• Numerous organizations involved at all levels of government, for example:
– Federally issued: Social Insurance Number (SIN), Passport
– Provincially issued: Birth registration #, Birth certificate, Health card, Driver’s license
• Most organizations require a similar base of information to provide identification
• Some additional needs specific to the organization
• Separate stand-alone processes by department or program for authentication: Epass, CRA, Service Canada, etc.
• Many different functions for validation or verification for clients’ identity
• Many enabling technologies: PKI, biometrics, tokens

Identity Management Today

Government departments/agencies have similar needs with respect to identifying individuals and request similar information

Purpose – primarily Security and/or Service delivery

Same or similar information collected, and then shared in ad hoc and disparate ways:

Clients provide same information – different times, different formats

Complex network of information sharing agreements between federal government and other jurisdictions

Many bilateral agreements with provinces and territories related to the use of personal information

Integrity varies, depending on source and on associated program/service risk

Identity: Way Forward

Identity: Defining the Opportunity

‘The Government of Canada’s ability to fulfill its mandate can be greatly improved through a common understanding of identity. A whole of government approach to identity is a critical requirement to the integrity of government programs and services.’

As approved by ADM Identity Committee, Mar 3, 2006

Identity: Defining the Issue

‘Making sure you are dealing with the right person’

Identity: Defining the Concepts

Identity Management: the set of principles, practices, policies, processes and procedures used to realize the desired outcomes related to identity.

Identity: a reference or designation used to distinguish a unique and particular individual (organization or device).

Identity: Strategy Statement

Develop a common approach consisting of:

1. A common understanding of key identity concepts and principles;

2. A single view that promotes a consistent application while enabling transparency and accountability; and

3. A comprehensive action plan appropriate to the many systems, programs and government organizations that depend upon identity.

Identity: Outputs

Identity: Draft Principles

1. Justify the Use of Identity.

2. Identify with Specific Reason.

3. Use Appropriate Methods.

4. Enhance Public Trust.

5. Use a Risk-Based Approach.

6. Be Collectively Responsible.

7. Uphold the Rights and Values of Canadians.

8. Ensure Equity.

9. Enable Consistency, Availability, and Interoperability.

10. Maintain Accuracy and Integrity.

11. Preserve Proportionality.

Draft as approved by TBS CIO

Identity: Evidence & Assurance

Evidence of Identity (EOI): Evidence that the individual is really who they claim to be - their ‘true’ identity as required by law.

Assured by: Assurance of Identity
• Level 1: Little or no confidence in validity of claimant’s identity
• Level 2: Some confidence in validity of claimant’s identity
• Level 3: High confidence in validity of claimant’s identity
• Level 4: Very high confidence in claimant’s identity

+

Evidence of Integrity (EOI): Assurance as a whole, pertaining to a system, process, token (physical or electronic), etc.

Assured by: Assurance of Integrity
• TBD

+

Evidence of Control (EOC): Evidence that the individual has control over what has been entrusted to them.

Assured by: Assurance of Control
• Level 1: Little or no confidence that claimant has control over what has been issued to them (e.g. token/identifier)
• Level 2: Some confidence that claimant has control over what has been issued to them
• Level 3: High confidence that claimant has control over what has been issued to them
• Level 4: Very high confidence that claimant has control over what has been issued to them

Evidence-Assurance Functions

COMMON IDENTITY EVIDENCE-ASSURANCE FUNCTIONS

INPUT (Evidence) | OUTPUT (Assurance) | LEVEL
Evidence of Identity | Assurance of Identity | [1-4]
Evidence of Integrity | Assurance of Integrity | [1-4]
Evidence of Control | Assurance of Control | [1-4]

FUNCTIONS (Evidence-Assurance): 1. Evidence Gathering; 2. Validation, Verification, Vetting; 3. Adjudication

PROGRAM or MANDATE-SPECIFIC EVIDENCE-ASSURANCE FUNCTIONS

INPUT (Evidence) | OUTPUT (Assurance)
Evidence of Eligibility | Assurance of Eligibility
Evidence of Status | Assurance of Status
Evidence of Trust/Reliability | Assurance of Trust/Reliability
Evidence of Entitlement | Assurance of Entitlement
Evidence of Privilege | Assurance of Privilege
Evidence of Authority | Assurance of Authority
Evidence of Custody | Assurance of Custody
Evidence of Event | Assurance of Event
Evidence of Residency | Assurance of Residency
Evidence of […] | Assurance of […]

FUNCTIONS (Evidence-Assurance): Evidence-Assurance functions are specific to the program or mandate.

Identity: Draft Framework

[Diagram labels: Justified Use; Legislative and Policy Context; Identity Principles; Lexicon; Processes; Functions; Assurances; Establishing Identity; Communicating Identity; Authenticating Identity; Evidence; Assurance; Assurance of Identity; Assurance of Integrity; Assurance of Control; Authorization; Service Delivery; Grant of Status/Authority; Security; Access; Enforcement; Audit/Compliance; Technology Enablers]

Currently being developed by the TBS CIOB Identity Team

Identity: Summary

A single GC-wide approach that:
• Recognizes common requirements throughout government
• Leverages current investments and accomplishments: Independent of technology or solution

This is a journey in progress….
