CIS14: Kantara - Enabling Trusted and Secure Online Access to Government of Canada Services
1. Enabling Trusted and Secure Online Access to Government of Canada Services
July 2014
Presented by: Christine Desloges
Treasury Board of Canada Secretariat
Government of Canada
2. GC Security and Identity Roles & Responsibilities
◆ Treasury Board of Canada Secretariat (TBS)
• Management board and employer
• Sets overall strategy and direction on policy and performance
• E.g. Policy on Government Security, Directive on ID Management
◆ Shared Services Canada
• Delivers common and shared IT services to federal departments
• Enables horizontal policy implementation
◆ Departments and Agencies
• Deliver Government of Canada programs and services
• Apply policies set by TBS
• Integrate to Federated Credential Solution
◆ Office of the Privacy Commissioner
• Independent oversight of Canada’s Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA)
3. Strategic Relationships
◆ Inter-jurisdictional: Joint Councils – Public Sector Service Delivery Council and Public Sector Chief Information Officer Council
• Identity Management Sub-Committee (IMSC)
◆ International Dialogues
◆ Digital ID and Authentication Council of Canada (DIACC)
• A non-profit coalition of public and private sector leaders recommended by the Task Force for Payments System Review
• Committed to develop a pan-Canadian approach to digital identification and authentication and facilitate development of interoperable policies, standards and systems
4. Committed to Advancing e-Services
◆ Committed to advancing online services
• Economic Action Plan 2014 highlighted efforts to standardize, consolidate and improve service delivery to achieve efficiencies
• The Policy on Service, coming into effect in fall 2014, provides strategic direction for GC service design and delivery, with a focus on e-services
• Web Renewal Initiative improves effectiveness of the GC’s web presence by streamlining and consolidating online information and services under the Canada.ca portal
• Cyber Authentication and Federating Identity initiatives are underway which will further digital service delivery
◆ Expectations of Clients
• Seamless, convenient and secure e-enabled delivery channels
• Ability to interact seamlessly with different orders of government, through multiple channels
5. Pan-Canadian Collaboration
Principles:
✓ Respects privacy
✓ Client choice
✓ Governments have a key role to play
✓ Collaborate with trusted FPT (Federal, Provincial, Territorial) and private sector institutions
✓ Phased approach to evolving services and infrastructure
Federated Approach
Trusting credentials and identities:
• Across jurisdictions
• Across sectors
• Internationally
Federating Credentials: ‘trusting credentials issued by other jurisdictions and industry sectors’
Federating Identity: ‘trusting identities that have been established by other jurisdictions’
Collaborative effort between jurisdictions and sectors
6. Federating Identity Vision
Beyond documents, beyond channel
[Diagram labels: Individual applying for service or benefit; GC Online Service; e-Validation Service (Broker); Authoritative Sources]
Authoritative Sources:
• Private Sector (Financial institutions, etc.)
• Government of Canada (Social Insurance Register, ID (Status) Hub, BN Hub, etc.)
• Provinces / Territories / Municipalities (Vital Statistics, Driver’s Licence, etc.)
Steps:
1. Authenticate to access service (Federated Credentials: Operational Today)
2. Enrol in program (Provide Name, DOB, etc. plus consent to validate)
3. Real-time request for validation of information (e.g. Name, DOB)
4. Real-time validation of information enabling end-to-end service fulfillment
[Screenshot: Credential Selector page (Component CS-01), "Access My DDDDDD Account". The page offers two ways to log in:]
1. Log in with a Sign-In Partner – this option allows you to log in with a User ID and password that you may already have, such as for online banking. Note: When choosing this option, you will be temporarily leaving the DDDDDD.
2. Log in with Access Key – this option allows you to log in using a Government of Canada User ID and password. [Overlay: To log in or register with GCKey, select the GCKey button below.]
7. Federating Identity Strategy: A Phased Approach
◆ Phase 1 – Federation of Credentials
• Privacy central to design with use of anonymous credentials
• Innovative relationship with the private sector provides client choice and convenience
• Ensured access for all GC clients through a GC-issued credential (GCKey)
• Use of online banking credentials (Credential Broker Service & Sign-In Partners)
• Cost effective, standards-based solution
◆ Phase 2 – Federating Identity
• A whole-of-government approach for seamless e-service delivery
• Enables departments to form a Federation of trusted organizations and leverage each other’s identity and credential assurance processes
• Reduces identity management administration costs
• Enables improved client experience and user convenience by supporting a “tell-us-once” approach
• Anchored in the Policy on Government Security and aligned with Pan-Canadian assurance model
8. Bring Your Own Credentials
◆ Credential Broker Service (CBS) – An innovative relationship with the private sector
• Enhances service to clients by enabling access to Government of Canada online services using commercially available credentials
• Operational since April 2012 with a growing list of Sign-In Partners
• Leverages private sector investments in cyber security and infrastructure
• Respects privacy through use of minimal, non-personally identifiable information and anonymous credentials
• Positions the Government of Canada to benefit from ongoing industry investments in secure cyber authentication technology
◆ GCKey Service – Provides option to use a Government of Canada credential
• Ensures all Government of Canada clients have the ability to securely log in to e-services
9. Cyber Authentication Renewal
• Foundational to the GC’s Federating Identity Strategy
• Leverages private sector investment in secure infrastructure
• A growing list of Sign-In Partners
  • BMO Financial Group
  • ScotiaBank
  • TD Bank Group
  • CUETS Choice Rewards (Credit Union Electronic Transaction Services)
  • Tangerine
10. Government of Canada Policy Architecture
Mandatory instruments for all departments and agencies:
• Policy on Government Security (PGS)
• Directive on Identity Management
• Directive on Departmental Security Management
• Directive on IM Roles & Responsibilities
• Controlled Goods Directive
• Standard on Identity and Credential Assurance
5 supporting documents developed by TBS & Communications Security Establishment Canada:
• Guideline on Defining Authentication Requirements
• Guideline on Identity Assurance*
• Protocol for Federating Identity*
• Cyber Authentication Technology Solutions (CATS)
• User Authentication Guidance for IT Systems (CSEC ITSG-31)
* Currently in draft
11. Moving Forward
◆ Treasury Board of Canada Secretariat (TBS) – Chief Information Officer Branch is leading discussions on federating identity within the Government of Canada, building on the solid foundation of cyber authentication
◆ Privacy remains central to the federating identity strategy
◆ Policy positions will evolve through continuing engagement and consultation with Government of Canada departments and agencies
◆ TBS is engaging other jurisdictions and the private sector to ensure consistency and a Pan-Canadian approach
12. Pan-Canadian Identity Messaging Hub
◆ Feasibility study in progress for a proposed Pan-Canadian ID Messaging Hub which would enable Canadians to inform all orders of government once about important life events:
• A real time, cost-effective service
• Enables the secure confirmation of identity (personal) information
• Federal, provincial, territorial and municipal (FPTM) partners