National identity strategy presentation, May 10, 2016

Based on my recent activities in Africa, I have updated my proposed national citizen digital identity strategy to include:
* Benchmark it against Estonia
* Include an overview of the number of different RFPs required and show how they can be combined with local and off-shore suppliers
* Compare against what the World Bank's ID4D study recommends


  1. Proposed National Citizen Digital Identity Strategy
     Huntington Ventures Ltd, May 2016. The Business of Identity Management.
     Copyright © 2016 Huntington Ventures Ltd. All rights reserved.
  2. Improving Your Economy
     • You want to increase GDP per capita, reduce unemployment and be an African leader in creating an innovative economy
     • The attached proposal uses a similarly sized country, Estonia, that has done this in Europe:
       – In 1987 Estonia's GDP per capita was about $2,000
     • In 2015:
       – GDP per capita is $26,355.4, as compared to your country's?
       – Unemployment is 6.984%, as compared to your country's?
       – Ranks #15 for ease of doing business, as compared to your country's?
       – Ranks #9 in the Index of Economic Freedom, as compared to your country's?
     • How did they do this?
  3. They Leveraged the Internet
     • Over 2,000 e-services ranging from e-prescriptions, e-tax, i-voting, e-health care and e-school to seamless interactions with local banks and telephone companies
  4. They Leveraged the Internet
     • More than 245 million digital signatures have been made, with more than 1 million active identity cards and more than 384 million electronic authentications
  5. Their Current Plans…
     • Over the next decade, they see the population virtually growing from 1.3 million to 10 million by creating "e-residents"
     • Their strategy is to enable people outside of Estonia to make investments in Estonia, create new businesses there and use the bridge as a way to do commerce in the European Union
  6. They Did This By Creating:
     • High level framework
     • Principles
     • Legal framework
     • X-Road
     • e-Identity (e-ID)
     • Senior government leadership
     • E-Residency
  7. High Level Framework (diagram slide)
  8. One Citizen – One Identity
     • At the heart of the Estonian model is a very simple concept: one citizen, one identity
     • When the Estonians were designing their systems in the late 1990s and early 2000s they adopted the same principle that large Fortune 500 companies were using: a common unique identifier for every customer, employee and contractor
     • This allowed them to streamline their online and in-person services
     • It also allowed citizen identity lifecycle "triggers" to be sent instantly to the various government systems, e.g. name change, address change and death
  9. Identity – Foundation of e-Governance (diagram: the citizen, accessing via their phone or the internet, goes through the Government Portal and the Single Citizen Identity Access Management layer to reach Ministry, Municipality, Crown Corporation and 3rd Party apps/services)
  10. National Citizen Identity Lifecycle (diagram: each lifecycle event – Birth, Name Change, Gender Change, Death, Address Change, Tel. Number Change, Parent/Guardian Change, Marriage, Divorce – flows from its Authoritative Source through Business Processes into the Citizen Tombstone Identity Directory)
  11. Single Citizen Identity
     • One identity per citizen
     • Any changes to the identity are then shared with the other apps/services consuming them
       – One place for a citizen to change things like addresses and phone numbers
       – Citizens don't have to fill in the same information over and over in forms for different apps/services
     • The same identity is used for access management
  12. Identity Changes Automatically Sent (diagram: the Citizen Identity Management System pushes identity changes to Ministry, Municipality, 3rd Party and Crown Corporation apps/services)
  13. All Apps/Services Leverage the Same Access Management System (diagram: the citizen, via phone or internet, enters through the Government Portal and the Citizen Identity Access Management System, which fronts Ministry, Municipality, 3rd Party and Crown Corporation apps/services)
  14. Leverage What Citizens Have Today…
     • A small percentage of your citizens have internet access
     • HOWEVER, there is a high cell phone penetration rate
     • The proposal seeks to leverage the cell phone and provide a seamless citizen user experience when they gain access to a smart phone
     • The proposal leverages voice authentication
     • Where more sensitive apps or services are accessed, a 4-digit PIN will also have to be entered
  15. Re-Engineer Government Services
     • Like payments
       – Your citizens have to pay for things like car/motorcycle registration, license renewals, taxes, fines, and water and power bills
       – If citizens could use their cell phone and things like e-wallets to pay for these, and not have to go into a government office, THEY WOULD LIKELY BE VERY INTERESTED
  16. Paying Bills Using Their Cell or Internet (diagram: Banks, Telcos)
  17. Citizen Identity Lifecycle – It Starts With Birth
     • Register infants, obtain a biometric footprint and give them an electronic identity which is tied to their parents'/guardians' identities in the central citizen national directory
     • On the child's first day of school, obtain digital fingerprints, a voice scan and a face scan (iris TBD)
     • On each subsequent first day of the school year, update the face and voice scans
     • If there is a change to the parent/guardian of a child, this will be fed automatically from the authoritative source to the central citizen identity directory
  18. Adults Applying For Various Identity Cards
     • All authoritative sources for birth, name change, parent/guardian status, marriage, divorce, gender change and death are tied to the national citizen identity system via APIs, which in turn feed the national citizen identity directory
     • When an adult applies for things like a national ID card, passport, driver's license, health care or a social security program, their identity is validated by providing several biometrics which are then matched against the national citizen identity directory
     • Assuming the match is positive, the citizen's tombstone-level identity information automatically flows from the national citizen identity directory through secure APIs to the ministry application/service
  19. Updating Biometrics & Grandfathering In Existing Adults
     • At regular intervals (e.g. every 5 or so years), all citizens must update their face and voice prints at a government office
       – This could be done alongside things like driver's license and national ID card renewals
     • For all those citizens who are already adults, a grandfathering process will be designed to register them and/or update their biometrics
       – This will include business processes such as police checks and electronic verification of birth, marriage and name change documents against the national citizen identity directory
       – As well, all identities will be searched against the death registry to ensure the person is not masquerading as someone who is dead
  20. When A Citizen Dies
     • When a person dies, the authoritative source for recording deaths will automatically update the citizen's entry in the national citizen directory via APIs tied to the national citizen identity provisioning system
       – The national citizen identity system will then automatically notify all ministry apps/services via the national citizen identity provisioning service and secure APIs
       – All ministry apps and services will now be updated and program delivery stopped or adjusted
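As an added illustration of slides 8 to 20 (this is not code from the deck or from Huntington Ventures), the Python model below shows the lifecycle feed the slides describe: one identifier per citizen, a change accepted only from the authoritative source designated for that event type, replayed or out-of-order deliveries ignored, and a death event propagated to a consuming ministry service that then stops program delivery. The source names (civil_registry, death_registry), the event types and the sample events are assumptions constructed for the example.

```python
"""Constructed model of a national citizen identity directory with lifecycle events."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed mapping: which authoritative source may assert which lifecycle event.
AUTHORITATIVE_SOURCE: Dict[str, str] = {
    "birth": "civil_registry",
    "name_change": "civil_registry",
    "address_change": "civil_registry",
    "death": "death_registry",
}


@dataclass
class Citizen:
    citizen_id: str          # the single unique identifier ("one citizen, one identity")
    name: str
    address: str
    alive: bool = True
    last_seq: int = 0        # sequence of the last applied event, for idempotency


@dataclass
class LifecycleEvent:
    seq: int                 # monotonically increasing per citizen
    kind: str
    source: str              # system asserting the event
    citizen_id: str
    data: dict


class CitizenDirectory:
    """Holds tombstone data and fans lifecycle events out to consuming services."""

    def __init__(self) -> None:
        self.citizens: Dict[str, Citizen] = {}
        self.subscribers: List[Callable[[LifecycleEvent, Citizen], None]] = []

    def subscribe(self, handler: Callable[[LifecycleEvent, Citizen], None]) -> None:
        self.subscribers.append(handler)

    def apply(self, ev: LifecycleEvent) -> bool:
        """Apply an event; return True if it changed state and was propagated."""
        # Only the designated authoritative source may assert this kind of event.
        if AUTHORITATIVE_SOURCE.get(ev.kind) != ev.source:
            raise PermissionError(f"{ev.source} is not authoritative for {ev.kind}")
        if ev.kind == "birth":
            if ev.citizen_id in self.citizens:
                return False                      # duplicate registration
            c = Citizen(ev.citizen_id, ev.data["name"], ev.data["address"], last_seq=ev.seq)
            self.citizens[ev.citizen_id] = c
        else:
            c = self.citizens[ev.citizen_id]
            if ev.seq <= c.last_seq:
                return False                      # replayed or out-of-order delivery
            if not c.alive:
                return False                      # no changes to a closed identity
            if ev.kind == "name_change":
                c.name = ev.data["name"]
            elif ev.kind == "address_change":
                c.address = ev.data["address"]
            elif ev.kind == "death":
                c.alive = False
            c.last_seq = ev.seq
        for handler in self.subscribers:          # notify consuming apps/services
            handler(ev, c)
        return True


class MinistryService:
    """A consuming app that pays a benefit and stops when the citizen dies."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.beneficiaries: Dict[str, dict] = {}
        self.log: List[str] = []

    def on_event(self, ev: LifecycleEvent, c: Citizen) -> None:
        if ev.kind == "birth":
            self.beneficiaries[c.citizen_id] = {"name": c.name, "address": c.address, "active": True}
        elif c.citizen_id in self.beneficiaries:
            rec = self.beneficiaries[c.citizen_id]
            rec["name"], rec["address"] = c.name, c.address
            if ev.kind == "death":
                rec["active"] = False             # program delivery stopped
        self.log.append(f"{self.name}: {ev.kind} for {c.citizen_id}")


def demo() -> dict:
    """Run a constructed event sequence and return the resulting state."""
    directory = CitizenDirectory()
    pensions = MinistryService("pensions")
    directory.subscribe(pensions.on_event)
    directory.apply(LifecycleEvent(1, "birth", "civil_registry", "C-001",
                                   {"name": "Amina Doe", "address": "1 Market St"}))
    directory.apply(LifecycleEvent(2, "address_change", "civil_registry", "C-001",
                                   {"address": "7 Hill Rd"}))
    try:   # a ministry app must not be able to assert a death
        directory.apply(LifecycleEvent(3, "death", "pensions", "C-001", {}))
        wrong_source_rejected = False
    except PermissionError:
        wrong_source_rejected = True
    replayed = directory.apply(LifecycleEvent(2, "address_change", "civil_registry", "C-001",
                                              {"address": "1 Market St"}))
    directory.apply(LifecycleEvent(3, "death", "death_registry", "C-001", {}))
    after_death = directory.apply(LifecycleEvent(4, "name_change", "civil_registry", "C-001",
                                                 {"name": "A. Doe"}))
    c = directory.citizens["C-001"]
    return {
        "wrong_source_rejected": wrong_source_rejected,
        "replay_ignored": not replayed,
        "change_after_death_ignored": not after_death,
        "address": c.address,
        "alive": c.alive,
        "benefit_active": pensions.beneficiaries["C-001"]["active"],
        "benefit_address": pensions.beneficiaries["C-001"]["address"],
        "events_seen_by_pensions": len(pensions.log),
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth keeping from the slides is that consumers never write identity attributes back; they only receive them. The PermissionError path shows why the feed must check the asserting source and not just the payload, and the sequence check is what keeps a duplicated API delivery from reverting an address.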
  21. Re-thinking the National ID Card
     • When cards like the national ID card are created they will have the following functions:
       – Ability to store a 4-digit PIN
         • This PIN will be something the citizen knows. When the card is presented to a card reader, the PIN will be checked against the national citizen identity authentication infrastructure.
         • If the authentication is successful, a picture of the person will appear on the service counter screen; it must match the person who has presented the card and PIN
         • As well, a voice sample can be taken at the counter and authenticated against the national citizen identity system
         • If successful, the government counter clerk has a high degree of assurance that the person is who they claim to be
     • These are practical risk mitigation measures against people who are trying to masquerade as someone else to the government, as well as to municipalities, banks, telcos, etc.
  22. Leveraging The National ID Card For Digital Signatures
     • Ability to store a digital certificate which is protected by a second 4-digit PIN
       – When the citizen wants to sign a legal document, they present their card to a reader and enter their first 4-digit PIN as above
       – If successful, they then enter the second 4-digit PIN, which is verified by the PKI infrastructure associated with the national citizen identity system
       – Assuming that PIN is valid, a digital signature is produced for the legal transaction
  23. Create Electronic Copies of Physical Cards Like National ID, Driver's License, etc.
     • As the US National Institute of Standards and Technology (NIST) derived credential guidelines mature (SP 800-157, Guidelines for Derived PIV Credentials), the government will gradually implement them
       – This will allow things like the physical National ID card and driver's license to be installed electronically on citizens' smartphones
       – When a citizen loses their phone, the citizen will simply call a toll-free service and report the phone lost
         • The derived credentials on that phone will then be deactivated
  24. Estonia Raised Their GDP Per Capita
     • This was done by doing many things in parallel with the national citizen identity strategy
     • Provided internet to all schools
     • Then they created "e-school"
     • Began to teach children how to code
     • They encouraged start-up software companies
       – Skype is but one example of a company that began in Estonia
  25. Education
     • In the last decade, Estonia has ranked in the top twenty in the world in the domains of reading, mathematics and science as determined by the Programme for International Student Assessment (PISA)
     • More impressively, Estonia has the lowest proportion of low achievers among PISA participating countries
     • More than a third of Estonian students from low socioeconomic backgrounds are among the best performers on PISA
     • Reference: http://www.ncee.org/2014/04/global-perspectives-e-stonia-how-estonias-investment-in-it-skills-impacted-improvements-in-the-economy/
  26. Students Can Log On At School Using Their Voice (diagram: the citizen, via phone or internet, goes through the Government Portal and the Citizen Identity Access Management System to reach E-School)
  27. Leverage the Same Infrastructure for Health Care
     • Citizens will be able to call a toll-free number for health care
       – They will authenticate using their voice and then give their permission for a health care worker to view their health record and assist them
     • SMS vaccination reminders will be sent to parents/guardians of young children
     • All health care records will use the same identity
  28. Leverage Identity With Health (diagram: the citizen, via phone, internet or the toll-free health care number, goes through the Government Portal and the Citizen Identity Access Management System to reach E-Health)
  29. Solution: Use A Phased Vision (diagram slide)
  30. Then Migrate To The End State (diagram slide)
  31. How To Do This?
     • I have led, as well as rescued, many large Fortune 500 identity projects (including Boeing and Capital One) and recently was the identity architect for the Government of Alberta's digital citizen identity and authentication project
     • I break down large complex projects into crawl, walk and run phases
     • I also leverage existing knowledge, experience and technology wherever possible
  32. Pre-Phase I – Discovery
     • Estimated time: 6-10 weeks
     • Bring me in to do the first discovery
     • I would work with a number of local analysts
     • Deliverables:
       – Documentation of existing identity workflows and the data structures used for identities today in major government systems
       – Review of the current governance/legal framework
       – Review of how payments are made today by citizens to the government
       – High level review of existing infrastructure
       – Estimates of first phase budget costs and resource requirements
       – Determine who can fund the next phase
  33. Crawling
     • Estimated time: 6 months
     • Deliverables:
       – Detailed gap analysis for the following areas:
         • Governance
         • Architecture
         • Identity
         • Infrastructure
         • Services and service/application integration
         • Cyber security
         • Training/Maintenance
       – Numerous RFP preparations to cover the many different components this program entails
       – Detailed proposed implementation plans for the next two phases
       – Budget and resource requirements
  34. Team
     • The team would include:
       – A number of different subject matter experts (SMEs) covering areas such as:
         • Governance
         • Identity and access management
         • Voice authentication
         • Network/High availability
         • Interactive voice response
         • Payment portals
         • Cyber security
         • Health
         • Education
       – The e-Governance Academy Foundation from Estonia
       – I want to ensure that a number of local national SMEs are part of the gap analysis to begin knowledge transfer
  35. Addressing Security
     • Imagine it's a few years down the road and your country has 1,000 or more citizen e-services online, similar to what Estonia has
     • At that point, the country becomes a prime target for attack. This is what happened in Estonia in April-May 2007
     • It is entirely possible that malware could be introduced into the code (a software supply-chain compromise) so that organized crime could demand a ransom or bring down the services
     • It is also possible to bring them down with a denial of service attack
     • To mitigate this risk, as part of the crawling phase we would bring in people from Estonia as well as from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), which is located in Estonia
     • The design would then use current best practices
     • These systems must be up and available 24x7x365, have high levels of code security and have mitigation measures in place for denial of service attacks
  36. Numerous RFPs Required
     • There is no one company that can supply all the different components
     • Therefore numerous RFPs are required:
       – Open source identity and access management software, design and implementation
       – Contract to assemble a set of test voice prints
       – Voice authentication RFP with a vendor bake-off using the test voice prints
       – Open source interactive voice response software, design and implementation
       – Open source payment portal design and implementation
       – Back-end payment processing contract for credit, debit and cell phone e-wallet payments
       – Contract for Estonian e-government advisory services
       – Contract for malware and denial of service attack best practice design and implementation
       – Contract for high availability design and implementation
       – Contract for 3rd party penetration testing
       – Contract for open source health care software design and implementation
       – Contract for open source education management design and implementation
  37. Walking Phase
     • Estimated time: 2 years
     • Deliverables:
       – Implement the laws and acts, infrastructure, security, support, etc. defined by the gap analysis
       – Citizens will be able to use their cell phones to call a government number, authenticate using their voice, and pay bills by voice via the cell phone e-wallet, SMS banking or a debit/credit card
       – Citizens will also be able to interact with government services via their cell phone and SMS
       – Implement the legal framework gap requirements
       – Mesh the infrastructure with new highly available data centres
  38. Speed Up the Process
     • I am proposing your government license from the Government of Alberta the intellectual property for the citizen payment portal and the identity and authentication system as a starting point
     • This will cut implementation time by a year
     • Then modify it for the use of voice and interactive voice response with the payment portal
     • Note: New Zealand uses voice authentication for its call centres
  39. Running Phase
     • Estimated time: 2 years
     • Deliverables:
       – Implementation of the governance, infrastructure, security, support, etc. defined by the gap analysis to enable introduction and use of the digital e-National ID Card
       – Citizens will be able to digitally sign documents and begin to access services similar to those the Estonian government offers its citizens today
       – Create a National e-Governance Academy Foundation
  40. Your People Run the System
     • Goals are:
       – To have all the people who run the system be your country's own nationals
       – Your government creates its own e-government academy foundation which can then sell its knowledge across Africa
     • To do this, your country has to "walk the talk" in all aspects of the project
  41. Use Me As A Trusted Advisor
     • Using all my experience I will:
       – Guide the program in the early days to determine all the gaps, prepare RFPs and help assemble the various teams required
     • Pair me up with Program and Project Managers
       – I want to ensure that we successfully implement the program and various sub-projects
       – Therefore, I will help select these people and then train them to design, implement and then sustain the infrastructure
     • I will work with the Government to ensure that RFPs go to combined teams of national and other countries' experts to build up local expertise as and where required
     • I have a successful track record in integrating complex systems with numerous vendors
  42. In about 5 years…
     • Your country could be the first in Africa to transform itself digitally
     • GDP per capita would rise, employment would increase and the way of life of most citizens would change positively in how they conduct business and interact with the government
  43. Summary
     • Your country could become the Estonia of Africa: a small innovative nation that leveraged the digital world to rethink itself
     • Please contact me:
       – 1-604-861-6804
       – guy@hvl.net
       – www.hvl.net
  44. Appendix Slides
  45. Senior Government Leadership
     • Implementing such a radical change in society requires the most senior government officials to guide the project
     • In Estonia, both the President and Prime Minister were actively involved in all stages of the project
     • This involved shepherding significant change through their bureaucracies and also keeping a steady hand when the infrastructure came under a massive denial of service attack in 2007
     • Work began in 1992
  46. World Bank ID4D Study
     • Recently the World Bank released a study, "Identification for Development (ID4D) Integration Approach Study"
     • It recommends that countries implement national citizen identity strategies using an integration model similar to Estonia's
  47. ID4D's Integration Model (diagram slide)
  48. Is the Answer to Adopt ID4D/Estonia?
     • The model in this proposal is very similar to Estonia's and the one ID4D uses
     • HOWEVER, the ID4D and Estonia models are built upon all citizens/residents having access to the internet
     • Most of your country's citizens currently don't have internet access
     • Thus, from the citizen's perspective, the cell phone is the communication technology to start with
     • The proposal uses interactive voice response and voice authentication with the internet infrastructure running underneath
     • Thus, all citizens can take advantage of the solution whether they are using a basic cell phone, a smart phone or a computer
  49. Government Will Make & Save Money
     • Increase nightly interest revenue
       – All government payment portal payments go into one back-end government bank account each night to earn interest
     • Save money by paying citizens directly into their bank and telephone accounts (e-wallet) for things like subsidies
       – Reduce issuing physical cheques and/or having to use expensive payment card systems
       – Give citizens the choice of how to be paid
  50. Use Open Source
     • The proposal uses open source software wherever possible:
       – Interactive voice response (IVR) – TBD
       – Payment portal – TBD
       – Identity and Access Management – ForgeRock
       – API gateway servers – TBD
       – Enterprise service bus (optional) – TBD
       – Monitoring – the ELK stack (Elasticsearch, Logstash and Kibana) for log aggregation and monitoring
       – Environment automation – Ansible, for quickly spinning servers up and down in the various environments
       – Health care management – TBD
       – Education management – TBD
     • It is likely proprietary vendors will be selected for:
       – Voice authentication – TBD
       – Digital certificates – TBD
  51. Biometrics…
     • Biometrics are not "perfect"
     • A measure of their accuracy is the Equal Error Rate (EER), also called the Cross-Over Error Rate (CER): the operating point at which the false acceptance rate (impostors wrongly accepted) and the false rejection rate (genuine users wrongly rejected) are equal
     • Voice EER is approximately 10%
  52. Therefore…
     • Voice doesn't work for everyone
     • A few percent of citizens will have trouble authenticating using their voice. Having citizens say a longer sentence when authenticating can mitigate this.
     • For those for whom it won't work, they will be given a username and password to enter via their cell phone
  53. Person Playing Back a Citizen's Voice?
     • For low-risk applications, the citizen's voice alone will be accepted for authentication
     • However, as the service risk level rises, citizens/residents will be required to enter an additional 4-digit PIN
     • When the e-National ID Card is released, citizens/residents will be able to use it via their smartphone in a manner similar to the way Mobile ID is used today in Estonia. They will enter a 4-digit PIN in addition to having the digital certificate on their smartphone.
     • All of this is defined in the Credential Assurance Standard
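Added example (not from the deck) of the quantities slides 51 to 53 talk about: computing the EER/crossover point from genuine and impostor match scores, moving the threshold to a stricter false-accept target for a higher-risk service (at the cost of more false rejections), and estimating how much an independent 4-digit PIN cuts an impostor's chance of success. The score lists and the three-attempts-before-lockout figure are constructed assumptions, not voice-vendor data.

```python
"""EER and threshold selection for a voice biometric, on constructed scores."""
from typing import List, Tuple

# Constructed match scores in [0, 1]; higher means a better match. Not real voice data.
GENUINE: List[float] = [0.9, 0.85, 0.8, 0.78, 0.75, 0.7, 0.65, 0.6, 0.55, 0.45]
IMPOSTOR: List[float] = [0.2, 0.25, 0.3, 0.35, 0.4, 0.5, 0.52, 0.58, 0.62, 0.66]


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)   # impostors let in
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)      # genuine users turned away
    return far, frr


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a threshold; return (EER, threshold) at the crossover."""
    best_gap, eer, eer_threshold = None, None, None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, eer, eer_threshold = gap, (far + frr) / 2, t
    return eer, eer_threshold


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold whose FAR does not exceed max_far; returns (threshold, FAR, FRR).
    Higher-risk services pick a smaller max_far and pay for it in FRR."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0   # nothing passes: reject everyone


def impostor_success_with_pin(far: float, pin_digits: int = 4, attempts: int = 3) -> float:
    """Chance that a voice impostor also guesses the PIN, assuming the PIN is independent
    of the voice decision and `attempts` guesses are allowed before lockout (assumed 3)."""
    return far * min(1.0, attempts / 10 ** pin_digits)


if __name__ == "__main__":
    eer, t = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER {eer:.2f} at threshold {t}")
    print("strict threshold (FAR<=10%):", threshold_for_max_far(GENUINE, IMPOSTOR, 0.10))
    print("impostor success with PIN:", impostor_success_with_pin(0.10))
```

Two things the numbers make concrete: tightening the FAR target for a sensitive service raises the FRR, which is the "voice doesn't work for everyone" problem on slide 52 showing up as a policy choice rather than a vendor defect; and a PIN only helps against a replayed recording if it is rate-limited, since without the `attempts` cap the `min(1.0, ...)` term goes to 1 and the PIN adds nothing.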
  54. Cell Phone Is Shared By Several Citizens?
     • Sharing of cell phones is quite common
     • To address this the strategy uses the following:
       – The primary cell phone holder will be identified in the central identity data store
       – When another citizen wants to use the same telephone, the primary cell holder will have to give their permission
       – Any SMS message sent to a citizen will be labelled with their name so that the intended citizen is clearly identified
       – Agreements between citizens, telephone companies and the government will be put in place so that if a citizen's cell phone number changes, the telco automatically notifies the central identity service
  55. All That Glitters Is Not Gold
     • The Government of Alberta system is a good place to start, but not to end up. Why?
     • Low level of identity assurance: if you say you're Mickey Mouse, the system will accept it
     • No second-factor authentication
     • Can't do digital signatures
  56. So Why Use Them?
     • It will reduce implementation time by about a year by licensing the intellectual property for their:
       – Privacy architecture
       – Use cases
       – Test cases (for the IAM portion alone the team developed over 500 test cases)
       – Testing tool
         • The team supported approximately 15 different browser and mobile platforms
         • For each platform the tests had to be run in each environment. So, just for the IAM portion alone, it meant running 15 sets of over 500 tests PER ENVIRONMENT. Therefore, the team wanted to automate the testing as much as possible and developed a testing tool to accomplish this.
       – Data standards
       – Implementation guides that allow services/applications to integrate quickly
       – Software code
  57. Bottom Line…
     • Your country must develop a solution tailored to fit your needs and not drop-ship or wholesale adopt something developed elsewhere
     • HOWEVER, it should LEARN from others wherever possible
     • It needs to develop a solution:
       – For your citizens of all types and regions
       – Leveraging the existing technology citizens have today
       – Run by your country's people and companies
       – With an eye to standardizing wherever possible
       – To then lead Africa into the new economies which are rapidly emerging
  58. National Leadership
     • The proposal seeks to have your country's government lead other regional countries in defining common standards for Evidence of Identity and Credential Assurance
     • It also sees the creation of an agency similar to Estonia's e-Governance Academy Foundation to then train other African nations on how to achieve this
  59. Guy Huntington
     Guy Huntington is a very experienced identity architect, program and project manager who has led, as well as rescued, many large Fortune 500 identity projects, including Boeing and Capital One. He recently completed an engagement as the identity architect for the Government of Alberta's Digital Citizen Identity and Authentication program.
  60. Changing the World a Bit
     • Guy wants to change the world a bit by assisting developing countries to leapfrog ahead of most western societies by:
       – Leveraging citizens' use of the cell phone and their voice to access online government services
       – Utilizing digital versions of their national identity cards on smartphones to enable digital signatures
       – Using mostly open source products with "standardized back ends" and customizable "front ends"
       – Reusing the same code and intellectual property in other jurisdictions to dramatically reduce implementation times and costs