#CTC2019
Identity and Access Management: How Do I Know You Are Who You Say You Are?
Snorri Ogata, Chief Information Officer, Los Angeles County
Tricia Penrose, Director Juvenile Operations, Los Angeles County
Mike Baliel, Chief Information Officer, Santa Clara County
Strategic Context
Snorri Ogata
CIO, Los Angeles
Identity and Access Management, September 12, 2019
Digital Eco-System
Source: Gartner
What is Identity Management?
The management of individuals and principals, their authentication, authorization, and privileges within or across system and enterprise boundaries.
Identity Management in the Real World
Restaurant Reservations
Online Banking
Fantasy Football
Online Purchases
Performance Mgmt System
Remote Case Access
Why Do We Need IAM?
• Protecting the individual and the court
• Improved user experience
  • Single sign on
• Improved information sharing
• Increased productivity / decreased costs
• Foundation to a digital court eco-system
  • Courts
  • Partners
  • Vendors
If the Court is confident it knows who you are, we can create new personalized experiences.
Digital Court Eco-System
Powered by: Court + Technology Architecture + Service Providers
• Electronic Filing
• On-line Payment
• On-line Reservations
• Remote Privileged Access
• On-line Document Assembly
• Remote Appearances
• Online Dispute Resolution
• Digital Evidence Management
• Etc…
Identity Matters
History of Identity Management and the Courts
Year | Milestone | Endorsing Organizations
2005 | Global Federated Identity and Privileged Management (GFIPM): justice technology framework for sharing information | U.S. Department of Justice Global Advisory Committee (incl. COSCA, NACM, NCSC)
2005 | OpenID authentication protocol developed | Symantec, Microsoft, AOL, Sun Microsystems, …
2006 | OAuth begins as an implementation of OpenID | Twitter
2007 | OpenID 2.0 | Yahoo, Microsoft, Verisign, …
2010 | GFIPM Implementation Guide v1.0 | Global
2012 | Global Reference Architecture v1.9.1: information sharing guidance | Global
2012 | OAuth 2.0: defines protocol for authorizing services for a user | Google, Microsoft, Apple, Facebook, …
2014 | OpenID Connect: built on top of OAuth 2.0 and defines authentication | Google, Microsoft, Amazon, …
2018 | National Identity Exchange Federation: implementation arm for GFIPM frameworks | Global (endorses OAuth 2.0 and OpenID Connect)
• Remote Access to Court Records rules were ambiguous for non-public use cases
• CRC 2.515 (et seq) modified to recognize entitled users, which include:
  • Parties
  • Attorneys
  • Legal aid organizations
  • Government agencies
  • Designees (delegated access)
  • A few others
• CRC 2.523 further states courts must: “(a) verify the identity (b) (using) a statewide … identity management … system”
Opportunity
• Statewide E-Filing efforts saw benefit of authenticated users
• Other Service Providers working on integrating identity management:
  • Remote Appearance
  • Court Reservations
  • Traffic Recurring Payments
Identity in Action: Los Angeles County Justice Partner Portal (CA Innovation Grant)
The Pilot
• Privileged remote case access to case information (data/documents) based on a user’s identity and claim.
• Case Types Currently Supported:
  • Juvenile Dependency
  • Family Law
  • Probate
  • Adoptions
  • Traffic
  • Mental Health
In the numbers
Number of Agencies/Orgs: >40
Number of Hospitals: >40
Number of Registered Users: >8,000
Active Users per Mo: ~5,000
Monthly Utilization: Searches (case/name) >300K; Document views >300K
“Off hours” utilization (evenings, weekends and holidays): >15%
Information Technology Advisory Committee: Identity Management Workstream
Policy Track
• Make Recommendations on Implementation Policies
• Provide direction to Technology Track
• Communications and Alignment with key stakeholder groups
• Members: CEOs, Judges, Operations (incl. Tricia Penrose) and me
Technology Roadmap Track
• Establish Technology Standards
• Develop Adoption Roadmaps and provide technical assistance
  • Courts
  • Service Providers
  • Justice Partners
• Members: Court CIOs (incl. Mike Baliel) and Judicial Council IT
Policy Implications
Tricia Penrose, Juvenile Director, Superior Court of California, Los Angeles
Identity Authentication Authority
Alternatives Explored:
Social: Open Table (reservation service provider) and Facebook (Identity Provider)
✓ Branch: identity is centrally controlled, similar to financial institutions
✓ Federated: Enter in agreements with (certain) organizations to authenticate users
Recommendation: The Judicial Branch will be the authentication authority for public facing (B2C) users. MOU partners will be Federated (B2B).
Which seems more secure?
Multi-Factor Authentication
Alternatives Explored
Single Authentication: ID and password only.
✓ Multi-Factor Authentication: ID and password PLUS use of a secondary form of digital identity. Can be: confirmation code, authenticator app, text message, email, …
Recommendation: Use Multi-Factor authentication everywhere
How to Link Digital and Physical Identities? (identity proofing)
Use cases explored:
✓ Litigant: Transactional or Physical
✓ Attorney: State Bar
✓ Government Agency*: Federated AD
✓ Other*: Azure B2B
* Note: Identity proofing is responsibility of partner through MOU.
Recommendation: Digital Identities (for certain services) should be proofed and/or validated by an external source.
Who has the Authority to Delegate Identity?
Use cases explored:
✓ Litigant: On their authority
✓ Attorney: On their authority
Government Agency: No. All access controlled by Agency.
Other: No. All access controlled by Organization.
Recommendation: Allow litigants and attorneys the ability to temporarily delegate their access levels to another registered user.
What Protections should IAM provide to Delegators?
Alternatives explored:
• No protections: Caveat emptor.
• Identity based: State Court identity required.
• Time based: Access must be renewed periodically.
• Audit based: Delegate access shall be visible to delegator.
Recommendation: Delegated access should be reaffirmed every six (6) months and Delegator should have visibility of delegee activities.
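As an added example, not part of the CTC2019 deck or any court system's code, here is a minimal Python model of the time-based and audit-based protections the panel recommended: a delegation lapses unless the delegator reaffirms it within six months, only registered users can hold one, and every access attempt by the delegate is logged where the delegator can see it. The class and field names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Slide: "Delegated access should be reaffirmed every six (6) months."
REAFFIRM_INTERVAL = timedelta(days=182)


@dataclass
class Delegation:
    delegator: str           # litigant or attorney granting access
    delegate: str            # another registered user receiving it
    scope: str               # what is delegated, e.g. a case number
    reaffirmed_at: datetime  # last time the delegator confirmed the grant
    revoked: bool = False


@dataclass
class DelegationRegistry:  # hypothetical name, not a real product API
    registered_users: set
    delegations: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # every delegate access attempt

    def grant(self, delegator, delegate, scope, now):
        # Only registered users may give or receive delegated access.
        if {delegator, delegate} - self.registered_users:
            raise ValueError("both parties must be registered users")
        self.delegations.append(Delegation(delegator, delegate, scope, now))

    def reaffirm(self, delegator, delegate, scope, now):
        # Restarts the six-month clock on a matching grant.
        for d in self.delegations:
            if (d.delegator, d.delegate, d.scope) == (delegator, delegate, scope):
                d.reaffirmed_at = now

    def _active(self, d, now):
        # Time-based protection: a grant lapses until it is reaffirmed.
        return not d.revoked and now - d.reaffirmed_at < REAFFIRM_INTERVAL

    def access(self, user, scope, now):
        # Allow only via an active grant; log every attempt, denied ones too,
        # against the delegator so the activity is visible to them.
        grants = [d for d in self.delegations if d.delegate == user and d.scope == scope]
        allowed = any(self._active(d, now) for d in grants)
        for d in grants:
            self.audit_log.append({"delegator": d.delegator, "delegate": user,
                                   "scope": scope, "at": now, "allowed": allowed})
        return allowed

    def activity_for(self, delegator):
        # Audit-based protection: a delegator sees only activity on their own grants.
        return [e for e in self.audit_log if e["delegator"] == delegator]
```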
What Identity Attributes are Sharable?
Alternatives Explored:
No sharing
Share everything automatically
✓ Minimize what is shared
✓ User controlled sharing
Recommendation: Clearly define minimum identity attributes and empower user to control sharing.
How to Drive Vendor Adoption?
Use cases explored:
Optional: Vendors encouraged to utilize.
✓ Mandatory: Vendors mandated to utilize.
Recommendation rationale:
• Vendors are biased to “what’s best for them.”
• The consumer benefits from their single identity unlocking capabilities to a multitude of services (single sign on)
• Precedent set with statewide E-Filing RFP which required utilization of branch identity solution.
• Superior Court of Los Angeles County including in RFPs with no resistance.
Recommendation: Include provisions in Digital Court RFPs that mandate use of Branch Identity Management.
Technology Implications
Mike Baliel, CIO, Superior Court of California, Santa Clara County
Why Microsoft Identity Management?
• Standards support: OpenID Connect and OAuth 2.0
• Cloud-based + FedRAMP blessed
• On the right “lists”:
  • Gartner Magic Quadrant
  • Forrester Wave
• Cost:
  • B2B use cases included with O365 subscription (if applicable): FREE
  • B2C use cases very affordable: ~$0.0026 / authentication (1M authentications / month = $2,600; first 50,000/mo are free!)
• Flexible: Social or Branch as the Identity Provider