Canadian Digital Identity May 28, 2015
Transcript
Page 1: Identity Summit 2015: 2Keys Canadian Digital Identity

Canadian Digital Identity, May 28, 2015

Page 2: Identity Summit 2015: 2Keys Canadian Digital Identity

Overview

Introduction

Digital Canada 150

Digital ID and Authentication Council of Canada (DIACC)

Government of Canada Credential Federation (GCCF)

Pan-Canadian Identity Standards

Proof of Concept – Identity Validation

Canadian Digital Interchange (CDI)

Copyright © Identity Summit 2015, all rights reserved.

Page 3: Identity Summit 2015: 2Keys Canadian Digital Identity


Introduction

About 2Keys
• 17-year-old, employee-owned Canadian IT Security company
• Public Sector and Financial Sector
• Managed IAM Security Services
– Systems Integration
– Application Development and Support
– Security Operations Centre
– Service Desk
– Operated under SLA
– On-premise and “in the Cloud”
• Professional Services
– Threat Risk Assessments (TRA)
– Privacy Impact Assessments (PIA)
– Vulnerability Assessments (VA)
– Public Key Infrastructure (PKI)

Digital Trust: Policy, Process, Operations, Technology

Page 4: Identity Summit 2015: 2Keys Canadian Digital Identity


Page 5: Identity Summit 2015: 2Keys Canadian Digital Identity


Digital Canada 150

Digital Canada 150 is a Federal Government strategy for Canada's digital future. Based on 5 pillars:

1. Connecting Canadians
2. Protecting Canadians
3. Economic Opportunities
4. Digital Government
5. Canadian Content

The goals of this strategy are to be achieved before Canada’s 150th birthday in 2017.

Page 6: Identity Summit 2015: 2Keys Canadian Digital Identity


Digital Canada 150

Connecting Canadians
• Make high-speed internet service of at least 5 Mbps available to 98% of Canadian households.

Protecting Canadians
• New laws and national strategies to protect citizen privacy and safeguard against cyber bullying and other online threats (getcybersafe.ca).

Economic Opportunities
• Funding for digital entrepreneurs through the Business Development Bank of Canada and the Canada Accelerator and Incubator Program.

Page 7: Identity Summit 2015: 2Keys Canadian Digital Identity


Digital Canada 150

Digital Government
• Become a leader in using digital technologies to interact with Canadians.
• The Open Data Portal (data.gc.ca) provides a single point of access to government datasets.
• CODE: Canadian Open Data Experience. A 48-hour hackathon to build the best apps using data from Canada's Open Government portal (canadianopendataexperience.ca).

Canadian Content
• Ensure Canadians have easy online access to Canadian content that celebrates their history, arts and culture.
• The Memory Project (thememoryproject.com).

Page 8: Identity Summit 2015: 2Keys Canadian Digital Identity

Digital ID and Authentication Council of Canada


Page 9: Identity Summit 2015: 2Keys Canadian Digital Identity


Digital ID and Authentication Council of Canada (DIACC)

• Started in 2012 as a result of recommendations from the Federal Government’s Task Force for the Payments System Review.

• Goal is to develop a Canadian digital identification and authentication framework.

• Non-profit coalition of the public and private sectors.
• Initial representation from the Federal Government, the provinces of British Columbia and Ontario, Bank of Montreal, Desjardins Group, TD Bank, and Telus.

Page 10: Identity Summit 2015: 2Keys Canadian Digital Identity


Digital ID and Authentication Council of Canada (DIACC)

• Public launch in May 2014.
• Now open to new members.
• Similar to NSTIC, but not funded by government.
• Dependence on membership fees and private-sector funding handicaps proofs of concept and net-new innovation: specific agendas and existing vendor solutions shape the work.
• Membership is growing. More representation from the public and private sectors is required and will stimulate creativity and innovation and create value.

Page 11: Identity Summit 2015: 2Keys Canadian Digital Identity

Government of Canada Credential Federation


Page 12: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

Overview
• Authentication as a Service to 27 Federal Government Relying Parties, securing over 80 online services.
• First step toward a digital identity ecosystem.
• Separates the credential from the identity.
• Each government department is responsible for binding the credential to an identity, as per its specific requirements.
• Leverage the efficiencies and enhanced security of centralizing authentication today, while working on a solution for managing digital identity.

Page 13: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

Providing Choice
• Users can choose how they authenticate to Federal Government online services.
• GCKey – Government of Canada branded credential.
• Sign In Partner – allows the use of an existing credential from a participating financial institution.

Page 14: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

Page 15: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

Sign In Partner
• A commercial service contracted by the Federal Government.
• Allows the use of an existing credential from a financial institution.
• Currently five financial institutions participate.
• Deemed to be a Level 2 Assurance credential.
• Privacy protecting*: the financial institutions are not aware of where their credentials are used, and the relying parties are not aware of which credential provider was used.
• No identity attributes are exchanged.

Page 16: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

GCKey
• A voluntary, anonymous, user-controlled credential.
• Available to everyone: citizens, non-citizens, and businesses.
• User choice: a single credential for access to online services, or different credentials for different services.
• User controlled: created by the user, and can be revoked by the user.
• Privacy protecting: no PII collected. Issues a unique, persistent, anonymous identifier to each Relying Party, so relying parties cannot correlate a user across services.
• Government-accredited Level 2 Assurance credential.
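The privacy properties on the Sign In Partner and GCKey slides (the credential provider cannot see where its credential is used, the relying party cannot see which provider was used, and each relying party receives its own persistent anonymous identifier) come down to one brokering pattern. The following is an added example, not code from 2Keys, GCKey or the GCCF. It assumes the broker derives the per-relying-party identifier as an HMAC over the provider's subject identifier and the relying party's identifier under a broker-held key; the provider and relying party names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample federation. Names are illustrative, not GCCF participants.
PROVIDERS = {"bank-a": {"acct-1234"}, "bank-b": {"acct-9999"}}
RELYING_PARTIES = {"rp-taxes", "rp-benefits"}


@dataclass
class Broker:
    """Credential broker between credential providers and relying parties (RPs)."""
    # Long-lived broker secret (assumed design). Rotating it re-keys every RP's
    # identifiers, so it is backed up and versioned rather than rotated casually.
    pairwise_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    seen_by_provider: dict = field(default_factory=dict)  # provider -> audiences it saw
    seen_by_rp: dict = field(default_factory=dict)        # rp -> issuers it saw

    def pairwise_id(self, provider: str, subject: str, rp_id: str) -> str:
        """Persistent identifier for (user, RP): stable per RP, unlinkable across RPs."""
        msg = b"\x00".join(s.encode() for s in (provider, subject, rp_id))
        return hmac.new(self.pairwise_key, msg, hashlib.sha256).hexdigest()

    def login(self, rp_id: str, provider: str, subject: str) -> dict:
        if rp_id not in RELYING_PARTIES or subject not in PROVIDERS.get(provider, set()):
            raise PermissionError("unknown relying party or unasserted subject")
        # 1. Broker sends the user to the chosen provider. The request names the
        #    broker as the audience, so the provider cannot learn which RP is in use.
        self.seen_by_provider.setdefault(provider, set()).add("broker")
        provider_assertion = {"issuer": provider, "subject": subject, "audience": "broker"}
        # 2. Broker validates the provider's assertion (signature check omitted here)
        #    and re-issues its own assertion to the RP: pairwise subject, no provider
        #    name, no identity attributes.
        token = {
            "issuer": "broker",
            "audience": rp_id,
            "subject": self.pairwise_id(
                provider_assertion["issuer"], provider_assertion["subject"], rp_id),
        }
        self.seen_by_rp.setdefault(rp_id, set()).add(token["issuer"])
        return token


def demo():
    """Same user, same bank credential: two RPs and a repeat visit to the first."""
    broker = Broker()
    first = broker.login("rp-taxes", "bank-a", "acct-1234")
    repeat = broker.login("rp-taxes", "bank-a", "acct-1234")
    other_rp = broker.login("rp-benefits", "bank-a", "acct-1234")
    return broker, first, repeat, other_rp


if __name__ == "__main__":
    b, f, r, o = demo()
    print("stable per RP:        ", f["subject"] == r["subject"])
    print("unlinkable across RPs:", f["subject"] != o["subject"])
    print("provider saw:", b.seen_by_provider, "| RP saw:", b.seen_by_rp)
```

The check a practitioner cares about is in `seen_by_provider` and `seen_by_rp`: the bank only ever sees the broker as the audience, and the relying parties only ever see the broker as the issuer. The pairwise derivation is what makes the identifier persistent for one relying party yet useless for joining two relying parties' records.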

Page 17: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

Page 18: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

GCKey
• Developed and operated by 2Keys as a Managed Security Service for the Government of Canada.
• Built on the ForgeRock platform.
• Operated under an SLA of 99.8% uptime with no scheduled login outages.
• 24 x 7 x 365 Security Operations Centre.
• 24 x 7 x 365 Level 1 and Level 2 bilingual Service Desks.
• Multiple geographically diverse instances.

Page 19: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

GCKey Key Facts
• Go-live date was September 2012.
• Over 7 million credentials issued.
• Over 6 million active credentials in use.
• Over 4 million authentications per month.
• When given a choice, users choose the native GCKey credential over 3rd-party non-government credentials by a factor of 10 to 1.

Page 20: Identity Summit 2015: 2Keys Canadian Digital Identity


Government of Canada Credential Federation (GCCF)

Considerations for Public Sector online services:• Protecting user privacy is non-negotiable.

– There is no business risk calculation to be made. Any privacy breach will be front page news.

• For web SSO of government online services, global logout is an absolute must.

– Cannot risk leaving a user unknowingly logged into a service. Must consider the use of shared kiosks at government service centers and shared computers.

• With BYOC (bring your own credential), providers must be carefully vetted – a credential federation is only as strong as its weakest link.
– How secure is the technical solution? The business processes?
– How susceptible is the service desk to social engineering?
– Is there a natural trust relationship? What’s the tendency for sharing?
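Global logout as described above, modelled as an added example that is not GCCF or GCKey code: the identity provider keeps an index of every relying-party session it created through SSO and ends all of them over a back channel when the user logs out anywhere. A local-only logout is included to show the failure the slide warns about on shared kiosks. The service names and the back-channel call are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class RelyingParty:
    name: str
    sessions: dict = field(default_factory=dict)  # rp_session_id -> idp_session_id

    def start_session(self, idp_session_id: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = idp_session_id
        return sid

    def is_logged_in(self, sid: str) -> bool:
        return sid in self.sessions

    def local_logout(self, sid: str) -> None:
        """Ends only this RP's session. On its own this is the failure mode:
        the IdP session and every other RP session stay alive on the kiosk."""
        self.sessions.pop(sid, None)

    def back_channel_logout(self, idp_session_id: str) -> int:
        """Called by the IdP server-to-server (no browser involved), so the logout
        completes even if the user has already walked away from the kiosk."""
        doomed = [sid for sid, idp in self.sessions.items() if idp == idp_session_id]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


@dataclass
class IdentityProvider:
    rps: dict = field(default_factory=dict)            # name -> RelyingParty
    session_index: dict = field(default_factory=dict)  # idp_session_id -> {rp: [rp_sid]}

    def authenticate(self) -> str:
        sid = secrets.token_hex(16)
        self.session_index[sid] = {}
        return sid

    def sso_login(self, idp_sid: str, rp_name: str) -> str:
        if idp_sid not in self.session_index:
            raise PermissionError("no IdP session; re-authenticate")
        rp_sid = self.rps[rp_name].start_session(idp_sid)
        self.session_index[idp_sid].setdefault(rp_name, []).append(rp_sid)
        return rp_sid

    def global_logout(self, idp_sid: str) -> dict:
        """Tear down the IdP session and every RP session it produced. Returns the
        number of sessions ended per RP so an audit record can show completeness."""
        ended = {}
        for rp_name in self.session_index.pop(idp_sid, {}):
            ended[rp_name] = self.rps[rp_name].back_channel_logout(idp_sid)
        return ended


def kiosk_scenario():
    """One user on a shared kiosk signs in to three services, then logs out at one."""
    idp = IdentityProvider()
    for name in ("taxes", "benefits", "passport"):
        idp.rps[name] = RelyingParty(name)
    idp_sid = idp.authenticate()
    rp_sids = {name: idp.sso_login(idp_sid, name) for name in idp.rps}

    # Local-only logout at "taxes": the other two services stay logged in.
    idp.rps["taxes"].local_logout(rp_sids["taxes"])
    after_local = {n: idp.rps[n].is_logged_in(s) for n, s in rp_sids.items()}

    # Global logout, triggered from any RP's logout link: everything is ended.
    ended = idp.global_logout(idp_sid)
    after_global = {n: idp.rps[n].is_logged_in(s) for n, s in rp_sids.items()}
    return after_local, ended, after_global, idp, idp_sid


if __name__ == "__main__":
    after_local, ended, after_global, _, _ = kiosk_scenario()
    print("after local logout: ", after_local)
    print("sessions ended:     ", ended)
    print("after global logout:", after_global)
```

The per-RP counts returned by `global_logout` are worth logging in production: a relying party that reports zero ended sessions when the index says it should have one is exactly the "user unknowingly still logged in" case the slide describes.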

Page 21: Identity Summit 2015: 2Keys Canadian Digital Identity

Pan-Canadian Identity Standards


Page 22: Identity Summit 2015: 2Keys Canadian Digital Identity


Pan-Canadian Identity Standards

Pan-Canadian Standards for:
• Trust Framework
• Identity Validation
• Identity Retrieval
• Identity Notifications

Will ensure that all jurisdictions use consistent terminology and procedures to enable a Pan-Canadian approach to identity services.

Leverage trusted processes carried out in one jurisdiction for use by another.

Page 23: Identity Summit 2015: 2Keys Canadian Digital Identity


Pan-Canadian Identity Standards

Standardizing Concepts and Terms
• Personal Information
– Information about an identifiable person
• Identity Information
– Sufficient to ensure uniqueness within a service
– Minimal set of attributes required by the service
• Identifier
– Minimal set of attributes to uniquely identify an entity
• Assigned Identifier
• Identity
• Identity Resolution

Page 24: Identity Summit 2015: 2Keys Canadian Digital Identity


Pan-Canadian Identity Standards

Standardizing Data Sets
• Personal Information Categories
• Associated Data Elements

Standardizing Services
• Identity Validation
• Identity Retrieval
• Identity Notifications
• Identity Resolution

Page 25: Identity Summit 2015: 2Keys Canadian Digital Identity


Pan-Canadian Identity Standards

Core Identity Attributes
• Name
• Date of Birth
• Date of Death
• Sex, Gender, Documented Sex
• Place of Birth
• Place of Death
• Assigned Identifier
• Status
• Address
• Associated Person

Page 26: Identity Summit 2015: 2Keys Canadian Digital Identity


Pan-Canadian Identity Standards

Value of Standardized Identity Services
• Better delivery of services.
– Improved identity-proofing processes; streamlined user enrolment.
• Increased integrity of programs and services.
– Improved data accuracy, real-time validation, fraud detection.
• Improved efficiency and reduced costs.
– Reduced need for physical document inspection and in-person visits.
• Increased velocity of innovation and transformation.
– With standardized services in place, focus will be on delivering new value-adds.

Page 27: Identity Summit 2015: 2Keys Canadian Digital Identity

Proof of Concept – Identity Validation


Page 28: Identity Summit 2015: 2Keys Canadian Digital Identity


Proof of Concept – Identity Validation

Identity Attributes as Entitlements
• Attribute-Based Access Control.
• Use identity attributes and their Level of Assurance (LOA) to drive service entitlements.
• User-asserted identity attributes are considered LOA 1.
• Use the Pan-Canadian Identity Validation Standard to promote user-asserted identity attributes to LOA 2.
• Attributes are validated against existing government authoritative parties or 3rd-party services.
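Attribute-level assurance as an entitlement input, as an added example that is not the 2Keys proof-of-concept code: self-asserted attributes enter at LOA 1, an identity validation call against an authoritative party promotes matching attributes to LOA 2, and an ABAC policy states the minimum LOA per attribute that each service requires. The authoritative record set, the policy, the service names and the match/no-match validation interface are constructed for the example.

```python
from dataclasses import dataclass, replace
from enum import IntEnum


class LOA(IntEnum):
    """Level of assurance carried by each attribute, not only by the credential."""
    SELF_ASSERTED = 1   # typed in by the user
    VALIDATED = 2       # confirmed against an authoritative party


@dataclass(frozen=True)
class Attribute:
    name: str
    value: str
    loa: LOA
    source: str


# Constructed stand-in for an authoritative party (e.g. a provincial vital
# statistics registry). It answers match / no-match and never returns the value,
# which keeps the validation call from becoming an attribute lookup service.
AUTHORITATIVE_RECORDS = {
    "vital-stats": {("name", "Jane Example"), ("date_of_birth", "1980-05-17")},
}


def validate(attr: Attribute, authority: str) -> Attribute:
    """Identity Validation: promote a self-asserted attribute to LOA 2 if the
    authoritative party confirms it. A mismatch leaves the attribute as given,
    so a wrong claim never gains assurance."""
    if (attr.name, attr.value) in AUTHORITATIVE_RECORDS.get(authority, set()):
        return replace(attr, loa=LOA.VALIDATED, source=authority)
    return attr


# Entitlement policy (ABAC): service -> minimum LOA per required attribute.
POLICY = {
    "browse-forms": {},
    "newsletter": {"name": LOA.SELF_ASSERTED},
    "file-claim": {"name": LOA.VALIDATED, "date_of_birth": LOA.VALIDATED},
}


def entitled(service: str, attrs: dict):
    """Return (allowed, reasons); attrs maps attribute name -> Attribute."""
    reasons = []
    for name, min_loa in POLICY[service].items():
        have = attrs.get(name)
        if have is None:
            reasons.append(f"{name}: missing")
        elif have.loa < min_loa:
            reasons.append(f"{name}: LOA {int(have.loa)} < required LOA {int(min_loa)}")
    return (not reasons, reasons)


def walkthrough():
    """Self-asserted attributes, then validation, then one wrong assertion."""
    user = {
        "name": Attribute("name", "Jane Example", LOA.SELF_ASSERTED, "user"),
        "date_of_birth": Attribute("date_of_birth", "1980-05-17", LOA.SELF_ASSERTED, "user"),
    }
    before = {s: entitled(s, user)[0] for s in POLICY}
    validated = {n: validate(a, "vital-stats") for n, a in user.items()}
    after = {s: entitled(s, validated)[0] for s in POLICY}
    # A wrong self-assertion stays at LOA 1 and keeps the high-value service closed.
    wrong = dict(validated, date_of_birth=validate(
        Attribute("date_of_birth", "1981-01-01", LOA.SELF_ASSERTED, "user"), "vital-stats"))
    return before, after, entitled("file-claim", wrong)


if __name__ == "__main__":
    before, after, wrong = walkthrough()
    print("self-asserted:", before)
    print("validated:    ", after)
    print("wrong DOB:    ", wrong)
```

The point the slide makes is visible in the two policy rows: the same attribute name satisfies `newsletter` at LOA 1 but not `file-claim`, and validation changes the attribute's assurance without changing its value, so the policy never has to special-case where the data came from.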

Pages 29–32: Proof of Concept – Identity Validation (screen-capture slides; no transcribed text)

Page 33: Identity Summit 2015: 2Keys Canadian Digital Identity


Proof of Concept – Identity Validation

2Keys Transaction Verification Service
• Real-time user notification and approval on a mobile device.

Page 34: Identity Summit 2015: 2Keys Canadian Digital Identity

Canadian Digital Interchange: Putting it all Together


Page 35: Identity Summit 2015: 2Keys Canadian Digital Identity


Canadian Digital Interchange (CDI)

An effort by the Government of Canada, along with Provincial and Territorial partners, to create a secure, reliable, near real-time, scalable messaging service to facilitate information exchange (i.e. identity attributes) across jurisdictions.

The service will:
• Ensure a standardized and comprehensive approach to the protection of personal information and ensure accountability from all partners.

Page 36: Identity Summit 2015: 2Keys Canadian Digital Identity


Canadian Digital Interchange (CDI)

• Ensure identity information disclosure between jurisdictions is transparent – users will understand how and why their information is shared.

• Implement a secure and cost-effective solution that will allow parties to confirm identity information, and provide updated information between relevant jurisdictions and programs where legal authority exists to do so.

• Implement a solution without creating any new databases or repositories of personal information.

Page 37: Identity Summit 2015: 2Keys Canadian Digital Identity


Canadian Digital Interchange (CDI)

Current Status
• A Request for Information has been issued; responses are due by May 29, 2015.
• No commitment yet on whether a Request for Proposal will be issued.

Page 38: Identity Summit 2015: 2Keys Canadian Digital Identity


Canadian Digital Interchange (CDI)

2Keys Proposal
• Distributed architecture
• Based on UMA (User-Managed Access)
• CDI Trust Framework
– Defines the “rules of the road”
• CDI Deployment Profile
– Defines the APIs
– Defines the message formats
– Defines the data elements

Page 39: Identity Summit 2015: 2Keys Canadian Digital Identity


Canadian Digital Interchange (CDI)

Jurisdictional Clouds
• Identity data in Canada is distributed.
• Provinces/Territories are authoritative on birth and death events.
• The Federal Government is authoritative on immigration status.
• Resource owners should have control over their data.
• Does not preclude the use of shared resources among jurisdictions.

Page 40: Identity Summit 2015: 2Keys Canadian Digital Identity


Canadian Digital Interchange (CDI)

A Digital Identity Ecosystem

• The Canadian Digital Interchange is the beginning of a standardized Digital Identity Ecosystem, defining a common set of Identity Services for the public sector, and possibly the private sector in the future.

• Potential for an Identity Marketplace to emerge, providing a source of revenue for governments to sustain their services.

Page 41: Identity Summit 2015: 2Keys Canadian Digital Identity

Thank You

John Spicer

[email protected]
