Foundations for a good identity management platform
Governments around the world are moving towards providing constituents with access to digital services that are secure and easy to use. It’s a core priority for the Australian Government, having recently announced its 2025 Digital Transformation Strategy.
Over the next few years, government services will be increasingly digitised, delivering more consistent and seamless interactions, providing greater choice in how people access services and improving constituent satisfaction towards service delivery.
In part, this technology is already underway. Australia’s Govpass is deploying digital identities that conveniently allow constituents to get more done online.
While this kind of technology is still in its infancy, there are already key features emerging that make for a good identity management platform. So, what should governments and businesses look for in this technology?
End-user experience – convenience and ease of use – should be a core priority for any organisation deploying an identity management platform. People need to be able to access the services they want at a time and in a way that suits them.
This process must also be intuitive, to ensure widespread uptake. Citizens now demand that government services work as smoothly and easily as their transactions in the private sector – think a self-service banking app or a one-click Amazon check-out experience. Offering this level of self-service brings convenience for users while saving time on office visits or phone calls.
There is also a considerable cost-saving incentive for government agencies to utilise self-service processes; in fact, governments around the world have been known to save in excess of US$2 billion through digital transformation, such as the UK government which saved US$2.37 billion in 2014.
While convenience and ease of use is imperative, it’s vital to ensure that security is not sacrificed. According to a recent study by Accenture, Australian organisations are dealing with double the number of security attacks this year compared with last year.
This highlights how important it is to have effective security infrastructure in place. Maintaining adequate security is challenging and can be a balancing act – systems must be kept protected against cyberattacks, while delivering a positive user experience that is not overly onerous for end users.
Identity management platforms should start small and have room to scale and expand. The benefit of starting small is that it provides the opportunity to test the platform as a concept, see how it works and address any issues before broadening its remit to other areas.
The overall objective is to create a single, consistent and accurate view of every person, including all of their access rights to every system across government agencies. This will allow agencies to engage with constituents more effectively, but also provide a single, repeatable process that allows for the development and roll out of new services more efficiently.
The best identity management platforms will be sure to deliver four key components:
-
Identity assurance
Gone are the days of standard username and password access – today, we are able to utilise multifactor authentication including processes such as text entry, account detail verification, SMS, biometrics and behavioural analysis.
These can all be used in combination to authenticate a user’s identity. By including these additional layers of access, it becomes much harder for cybercriminals to penetrate a system, while limiting the additional effort required of the account holder.
-
Access assurance
While identity assurance ensures authentication, access assurance verifies authorisation. Once the person accessing the system has been identified, the next step is to make sure they have access to the correct services.
Access assurance is one of the most important capabilities for an identity management platform, as ‘orphan’ or ‘rogue’ accounts could be vulnerable to data breaches. Rights to different services must be quickly and efficiently provisioned and, where necessary, removed.
-
Identity federation
Identity federation permits multiple organisations to give access to users across systems and enterprises using the same identification data. It moves past the limitations set by legacy systems and allows people to access services from the different agencies they engage with regularly.
-
Identity governance
With your selected identity management platform, you must be able to define, enforce, review and audit identity management policies, and map the identity function to regulatory compliance requirements and records retention policies.
By having embedded analytics capabilities, you will be able to predict where vulnerabilities may occur in the future and plot user behaviour to track anomalous activities.
Throughout this process, the government must ensure it’s able to strike the right balance between convenience and privacy. The public sector is held accountable to the same standards set by notifiable data breach laws and GDPR as the private sector.
Not only does this ensure that government agencies are adequately protecting data, but it also limits the information they ask of citizens. Given this, it’s important that users understand why certain information is being asked of them. Citizens don’t want to feel like they are being monitored by Big Brother, so transparency is key to avoiding this.
Identity management technology is readily available, and can be quickly rolled out with all of these key features, once the use cases (different citizen services) are identified.
The onus is now on governments to implement these platforms and engage with users for feedback, to ensure citizens are having positive interactions that are similar to those they experience with the private sector.