Employee Authentication Services EAS - PowerPoint PPT Presentation

Slides: 14
Provided by: jhaw8
Transcript and Presenter's Notes

1
Employee Authentication Services (EAS)
SocITM East Midlands, Friday 12th June 2009
Natalie Smith, Marketing and Comms Lead, EAS
For more information please contact:
Email: eas.info_at_dcsf.gsi.gov.uk
Phone: 020 7783 8581
Website: http://www.dcsf.gov.uk/localauthorities/index.cfm?action=subject&subjectID=16
2
What are the drivers for Employee Authentication?
  • Transformational Government - need for information sharing
  • Public concern over security of data - Cabinet Office report
  • Public concern over rights of access to information - Database State
  • Drive across Government for improved efficiency and cost savings - Varney Report

Local Government Data Handling Guidelines
3
What is EAS?
EAS verifies the identity of a user attempting to access shared information by using two components to authenticate the user: something you know (a PIN) and something you have (a token or card).
Having validated their identity, EAS ensures that their access rights and location are appropriate to the information being shared.
EAS is a cross-Government employee authentication service, which enables users to access multiple Government applications through a single token and authentication process.
See Video: http://www.youtube.com/watch?v=rJ5stVy-38I. If you are unable to access YouTube, the video can also be accessed on http://www.dcsf.gov.uk/video/downloads/EAS210508.wmv
4
Benefits of EAS
  • It is easy to use and scaleable
  • It is security endorsed and future-proofed
  • It delivers a solution at the lowest possible
    cost
  • It has been designed in collaboration with local
    authorities and other service users

EAS: VALUE FOR MONEY, SECURE, SUSTAINABLE, SCALEABLE
Referenced by the Local Government Data Handling Guidelines report (2008) as a best practice solution for local authorities in order to ensure that all reasonable steps are taken to preserve and protect the public's information.
Referenced by BECTA as a solution to achieve compliance with the spirit of the Data Handling Procedures in Government Report.
5
How does EAS work?
The IdP stores information on the user and the services they are entitled to access. This information is supplied and maintained by the Registration Authority and Enrolment Authority. The IdP will authenticate the user when they try to log on to a service provider's application.
A Registration Authority (RA) is the entity that validates a user's identity and registers them onto EAS.
An Enrolment Authority (EA) is the entity that enrols service users onto different applications, subject to them meeting the requirements specified by the application.
The Authentication Broker is the hub of the service, which coordinates requests for authentication between Identity Providers and Services.
A Service Provider is the organisation responsible for an application using EAS to authenticate users, e.g. the ContactPoint project.
(Diagram legend: Local Authority; Provided by EAS)
6
What is the EAS service offer?
KEY
Current EAS service offer
Potential service offer - Product Development
Children's and Educational Services
Local Organisational Capability
Housing and Benefits
  • CLG Data Interchange Hub: estimated early adopter Go Live using EAS - 2010
  • ContactPoint: Go Live using EAS June 2009
  • IWP services including City Challenge
  • DSG Applications including Collect: in scoping phase
  • Customer Information System (CIS): estimated early adopter Go Live using EAS - 2010
  • Local Apps: case-by-case basis
  • Sharepoint applications IWP
  • Remote access to local networks: currently being piloted
  • Regional hub RA configuration: pilot in implementation
  • Youth Justice Board: initial engagement meetings taking place
  • eCAF: decision to be confirmed at board
  • LSC: initial engagement meetings taking place
  • Other applications: tbc

7
EAS Service Cost
Service user set up costs
  • EAS token: 10 per user (cost may be covered by service provider)
  • EAS card reader: 3 - 4
  • Establishment onto EAS system: approx 5k
  • Accreditation to the scheme and training costs: approx 5k
  • Additional internal costs to manage set up as a project and procure hardware such as desktop PC and scanners (varies depending on service user)

Service user annual costs
  • Token service charge: 3-4 per user (may be covered by service provider for the first year)
  • Additional internal costs to resource Registration and Enrolment Authorities (varies depending on service user)

Please note the above costs are estimates; final costs will be given once a detailed scoping exercise has been completed.
8
The on-boarding process
[Process diagram]
Stages: CONTACTED, ENGAGED, SCOPING, IMPLEMENTATION, GO LIVE
Milestones: Letter of Intent; Q-Pack; MOU; Readiness Assessments 1, 2, 3 and 4
Activities: RA Build; Engagement Workshop; Process Requirements; Awareness; UAT; Technical Requirements; Stakeholder engagement; Accreditation
9
The Implementation Process
  • Groups of RAs will be batched into flights that pass through the same milestones in the same timeframe
  • Space for 15 RAs on each flight
  • 1 flight every 2 months
  • Flight 1: Go Live in early September 09 (13/15 places confirmed)
  • Flight 2: Go Live late September 09 (11/15 places reserved)
  • Flight 3: Go Live December 09 (3/15 places reserved)

10
Benefits of a regional approach
  • Reduced cost for authorities, mainly District,
    who have only a small number of EAS users
  • Shared learning and documentation
  • Regional consistency with the user's Registration
    and Enrolment process and experience
  • Development of a shared service through centralising the EAS support function; this may also lead to other shared service opportunities
  • Begin the dialogue and process of creating a
    legal and accountable Regional body for this and
    other major sharing initiatives

11
Questions Please
12
What is a Registration Authority (RA)?
Accountability sits with the Chief Executive or Section 151 Officer.
  • Registration Manager: responsible for ensuring policies are implemented and managing Registration Agents
  • Credential Issuer: responsible for issuing the credential to the user and lifecycle management of the credential
  • Enrolment/Registration Agents: responsible for registration and enrolment processes being followed
  • Sponsor: responsible for initiating the registration process, ensuring that policies are followed and changes of circumstance are acted upon
  • User: responsible for following the policies of the scheme and all services they are enrolled onto

[Organisation chart: Registration Authority; Service Owner; Registration and Enrolment Function; Registration Manager; Credential Issuer; Enrolment Agents; Registration Agents; Sponsors; Users]

An RA does 3 things:
  • Verifies the identity of users and registers them onto the EAS system
  • Manages the lifecycle of credentials and attributes within EAS
  • Verifies the user requirements needed to access specific shared services, as identified by the service owner, and enrols the EAS end user onto these


13
Implementing an RA: what does it mean?
Using the EAS shared IdP significantly reduces the burden of implementation for end users.

EAS Shared IdP
Process Requirements
  • Setting up the RA
    • Procure tokens (these will be provided by the shared service)
    • Design the Registration and Enrolment Authority
    • Train registration and enrolment resources (training supplied by EAS)
    • Assign trusted roles
    • Set up secure PCs (with Internet Explorer 6) and smart card readers
    • Install secure storage for tokens
    • Implement training for end users
  • Audits
    • Comply with tScheme Registration, Enrolment Lifecycle Management profiles and achieve accreditation through a simple audit
    • Comply with long-term sample based audits to demonstrate ongoing compliance with the Trust Framework
Technical Requirements
  • Establish the link between the Registration Authority and the EAS Shared IdP (action completed by EAS through eDT)

Creating your own IdP
Process Requirements
  • Setting up the RA
    • Procure tokens
    • Design the Registration and Enrolment Authority
    • Train registration and enrolment resources
    • Assign trusted roles
    • Install secure storage for tokens
    • Implement training for end users
  • Additional Requirements
    • Comply with full tScheme profile, including ISO27001 equivalent base profile
    • Conduct annual external audit
    • Allocate additional team members to resource the IdP
    • Devise training of RA and EA resources
    • Source tokens
Technical Requirements
  • Establish the link between the Registration Authority, independent IdP and the EAS Authentication Broker
  • Additional Requirements
    • Certify infrastructure to ISO27001
    • Establish and implement secure infrastructure to Impact Level 3 (RESTRICTED)
    • Technical integration with the Authentication Broker
    • Procurement of licences for the IdP
    • Build IdP