2006 CACR Privacy and Security Conference

1
IdentitySetting the Larger Context, Achieving
the Right Outcomes

• 2006 CACR Privacy and Security Conference
• November 3, 2006

2
Identity Outline

• Introduction
• Context
• Way Forward
• Outputs
• Summary

3
Identity Introduction
4
Identity Clients Outcomes

• External Clients Individuals and Businesses
• Improved delivery of government services
• Increased safety and security
• Enhanced human rights and freedoms
• Internal Clients GC Employees and Contractors
• Increased productivity
• Decreased time to on-board, off-board personnel
• Increased compliance with security, privacy and
  IM policies

5
Identity Objectives

• Bridge the gap between the many service and
  security communities
• Engage stakeholders and gain consensus
• Develop a conceptual framework that can be used
  for
• Developing and aligning to a single GC-wide
  vision
• Developing GC-wide identity principles
• Establishing a common view of identity and
  compatible program and project approaches

6
Identity Approach
Work Products
Steps
Key Questions
Inputs
Outputs
Existing IDM Products
GC-Specific IDM Products
ProjectCharter
Mandate/Priorities
How do we use identity to fulfiillour mandate
and address our priorities?
RelevantPrinciples
IDM Policy, Directives, Standards
Needs Outcomes
Clients Stakeholders
Who are our clients and stakeholders what do
they need?
Policy Guidance
Lexicon Principles
Principles/Policies
What is our scope and how do we align to the
relevant principles and policies?
IDM Guidelines,Tools, Best Practices
TechnicalGuidance
Risk-Event Model
Risk Analysis
What are our risks with respect to identity?
Standards
AssuranceModel
Assurances
What assurances do we provide or require?
IDM Enterprise Architecture
Practices
ServiceAgreements
Services/Capabilities
How do we plan to deliver services or deploy our
capabilities
IDM Solutions
BusinessArchitecture
Solutions
BusinessProcesses
How must we organize ourselves and what process
must we use?
TechnicalCriteria
Technologies/Solutions
What are our options for technologies or solutions
Technologies
7
Identity Context
8
Identity Government Context
Government Context Working together in the
public interest to ensure that we uphold what we
believe and value as a society.
Identity is critical to our society, our
governments and institutions
9
Identity Drivers

• Privacy Security Drivers
• Economic Identity Theft/Fraud
• Public Safety Law Enforcement
• National Security Anti-Terrorism, Border
  Security
• Citizen-Focused Drivers
• Citizen-Centred Service Delivery
• Increasing Client Satisfaction
• Ensuring Rights of Citizens
• Integrity and Accountability Drivers
• Program and Service Integrity
• Transparency
• Organizational Transformation Drivers
• Rethinking of Government as a Single Enterprise
• Shared Services Model
• Inter-Agency and Inter-jurisdictional
  Collaboration

10
Identity Roles of Government
Ideal Roles
Authenticating Identity
CommunicatingIdentity
Establishing Identity
Current Roles

• Shared jurisdiction
• Federal role for those arrivingin Canada
• Provincial / Territorial role with Vital
  Statistics - born in Canada
• Based on relativelystandard set of
  coreattributes including
• Name
• Place of Birth
• Date of Birth
• Gender
• Citizenship

• Numerous organizationsinvolved at all levels
  ofgovernment, for example
• Federally issued..
• Social Insurance Number (SIN)
• Passport
• Provincially issued..
• Birth registration
• Birth certificate
• Health card
• Drivers license
• Most organizations require a similar base of
  information to provide identification
• Some additional needs specific to the
  organization

• Separate stand-alone processes by department or
  program for authentication
• Epass
• CRA
• Service CanadaEtc.
• Many different functions for
• validation or verification
• for clients identity
• Many enabling technologies
• PKI, biometrics, tokens

11
Identity Management Today

• Government departments/agencies have similar
  needs with respect to identifying individuals and
  request similar information
• Purpose primarily Security and/or Service
  delivery
• Same or similar information collected, and then
  shared in ad hoc and disparate ways
• Clients provide same information different
  times, different formats
• Complex network of information sharing agreements
  between federal government and other
  jurisdictions
• Many bilateral agreements with provinces and
  territories related to the use of personal
  information
• Integrity varies, depending on source and on
  associated program/service risk

12
Identity Way Forward
13
Identity Defining the Opportunity
The Government of Canadas ability to fulfill
its mandate can be greatly improved through a
common understanding of identity. A whole of
government approach to identity is a critical
requirement to the integrity of government
programs and services. As approved by ADM
Identity Committee, Mar 3, 2006
14
Identity Defining the Issue
Making sure you are dealing with the right
person
15
Identity Defining the Concepts
Identity a reference or designation used to
distinguish a unique and particular individual
(organization or device).
Identity Management the set of principles,
practices, policies, processes and procedures
used to realize the desired outcomes related to
identity.
16
Identity Strategy Statement

• Develop a common approach consisting of
• A common understanding of key identity concepts
  and principles
• A single view that promotes a consistent
  application while enabling transparency and
  accountability and
• A comprehensive action plan appropriate to the
  many systems, programs and government
  organizations that depend upon identity.

17
Identity Outputs
18
Identity Draft Principles

1. Justify the Use of Identity.
2. Identify with Specific Reason.
3. Use Appropriate Methods.
4. Enhance Public Trust.
5. Use a Risk-Based Approach.
6. Be Collectively Responsible.
7. Uphold the Rights and Values of Canadians.
8. Ensure Equity.
9. Enable Consistency, Availability, and
   Interoperability.
10. Maintain Accuracy and Integrity.
11. Preserve Proportionality.

Draft as approved by TBS CIO
19
Identity Evidence Assurance
Evidence of Integrity (EOI) Assurance as a
whole, pertaining to a system, process, token
(physical or electronic), etc.
Evidence of Identity (EOI) Evidence that the
individual is really who they claim to be -
their true identity as required by law.
Evidence of Control (EOC) Evidence that the
individual has control over what has been
entrusted to them.


Assured by
Assured by
Assured by

• Assurance of Identity
• Level 1 Little or no confidence in validity
  of claimants identity
• Level 2 Some confidence in validity of
  claimants identity
• Level 3 High confidence in validity of
  claimants identity
• Level 4 Very high confidence in claimants
  identity

• Assurance of Control
• Level 1 Little or no confidence that claimant
  has control over what has been issued to them
  (e.g. token/identifier)
• Level 2 Some confidence that claimant has
  control over what has been issued to them
• Level 3 High confidence that claimant has
  control over what has been issued to them
• Level 4 Very high confidence that claimant has
  control over what has been issued to them

Assurance of Integrity TBD
20
Evidence-Assurance Functions
COMMON IDENTITY EVIDENCE-ASSURANCE FUNCTIONS COMMON IDENTITY EVIDENCE-ASSURANCE FUNCTIONS COMMON IDENTITY EVIDENCE-ASSURANCE FUNCTIONS COMMON IDENTITY EVIDENCE-ASSURANCE FUNCTIONS
INPUT (Evidence) FUNCTIONS (Evidence-Assurance) OUTPUT (Assurance) LEVEL
Evidence of Identity Assurance of Identity 1-4
Evidence of Integrity Assurance of Integrity 1-4
Evidence of Control Assurance of Control 1-4
PROGRAM or MANDATE-SPECIFIC EVIDENCE-ASSURANCE FUNCTIONS PROGRAM or MANDATE-SPECIFIC EVIDENCE-ASSURANCE FUNCTIONS PROGRAM or MANDATE-SPECIFIC EVIDENCE-ASSURANCE FUNCTIONS PROGRAM or MANDATE-SPECIFIC EVIDENCE-ASSURANCE FUNCTIONS
INPUT (Evidence) FUNCTIONS (Evidence-Assurance) OUTPUT (Assurance) LEVEL
Evidence of Eligibility Assurance of Eligibility
Evidence of Status Assurance of Status
Evidence of Trust/Reliability Assurance of Trust/Reliability
Evidence of Entitlement Assurance of Entitlement
Evidence of Privilege Assurance of Privilege
Evidence of Authority Assurance of Authority
Evidence of Custody Assurance of Custody
Evidence of Event Assurance of Event
Evidence of Residency Assurance of Residency
Evidence of Assurance of
1. Evidence Gathering 2. Validation,
Verification, Vetting 3. Adjudication
Evidence-Assurance functions are specific to the
program or mandate.
21
Identity Draft Framework
Justified Use
Legislative and Policy Context
Authorization
Identity Principles
Assurances
Access
Assurance of Identity ?
Assurance of Integrity
Assurance of Control
Assurance of Identity ?
Assurance of Integrity ?
Assurance of Control
Assurance of Identity ?
Assurance of Integrity ?
Assurance of Control ?
Service Delivery
Processes
EstablishingIdentity
CommunicatingIdentity
AuthenticatingIdentity
Security
Evidence
Assurance
Grant of Status/Authority
Functions
EvidenceAssurance
EvidenceAssurance
EvidenceAssurance
Enforcement
Lexicon
Audit/Compliance
Technology Enablers
Currently being developed by the TBS CIOB
Identity Team
22
Identity Summary
23
Identity Summary

• A single GC-wide approach that
• Recognizes common requirements throughout
  government
• Leverages current investments and
  accomplishments
• Independent of technology or solution

This is a journey in progress.
24
(No Transcript)