As requested, these are the presentation notes for Securing Citizen Facing Applications. Hope these help with your IDM planning and implementation.
Securing Citizen Facing Applications
1. What personally have you seen as lessons learned to get the business on-board
towards EA Security Model?
Edwin Lorenzana
In the public sector space the EA security model is usually dictated by the constraints of
independent agencies with decentralized business objectives, technical initiatives and separate
reporting structures.
This challenge requires a holistic textbook approach to decentralized federation that introduces
governance and standards to reduce business risk and minimize security breaches.
This governance initiative needs to be supported by technology that can enforce and report
those controls while providing flexibility to the application owners to continue to deliver the
expected service.
Therefore I learned that you have to dedicate time to defining not only the owners of each
technology but also the owner of each governance section and current business process.
Once you succeed in creating your ownership “org chart” then you need to provide that group
with a realistic roadmap of the prerequisites, a laundry list of “soft” projects to achieve a
federated circle of trust. The initial initiatives should focus on:
• Define governance
• Define /document the business process (the security lifecycle)
• Align the required data to be used to drive security (application security driven by HR
Data)
As you work through these projects you need to set goals that are a balance of the correct level
of security controls, the required compliance and the needs of the individual owner.
With that said I recommend that you dedicate a large amount of your time in the planning
phases and work with your owners to kick off the internal “soft” projects to define the
governance, document the business process and align the required data to automate those
business processes.
The key is that you drive the program and facilitate the projects, but work with them to define
their own procedures as they will own the procedure behind the automation in the long term
(post implementation).
2. What are the initiatives that would help to define the required business process to correctly
proof an identity along with defining the correct attributes and data points to align the
identities across the various environments?
Eddie Lorenzana
As we discussed, our focus is to drive a holistic direction to a decentralized federation model.
This approach needs to be supported by an effort to collect and document the account lifecycle in each
environment, the major ones being:
• The HR account Lifecycle
• The account Lifecycle of the various directories (Oracle Internet Directory, Active Directory, etc.)
• The application Lifecycle of the applications to be integrated.
As you define the account lifecycle for each of these, you will need to work with the environment owner
to analyze the state of the user stores. The goal of this analysis is to define a unique identifier that spans
across all the user stores.
In most cases you will find that this will lead you to an initiative usually referred to as ID aggregation and
synchronization. To put it simply, you will need to lead an effort to implement a common unique
identifier across all the environments (employee ID for internal users and an assigned ID for citizens).
As you work through this, be sure to work with the environment owners to define secure communication options
across the environments; this supports future implementations of virtual directories, single sign-on
and password sync.
Issue #4: Is a centralized or decentralized approach to authentication and authorization the more
feasible approach?
Eddie Lorenzana
As we have been discussing, in the public sector space the EA security model is usually dictated
by the constraints of independent agencies with decentralized business objectives, technical
initiatives and separate reporting structures and therefore a decentralized federated approach
is the correct approach.
Follow up questions
1. What are the challenges of shared identity ownership?
The challenges of shared identity ownership are:
• Document the account lifecycle
• ID aggregation and synchronization
As you define the account lifecycle, you will need to work with the environment owner to analyze the
state of the user stores. The goal of this analysis is to define a unique identifier that spans across all the
user stores. In most cases you will find that this will lead you to an initiative usually referred to as ID
aggregation and synchronization. To put it simply, you will need to lead an effort to implement a
common unique identifier across all the environments (employee ID for internal users and an assigned ID for
citizens).
As you work through this, be sure to work with the environment owners to define secure communication options
across the environments; this supports future implementations of virtual directories, single sign-on
and password sync.
To get there I like to work with a proven approach that clearly defines the “soft” initiatives
and maps out how they must be completed to ease the deployment of the technical implementations.
Follow up questions
1. What sort of phased approach works for government agencies?
The Security Enterprise Architecture / Phased Approach model calls for the clear definition of
the Enterprise IT Security Business Service goals in the areas of:
• Enterprise Security Model
• Enterprise Directory Model
• Enterprise Access Control and User Management Model
The details of these goals should be defined by the executive sponsors from both the business
and IT from each independent agency. These details need to clearly set direction for a
federated decentralized model that provides secure access to resources while allowing
flexibility to the technology owners.
These goals should not only be clear, they need to be grounded and realistic. You need to
take special care to not be tempted to oversell goals in order to get the budget approved. As
you work through this process sell the goals but be sure to clearly define the requirements in
the next three phases.
Phase 1 focuses on fostering continued executive support and identifying and developing the
governance & standards teams that will provide the direction and political support to meet the
Enterprise IT Security Business Service goals by developing:
• Governance (CIOs, CSIO, CFO, IT Director, HR Director, PS Mgr)
• Governance Standards
• Business & IT Policy (Policy writers for IT, Business, Compliance/Audit, IT Sec, Law dept)
• Data Standards & Procedures (Policy writers, user store owners, HR data entry, PS Mgr)
• Directory Standards & Procedures (user store owners, IT Sec, Compliance/Audit, Policy)
• Application Standards & Procedures (user store owners, IT Sec, Compliance/Audit,
Policy)
During this phase you need to work on developing high level, industry best practices and get
the proper sign off from each of the members from each agency.
The risk here is that you will get push back to document the procedures before standards are
set. Or you could be asked to use professional services that have experience in this area; if the
budget allows it, do it.
If not, then use best practice templates and get the sign off from the members. The reason is
that you will not succeed in getting the line managers to work with you if you do not have
support and written guidance from the executive sponsors.
Phase 2 focuses on getting the details from the line managers that are part of the user account
lifecycle. This phase should clearly show the step by step of the user account provisioning and
de-provisioning. This exercise is one of the most important phases as you cannot automate
unless the procedure is clearly defined. As you work through each account lifecycle you may
need to create two sets of documents: current state and future state as described by your
governance documentation.
As you create the future state you will need to clearly document and get sign off from the given
line manager on the requirements in the areas of:
• Composite Identity Management
• Account Matching and DeDuping
• Resource requirements for support & admin in phase 3
• Technical hurdles that will need to be tackled in phase 4
Phase 2 will be the longest and most difficult. As the line managers push back be sure to sell the
cost savings that this will create during the implementation.
Once you have completed phase 2, check in with your implementation team and vendor to
confirm your implementation forecast and the required internal support team.
I found that phase 3 is a good time to bring in your vendor's technical implementation team for
meetings as you work through defining your long term architecture and support.
Phase 3 should be your time to focus on creating your internal long term support system for
your Enterprise IT Security Business Service Goals. The challenge is that with a decentralized
model you will need to create a core IDM team that works with the individual environment
owners. This can be done by implementing delegated administration and IDW workflows.
In this phase you will need to work with the various environment owners to architect and
document the new virtual connections (OVD /Federation) and how to maintain them.
This will ease the implementation phases.
Phase 4 is where you can then implement the technology solutions that automate the previous
phases and create the “bridges” to join the various environments. These projects include the
implementation of:
• Virtual Directory
• Password Synchronization
• Role discovery (RBAC)
• Automated provisioning via IDM to directory target systems (OID, AD, etc.)
Once you have completed the integration of the directories this opens the doors to enterprise
application access in Phase 6.
If you are starting a new project, be sure to implement the early phases before spending the budget on
technical services.
If you are in the middle of this project you can still work through this approach to realign your
implementation.
As you do you will be challenged by the constant need to provide ROI for the selected t
To navigate this balance you will need to carefully select the low-hanging fruit, like allowing a
single sign-on or password sync implementation in environments that have met the data
requirements and only require minimal role definition. But be sure to go back and work through the
foundation phases as you work to improve your enterprise.