Identity Summit 2015: 2Keys Canadian Digital Identity

Canadian Digital Identity
May 28, 2015

Overview
Introduction
Digital Canada 150
Digital ID and Authentication Council of Canada (DIACC)
Government of Canada Credential Federation (GCCF)
Pan-Canadian Identity Standards
Proof of Concept – Identity Validation
Canadian Digital Interchange (CDI)
Copyright © Identity Summit 2015, all rights reserved.

Introduction
About 2Keys
• 17 year old employee owned Canadian IT Security company
• Public Sector and Financial Sector
• Managed IAM Security Services
– Systems Integration
– Application Development and Support
– Security Operations Centre
– Service Desk
– Operated under SLA
– On-premise and “in the Cloud”
• Professional Services
– Threat Risk Assessments (TRA)
– Privacy Impact Assessments (PIA)
– Vulnerability Assessments (VA)
– Public Key Infrastructure (PKI)
Digital Trust
Policy
Process
Operations
Technology

Digital Canada 150
Digital Canada 150 is a Federal Government strategy for Canada's
digital future. Based on 5 pillars:
1. Connecting Canadians
2. Protecting Canadians
3. Economic Opportunities
4. Digital Government
5. Canadian Content
The goals of this strategy are to be achieved before Canada’s
150th birthday in 2017.

Digital Canada 150
Connecting Canadians
• Make high speed internet services of at least 5 Mbps available
to 98% of Canadian households.
Protecting Canadians
• New laws and national strategies to protect citizen privacy and
safeguard against cyber bullying and other online threats
(getcybersafe.ca).
Economic Opportunities
• Funding for digital entrepreneurs through the Business
Development Bank of Canada and the Canada Accelerator
and Incubator Program.

Digital Canada 150
Digital Government
• Become a a leader in using digital technologies to interact with
Canadians.
• The Open Data Portal (data.gc.ca) provides a single point of
access to government datasets.
• CODE: Canadian Open Data Experience. A 48 hour Hackathon
to build the best apps utilizing data from Canada's Open
Government portal (canadianopendataexperience.ca).
Canadian Content
• Ensure Canadians have easy online access to Canadian
content that will celebrate their history, arts and culture.
• The Memory Project (thememoryproject.com).

Digital ID and Authentication
Council of Canada

• Started in 2012 as a result of recommendations from the
Federal Government’s Task Force for the Payments Systems
Review.
• Goal is to develop a Canadian digital identification and
authentication framework.
• Non-profit coalition of public and private sectors.
• Initial representation from the Federal Government, the
provinces of British Columbia and Ontario, Bank of Montreal,
Desjardin Group, TD Bank, and Telus.

• Public launch in May 2014.
• Now open to new members.
• Similarities to NSTIC, but not funded by government.
• Dependency on membership fees and private sector funding
handicaps POCs and net new innovation with influences from
specific agendas and existing vendor solutions.
• Membership is growing. More representation from public and
private sectors is required and will stimulate creativity,
innovation, and create value.

Government of Canada
Credential Federation

Overview
• Authentication as a Service to 27 Federal Government Relying
Parties, securing over 80 online services.
• First step to a digital identity ecosystem.
• Separates credential from identity.
• Each government department is responsible for binding the
credential to an identity, as per their specific requirements.
• Leverage the efficiencies and enhanced security of centralizing
authentication today, while working on a solution for managing
digital identity.

Providing Choice
• Users can choose how they authenticate to Federal
Government online services.
• GCKey – Government of Canada Branded Credential
• Sign In Partner – allows the use of an existing credential from a
participating financial institution.

Sign In Partner
• A commercial service contracted by the Federal Government.
• Allows the use of an existing credential from a financial
institution.
• Currently five financial institutions participate.
• Deemed to be a Level 2 Assurance credential.
• Privacy Protecting*. The financial institutions are not aware of
where their credentials are used, and the relying parties are not
aware of which credential provider was used.
• No identity attributes are exchanged.

GCKey
• A voluntary, anonymous, user controlled credential.
• Available to everyone: citizens, non-citizens, and businesses.
• User choice. A single credential for access to online services, or
different credentials for different services.
• User Controlled. Created by the user, and can be revoked by
the user.
• Privacy Protecting. No PII collected. Issues a unique persistent
anonymous identifier to each Relying Party.
• Government accredited Level 2 Assurance credential.

GCKey
• Developed and operated by 2Keys as a Managed Security
Service for the Government of Canada.
• Built on the ForgeRock Platform.
• Operated under SLA of 99.8% uptime with no scheduled login
outages.
• 24 x 7 x 365 Security Operations Centre.
• 24 x 7 x 365 Level 1 and Level 2 Bi-lingual Service Desks.
• Multiple geographically diverse instances.

GCKey Key Facts
• Go-live date was September 2012.
• Over 7 million credentials issued.
• Over 6 million active credentials in use.
• Over 4 million authentications per month.
• When given a choice, users choose the native GCKey
credential over 3rd party non-government credentials by a factor
or 10 to 1.

Considerations for Public Sector online services:
• Protecting user privacy is non-negotiable.
– There is no business risk calculation to be made. Any privacy breach will be front
page news.
• For web SSO of government online services, global logout is an
absolute must.
– Cannot risk leaving a user unknowingly logged into a service. Must consider the
use of shared kiosks at government service centers and shared computers.
• With BYOC, providers must be carefully vetted – a credential
federation is only as strong as the weakest link.
– How secure is the technical solution? The business processes?
– How susceptible is the service desk to social engineering?
– Is there a natural trust relationship? What’s the tendency for sharing?

Pan-Canadian
Identity Standards

Pan-Canadian Standards for:
• Trust Framework
• Identity Validation
• Identity Retrieval
• Identity Notifications
Will ensure that all jurisdictions use consistent terminology and
procedures to enable a Pan-Canadian approach to identity
services.
Leverage trusted processes carried out in one jurisdiction for use
by another.

Standardizing Concepts and Terms
• Personal Information
– Information about an identifiable person
• Identity Information
– Sufficient to ensure uniqueness within a service
– Minimal set of attributes required by the service
• Identifier
– Minimal set of attributes to uniquely identify an entity
• Assigned Identifier
• Identity
• Identity Resolution

Standardizing Data Sets
• Personal Information Categories
• Associated Data Elements
Standardizing Services
• Identity Validation
• Identity Retrieval
• Identity Notifications
• Identity Resolution

Core Identity Attributes
• Name
• Date of Birth
• Date of Death
• Sex, Gender, Documented Sex
• Place of Birth
• Place of Death
• Assigned Identifier
• Status
• Address
• Associated Person

Value of Standardized Identity Services
• Better delivery of services.
– Improved identity-proofing processes, streamline user enrolment.
• Increased integrity of programs and services.
– Improved data accuracy, real-time validation, fraud detection.
• Improved efficiency and reduced costs.
– Reduced need for physical document inspection and in-person visits.
• Increased velocity of innovation and transformation.
– With standardized services in place, focus will be on delivering new value
adds.

Proof of Concept
Identity Validation

Identity Attributes as Entitlements
• Attribute Based Access Control.
• Utilize Identity Attributes and their Level of Assurance to drive
service entitlements.
• User asserted identity attributes consider LOA 1.
• Utilize the Pan-Canadian Identity Validation Standard to
promote user asserted identity attributes to LOA 2.
• Attributes validated against existing government authoritative
parties or 3rd party services.

2Keys Transaction Verification Service
• Real-time user notification and
approval to mobile device.

Canadian Digital Interchange
Putting it all Together

An effort by the Government of Canada, along with Provincial and
Territorial partners, to create a secure, reliable, near real-time,
scalable messaging service to facilitate information exchange (i.e.
identity attributes) across jurisdictions.
The service will:
• Ensure a standardized and comprehensive approach for the
protection of personal information and ensure accountability
from all partners.

• Ensure identity information disclosure between jurisdictions is
transparent – users will understand how and why their
information is shared.
• Implement a secure and cost-effective solution that will allow
parties to confirm identity information, and provide updated
information between relevant jurisdictions and programs where
legal authority exists to do so.
• Implement a solution without creating any new databases or
repositories of personal information.

Current Status
• Request for Information has been issued, responses due by
May 29, 2015.
• No commitment yet on whether a Request for Proposal will be
issued.

2Keys Proposal
• Distributed Architecture
• Based on UMA
• CDI Trust Framework
– Defines the “rules of the road”
• CDI Deployment Profile
– Defines the APIs
– Defines the messages formats
– Defines the data elements

Jurisdictional Clouds
• Identity data in Canada is distributed.
• Provinces/Territories are authoritative
on Birth and Death events.
• Federal Government is authoritative on
Immigration status.
• Resource owners should have control
over their data.
• Does not preclude the use of shared
resource among jurisdictions.

A Digital Identity Ecosystem
• The Canadian Digital Interchange is the beginning of a
standardized Digital Identity Ecosystem, defining a common set
of Identity Services for the public sector, and possibly the private
sector in the future.
• Potential for an Identity Marketplace to emerge, providing a
source of revenue for governments to sustain their services.

Thank You
John Spicer
jspicer@2Keys.ca

Identity Summit 2015: 2Keys Canadian Digital Identity

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (14)

Similar to Identity Summit 2015: 2Keys Canadian Digital Identity

Similar to Identity Summit 2015: 2Keys Canadian Digital Identity (20)

More from ForgeRock

More from ForgeRock (20)

Recently uploaded

Recently uploaded (20)

Identity Summit 2015: 2Keys Canadian Digital Identity

Editor's Notes