Canadian Digital Identity
May 28, 2015
Overview
Introduction
Digital Canada 150
Digital ID and Authentication Council of Canada (DIACC)
Government of Canada Credential Federation (GCCF)
Pan-Canadian Identity Standards
Proof of Concept – Identity Validation
Canadian Digital Interchange (CDI)
Copyright © Identity Summit 2015, all rights reserved.
Introduction
About 2Keys
• 17-year-old, employee-owned Canadian IT security company
• Public Sector and Financial Sector
• Managed IAM Security Services
– Systems Integration
– Application Development and Support
– Security Operations Centre
– Service Desk
– Operated under SLA
– On-premise and “in the Cloud”
• Professional Services
– Threat Risk Assessments (TRA)
– Privacy Impact Assessments (PIA)
– Vulnerability Assessments (VA)
– Public Key Infrastructure (PKI)
Digital Trust: Policy, Process, Operations, Technology
Digital Canada 150
Digital Canada 150 is a Federal Government strategy for Canada's
digital future. Based on 5 pillars:
1. Connecting Canadians
2. Protecting Canadians
3. Economic Opportunities
4. Digital Government
5. Canadian Content
The goals of this strategy are to be achieved before Canada’s
150th birthday in 2017.
Digital Canada 150
Connecting Canadians
• Make high speed internet services of at least 5 Mbps available
to 98% of Canadian households.
Protecting Canadians
• New laws and national strategies to protect citizen privacy and
safeguard against cyber bullying and other online threats
(getcybersafe.ca).
Economic Opportunities
• Funding for digital entrepreneurs through the Business
Development Bank of Canada and the Canada Accelerator
and Incubator Program.
Digital Canada 150
Digital Government
• Become a leader in using digital technologies to interact with
Canadians.
• The Open Data Portal (data.gc.ca) provides a single point of
access to government datasets.
• CODE: Canadian Open Data Experience. A 48 hour Hackathon
to build the best apps utilizing data from Canada's Open
Government portal (canadianopendataexperience.ca).
Canadian Content
• Ensure Canadians have easy online access to Canadian
content that will celebrate their history, arts and culture.
• The Memory Project (thememoryproject.com).
Digital ID and Authentication
Council of Canada
Digital ID and Authentication Council of Canada (DIACC)
• Started in 2012 as a result of recommendations from the
Federal Government’s Task Force for the Payments Systems
Review.
• Goal is to develop a Canadian digital identification and
authentication framework.
• Non-profit coalition of public and private sectors.
• Initial representation from the Federal Government, the
provinces of British Columbia and Ontario, Bank of Montreal,
Desjardins Group, TD Bank, and Telus.
Digital ID and Authentication Council of Canada (DIACC)
• Public launch in May 2014.
• Now open to new members.
• Similarities to NSTIC, but not funded by government.
• Dependency on membership fees and private sector funding
handicaps POCs and net new innovation with influences from
specific agendas and existing vendor solutions.
• Membership is growing. More representation from public and
private sectors is required and will stimulate creativity,
innovation, and create value.
Government of Canada
Credential Federation
Government of Canada Credential Federation (GCCF)
Overview
• Authentication as a Service to 27 Federal Government Relying
Parties, securing over 80 online services.
• First step to a digital identity ecosystem.
• Separates credential from identity.
• Each government department is responsible for binding the
credential to an identity, as per their specific requirements.
• Leverage the efficiencies and enhanced security of centralizing
authentication today, while working on a solution for managing
digital identity.
Government of Canada Credential Federation (GCCF)
Providing Choice
• Users can choose how they authenticate to Federal
Government online services.
• GCKey – Government of Canada Branded Credential
• Sign In Partner – allows the use of an existing credential from a
participating financial institution.
Government of Canada Credential Federation (GCCF)
Sign In Partner
• A commercial service contracted by the Federal Government.
• Allows the use of an existing credential from a financial
institution.
• Currently five financial institutions participate.
• Deemed to be a Level 2 Assurance credential.
• Privacy Protecting*. The financial institutions are not aware of
where their credentials are used, and the relying parties are not
aware of which credential provider was used.
• No identity attributes are exchanged.
Government of Canada Credential Federation (GCCF)
GCKey
• A voluntary, anonymous, user controlled credential.
• Available to everyone: citizens, non-citizens, and businesses.
• User choice. A single credential for access to online services, or
different credentials for different services.
• User Controlled. Created by the user, and can be revoked by
the user.
• Privacy Protecting. No PII collected. Issues a unique persistent
anonymous identifier to each Relying Party.
• Government accredited Level 2 Assurance credential.
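The two privacy properties on the Sign In Partner and GCKey slides above (the credential provider never learns which relying party was visited, and each relying party gets its own persistent anonymous identifier with no identity attributes attached) can be shown in a few lines. The following is an added example written for this page; it is not GCKey, Sign In Partner or 2Keys code, and every name in it (the broker class, `rp.cra`, `cred-0001`) is made up for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not GCKey or Sign In Partner code. A credential
# broker sits between credential service providers (CSPs) and relying parties
# (RPs): it derives a persistent, anonymous identifier per (credential, RP)
# pair so the same person looks different at every RP, and it strips the CSP's
# name before anything reaches the RP. Identifiers such as "rp.cra" are made up.


class CredentialBroker:
    def __init__(self, pairwise_key: bytes = b""):
        # Secret held only by the broker; losing it would re-key every RP's users.
        self._pairwise_key = pairwise_key or secrets.token_bytes(32)
        # The broker is the one party that sees both sides of a login, so this
        # record is the sensitive thing to protect (and to minimise).
        self._audit = []

    def pairwise_id(self, credential_id: str, rp_id: str) -> str:
        """Persistent per-RP pseudonym: HMAC over the broker's internal credential
        id and the RP id. Stable for one RP, unlinkable across RPs without the key."""
        msg = credential_id.encode() + b"\x00" + rp_id.encode()
        return hmac.new(self._pairwise_key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, csp_name: str, credential_id: str, rp_id: str) -> dict:
        """Return what each party learns from one login. Assumes the CSP has
        already verified the credential and returned an opaque id for it."""
        self._audit.append((csp_name, credential_id, rp_id))
        # The CSP is told only that the broker is asking; rp_id never reaches it.
        csp_view = {"requester": "broker", "credential_id": credential_id}
        # The RP receives a pseudonym and an assurance level: no CSP name,
        # no credential id and no identity attributes (attributes stay empty).
        rp_view = {
            "subject": self.pairwise_id(credential_id, rp_id),
            "assurance_level": 2,
            "attributes": {},
        }
        return {"csp": csp_view, "rp": rp_view}


def linkable(broker: CredentialBroker, credential_id: str, rp_a: str, rp_b: str) -> bool:
    """True if two RPs would receive the same subject for one credential."""
    return broker.pairwise_id(credential_id, rp_a) == broker.pairwise_id(credential_id, rp_b)


if __name__ == "__main__":
    broker = CredentialBroker()
    views = broker.authenticate("bank-a", "cred-0001", "rp.cra")
    print("RP sees:", views["rp"])
    print("Linkable across RPs?", linkable(broker, "cred-0001", "rp.cra", "rp.esdc"))
```

The design point is that unlinkability rests on the broker's key and the broker's audit record, not on the RPs: a relying party cannot correlate its subject with another RP's, but the broker can, which is why the federation's hub deserves the same scrutiny as its weakest credential provider.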
Government of Canada Credential Federation (GCCF)
GCKey
• Developed and operated by 2Keys as a Managed Security
Service for the Government of Canada.
• Built on the ForgeRock Platform.
• Operated under SLA of 99.8% uptime with no scheduled login
outages.
• 24 x 7 x 365 Security Operations Centre.
• 24 x 7 x 365 Level 1 and Level 2 Bi-lingual Service Desks.
• Multiple geographically diverse instances.
Government of Canada Credential Federation (GCCF)
GCKey Key Facts
• Go-live date was September 2012.
• Over 7 million credentials issued.
• Over 6 million active credentials in use.
• Over 4 million authentications per month.
• When given a choice, users choose the native GCKey
credential over 3rd party non-government credentials by a factor
of 10 to 1.
Government of Canada Credential Federation (GCCF)
Considerations for Public Sector online services:
• Protecting user privacy is non-negotiable.
– There is no business risk calculation to be made. Any privacy breach will be front
page news.
• For web SSO of government online services, global logout is an
absolute must.
– Cannot risk leaving a user unknowingly logged into a service. Must consider the
use of shared kiosks at government service centers and shared computers.
• With BYOC, providers must be carefully vetted – a credential
federation is only as strong as the weakest link.
– How secure is the technical solution? The business processes?
– How susceptible is the service desk to social engineering?
– Is there a natural trust relationship? What’s the tendency for sharing?
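The global-logout requirement above is easy to state and easy to get wrong: the federation hub has to remember every relying-party session it created under a user's single-sign-on session, so that one logout (or an idle timeout on a shared kiosk) tears all of them down. The following is an added example written for this page, not the GCCF's or 2Keys' implementation; the registry class, the back-channel "logout notice" list and the identifiers are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed illustration of a federation hub's session registry (not GCCF
# code). Every RP session issued under an SSO session is recorded so that a
# single logout, or an idle timeout, terminates all of them and notifies each RP.


@dataclass
class SsoSession:
    sso_id: str
    subject: str
    started: float
    last_seen: float
    rp_sessions: dict = field(default_factory=dict)  # rp_id -> RP session index
    active: bool = True


class SessionRegistry:
    def __init__(self, idle_timeout_s: int = 900):
        self._sessions = {}
        self.idle_timeout_s = idle_timeout_s
        # Back-channel notices the hub would deliver to RPs: (rp_id, session index).
        self.logout_notices = []

    def start(self, sso_id: str, subject: str, now: float = None) -> None:
        now = time.time() if now is None else now
        self._sessions[sso_id] = SsoSession(sso_id, subject, now, now)

    def register_rp(self, sso_id: str, rp_id: str, rp_session_index: str,
                    now: float = None) -> None:
        """Record that an RP session was created off this SSO session."""
        s = self._sessions[sso_id]
        s.last_seen = time.time() if now is None else now
        s.rp_sessions[rp_id] = rp_session_index

    def is_active(self, sso_id: str, rp_id: str, now: float = None) -> bool:
        """Liveness check an RP can make; an idle SSO session logs out everywhere."""
        s = self._sessions.get(sso_id)
        if s is None or not s.active or rp_id not in s.rp_sessions:
            return False
        now = time.time() if now is None else now
        if now - s.last_seen > self.idle_timeout_s:
            # A walked-away kiosk must not leave other services logged in.
            self.global_logout(sso_id)
            return False
        s.last_seen = now
        return True

    def global_logout(self, sso_id: str) -> list:
        """Terminate the SSO session and every RP session under it. Returns the RPs notified."""
        s = self._sessions.get(sso_id)
        if s is None or not s.active:
            return []
        s.active = False
        notified = []
        for rp_id, index in s.rp_sessions.items():
            self.logout_notices.append((rp_id, index))
            notified.append(rp_id)
        s.rp_sessions.clear()
        return notified


if __name__ == "__main__":
    reg = SessionRegistry(idle_timeout_s=60)
    reg.start("sso-1", "subject-a", now=1000.0)
    reg.register_rp("sso-1", "rp.a", "idx-a", now=1000.0)
    reg.register_rp("sso-1", "rp.b", "idx-b", now=1001.0)
    print("logged out of:", reg.global_logout("sso-1"))
```

The check to keep in mind when reviewing a real hub is the one `global_logout` makes visible: the RP list is authoritative at the hub, not reconstructed from browser state, so a logout initiated at one service still reaches services whose tab was closed long ago.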
Pan-Canadian
Identity Standards
Pan-Canadian Identity Standards
Pan-Canadian Standards for:
• Trust Framework
• Identity Validation
• Identity Retrieval
• Identity Notifications
Will ensure that all jurisdictions use consistent terminology and
procedures to enable a Pan-Canadian approach to identity
services.
Leverage trusted processes carried out in one jurisdiction for use
by another.
Pan-Canadian Identity Standards
Standardizing Concepts and Terms
• Personal Information
– Information about an identifiable person
• Identity Information
– Sufficient to ensure uniqueness within a service
– Minimal set of attributes required by the service
• Identifier
– Minimal set of attributes to uniquely identify an entity
• Assigned Identifier
• Identity
• Identity Resolution
Pan-Canadian Identity Standards
Standardizing Data Sets
• Personal Information Categories
• Associated Data Elements
Standardizing Services
• Identity Validation
• Identity Retrieval
• Identity Notifications
• Identity Resolution
Pan-Canadian Identity Standards
Core Identity Attributes
• Name
• Date of Birth
• Date of Death
• Sex, Gender, Documented Sex
• Place of Birth
• Place of Death
• Assigned Identifier
• Status
• Address
• Associated Person
Pan-Canadian Identity Standards
Value of Standardized Identity Services
• Better delivery of services.
– Improved identity-proofing processes, streamlined user enrolment.
• Increased integrity of programs and services.
– Improved data accuracy, real-time validation, fraud detection.
• Improved efficiency and reduced costs.
– Reduced need for physical document inspection and in-person visits.
• Increased velocity of innovation and transformation.
– With standardized services in place, focus will be on delivering new value
adds.
Proof of Concept
Identity Validation
Proof of Concept – Identity Validation
Identity Attributes as Entitlements
• Attribute Based Access Control.
• Utilize Identity Attributes and their Level of Assurance to drive
service entitlements.
• User asserted identity attributes are considered LOA 1.
• Utilize the Pan-Canadian Identity Validation Standard to
promote user asserted identity attributes to LOA 2.
• Attributes validated against existing government authoritative
parties or 3rd party services.
Proof of Concept – Identity Validation
2Keys Transaction Verification Service
• Real-time user notification and
approval to mobile device.
Canadian Digital Interchange
Putting it all Together
Canadian Digital Interchange (CDI)
An effort by the Government of Canada, along with Provincial and
Territorial partners, to create a secure, reliable, near real-time,
scalable messaging service to facilitate information exchange (i.e.
identity attributes) across jurisdictions.
The service will:
• Ensure a standardized and comprehensive approach for the
protection of personal information and ensure accountability
from all partners.
Canadian Digital Interchange (CDI)
• Ensure identity information disclosure between jurisdictions is
transparent – users will understand how and why their
information is shared.
• Implement a secure and cost-effective solution that will allow
parties to confirm identity information, and provide updated
information between relevant jurisdictions and programs where
legal authority exists to do so.
• Implement a solution without creating any new databases or
repositories of personal information.
Canadian Digital Interchange (CDI)
Current Status
• Request for Information has been issued, responses due by
May 29, 2015.
• No commitment yet on whether a Request for Proposal will be
issued.
Canadian Digital Interchange (CDI)
2Keys Proposal
• Distributed Architecture
• Based on UMA
• CDI Trust Framework
– Defines the “rules of the road”
• CDI Deployment Profile
– Defines the APIs
– Defines the message formats
– Defines the data elements
Canadian Digital Interchange (CDI)
Jurisdictional Clouds
• Identity data in Canada is distributed.
• Provinces/Territories are authoritative
on Birth and Death events.
• Federal Government is authoritative on
Immigration status.
• Resource owners should have control
over their data.
• Does not preclude the use of shared
resources among jurisdictions.
Canadian Digital Interchange (CDI)
A Digital Identity Ecosystem
• The Canadian Digital Interchange is the beginning of a
standardized Digital Identity Ecosystem, defining a common set
of Identity Services for the public sector, and possibly the private
sector in the future.
• Potential for an Identity Marketplace to emerge, providing a
source of revenue for governments to sustain their services.
Thank You
John Spicer
jspicer@2Keys.ca

Identity Summit 2015: 2Keys Canadian Digital Identity


Editor's Notes

  • #3 I suspect not many of you have heard of 2Keys, so I’ll give a brief introduction, then I thought I would start with the 10,000 foot view of the federal government’s strategy for a digital Canada, followed by details on a relatively new organization aimed at growing the digital identity space in Canada. I’ll also talk about the current state, introduce the emerging Pan-Canadian identity standards, walk through a proof of concept related to identity validation, and finish with an overview of what’s coming next.
  • #6 Digital Canada 150 represents a comprehensive approach to ensuring Canada can take full advantage of the opportunities in the digital age.
  • #8 Memory Project - Creating a digital online record of the stories from our war veterans.
  • #11 Public launch in May of 2014, and opened their doors to new members.
  • #15 When a user accesses a protected resource, they are presented the chooser page to select their authentication method.
  • #16 You’ll notice the *: while the service is privacy protecting, it does limit the authentication context at the CSPs. For example, the CSP can still monitor the velocity of authentication requests, but without knowing the source, it can’t tell the difference between an error at one relying party causing the user to re-attempt the login and a compromised account where the attacker is trying to hijack accounts at as many services as he can.
  • #20 GCKey is an anonymous credential, where the user has complete control over creation and revocation. There is a sense of ownership. Many users are non-citizens without Canadian bank accounts. Users may not be customers of one of the five financial institutions supported. Financial credentials are not applicable to business-related online services such as Record of Employment and eManifest. In Canada, there is not a strong relationship between financial institutions and the government; there is a tendency to use native credentials for native purposes. The second reason (my reason) is there isn’t a natural trust relationship between the banks and the government. (Some cynics would argue neither can be trusted!) The federation isn’t natural, not in the way that InCommon/CAF is natural to higher education. My belief is that there must be a natural circle of trust, perhaps even when the credential is the only thing being federated (and in an anonymous way). This solution is missing that. A more natural federation might be with provincial gov’t credentials/identities, and perhaps that is in the works with recent developments in BC. And given that identity proofing must be repeated by each gov’t agency, there are insufficient convenience motivations to overcome the lack of natural trust and use the partner sign-in. Getting a GCKey is a mild pain (one time) but once you have it why would you change? Easy recall of the more frequently used credential (from your bank) is the only reason and likely insufficient. 3rd party CSPs are susceptible to social engineering breaches. There are many examples of breaches at banks and telcos by social engineering attacks through the service desks. Not sure how this could be done with GCKey: no PII available at the service desk. There is at the department level, but they have no access to the credential.
  • #21 There is consideration being given to adding telcos as credential providers. In Canada, the major telcos are also in the television business. To access TV shows online, many networks now require you to authenticate with your provider’s credential to gain access to premium content. My kids are the biggest users of this, so they know the credential, and guess what? So do their friends. So while the technical implementation of the credential provider may meet the LOA 2 requirements, the value the user attaches to that credential is very low. You get a mismatch in value. The same is true with banking credentials, except it’s the inverse: I attach more value to the credential, and don’t want to use it for anything but banking.
  • #24 Personal Information: information about an identifiable person. Identity Information: sufficient to ensure uniqueness within a service; minimal set of attributes required by the service. Identifier: minimal set of attributes to ensure uniqueness. Identity: collection of attributes about a unique entity. Assigned Identifier: generated unique identifier linked to an identity.
  • #34 The final piece of the proof of concept dealt with real-time user notifications. This utilized the 2Keys Transaction Verification Service and the 2Keys Smart Token mobile application. When a request is received, a real-time push notification message is sent to the mobile app; the user is presented with the details and asked to approve or decline the request. We believe this service will be a great companion for a UMA authorization server. Consider the classic Alice to Bob sharing use case: now Alice doesn’t need to pre-provision the sharing policy, she can approve it in real time when Bob is ready to use the data.
  • #40 Distributed does not preclude the use of shared resources among jurisdictions; it does not require full distribution. Jurisdictions can collaborate and share costs. The distributed model will allow the CDI to grow over time. Some jurisdictions will lead, others will wait and watch. Follows the model of the API economy.