Developing Countries National ICT Identity Governance Strategy Huntington Ventures Ltd. The Business of Identity Management May 2016



This Deck…

• Reviews the governance components required to successfully implement and maintain an e-government strategy:
  – Identity data governance
  – Identity infrastructure governance
  – Laws and regulations governance

• So who am I?


Guy Huntington

Guy Huntington is a very experienced identity architect, program and project manager who has led, as well as rescued, many large Fortune 500 identity projects, including Boeing and Capital One. He recently completed his work as the identity architect for the Government of Alberta’s Digital Citizen Identity and Authentication program.


Identity Governance

• Many people don’t understand the governance requirements to successfully implement and maintain an e-government strategy

• There are several components:
  – Identity data governance
  – Identity infrastructure governance
  – Laws and regulations governance

• Let’s start with identity data…


[Diagram: National Citizen Identity Lifecycle. Left-hand side: identity data events (Birth, Name Change, Gender Change, Death, Address Change, Tel. Number Change, Parent/Guardian Change, Marriage, Divorce). Each event is paired with an "Authoritative Source" box and a "Business Processes" box. Other labels in the diagram: Citizen Tombstone, Identity Directory.]


Who Has Legal Responsibility?

• For each piece of identity data on the left-hand side of the previous screen, which government ministry is legally responsible for the data?

• There are some new identity challenges that need to be addressed:
  – When a biometric is obtained from a person (e.g. infant, child or adult), which ministry is ultimately responsible for the biometric?
  – For parents/legal guardians, which ministry is legally responsible for establishing this relationship?
  – For citizen addresses and phone numbers, is there one ministry that will be legally responsible for the collection and management of this?


Legal Vs. Operational Responsibility

• Once the legal governance for each piece of identity data is determined, then there needs to be a determination of who is operationally responsible for the collection of it

• This is the second column in the previous diagram, i.e. business processes

• Here’s a hypothetical example:
  – When a student goes to school for their first day, they will provide a face and voice print biometric
    • The school district or a specialized identity team might be the people who actually collect the biometrics
    • HOWEVER, the ministry legally responsible for the biometric will likely not be the Education Ministry

• So regulations and standards need to be created and then audited for the operational governance of each piece of identity data


Shared Services

• About 20 years ago, when large global enterprises began to digitize themselves and centralize operations, it became apparent there was a need for a shared services group to collectively manage IT infrastructure

• Governments began to adopt this too

• There needs to be a legal act and regulations regarding the formation of such an entity


Identity Infrastructure et al

• Shared Services are usually the group who is responsible for the operational management of the identity infrastructure
  – This includes data centres, clouds, operational data, high availability, etc.
  – It may or may not include the security management

• Note that the Shared Services group only has operational responsibility and not legal ownership for each of the underlying identity data components
  – The legal ownership remains with the ministry responsible for each piece of identity data


BUT Sometimes Shared Services Is Legally Responsible…

• Sometimes, the shared services group also looks after things like identity phone numbers and addresses, since there usually isn’t one ministry assigned to this

• At the last government client I worked with, their shared services ministry not only managed the identity infrastructure but also was responsible for the centralized citizen telephone numbers and address collection and management
  – Citizens would go to one place online to change their addresses and phone numbers


Government Identity Steering Committee

• Many enterprises deploying global identity strategies quickly come to the realization that identity crosses all the enterprise administration silos
  – It’s thus not only operationally very important, BUT also politically important

• It is not uncommon for large enterprises to form an identity steering committee to oversee identity infrastructure, identity investments, etc.


Laws and Regulations

• If one examines governments who have already successfully deployed national e-identity programs, like Estonia, one finds that a major component to do this is to create and/or change laws and regulations

• The use of things like digital signatures, digital data retention, biometrics et al require well thought out acts and regulations

• So your government will have to do this too

• Let’s take a quick look at some of the laws that Estonia brought into being…


Legal Framework

• Digital Signatures Act - https://www.riigiteataja.ee/en/eli/508072014007/consolide

• Public Information Act - https://www.riigiteataja.ee/en/eli/522122014002/consolide

• Personal Data Protection Act - https://www.riigiteataja.ee/en/eli/529012015008/consolide

• Act on Intellectual Property

• Uniform Bases for Document Management Procedures - https://www.riigiteataja.ee/akt/119062012007

• Archives Act - https://www.riigiteataja.ee/akt/112072014028

• Principles of Estonian Information Policy (1998, 2004)

• Action Plan of Estonian Information Policy – (eEstonia) (1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006...)

• http://egov2.eu/knowledge-base/an-overview-of-estonian-e%E2%80%91government-development-and-projects/


Identity and Credential Assurance

• Your government will have to create two standards: identity assurance and credential assurance

• Identity assurance covers what documents and biometrics are allowable under what type of conditions to establish an identity

• Credential assurance covers what type of credential is allowable for certain types of risk

• There will have to be memorandums of understanding between the national government and local state and municipalities as well as crown corporations

• These documents will also likely be legally referred to in federation agreements with third parties

• As your country begins to work with other countries on recognizing national identities and verification, these documents must then become part of such agreements


Federation Agreements

• Your government’s e-identity strategy will also require the national identity and authentication service to work with third parties like banks, telcos, insurance companies, etc.

• Each of these parties will have to sign a federation agreement with the government

• This covers many things like identity and credential assurance, liability, responsibility for when a session is dropped part way through, etc.


Governance Challenges

• Creating, implementing and sustaining an e-identity strategy IS VERY CHALLENGING because:
  – Crosses over all ministry silos
  – Extremely public facing
  – Literally many thousands of decisions to be made as the systems are all interconnected
  – The system is prone to attack from organized crime and foreign intelligence agencies
  – Large budgets and time cycles involved


Strong, Sustained Leadership

• Therefore, from the top of your government on down, all must not only be aware but also take a strong, sustained leadership role

• It’s when times get tough, like a denial of service attack, etc. that the top leaders have to be there to calm the public and ensure the system will be properly maintained


There’s A Lot To Governance

• It has been my own past experience that most enterprises commencing large, global, identity programs don’t understand the implications of governance

• It’s usually tacked on towards the end of the project

• THIS IS A BIG MISTAKE since many projects go over time and budgets as they finally realize governance is complex and must be addressed


Governance Should Be Addressed First

• At the very least, governance should be one of the main project tracks

• Many different government governance initiatives must be launched in parallel to the business process and technical activities of the teams

• Governance work takes time – so plan for it

• If you do this, then there is an excellent chance your identity program will roll out the door on time and on budget


Changing the World a Bit

• Guy wants to change the world a bit by assisting developing countries to leapfrog ahead of most western societies by:
  – Leveraging citizens’ use of the cell phone and their voice to then access online government services
  – Creating a new model for educating students
  – Leveraging existing technology to deliver healthcare more effectively


If You Thought This Is Thought Provoking

• Then please pass along a link to the presentation to people in your country who might be interested

• You can contact me at:
  – [email protected]
  – 1-604-861-6804
  – Via LinkedIn (https://ca.linkedin.com/in/ghuntington)

• Thanks for your time!