Employee Authentication Service (EAS)

Update for SocITM London Branch Meeting
26th February 2009

EAS demo at: http://www.youtube.com/watch?v=rJ5stVy-38I

For more information please contact:
Email: eas.info@dcsf.gsi.gov.uk
Phone: 020 7783 8581

EAS is a cross-government project delivered through a DCSF-led strategic partnership supported by CLG, DWP and Local Authorities

Authentication is key to transformational government

• A secure and trusted environment for information sharing

• Ensures the right people are granted appropriate access to sensitive

• 'Two factor' authentication is becoming the minimum security standard
  for Government

  This requires the user to have two components in order to be granted access:
  • Something they know, i.e. a PIN
  • Something they have, i.e. a token or card

EAS delivers clear benefits to local authorities

• It is easy to use and scaleable
• It is security endorsed and future-proof
• It delivers a solution at the lowest possible
• It has been designed in collaboration with
  local authorities and other service users

[Diagram: EAS surrounded by the labels SECURE, VALUE FOR, SUSTAINABLE, SCALEABLE]

Referenced by the 'Local Government Data Handling Guidelines' report (2008) as a best practice solution for local authorities in order to ensure that all reasonable steps are taken to preserve and protect the public's information.
Referenced by BECTA as a solution to achieve compliance with the spirit of the 'Data Handling Procedures in Government'

The user’s experience of EAS (fictional scenario)
• Jenny is a Teacher working in Salford. As part of her job, she needs to access ContactPoint and eCAF
• Jenny has been registered onto EAS through Salford City Council and has received a token for which she has
  created her own personal PIN
• Jenny has met the criteria required to access ContactPoint (including proving that she has a valid eCRB and
  completed the ContactPoint training) and has been enrolled onto the application. She has also met the criteria
  for eCAF and has been enrolled onto this application.

1. Jenny goes to the web interface to access ContactPoint
2. She is asked to select her Registration Authority via the Gateway "where are you from" (WAYF) page
3. Jenny is asked to enter her username and the one-time password generated by her token. Having entered these correctly she is able to access ContactPoint

Having been authenticated by EAS she is also able to access the eCAF application

Behind the Scenes - How does EAS work?

[Diagram: groups of service users, each with an RA and EA, sit behind three identity providers: EAS Shared Provider Service (IdP), LA IdP Service and NHS IdP Service. The IdPs connect to the Authentication Broker, labelled "Quick and simple integration", which connects to the service providers: DWP – Customer Information System (CIS), CLG Data Hub, Collect, and other service providers. Key: Local Authority; Provided by EAS.]

Who does what? - Understanding the Trust Model
1. RAs and EAs verify identity and attributes according to Registration Policy
2. tScheme audit ensures IdP and associated RAs and EAs are meeting policy / best practice
3. Authentication Broker ensures that assertions from IdP are appropriate
4. Pan-government accreditation ensures that AB is secure and robustly operated
5. Authentication Broker issues and signs assertions to Service Provider
6. Service provider trusts assertion from AB and makes access decision according to policy agreed with local

[Diagram labels: tScheme; Pan Government; Governance and Standards; RA; EA; IdP; Trust enforcement; Access mgmt; No access mgmt]

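
The broker chain in steps 3, 5 and 6 of the trust model, as an added example that is not EAS code: the broker vets an IdP assertion and re-signs it, and the service provider accepts only the broker's signature before applying its own policy. HMAC stands in for the signature scheme, which the slides do not name, and the keys, claim names and policy table are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo values. HMAC stands in for the signature scheme, which the
# slides do not name; claim names and keys are hypothetical.
IDP_KEYS = {"la-idp": b"demo-idp-key"}          # IdPs the broker accepts
BROKER_KEY = b"demo-broker-key"                 # known to broker and SP only
SP_POLICY = {"ContactPoint": {"min_level": 3}}  # level 3, per the comparison slide
REQUIRED = ("user", "level", "enrolled")


def sign(key, claims):
    """Return the claims with a MAC over their canonical JSON form."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key, token):
    """Return the claims if the MAC checks out (constant-time), else None."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return token["claims"] if hmac.compare_digest(expected, token["sig"]) else None


def broker(idp_token):
    """Steps 3 and 5: vet the IdP assertion, then issue a broker-signed one."""
    key = IDP_KEYS.get(idp_token["claims"].get("issuer"))
    claims = verify(key, idp_token) if key else None
    if claims is None or not all(name in claims for name in REQUIRED):
        return None  # unknown IdP, altered assertion, or missing attributes
    vetted = {name: claims[name] for name in REQUIRED}
    vetted["issuer"] = "authentication-broker"
    return sign(BROKER_KEY, vetted)


def service_provider(app, token):
    """Step 6: accept only broker-signed assertions, then apply local policy."""
    claims = verify(BROKER_KEY, token) if token else None
    if claims is None or app not in SP_POLICY:
        return False
    return claims["level"] >= SP_POLICY[app]["min_level"] and app in claims["enrolled"]


if __name__ == "__main__":
    jenny = sign(IDP_KEYS["la-idp"], {"issuer": "la-idp", "user": "jenny",
                                      "level": 3, "enrolled": ["ContactPoint", "eCAF"]})
    print(service_provider("ContactPoint", broker(jenny)))   # broker-signed
    print(service_provider("ContactPoint", jenny))           # IdP-signed only
```
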
What is a Registration Authority (RA)?
Accountability sits with the Chief Executive / Section 151 Officer or Director of Children's Services

• Registration Manager: responsible for ensuring policies are implemented and managing Registration Agents
• Credential Issuer: responsible for issuing the credential to the user and lifecycle management of the credential
• Enrolment/Registration Agents: responsible for registration and enrolment processes being followed
• Sponsor: responsible for initiating the registration process, ensuring that policies are followed and changes of circumstance are acted
• User: responsible for following the policies of the scheme and all services they are enrolled onto

[Diagram labels: Registration Authority; Service Owner; Registration & Enrolment Function; Registration Manager; Credential Issuer; Registration Agents; Enrolment Agents; Sponsor; User]

An RA 'does' 3 things:
1. Verifies the identity of users and registers them onto the EAS system
2. Manages the lifecycle of credentials and attributes within EAS
3. Verifies the user requirements needed to access specific shared services, as identified by the
   service owner, and enrols the EAS end user onto these


EAS Service Offer

[Key: Current EAS service offer; Potential service offer - Product Development]

Children's and Educational
• ContactPoint: estimated early adopter "Go Live" using EAS - March 2009
• DSG Applications including Collect: Board decision pending – 4th Feb
• Youth Justice Board: initial engagement meetings taking place
• eCAF: decision to be confirmed at board

Housing and Benefits
• Customer Information System (CIS): estimated early adopter "Go Live" using EAS - 2010
• Other applications tbc

Local Organisational Capability
• CLG Data Interchange Hub: estimated early adopter "Go Live" using EAS - 2010
• Small number of local apps will be considered on a case-by-case
• Sharepoint applications being developed as R&D project: pilots with DCSF – IWP service and engaging with DCMS
• GCSx remote access currently being explored (working with GC) – this could enable single sign on to LA networks
• Regional hub RA configuration to be piloted

Comparison of ContactPoint and EAS requirements


• Level of identity verification required (eGif level 3)
• Requirement for defined and auditable
• CMS type and instance accreditation

• Corporate accountability for identity verification process
• Formal audit and accreditation process
• User and token management process (slight difference)

ADDITIONAL CAPABILITIES OF EAS

 • Re-use for multiple applications: central, regional and local

 • Bulk upload of user data supported

 • Solution driven by local government needs
Product Development

 In addition to the standard service offer, EAS is working with Government Connect to
 develop its product offer. Key developments in Q1 2009 will be:

  • Scoping of work needed to provide remote access to GCSx using EAS

  • Pilot of regional hub configuration

  • Integration with Microsoft IAG and Sharepoint, in response to DCMS and LA

We have completed a pilot and are going live with a small group of
early adopters

[Timeline: Apr 2008; Q2 & Q3 2008; Q4 2008; Jan-Feb 2009; Mar 2009; Apr 2009]

• Key to Success (DCSF application) pilot tested EAS with over 500 users in 150 local authorities and refined workflow
• Collaboration with local authorities, third sector, and central Government to define policies and create implementation guides
• Early Adopters identified:
  • Salford and Newham
  • ContactPoint & LA local apps
• Other Service Providers engaged:
  • Customer Information Service (CIS)
  • Collect (DSG applications)
  • CLG Data Interchange Hub
• EAS Launch: Begin engagement with local authorities who have responsibility for children's and educational services
• Early Adopters LIVE on system
  • Salford and Newham
  • ContactPoint & LA local
• Identified next wave of local authorities (who have responsibility for children's and educational services) to implement EAS

EAS costs to local authorities are affordable and competitive

 Local authority set up costs:

 • EAS token: £10 per user (cost may be covered by service provider)
 • Configuration of each Registration Authority on EAS system: £5k
 • Accreditation, licensing and training costs: approx £5k
 • Additional internal costs to manage set up as a project and procure hardware such as
   desktop PC and scanners (varies depending on local authority)

 Local authority annual costs:

 • Token service charge: £3 per user (may be covered by service provider for the first year)
 • Additional internal costs to resource Registration and Enrolment Authorities: varies
   depending on local authority
We are now engaging with local authorities to identify the next
wave of EAS users
On-boarding process:

[Diagram: on-boarding runs through three phases, Initial Engagement, Scoping and Implementation, ending at GO LIVE. Milestones: Letter of Intent; Q-Pack MOU; Readiness Assessment 1; Readiness Assessment 2; Trust Scheme Accreditation. Activities: Initial Engagement Workshop; Process Requirements; Technical Requirements; Tokens ordered; Bulk Info Uploaded; Trstd Roles Populated; Training Implemented; Implemented; UAT & test; T-Scheme.]

Current status:
• Engagement meeting pending with 9 local authorities
• Letter of intent from 3 local authorities: Salford, Newham and Milton Keynes
• Completed Q-pack from 1 local authority: Salford

Next Steps:
• Let us know if you are interested in arranging an engagement meeting with EAS – we are
  looking to engage now with the next phase of users
• We are also conducting a series of events over the next couple of months. To be updated on
  events email us
  • Email: eas.info@dcsf.gsi.gov.uk
  • Phone: 0207 7838581