Employee Authentication Service (EAS)
Update for SocITM London Branch Meeting
26th February 2009
EAS demo at: http://www.youtube.com/watch?v=rJ5stVy-38I
For more information please contact:
Email: eas.info@dcsf.gsi.gov.uk
Phone: 020 7783 8581
EAS is a cross-government project delivered through a DCSF led strategic partnership supported by CLG, DWP and Local Authorities
Authentication is key to transformational government
• A secure and trusted environment for information sharing
• Ensures the right people are granted appropriate access to sensitive information
• 'Two factor' authentication is becoming the minimum security standard for Government
This requires the user to have two components in order to be granted access:
• Something they know, i.e. a PIN
• Something they have, i.e. a token or card
EAS delivers clear benefits to local authorities
• It is easy to use and scaleable
• It is security endorsed and future-proof
• It delivers a solution at the lowest possible cost
• It has been designed in collaboration with local authorities and other service users
[Diagram: EAS at the centre of four labels: SECURE, VALUE FOR MONEY, SUSTAINABLE, SCALEABLE]
Referenced by the 'Local Government Data Handling Guidelines' report (2008) as a best practice solution for local authorities in order to ensure that all reasonable steps are taken to preserve and protect the public's information.
Referenced by BECTA as a solution to achieve compliance with the spirit of the 'Data Handling Procedures in Government' Report
The user’s experience of EAS (fictional scenario)
• Jenny is a Teacher working in Salford. As part of her job, she needs to access ContactPoint and eCAF
• Jenny has been registered onto EAS through Salford City Council and has received a token for which she has
created her own personal PIN
• Jenny has met the criteria required to access ContactPoint (including proving that she has a valid eCRB and
completed the ContactPoint training) and has been enrolled onto the application. She has also met the criteria
for eCAF and has been enrolled onto this application.
1. Jenny goes to the web interface to access ContactPoint
2. She is asked to select her Registration Authority via the Gateway "where are you from" (WAYF) page
3. Jenny is asked to enter her username and the one-time password generated by her token. Having entered these correctly she is able to access ContactPoint
4. Having been authenticated by EAS she is also able to access the eCAF application
Behind the Scenes - How does EAS work?
[Diagram: "Quick and simple integration". Groups of service users, each with an RA and EA, are shown against identity provider (IdP) services: the EAS Shared Identity Provider (IdP) Service, an LA IdP Service and an NHS IdP Service. These sit alongside the Authentication Broker and the service providers: ContactPoint, DWP – Customer Information System (CIS), CLG Data Interchange Hub, Collect, and other service providers. Legend: Local Authority; Provided by EAS.]
Who does what? - Understanding the Trust Model
1. RAs and EAs verify identity and attributes according to Registration Policy
2. tScheme audit ensures IdP and associated RAs and EAs are meeting policy / best practice
3. Authentication Broker ensures that assertions from IdP are appropriate
4. Pan-government accreditation ensures that AB is secure and robustly operated
5. Authentication Broker issues and signs assertions to Service Provider
6. Service provider trusts assertion from AB and makes access decision according to policy agreed with local
[Diagram labels: tScheme; Pan Government accreditor; Departmental; Governance and Standards; RA; EA; Shared IdP; IdP; Trust enforcement services; Access mgmt; No access mgmt]
What is a Registration Authority (RA)?
• Accountability sits with the Chief Executive / Section 151 Officer or Director of Children's Services
• Registration Manager: responsible for ensuring policies are implemented and managing Registration Agents
• Credential Issuer: responsible for issuing the credential to the user and lifecycle management of the credential
• Enrolment/Registration Agents: responsible for registration and enrolment processes being followed
• Sponsor: responsible for initiating the registration process, ensuring that policies are followed and changes of circumstance are acted upon
• User: responsible for following the policies of the scheme and all services they are enrolled onto
[Diagram labels: Service Owner; Registration Authority; Registration & Enrolment Function; Registration Manager; Credential Issuer; Enrolment Agents; Registration Agents; Sponsor; User]
An RA 'does' 3 things:
1. Verifies the identity of users and registers them onto the EAS system
2. Manages the lifecycle of credentials and attributes within EAS
3. Verifies the user requirements needed to access specific shared services, as identified by the service owner, and enrols the EAS end user onto these
EAS Service Offer
KEY: Current EAS service offer; Potential service offer - Product Development
Children's and Educational Services
• ContactPoint: estimated early adopter "Go Live" using EAS - March 2009
• DSG Applications including Collect: Board decision pending – 4th Feb
• Youth Justice Board: initial engagement meetings taking place
• eCAF: decision to be confirmed at board
Housing and Benefits
• Customer Information System (CIS): estimated early adopter "Go Live" using EAS - 2010
• Other applications tbc
Local Organisational Capability
• CLG Data Interchange Hub: estimated early adopter "Go Live" using EAS - 2010
• Small number of local apps will be considered on a case-by-case basis
• Sharepoint applications being developed as R&D project: pilots with DCSF – IWP service and engaging with DCMS
• GCSx remote access currently being explored (working with GC) – this could enable single sign on to LA networks
• Regional hub RA configuration to be piloted
Comparison of ContactPoint and EAS requirements
SIMILARITIES IN REQUIREMENTS
• Level of identity verification required (eGif level 3)
• Requirement for defined and auditable processes
• CMS type and instance accreditation process
DIFFERENCES IN REQUIREMENTS
• Corporate accountability for identity verification process
• Formal audit and accreditation process
• User and token management process (slight difference)
ADDITIONAL CAPABILITIES OF EAS
• Re-use for multiple applications: central, regional and local
• Bulk upload of user data supported
• Solution driven by local government needs
Product Development
In addition to the standard service offer, EAS is working with Government Connect to
develop its product offer. Key developments in Q1 2009 will be:
• Scoping of work needed to provide remote access to GCSx using EAS
• Pilot of regional hub configuration
• Integration with Microsoft IAG and Sharepoint, in response to DCMS and LA
requirements
We have completed a pilot and are going live with a small group of early adopters
Timeline: Apr 2008; Q2 & Q3 2008; Q4 2008; Jan-Feb 2009; Mar 2009; Apr 2009
Milestones shown along the timeline:
• Key to Success (DCSF application) pilot tested EAS with over 500 users in 150 local authorities and refined workflow
• Collaboration with local authorities, third sector, and central Government to define policies and create implementation guides
• Early Adopters identified: Salford and Newham; ContactPoint & LA local apps
• Other Service Providers engaged: Customer Information Service (CIS); Collect (DSG applications); CLG Data Interchange Hub
• Identified next wave of local authorities (who have responsibility for children's and educational services)
• Early Adopters LIVE on system: Salford and Newham; ContactPoint & LA local apps
• EAS Launch: Begin engagement with local authorities who have responsibility for children's and educational services to implement EAS
EAS costs to local authorities are affordable and competitive
Local authority set up costs:
• EAS token: £10 per user (cost may be covered by service provider)
• Configuration of each Registration Authority on EAS system: £5k
• Accreditation, licensing and training costs: approx £5k
• Additional internal costs to manage set up as a project and procure hardware such as
desktop PC and scanners (varies depending on local authority)
Local authority annual costs:
• Token service charge: £3 per user (may be covered by service provider for the first year)
• Additional internal costs to resource Registration and Enrolment Authorities: varies
depending on local authority
We are now engaging with local authorities to identify the next
wave of EAS users
On-boarding process:
Stages: Initial Engagement; Scoping; Implementation; GO LIVE
Documents: Letter of Intent; MOU; Q-Pack
PROCESS
• Initial Engagement Workshop
• Trstd Roles Populated
• Technical Requirements
• Process Requirements
• Bulk Info Uploaded
• Training Implemented
• Tokens ordered
• Processes Implemented
• UAT & test
• T-Scheme Accreditation
• Readiness Assessment 1
• Readiness Assessment 2
• Trust Scheme Accreditation
PROGRESS
• Engagement meeting pending with 9 local authorities
• Letter of intent from 3 local authorities: Salford, Newham and Milton Keynes
• Completed Q-pack from 1 local authority: Salford
Next Steps:
• Let us know if you are interested in arranging an engagement meeting with EAS – we are
looking to engage now with the next phase of users
• We are also conducting a series of events over the next couple of months. To be updated on
events email us
• Email: eas.info@dcsf.gsi.gov.uk
• Phone: 0207 7838581