NT III - Authentication and Authorisation Service

Transcription

1 Tasmanian Cloud - Networking Tasmania Pre-Tender Consultation NT III - Authentication and Authorisation Service Scoping and implementation approach Department of Premier and Cabinet Office of e

2 CONTENTS 1 Purpose Background What are authentication and authorisation services Existing multi-agency authentication services NT III planning HR Systems Identity Integrated Business Intelligence Platform Proof of Concept Risks of current approach Objectives and scope Implementation risks Implementation approach Sponsorship Services Funding model Related initiatives Implementation timeframe Page 2 of 11

3 1 Purpose This paper summarises the proposed scope and objectives of the implementation of the Networking Tasmania (NT) III Authentication and Authorisation Service (AAS) which is part of the NT III project. For background on the NT III project, please refer to the Tasmanian Cloud Networking Tasmania Pre-Tender Consultation paper. This can be found on the TMD website: 2 Background 2.1 What are authentication and authorisation services Authentication and authorisation services are Information and Communication Technology (ICT) services that: Authenticate Authorise verify a known person (user), ICT service (e.g. application), or device is who/what they claim to be. For people, this is often achieved via the use of a user-id and password. provide access or use an ICT service. For example, allow user to utilise an ICT service. Authentication and authorisation services form part of identity management services. Other elements of identity management include the processes to manage staff changes, registration of new services and devices, provisioning of delegations and authorisations. Implementation of financial delegations in an ICT service, such as a finance system, is an example of identity management. 2.2 Existing multi-agency authentication services The diagram and table below outline current authentication and authorisation services that support the TMD managed whole of government services arrangements. Page 3 of 11

4 Figure 1 Current, disparate AAS arrangements for whole of government services Agency account and/or identity data Active Directory HR system IAM system Other CISCO ICE & Radius FIM View 500 (under NT II agreement) Radius CISCO NT II WiFi GDS NT II Remote Access ConnectV (telephony) Table 1 Current, disparate AAS arrangements for whole of government services Applications Service Technology white pages Directory Service 1 Service provider Data source(s) View500 Telstra Agency HR systems, data files Whole of Connect E Microsoft Forefront Identity Manager TMD Agency Active Directories Whole of telephony Connect V CISCO Anittel Manual process by agencies into a TMD/Anittel system Whole of government Wi-Fi service Wi-Fi CISCO ICE, Radius Telstra Agency Active Directories Remote access Remote access Radius Telstra Agency Active Directories In addition, there are many agency IT applications that routinely need to authenticate and authorise users from multiple agencies. Examples of these services are: 1 The GDS is not used as an authentication service, but is included in the table as its underlying business process to maintain the data and its technology platform are similar or the same as required by an authentication service. Page 4 of 11

5 Motor Registry System used by staff of Department of State Growth, Service Tasmania and Tasmania Police. Budget Management System access by selected staff from all agencies. The List s Common Operating Platform (COP) allows Tasmania s emergency services to collaboratively plan, respond, manage and help communities recover from emergency incidents. All of these services have costs to maintain and operate. This includes costs to maintain and support the IT service, but also the costs in maintaining separate user accounts, and the risk that staff movements may be overlooked. 2.3 NT III planning The planning for NT III proposed changing from a network model that determines network access based on a combination of agency and location to a model where network access is based on who the user, device or service actually is. It is anticipated that the new model will be gradually implemented over the term of the NT III agreements. The proposed model is an evolution of the access model implemented for the NT II Wi-Fi service by: Extending the NT access model to include wired, as well Wi-Fi connections. Creation of service zones that cross agency boundaries. Implementation of the Wi-Fi service required the development of an authentication service (see section 2.2 Existing multi-agency authentication services). Implementation of the NT III model will require additional functionality to this current NT II model. 2.4 HR Systems Identity Integrated Business Intelligence Platform Proof of Concept The Department of Premier and Cabinet undertook an Identity Integrated Business Intelligence Platform Proof of Concept Pilot during The Proof of Concept explored the feasibility of enabling an integrated access-control environment and reporting/analytics platform to give agencies better visibility of data relating to the services provided by TMD. This included exploring alternative reporting tools that provide improved self-service reporting by agencies. The key findings were: Current reporting and filtering arrangement prevents data level security causing high levels of manual management, large numbers of complex reports and filters. Thousands of manually managed reports and filters does not support self-service. Page 5 of 11

6 There is no automated way to link a user account to their current organisation unit, role or cost centre, and hence requires security filters to be placed upon what the user may view. 3 Risks of current approach The current approach has a number of risks and limitations including: Lack of capability and agility to support new cross agency and cross organisation services Increasing numbers of authentication and authorisation services in use across government to support multi-agency services, resulting in: o o o replication of costs replication of business processes increasing risk of poor levels of security controls Growing unsustainability of current services There are a number of drivers that have generated the current situation, these include: No obvious sustainable funding model for a broad government wide authentication and authorisation model. Lack of strategic coordination of service requirements, resulting in project teams implementing services that only meet their own immediate needs and are not extensible for other, like purposes. 4 Objectives and scope The objectives of the AAS are: 1. Provision of a service to enable government ICT services (including NT) to authenticate devices, applications and staff (using a single account or single signon), and to determine what they are authorised to do. 2. Support the authentication and authorisation requirements of cloud computing services purchased by agencies. 3. Ability to extend, or link with other related services. 4. Be extensible with affordable incremental development 5. To be able, where applicable, to include non-staff user accounts within the system and work with other services that authenticate and authorise non-staff accessing government ICT services. The initial scope of a new service includes: 1. A Meta directory to support the various authentication services. 2. Trusted bidirectional linking (for specified data elements) to agency Active Directories, or if an agency elects, alternate data sources. Page 6 of 11

7 3. Provision of a range of technical services such as Active Directory, LDAP, SAML 2.0, OpenID and OAuth. 4. Support for the requirements of NT III (e.g. general network access, Wi-Fi and remote access) and the -wide Connect service. The AAS must be extensible so that the quality and richness of the identity data held in the system can be improved and the range of services utilising the AAS can be expanded. This requirement extends the scope to include: 1. The ability to extend or populate the meta-directory to support new requirements. 2. The ability to link to more agency sources, such as existing agency HR systems and identity management services to improve the quality of the identity data. 3. Overtime it is expected that additional services will utilise the AAS service, such as the range of ICT services that are accessed by staff from multiple agencies. The scope excludes: 1. Full identity and access management (IAM), agencies will be responsible for providing and maintaining identity information to the AAS, including updating staff and provisioning services. 2. Services that utilise the AAS, noting that- (a) (b) NT III will utilise the service Over time the range of services utilising the AAS is expected to grow 5 Implementation risks Table 2 Risk overview for AAS Risk Impact Mitigation AAS technically too complex to implement. AAS too complex for agencies to provide and maintain data that is fit for purpose. AAS not ready to support initial requirements of the new NT III core. AAS unable to provide appropriate functionality. Initial service, while being extensible, sources the minimum data from each agency to support the initial service requirements. Where possible the initial data should be drawn from a single source from each agency. Have development path to build functionally. Stakeholder engagement and communications plan. Page 7 of 11

8 Risk Impact Mitigation Agencies not willing to utilise the AAS for other services Full business benefits of AAS not realised Ongoing program to build growth in the use of the service. Stakeholder engagement and communications plan. Overlap with proposed Business Intelligence Service initiatives Inability to support current and future emerging technical standards Failure to implement appropriate data standards in the meta directory Duplication of services and effort Service is unable to support current and future business requirements Reduced functionality and capability and/or increased operational costs Work with related projects to identify and capitalise overlaps. Stakeholder engagement and communications plan. Ensure research, specifications and procurement address current technical requirements and flexibility to add new and emerging standards as they emerge Include in implementation and ongoing maintenance a consultative framework and stream of work to establish, maintain and monitor data standards 6 Implementation approach 6.1 Sponsorship The AAS will require high level sponsorship and support. The following sponsorship model is proposed: Strategic business owner Agency ICT Reference Group Initial development business owner NT III Project Steering Committee Initial sponsor Chair of the NT III Project Steering Committee. 6.2 Services The diagram and table below describe how the AAS will be initially implemented and grow over time. Included in the diagram (sections in blue) and table are likely projects to build the service and improve its capability and potential uses of the service. Page 8 of 11

9 Figure 2 Proposed future AAS implementation and potential growth Agency account and/or identity data Active Directory HR system IAM system Other Meta data import engine NT III Authentication & Authorisation Service (AAS) AAS Meta directory Business Intelligence service AAS Services Active Directory LDAP OpenID OAuth SAML 2 NT III (inc Wi-Fi & remote access) ConnectV (telephony) GDS (White Pages) Other servcies Applications and services utilising the AAS Project key: NT III Procurement & Implementation Business Intelligence service Agency initiatives Page 9 of 11

10 Table 3 Proposed future NT III AAS arrangements for whole of government services Applications Service Technology white pages Service provider Data source(s) Whole of Whole of telephony NT III (eg Wi- Fi, LAN, remote access) Cloud services (SAML 2.0, OAuth) AAS Service interfaces include 2 factor authentication, Active Directory, LDAP, SAML 2.0, OAuth, OpenID To be determined, will include a meta directory To be determined To be determined, automatic data feed from agency systems/services. Evolve into IAM regime for government. Others as developed Additional services are able to be added over time. 6.3 Funding model It is intended that the AAS will form part of the NT III core services, as described in the document Tasmanian Cloud Networking Tasmania Pre-Tender Consultation. These core services have existing, established operational funding models. It is proposed that this model will be used to fund the operational costs of the AAS. Note that the funding of any implementation costs are yet to be determined. 6.4 Related initiatives Proposed Business Intelligence Service - the Department of Premier and Cabinet has been working on a pilot of an integrated identity management business intelligence service. The Directory Service (GDS) is a long standing service that has similar attributes as the AAS. Page 10 of 11

11 There are a number of overlaps between the GDS and the proposed Business Intelligence Service and the AAS such as: All three have a similar requirement for importing staff and related information from agencies. The current GDS processes are, for most agencies, cumbersome to manage and are not of a suitable quality to support an authentication and authorisation service. They have similar core meta directory requirements. The proposed Business Intelligence Service and, over time, the AAS will require information to support their particular business requirements. However, the uses of the information required will differ between all three: GDS is primarily a white pages phone directory, but can be expanded to provide other related services AAS is to authenticate and authorise access to government ICT services The Business Intelligence Service is, in the first instance, to assist in HR planning of agencies and government as a whole. 6.5 Implementation timeframe Table 4 Indicative implementation schedule Date Q Q1-Q Milestone Agreement to scope and implementation model Planning and market consultation 2016 Procurement of services 2016 Implementation of initial service requirements, and testing Q Critical milestone service capable of supporting the new NT III core. Page 11 of 11