Strategy for Mobile ID

Transcription

1 Mobile ID Devices Strategy for Mobile ID 20 September 2013 Version 2.1

2 Strategy for Mobile ID Solutions Contents Summary...1 Context...2 Police and immigration services...2 Mobile solutions generally...2 Mobile applications for police and immigration...2 Characteristics specific to police and immigration use...3 e-mobidig...3 Suggested Good Practice...4 1: Take a strategic approach focused on business benefits...4 2: Describe the vision and roadmap...4 3: Mobilise business process not just technology...4 4: A mobile device is a component not a solution...4 5: Smart infrastructure the secure central hub...5 6: Understand connectivity...6 7: Excellence across several technologies...7 8: Pilot and learn...7 9: Test robustly...7 Strategy...8 Your next move: developing a strategy for mobile solutions...8 Self-check: Where is my strategy?...9 Editorial note This is Version 2 of an e-mobidig strategy paper and suggests considerations for police and immigration in developing a strategic approach for mobile identification solutions. It replaces the earlier Version 1 which was more a strategy approach for the e-mobidig group itself. Comments are welcome. Frank Smith, Chair, e-mobidig frank.smith@homeoffice.gsi.gov.uk

3 e-mobidig EU Mobile Identification Interoperability Group Supporting police and immigration use of mobile solutions Strategy for Mobile ID Solutions Summary Mobile technology is improving rapidly. This has important implications for police and immigration officers working away from fixed locations, for example on patrol or at the border, particularly in relation to identification. Participants in the e-mobidig working group are clear that mobile solutions can make a valuable contribution to policing and immigration and border control but that sound principles need to be followed taking account of previous experience and lessons learned. A strategic approach is needed focusing on overall business benefits to the organisation as a whole. This guide suggests good practice to be followed. Strategy on the use of mobile devices is decided at national rather than EU level but this paper presents thinking from e-mobidig which we hope will help Member States in this task. Key suggestions on good practice from e-mobidig, described in this paper, are: 1. Take a strategic approach focused on business benefits. 2. Describe the vision and roadmap. 3. Mobilise business process not just technology. 4. A mobile device is a component not a solution. 5. Smart infrastructure the secure central hub. 6. Understand connectivity. 7. Excellence across multiple technologies. 8. Pilot and learn. 9. Test robustly. Discussion at meetings of the e-mobidig working group have contributed to a series of further papers: (2) Use cases examples of how mobile ID devices could be used. (3) Country examples illustrating projects and developments in particular EU Member States. (4) Technical guide what technologies are relevant to mobile ID devices and key aspects of what is important to consider. (5) Standards examples of agreed standards relevant to this area. 1

4 Context Police and immigration services Each Member State in the EU has operational services responsible for policing and immigration, even though the allocation of responsibilities and legal powers may differ. In doing their work, officers from these services have to distinguish between people who are honest about their identity, and others who try to avoid identification, possibly because they are wanted as suspects for a crime, because they are engaged in unlawful activity and want to conceal their presence, or because they are using false documents or identity. Mobile solutions generally Mobile devices have been undergoing a radical transformation. In the mass market, consumers have been liberated from having to use desktop computing at fixed locations to access the internet: they now can have affordable handheld smartphones and lightweight tablets built for easy use on the move. With these they can book travel, hotels and entertainment, make payments, and message social friends in real-time, keep up to date with the latest news, locate where they are on a map and navigate to another place or search for local information, search the internet globally and download and install new software applications that leverage the high volume of sales to achieve very low price. New and better devices and improved mobile communications such as 4G continue to be developed. All of this is creating a powerful awareness of the technology and its capability, and officers increasingly expect similar technology to be available to them at work to access systems previously only available at fixed locations. This vision is inspiring innovation, though users may be less conscious that particularly for immigration and police, solutions continue to need rigorous security controls to protect confidential core systems from attack, and that bespoke solutions do not benefit from the same very large user base to spread costs and reduce price. Mobile applications for police and immigration Possible applications of mobile technology for immigration and police use: Authenticating travel and identity documents using secure (cryptographic) technology to authenticate a travel or identity document and information held on the chip, such as face images and the holder s name. Fingerprint verification from travel / identity documents EU chipped documents increasingly contain fingerprints of the authorised holder, allowing more secure validation that the right person is presenting the document. Fingerprint search of central systems to confirm identity or search reference systems, watchlists, etc. Biographic checks against central identity systems e.g. to check whether someone is wanted by the police or is a previous offender, or whether a travel or identity document presented to the officer has been reported lost or stolen. Business transactions (casework) at remote locations requiring more conventional desktop services and access to systems, and possibly enrolment of biometrics, decisions, enforcement notices, etc. Capturing evidence written statements, photographs, voice recording, interviews, geo-tagging. 2

5 Rapid deployment to respond to an urgent operational need such as many unexpected arrivals at a remote border crossing; a planned operation; or other reasons for urgent deployment of officers away from the office. Others checks against central identity systems e.g. driving licence, vehicle identification Receiving and sending information from/to the central control room Writing reports Contributing to forensic crime scene analysis. Mapping and location-based services using geo-location technology to manage operations, determine current position, log and report position and time, display reference information and intelligence relevant to the location, navigate, and geo-fence operational areas where a device will work. See also the e-mobidig papers on use cases and country examples. Characteristics specific to police and immigration use The police and immigration market can benefit hugely from all of these developments, but perhaps not in standard form. This market needs particularly: Software development to connect to specialist applications for police and immigration including fingerprint matching and the protocols and infrastructure to authenticate secure passport and ID card chips. Support for external devices such as fingerprint readers. A strong emphasis on security so that a mobile device can be locked down to prevent malicious changes to the software; encryption to protect communications, data held on the device; and rigorous control over access to core systems. Many mobile consumer devices are designed to enable software easily to be downloaded and installed by the user this has to be prevented on a device for police or immigration use. Robust physical devices that will stand up to operational policing and immigration use. If needed, use of specialist data networks for emergency services (e.g. Tetra). Development of infrastructure and systems to work with the mobile devices. Although operationally independent, there are strong similarities between police and immigration work in different MSs are there more opportunities for sharing of good practice, solutions? Structures and the division of responsibilities between police and immigration may differ between countries. Nevertheless, there are opportunities to share good practice between MSs, as shown by e-mobidig. Are there also opportunities to share the design of solutions, and perhaps purchasing of common equipment, between MSs? e-mobidig The e-mobidig working group (EU Mobile Identification Interoperability Group) brings together practitioners and experts in police and immigration services, in different Member States, and in industry and government, to understand developments and trends relevant to mobile ID devices; to recommend how to develop good solutions and strategies; and to help others to avoid repeating expensive mistakes that can be made. This paper on strategy should be read with the other reference papers published by the working group. 3

6 Suggested Good Practice The following good practice suggestions arise from discussions and presentations in meetings of the e-mobidig working group. 1: Take a strategic approach focused on business benefits A strategic approach means focusing planning and delivery on solutions that support the primary aims of the organisation as a whole, judging success on the outcomes achieved. It means designing and building ideas that work well operationally, driving out potential benefits rather than just delivering technology. A strategic approach for mobile solutions would also see common technology being planned (devices, back end systems and infrastructure) that can be re-used, not multiple individual solutions, risking duplication, poor interconnection and missed opportunities. What are the outcomes the organisation expects from an investment in mobile technology, focusing on the business benefits? How will evidence be obtained to prove that planned benefits are achieved in practice? 2: Describe the vision and roadmap To show the organisation what a strategic approach would look like and to gain support for co-operating to deliver that, a vision of what that end-state looks like is needed. It may well not be possible to build a full strategic solution from the outset. A roadmap is helpful to show how the organisation can progressively build new applications and infrastructure to work from where they are now towards realising the vision. Piloting and learning (see below) will help to validate expected benefits and decide whether each potential application should be rolled out. 3: Mobilise business process not just technology Developing a good technical solution that works well, away from a fixed location and network is important, but if it is used with the old business process, results may be poor. To achieve full potential benefit from a mobile development, the technical design and the business process design should be considered together. It may be better to work in a new way to take full advantage of a new mobile solution. Change management and user training are important. Planned benefits can be lost if users are under little pressure to use mobile solutions effectively (or at all) effective use may well require consistent management effort to drive out full delivery of planned benefits. 4: A mobile device is a component not a solution New and more capable mobile devices are being produced all the time. A device may enable a solution or help to deliver a good strategy, but no device on its own can be a mobile strategy or complete solution. Some observations: Is there one ideal mobile device? Probably not for a whole police force or immigration service: suitability for purpose can only be judged in relation to particular business needs which are likely to vary between users and business functions. Different users may need a small smartphone for best mobility; some may need the larger screen of a tablet to view more information with limited input required; others may need a larger screen with extensive input and find that a laptop is best for them; and some but not all of these may need multiple peripherals such as camera, fingerprint reader, document reader and/or printer. Some may need long battery life for continuous mobile operation; others will be 4

7 more intermittent users. The ideal solution may be a range of mobile devices, with good interoperability and the capability to adapt over time. A device agnostic approach is therefore desirable, trying to make the overall strategy more independent from particular devices and suppliers. Standard interfaces may help to make it easier to add new devices and avoid lock in to one solution. Mobile device management (MDM) should be included in a mobile strategy, helping to deliver good control and security, managing users and access rights and tracking who is responsible for every unit, at which location. Cost effective MDM solutions are available e.g. through cloud technology and can increase capacity and help to reduce support and back office costs. 5: Smart infrastructure the secure central hub The need for supporting a range of mobile devices and of back end systems accessed by mobile users argues for an architecture based on some form of central, secure hub supporting the service for mobile users. This would connect to multiple devices and to multiple back end solutions to orchestrate complex transactions using middleware. The relationship between mobile devices, the hub, and reference systems is shown in this figure (see also the e-mobidig Technology Guide). Mobile device A Mobile device B Mobile device C Mobile device D Security Firewall, VPN Middleware Secure integration Connections Services Presentation, orchestion, data sharing, control, audit, software re-use System 1 e.g. fingerprint system System 2 e.g. watchlist system System 3 e.g. ops management system System 4 e.g. PKI central source An example of a complex, orchestrated search possible with this architecture would be a fingerprint search to identify someone. Once the fingerprint system had returned an identity, the hub could use this to search other reference systems, to locate further information on that person, and then prioritise and arrange the information to present it concisely on screen. A hub can help in re-use of services so that a new device can readily make use of existing reference systems and workflows, and a new reference system can more easily be made available to existing mobile devices. A smart design of infrastructure can help to manage complexity to deliver an effective, secure and adaptable strategic solution serving multiple device types and connected to multiple back end systems. It is however important to set and manage realistic expectations about what can and cannot be achieved. 5

8 Such a solution, though strategic for mobile users, may however not be implemented in isolation from broader strategic considerations for the organisation as a whole. Solutions for mobile users may only be one example of a broader, enterprise-wide approach the organisation wants to implement. For example the hub shown above may be one example of an enterprise-wide shared messaging and workflow approach often described as an Enterprise Service Bus; federated searching and identity management / resolution, and a common data platform providing a single version of the truth and shared links to external partner organisations may all be shared solutions of which mobile devices and users are only one of many users. A broader, enterprisewide solution for immigration may look like the following (illustrative only): Mobile users and devices Internal desktop users International / external partners (proven / trusted) Customers : public, business (unknown status?) Security Firewall, VPN different security rules for different classes of user Enterprise Service Bus Integration, messaging Presentation, orchestion, data sharing, control, audit, software re-use Limited security zone Confined area for lower trust users e.g. customer selfservice accounts Common Data Platform Biometrics Case management Border / travel Reporting / data warehouse 6: Understand connectivity Mobile communications can be a powerful enabler for access to business functions on the move, and continues to improve. However, connectivity can also be problematic and will not always be perfect (or even available), in every location. Even though fixed and mobile communications are increasingly converging, mobile communication is not (yet) a universal replacement for a fixed networks. It is important to understand why mobile communications can be problematic, where there are limitations and how improvements may be achieved (see further explanation in the Technical Guide). A solution needs to be mobile aware it needs to be built with a good understanding of where mobile solutions differ from their fixed equivalents. Are communications always necessary? Can a device operate some or even all of the time with no communications? If all the reference data needed to do a job can be loaded onto a device before an officer starts duty, and all data collected be transferred from the device after the duty (example: enforcement tickets?), communications may not be needed for that task, resulting in a lighter device with more battery life because radio is not used. If a device can operate some of the time with no signal (example: fingerprint enrolment from several people?) and then be moved to where the signal is good to resume connection, to send the data and obtain a result, the device will be more tolerant of poor and interrupted connectivity. 6

9 7: Excellence across several technologies Excellence in mobile solutions and strategies needs excellence in several technologies and methods, e.g. mobile technology, mobile communications, security, biometrics, secure authentication of documents this needs sufficient expert knowledge in all these subject areas, plus integration of different streams into a single solution. 8: Pilot and learn Mobile solutions cannot just be designed on paper they require a highly practical solution that works for the organisation and its officers, in the actual context. Design and analysis can go a long way, but ideas may need to be tried out and perfected (or even, rejected) in operational use. Piloting on a smaller scale in live operation may be very effective in validating ideas, for example before a larger rollout. Even if the device is right, lessons may still need to be learned about how best to use them in the business process for maximum value, to train users effectively, and so on. Good piloting and learning will improve users confidence in the solution. Make sure that lessons learned are included in user training. How can you deliver a strong mobile solution where there is no existing experience? One suggested framework is to get there in three stages: (1) Proof of concept (PoC) prototyping an initial solution and simulating operational conditions to understand business requirements and demonstrate technical feasibility; (2) Proof of Value (PoV) a trial of the technology and processes with a limited user group in operational conditions to demonstrate that benefits can be achieved; before (3) Full rollout of what is by now a proven solution in which you have confidence. 9: Test robustly There are a lot of ways in which a mobile solution may not be fit for purpose. Functional testing is one aspect does it do what it is supposed to do? Nonfunctional testing is also critical is the device reliable and quick enough in practice? Is it able to be used and understood by real users in real use? If the device encounters a connection problem is it able to recover cleanly and automatically? Is the device secure and able to resist all foreseeable attacks, especially as the integrity and protection of core systems could be at risk? Will the solution work at the full loading of transactions required at peak? The approach taken to all aspects of testing must be robust the device needs to be proved to work effectively in real, operational conditions, not just in the laboratory. Testing must expose and resolve any shortcomings before rollout to large numbers of users, including testing new business processes enabled by the mobile solution. Once the right test approach has been found, define it clearly as a test standard for the organisation so that it can be repeated consistently when needed. 7

10 Strategy Your next move: developing a strategy for mobile solutions We believe that many organisations have still to develop a real, organisation-wide mobile strategy. Several have implemented mobile solutions as a tactical approach to solve a particular business issue. It is clear that mobile solutions will become more significant and pervasive over the next decade and there is therefore an increasing need to progress to a full mobile strategy within organisations. e-mobidig would encourage immigration and police services: To note the developments in mobile technology that are taking place and to consider the strategic opportunities these bring for increasing effectiveness and delivering business benefits. e-mobidig encourages each organisation to investigate potential benefits and to develop a strategy for effective use of mobile solutions. When considering a proposal for the use of mobile technology, this is a good opportunity to consider whether this should be progressed as a tactical or strategic solution. A tactical solution particularly with the opportunity to pilot ideas for further development may still be the right approach, but it is worth considering what is best for the organisation whether a more strategic approach should be adopted. To note the good practice advice set out in this paper and in other working papers from the working group. e-mobidig intends to continue to work to identify and share good practice in this field, but encourages others to recognise that no two organisations are identical and that analysis is still needed for the individual circumstances of each organisation. Potential main areas for business benefit from mobile solutions may include: Clearer, quicker, more certain identification of people away from a fixed police or immigration office. This benefits officers in reducing doubt about someone s identity or possibly their intentions, and where appropriate in alerting the officer to important information. It benefits the genuine person who is correctly asserting their identity. It may increase the possibility of detecting identity fraud or apprehending people who are wanted for some reason by the authorities. Benefits may include: increase in operational success and assurance on identity, decrease in missed identification of wanted persons and those considered likely to engage in criminal activity. This may therefore also generate benefits through saving of time and cost in bringing a suspect to a fixed office to do identity checks, potentially unnecessarily. Benefits may include: increase in productivity, saving of staff time / cost, saving of vehicle / fuel costs, potentially savings in office costs because less office space is required with more officers able to work at full productivity away from base. Clearly, all use of mobile (or fixed) systems for identification or other purposes involving personal information must be in accordance with the law within each country, including privacy and data protection, and with operational guidance issued by the service in question. 8

11 Self-check: Where is my strategy? How would you describe your organisation s strategy in relation to mobile solutions? Level Description Commentary 1: Observing We see potential value but are watching developments before committing. Prudent let others make the mistakes and we can learn. Risk-averse? There is already growing capability, and some learning can only be obtained by operational experience. Time to start piloting and thinking about future strategy? 2: Tactical 3: Strategic We have a mobile device for use in the field that connects to one of our core IT systems and are thinking of some further developments. We have an organisationwide mobile strategy and have embedded mobility in our culture. We exploit mobile technology in a coordinated way using a range of mobile devices in several business functions, accessing several core IT systems. This delivers real improvements to our efficiency and effectiveness in achieving the aims of the organisation as a whole. Tactical solution aims to fix or help a specific problem and set of people within the business. Can be a good way to start. Beware of building multiple solutions that do not interconnect. Encourage a more strategic approach for the whole organisation / all solutions. Strategic approach aims to maximise benefit for the whole organisation. Joined up. Coherent. Please share your good experience and lessons learned with others (including e-mobidig). Targeting substantial benefits at the strategic level should provide greatest advantage for an organisation, but requires a sustained, long-term programme to achieve. It is not a simple solution or a quick fix. But to make a long journey you must take the first step and then many more to follow. 9