TRENDS IN eGOVERNMENT: Drivers, applications and technologies
Global trends in government identity: GROWING THREATS
Foreign fighters: exceeds 30,000 (Jan 2016)
Unprecedented refugee crisis: 59.5M displaced by war in 2014
Lost or stolen travel documents: 53M+ as of November 2015
Growth in terrorism in 2014: 80%, largest ever Y/Y growth
Export of terrorism: number of countries up by 8 to 67
Official asylum seekers in Europe in 2015: 1 Million, mostly from Syria, Afghanistan and Iraq
Global trends in government identity Government has a big job Dealing with the broader threats Dealing with the efficiencies and evolution of busi We offer common technologies to address There are two
trends highlight need for trusted digital solutions
What Operational Problems Are They Trying to Solve?
Transaction Costs: digital transactions cost 20% less than phone, 30% less than post, 50% less than in-person
Entitlement Costs: estimated 10% of benefits spending consumed by fraud; $800B annual problem worldwide
Citizen Service Levels: elevated expectations; citizens no longer accepting 9-5 access
Estimates vary — average 10% in benefit programs. 5 EMEA countries: $54B in improper payments annually. US Federal Government: $125B improper payments in FY14 (50% in healthcare); US numbers up 17.9% from FY13 (YoY).
US Federal source: GAO report - http://www.gao.gov/products/GAO-14-737T
EMEA data from UK, France, Portugal, South Africa, Spain listed in Accenture report: Fraud, Waste and Abuse in Social Services
GOVERNMENT environment Global government spending on IT is still rising $476B $431B FOCUSING ON PHYSICAL AND DIGITAL SECURITY WHILE INCREASING CONVENIENCE AND PRODUCTIVITY Digital Workplace Items from the Top 10 List of Government IT Investments 2015-2019 Other top 10 items 3. Open any data 5. Edge analytics 6. Scalable interoperability 9. Web-scale IT Source: Gartner Multi-Channel Citizen Engagement Citizen e-ID E-Gov Platforms Internet of Things Hybrid Cloud
Government environment Digital Workplace Simple access to networks and applications from anywhere, on any device Multi-Channel Citizen Engagement Allowing citizens to interact with their government when and where they need to do so Citizen eID Secure, standard based programs for use in travel, identification and access E-Government Platforms Convenient, self-service interfaces for the delivery of benefits and services Internet of Things Secure and reliable authentication of devices, components and systems Hybrid Cloud Access to robust applications and functions in a low overhead, connected environment
Global Trends in Credential Issuance Volumes and Personalization
Key trends 1.5B Passengers by 2020 BORDER CONTROL AND PASSPORTS Key markets will see growth in the adoption of Gen 2 ePassports with interest in LDS2 International travel increase driving need for faster and more accurate passenger clearance Increase in adoption of ICAO PKD = more countries validating documents at the border DRIVING LICENSE Move toward centrally issued cards to increase program security Issuance of higher security cards gains popularity in new programs Mobile DL programs being piloted HIGH ASSURANCE ID Escalation/globalization of nation state attacks against governments is significant Data breaches exposing sensitive employee information Mobile employees need credentials for access to corporate systems HEALTHCARE Data breaches have exposed sensitive information costing ~$350 per record to remediate Cost and error reductions driven by digital health record initiatives will require trusted interoperable ID Client experience improvement to manage billing 1.5B Passengers by 2020
NID ID1 issuance growth 12%CAGR NID ID1 Personalisation Technology By Annual Issuance Volume
DL ID1 issuance growth 5%CAGR DL ID1 Personalisation Technology By Annual Issuance Volume *Note: Excludes China & Japan
Passport Book issuance growth 5%CAGR Passport Personalisation Technology By Annual Issuance Volume
GLOBAL USE OF SMARTCARD BASED CREDENTIALS
Smart cards in government applications Government IDs help penetrate the unbanked paired with a banking application Internationally recognized standards, such as EMV and ICAO, bring additional functionality to credentials Partnerships and joint vendors to combine resources and expertise to enable and help governments better understand how best to implement secure e-government services Enable secure access to e-government services
Smart cards in Latin America The Smart Card market in Latin America in the Government sector was valued at US$100.4 million in 2014 and is expected to reach US$193.9 million by 2019, growing at a CAGR of 14.1 percent.
Mobile identity
BASICS: IDENTITY VS. CREDENTIAL
What is a trusted Identity? A WELL-RESPECTED DEFINITION Governments want policy and law to promote an identity infrastructure that enables them to serve their citizens more efficiently. On the lightweight end, they want to offer citizens an easy way to interact with agencies and departments. On the heavier end, they want to equip citizens with secure electronic identity documents (eIDs) to prove who they are, as a means for facilitating more critical transactions, such as crossing borders, accessing health records, or paying taxes.” Towards a Policy and Legal Framework for Identity Management: A Workshop Report by Mary Rundle, October 2009
Identity vs. credential
Identity: Who you are. General set of characteristics that uniquely define a person in a defined environment.
Identity characteristics: More unique; Changes infrequently; Biometrics data; Biographic data; Relational data — work history, family, addresses
Credential: What the legal authority says you can do. Physical or logical binding of identity to attributes — privileges assigned by an authority.
Credential characteristics: Multiple credentials for single identity based on various authorities and processes; Allows for transactions & interaction; Project specifics and risk dictate form factor — paper, badge, password, smart card, mobile; Not always a document — can be mobile
Credential examples: National ID; Passport; Drivers License; Mobile
Identity — SIMPLIFIED EXPLANATION Black Hair Brown Eyes
Credential — SIMPLIFIED EXPLANATION Black Hair Brown Eyes
TRENDS IN E-IDENTITY
Four Phases of e-Government
Axes: CONSTITUENT VALUE; LOWER SECURITY to HIGHER SECURITY
1. Informational: Statistics; Archives; Downloadable forms; Environmental awareness
2. Interaction: Online forums; Opinion polls; Blogs; Connection to social media
3. Transactional: eAuthentication; Tax/Utility payments; Payment for birth registration; Payment for car registration
4. Transformation: Integrated Services; Intimate G2B, G2C, G2E relations; Performance accountability
Another view of this is the delivery of eGov services as discussed in the UN reference model. Moving from basic services to more transactional services, ID becomes a bigger issue. Citizens interact with e-gov programs at a variety of levels, each with unique requirements for identity verification.
Source: United Nations E-Government Survey 2012 - E-Government for the People
Program risk profiles: Privileges, People, Process, Production. ALL MUST BE CONSIDERED
Privileges: Informational; Interaction; Transactional; Transformation
People: Program staff; Approval processes; Role-based access
Process: Physical security; Number of enrollment sites; Fulfillment of the credential to the citizen
Production: Credential design; Issuance model; Trust infrastructure
BUDGET and PRIVACY apply across all four.
The 4 Ps of program risk assessment. Each program should define risk level for program/risk level for types of transactions. Balance risk, cost, speed of decision-making, availability of information and sophistication of individuals or organizations posing potential threat. Every program is different — deployment model, budget & privacy concerns significantly impact all areas of the risk profile.
Deployment models IDENTITY PROVIDER STANDALONE CREDENTIAL PROVIDER Pros: Requires no/limited interaction between authorities Cons: Duplication of effort and data sharing can be challenging security issues
Deployment models LEVERAGED INFRASTRUCTURE IDENTITY PROVIDER CREDENTIAL PROVIDER Pros: Common process for establishing trusted identity; Ministries maintain control Cons: Requires some Ministry agreement
Deployment models ALL IN ONE IDENTITY PROVIDER CREDENTIAL PROVIDER MINISTRY 1 MINISTRY 2 MINISTRY 3 Pros: Can save on infrastructure costs if enough agencies buy in Cons: Complicated to implement and challenging to get agency agreements
TRUSTED IDENTITY
Everything begins with trusted identity ONE TRUSTED IDENTITY ACROSS ALL SECURE CREDENTIALS SECURE ACCESS TO MULTIPLE ECOSYSTEMS Borders Passport Benefits National ID This is how we approach identity programs With a strong identity (trusted identity), it can use across multiple credentialing programs and this is what Entrust Datacard provide which forms part of our major value proposition. ICAO recommends single ID platform to centrally issue documents and we have identity credential management platforms to support this There is also a trend towards multi-purpose ID cards with the main function being an ID but also doubles as a payment card (benefits payments), DL, travel card (in/out of country), access to eGov sites, etc which Entrust Datacard has credible reference in. Driver’s License Healthcare
Everything Starts with Trusted Identity
In today’s world – with traditional barriers falling away – trust in every entity on your network becomes crucial.
The array of network connected smart devices, otherwise known only by IP endpoint addresses, need to be trusted; or they could be rogue entities tapping into access IP, confidential customer data, or other sensitive
Users, not only employees but also partners, contractors and possibly customers, need to be strongly identified but also differentiated in terms of privilege and perhaps how their identity is managed over time.
Increasingly, applications have autonomous and automatic interactions and transactions to fuel the speed of digital business.
Cyber threats are at an all time high, and all cyber threats are fundamentally or originally an attack on identity, whether that be an individual or an application.
And you need consistency across the organization for policy and assurance around identity, and a concrete understanding of trust in identity. PKI is the ideal vehicle for the enablement of strong identity across the enterprise.
Trusted Identity = secure transactions
AUTHENTICATION: PHYSICAL & LOGICAL ACCESS
DIGITAL SIGNATURE: INTEGRITY & AUTHENTICITY
ENCRYPTION: COMMUNICATION & DATA CONFIDENTIALITY
SECURE BUSINESS TRANSACTIONS
There’s only one technology that addresses these requirements in a comprehensive fashion. PKI is unique in that the public/private key pair that is generated can be employed in different ways to achieve different effects: auth, digital signature. The PKI Certificate Authority (the heart of any Public Key Infrastructure) at registration time attests to the authenticity of that identity by itself digitally signing a certificate. The combination of these technical underpinnings makes this a profoundly strong architecture for the digital enterprise.
Our advantage: designed for scale
Security & certificate policy to meet your enterprise or regulatory requirements
Manage disparate roles and privilege levels for both internal and external communities
Issue, renew, revoke, track and manage digital certificates seamlessly
Provide secure and frictionless access to networks, apps, devices
The PKI – Authority Security Manager – implements an incredibly rich policy that can adapt roles and privileges to allow you to segment administration across the enterprise. With key and certificate management, especially in the context of user/human interaction, completely automated and under the covers and just responding to the policy set – me at Entrust 16 years
THE GOVERNMENT IDENTITY ECOSYSTEM
The government enterprise
The Government enterprise borders
The government enterprise – CITIZEN
The government enterprise – EMPLOYEE
ENROLLMENT, ISSUANCE AND USE
Government enrollment solutions A RANGE OF OPTIONS
Government enrollment solutions
Government enrollment solutions EMPLOYEE ENROLLMENT
Government issuance solutions
Validation – Government employee
Validation – citizen services
Validation – border applications
Government Citizen use cases
Government employee use cases
Government border use cases
Going forward this is a comprehensive identity ecosystem platform flow and an introduction to our identity and credential lifecycle management platform, Secura.
Trust infrastructure — BORDERS EXAMPLE
First part of the process: ENROLLMENT
1. Pre-enrollment — confirm application details
2. Capture processes — photo, fingerprint, signature
3. Breeder document scanning
4. Check for duplicates
This is Secura: pre-configured workflows; follows ICAO standards; includes all fundamental elements of identity enrollment and vetting.
Going forward this is a comprehensive identity ecosystem platform flow, starting with Citizen Enrollment.
The platform should allow input of citizen biographic data and capture of quality biometrics to int’l standards.
Enroll breeder documents as part of the applicant’s identity attributes to create a strong identity.
Vet the captured data against backend databases to check for counterfeits/duplicates (watch-list, blacklists, etc.).
Then bind identity to credential to establish a Trusted Identity.
The enrollment process should cater to multiple sites (i.e. embassies, etc.; thus, a web-based platform will be an advantage).
First part of the process: ENROLLMENT (CORE TO THE ECOSYSTEM)
1. Pre-enrollment — confirm application details
2. Capture processes — photo, fingerprint, signature
3. Breeder document scanning
4. Check for duplicates
This is how the enrollment fits into the overall solution and interfaces with the credential management component.
Going forward this is a comprehensive identity ecosystem platform flow. Credential issuance: this is where the system needs to perform biographic & biometric enrollment of the citizen applicant and ensure the data is in correct formats to be personalized on the physical document and the RFID chip (i.e. encode the chip with digital keys from the Certificate Authority (CA)).
Also, the platform should cater to centralized, distributed or hybrid issuance models according to actual program requirements.
second part of the process ISSUANCE NATIONAL ID Operator and application verification Download trusted identity file If applicant is applying in-person – Biometric verification of applicant – Sign document Personalization on Datacard® system 1 2 3 DRIVER’S LICENSE 4 This is the core to our capabilities (over 40 years experience) Personalization for passport and ID cards (ie. inkjet, color, laser) with best possible results both on a central and desktop issuance models Our focus is on Security, interoperability & core issuance capabilities PASSPORT
second part of the process ISSUANCE Operator and application verification Download trusted identity file If applicant is applying in-person – Biometric verification of applicant – Sign document Personalization on Datacard® system 1 1 2 3 CORE TO THE ECOSYSTEM 4 Credential issuance: For the digital part of the Credential issuance we need to sign the chip data via a certificate authority and have mechanism to check the authenticity of the cert in the form of backend infrastructure
THIRD part of the process: USE AT BORDER
1. Portable scan or read at e-gate
2. Field office confirmation — photo and biometrics
3. Adjudication process — validation authorities (PKI)
4. Update identity to reflect travel history
What’s important to countries at the borders is that the travelers are who they say they are and are legal to enter the country (having a valid passport, not on a terrorist list, blacklist, watch-list DB, etc.). Thus, reader infrastructure is required at the borders as part of the inspection systems to verify the travel document via eGate, kiosks & manned officer counter readers.
PKI technology lets the inspection system verify the integrity of the data contained on the chip and that the document was signed by a legitimate issuing authority.
The ICAO PKD platform acts as a central broker to manage the exchange of digital certificates and certificate revocation lists of contracting ICAO PKD countries – currently around 45 countries. The ICAO PKD is used as a platform for exchanging signature certificates of the national Country Signing Certification Authority (CSCA), the signature certificates of the Document Signer Certification Authority (DSCA) and the corresponding Certificate Revocation List (CRL) between participating nations.
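The border check described above, as an added example that is not part of the original slides: a simplified model of an inspection system validating chip data against a CSCA trust store and a revocation list of the kind exchanged through the ICAO PKD. Signatures use toy unpadded RSA over constructed keys, certificate validity dates and the CRL's own signature are left out, and every name (`Cert`, `inspect`, `issue`, "Utopia") is hypothetical.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent

def make_key(p, q):
    """Toy RSA key pair from two primes (no padding; illustration only)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    pub: tuple
    sig: int = 0

    def tbs(self):
        """Bytes covered by the issuer's signature."""
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.pub}".encode()

def sod_bytes(sod):
    """Canonical encoding of the signed table of data-group hashes."""
    return "|".join(f"{k}={v}" for k, v in sorted(sod.items())).encode()

def inspect(chip, csca_store, crls):
    """Return (accepted, reason) for one chip read at the border."""
    ds = chip["ds"]
    csca = csca_store.get(ds.issuer)
    if csca is None:                       # issuing country not trusted
        return False, "unknown CSCA"
    if not verify(csca.pub, ds.tbs(), ds.sig):
        return False, "DS certificate signature invalid"
    if ds.serial in crls.get(ds.issuer, set()):
        return False, "DS certificate revoked"
    if not verify(ds.pub, sod_bytes(chip["sod"]), chip["sod_sig"]):
        return False, "SOD signature invalid"
    for name, data in chip["dgs"].items():  # chip data vs signed hashes
        if hashlib.sha256(data).hexdigest() != chip["sod"].get(name):
            return False, f"{name} hash mismatch"
    return True, "ok"

# Constructed issuer side: one country signing CA and one document signer.
CSCA_PUB, CSCA_PRIV = make_key(2**127 - 1, 2**107 - 1)
DS_PUB, DS_PRIV = make_key(2**89 - 1, 2**61 - 1)
CSCA = Cert("CSCA Utopia", "CSCA Utopia", 1, CSCA_PUB)
DS = Cert("DS Utopia 01", "CSCA Utopia", 42, DS_PUB)
DS.sig = sign(CSCA_PRIV, DS.tbs())
TRUST = {CSCA.subject: CSCA}

def issue(data_groups):
    """Personalize a chip: hash each data group, sign the hash table."""
    sod = {k: hashlib.sha256(v).hexdigest() for k, v in data_groups.items()}
    return {"dgs": dict(data_groups), "sod": sod,
            "sod_sig": sign(DS_PRIV, sod_bytes(sod)), "ds": DS}

if __name__ == "__main__":
    chip = issue({"DG1": b"P<UTOERIKSSON<<ANNA<MARIA", "DG2": b"face-image"})
    print(inspect(chip, TRUST, {}))
    chip["dgs"]["DG2"] = b"substituted-face-image"
    print(inspect(chip, TRUST, {}))
```

Each rejection reason maps to one control: the trust store decides which issuing authorities are accepted, the CRL removes a compromised document signer, and the signed hash table detects altered chip data.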
THIRD part of the process: USE AT BORDER (CORE TO THE ECOSYSTEM)
1. Portable scan or read at e-gate
2. Field office confirmation — photo and biometrics
3. Adjudication process — validation authorities (PKI)
4. Update identity to reflect travel history
Countries that evolve/upgrade their ePassport programs to include advanced biometrics will require PKI for validation at the borders and backend infrastructure to support it – hence Country Verifying Certificate Authority (CVCA) & Document Verifying Certificate Authority (DVCA). This aims to increase the program security through enhanced protection of the ePassport chip biometric data, which will be highly resistant to impersonation/fraud. Chip data cannot be duplicated/cloned, the ePassport reader authenticates itself to the ePassport, and the ePassport chip only releases advanced biometrics to trusted readers.
borders ecosystem – HOW IT COMES TOGETHER As articulated previously, this is how Entrust Datacard represent the comprehensive identity ecosystem and the identity and credential lifecycle management system. Starting from enrollment, issuance, credential management to electronic validation at the borders via inspection systems.
eGOV SERVICES EXAMPLES
FEATURES AND FUNCTIONS Estonia BACKGROUND 75% of households have internet Estonia covered with possibility of dedicated links, public internet points 1,100+ public WIFI networks officially registered OUTCOMES “We use information technology as an instrument for increasing administrative capacity and ensuring an innovative and convenient living environment for citizens” Gateway to e-State in place since 2002 68% of internet users know the State Portal In 2010 the state portal was visited 2.65 million times 40% of eID card users actively use Digital ID 140,000 people used eVoting in last election Government issues official e-mail address 30,000 users of mID (mobile) 95% of populations declared their taxes electronically eID is used for public transport eSchool enables electronic communication between teacher, student and parents FEATURES AND FUNCTIONS Identification X Payment Smartcard Travel Public Private Biometrics Photo Example of a limited leveraged infrastructure. Gov’t desire to push services closer to citizen and for distribution of wealth. Social security administration leveraging national ID system for proofing and then managing credential internally. Also tied into local banking infrastructure for payments. China
UNITED ARAB EMIRATES BACKGROUND Strong citizen preference among the majority for traditional access channels – in-person or telephone- based interactions with government Need for fundamental infrastructure development to gain trust of citizens Need to expand outreach and accelerate e-gov diffusion OUTCOMES Identity management infrastructures to play a key role to standardize access information authentication across member states. Legislation – Privacy, digital signature Strong centralized identity management in support of domestic service delivery Mutual recognition and validation of identity documents and land/air border crossing for residents Government services using online authentication and digital signature Source: Presentations of Dr. A.M. Al-Kouri
Asia SOCIAL SECURITY CARD
BACKGROUND: Physical and electronic verification; Access to insurance benefits; Instant settlement of medical expenses; Access to public services; Electronic patient records; Social benefit payments
OUTCOMES: Instant eID issuance solution integrated with social security, bank and police systems for identity verification; eID personalized with social security and banking applications; Bank accounts linked to Social Security Accounts for deposits and claims; Instant issuance systems easily deployed throughout wide network of bank branches; 45-day card application process now takes one day
FEATURES AND FUNCTIONS Identification X Payment Smartcard Travel Public Private Biometrics Photo
Example of a limited leveraged infrastructure. Gov’t desire to push services closer to citizen and for distribution of wealth. Social security administration leveraging national ID system for proofing and then managing credential internally. Also tied into local banking infrastructure for payments. China
Asia government multi purpose card BACKGROUND Government multi-application smart card Contains citizen’s personal data and electronic signature Provides access to government and medical services Other applications include banking, credit, telephone, and transport OUTCOMES 17M+ eIDs issued to citizens 12 years and older Multi-application card replaces current driver license Contains critical health information and hospital visit data Includes passport information and access to auto-gates at airports and other points of entry Verification process linked to watch lists Applications now include electronic purse and ATM Common platform allows for fast, affordable scalability FEATURES AND FUNCTIONS Identification X Payment Smartcard Travel Public Private Biometrics Photo Malaysia
North American Electronic Benefits program BACKGROUND Greater access without stigma Uninterrupted operations Maximum program efficiency Fraud reduction OUTCOMES Move program management functions online to simplify enrollment & utilization Replace paper-based check and voucher programs with pre-paid cards to reduce forgeries, theft and misuse Support transaction processing with major retailers with automated validation of each item as program - eligible right at the cash register Provide EBT ATM access Provide reporting and auditing capabilities that help agencies detect and identify fraudulent activity FEATURES AND FUNCTIONS Identification Payment X Smartcard Travel Public Private Biometrics Pre-paid data we saw earlier.
North American Electronic Benefits card BACKGROUND Social services issuing and mailing checks to recipients Support infrastructure was labor intensive and very expensive Mailing delays/theft left beneficiaries without payments for long periods OUTCOMES In-person issuance of card linked to a review of case management records to ensure eligibility and reduce fraud Debit card issuance established a valid account in the name of the beneficiary Additional funds can be added to the card by case workers as needed Beneficiaries were able to set up their own unique PINs and use the card immediately as they would with any other credit card Significant program savings realized by eliminating printing and mailing of checks FEATURES AND FUNCTIONS Identification Payment X Smartcard Travel Public Private Biometrics This one in Canada Not ID, but proofing similarities in process Efficiency. Theft of checks. Tied to standard banking infrastructure.
THANK YOU