National RA WebEx 17 April 2018 – 2pm presented by CIS Team

Agenda
Structure of the session:
- Strategic Authentication Update: long term vision; strategy for identities; strategy for methods of authentication; priorities for 2018/19
- RA Audit
- GDPR and CIS Databases
- RA101
- Data Quality: RA positions; ESR interface transactions; system generated positions; predecessor positions; outsourcing RA
- 08 Smartcards
- RA Incidents

New Authentication Services Update (NHS Identity)

Connected Services
Components of the Next Generation Health Identity Platform (the Digital Identity Interoperability Platform): applications, connected devices, PKI, authentication, authorisation, federation, registration management, user self-service, role management, digital signing, analytics, attribute exchange, IoT and a consent dashboard.

Digital identity is not just about security. It is a mechanism for linking devices and their capabilities to individuals (e.g. the location of an individual via a mobile device) and for using that relationship and the device's capabilities seamlessly in applications and cloud services. The same identity can carry preferences, sites visited and contact mechanisms and, when combined with IoT, biological information (heart rate, blood sugar levels etc.). This allows continuous profiling, but also gives control to the user by requesting consent (consent handling is built into the security model).

Enhanced Strategic Authentication: Options
- Stop / Do Nothing, or leave CIS 'as is': closing the project is not an option. Leaving CIS as is means smartcards plus limited add-ons such as Google OTP (one-time password); mobile and platform-agnostic sign-on are not catered for, and there is no authorisation capability to protect services.
- MVP+ Beta: a live release to support mobile access and existing smartcards. The Minimum Viable Product, as a live service: support SSO; support initial smartcard alternatives, e.g. OTP for the Data Landing Platform; support current smartcards, but built on recognised standards; support protecting some of the 2020 APIs; support internet access; support multi-platform clients; abstract national authentication outside the client application; support service-by-service access rules; add a FIDO option to allow local choice of proof.
- Maximum / Modernise: a full identity stack providing a full end-to-end service. Do all (planned): revise the Clinician Registration Assurance Service; revise identity management to be more self-service oriented, bringing in more sources of identity (GMC, bank staff); revise role management (can do better than a spreadsheet); add a Remote Signature Service; add risk analytics engines to detect anomalies; add medical IoT management.

NHS Identity Components
Three new national services will be built:
- National Care Worker IDP: provides logon services at various assurance levels depending on the organisation's scenario requirements. Initially smartcard, OTP and push notification at service go-live, followed by FIDO-based biometric support. Platform agnostic (e.g. ChromeOS).
- National Access Gateway: protects national APIs and services by reference to a granular set of rules and policies.
- National Federation Service: allows the national sign-on to be used to access third-party national services such as NHSmail, O365 and ESR.

Long Term Roadmap Themes
Roadmap items, scheduled between 2017 and 2020 (the slide gives a year range per item; the pairing is not preserved in this transcript):
- Next Gen Access Control
- Simple Registration
- Remote Signature
- User & Role Management
- AI Continual Risk Analytics
- IoT Management
Each item is tagged on the slide with the benefits it brings: simplifies process, increases security, saves time, saves money, enables mobility. Common themes across the roadmap: a single trusted digital identity, a single trusted digital identity signature, and simplified logon.

Strategy for Digital Identities
Currently a high bar (e-GIF Level 3) exists for creating a digital identity, whatever the use. Is that really needed to access e-learning, or to upload data the organisation already owns?
There is plenty of guidance available, as e-GIF has been deprecated for a number of years: UK GPG 43, 44 and 45; US NIST (SP 800-63). All describe different levels of identity assurance for different needs.
The plan is to cater for two levels of identity in future:
- Level 1: access to non-personal, non-sensitive, non-clinical information
- Level 3: access to personal, sensitive or clinical information
The new authentication product is piloting Level 1 identity with the Data Landing Portal, a web submission portal for sending data in a secure and consistent way across organisations.

NHS Identity: Supported Authentication Methods v0.3
The slide groups the methods under Authenticator Assurance Level 1 and Authenticator Assurance Level 3; that column split is not preserved in this transcript. Each method is listed below with the additional authentication component(s) the slide pairs it with (paired here by name):
- User ID + Password: no additional component listed
- One Time Passcode via Email: email client
- Time-based One Time Passcode: iOS or Android smartphone / tablet with Authenticator installed
- Smartcard + PIN: smartcard and smartcard reader, NHS Digital Identity Agent and mini-drivers
- Push + Bio/PIN/Pattern: iOS or Android smartphone / tablet with Authenticator installed and network connected
- FIDO2 Device + Bio/PIN: FIDO2 device
- Wearable + Bio/PIN: wearable device plus NFC or Bluetooth reader
- ForgeRock iOS FIDO2 Module + Bio/PIN: ForgeRock FIDO2 module installed on the tablet
- Yubikey + Bio/PIN: Yubikey
"Works with" platforms on the slide: Windows PC, Windows laptop, Win10 tablet, iPad, MacBook/iMac, Android tablets, Chromebook. The slide marks which platforms each method works with; that per-method mapping is not preserved in this transcript.

The Next 12 Months Priorities
- Transition plan: develop, consult and agree timelines
- Mobile SCRa pilot via an iOS device
- Federation of identity with NHSmail
- OpenID Connect standard for smartcard authentication

Longer Term Priorities
- Redesign of the registration process
- Redesign of RBAC: user and role management
- Digital signing (non-repudiation)
- Enhanced analytics
These priorities mean no significant investment in the current system beyond performance and maintenance.

Poll #1 What 3 things would you like to change about the current authentication and registration service?

RA Audit

General Purpose of RA Auditing
All RAs should, as a matter of good practice, regularly audit the service they provide to ensure that they are:
- making appropriate and effective use of Care Identity Service and the associated guidance,
- maintaining Local RA Policy in full compliance with National RA Policy,
- identifying any lack of adherence to policy requirements that leads to poor or inefficient practice,
- identifying any workarounds that have been put in place, so that they can be removed in favour of national policy and practice.

Prime Purpose of National RA Audit
- Provide NHS Digital with a view of whether user organisations appear to follow national RA Policy and Procedures
- Enable NHS Digital to contact organisations to raise concerns as necessary
The launch of the new RA software, Care Identity Service, together with the associated guidance, the National RA Policy and user involvement, highlighted the variety in RA practice that exists. In some cases this has identified a lack of adherence to policy requirements, in others poor or inefficient practice. The lack of standards around governance and process means that similar types of organisation provide or receive very different levels of service, and some of this variation potentially leads to unacceptable workarounds being put in place. An audit process or service would give both NHS Digital and end-user customers a level of assurance that practice is of an acceptable standard. To this end a national extract of RA audit indicators is being developed as a central report. Further information will be published on the WordPress site at https://careidentityservice.wordpress.com/

RA Audit Report
To help organisations undertake their own RA audit, the National RA has been:
- developing a central RA Audit Report,
- testing the initial version of the report,
- planning a version that RA hosting organisations can run against their own data, to enable the local RA team to improve awareness of issues requiring attention, resolve local issues in a timely way, and make the report part of a local RA self-improvement cycle.
What can be delivered to organisations is being tested with the organisations represented on the National Identity & Access Management Board.

GDPR and CIS databases

GDPR and CIS databases
- As with other organisations, NHS Digital is mandated to comply with GDPR and, as part of that, to complete a Data Protection Impact Assessment.
- We are in discussion about the data held in the CIS database: whether to continue to hold it, and what we might need to hide to comply with GDPR.
- Smartcard Terms & Conditions will need to be updated, with legal advice obtained on the wording.
- When the Smartcard T&Cs are updated, all registered users will need to read and accept the updated version.

RA Good Practice

RA101
New RA Managers:
- National Policy (September 2014)
- A future WebEx for newly appointed RAMs; suggested topics welcomed; a possible approach is a worked 'show and tell' via WebEx
RA Exec Lead and RAM appointment letters:
- Held by the identified RA Manager
- These do not usually require NHS Digital to be on copy unless 'seeding' is required
- Responsibilities are outlined at https://digital.nhs.uk/Registration-Authorities-and-Smartcards

Data Quality
- RAMs must be pragmatic in managing the RA service they are responsible for.
- Regular reporting, on roughly a 3-month cycle.
- Last-login reports often show a high proportion of card-holders never using, or no longer using, the access assigned to them. If access is not being used there is no continued business requirement for it.
- Continued misuse of codes, e.g. B0272 in RA positions, must be dealt with.

RA Positions
- RA positions regularly contain sensitive, excessive or inappropriate access profiles, or have been assigned to staff groups for which they are not suitable.
- Ensure IG is involved in 'signing off' the role profile?
- Implement a suitable sponsorship model and give training: the assignment 'signs' the transaction.
- There have been reports to the ICO, and action is being taken, on the use of certain codes, e.g. B0082 Legal Override of Consent.
- Is the volume of users with PDS / SCR access appropriate?

ESR Interface Transactions
- Regular incidents are being seen where the wrong user has been associated in ESR and pushed through to CIS.
- Care must be taken when updating 'core' identity. HR officers must be trained in their responsibilities.
- The RA is required to use due diligence. The change will arrive in the Request List with 'source' ESR.
- The RA MUST compare the new information with the old before confirming the true identity and granting the change. Use two CIS search windows open side by side to compare.
- Overwriting a person's data and/or photo is considered a clear IG breach, and will skew audit data.
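The comparison the RA is asked to do by eye in two CIS windows can be expressed as a rule set. The following is an added example (not code from NHS Digital, CIS or ESR) of a pre-confirmation check over an ESR-sourced update: it accepts no-op changes, sends a single name change for evidence review, and refuses updates where an immutable identifier, several core fields or the photo would be overwritten, since that pattern is what a wrong-person association in ESR looks like. The field names, the rule set, the 'uuid' identifier and the sample records are assumptions made for illustration.

```python
"""Added example, not code from NHS Digital, CIS or ESR: a pre-confirmation
check for an ESR-sourced identity update.

Assumptions made for illustration: the field names, the rule set and the
sample records. They are not taken from the slides."""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import List

# Fields treated as 'core' identity (assumed set).
CORE_FIELDS = ("family_name", "given_names", "date_of_birth", "ni_number")
# Fields that should never change for the same person (assumed).
IMMUTABLE_FIELDS = {"date_of_birth", "ni_number"}


@dataclass
class IdentityRecord:
    uuid: str             # CIS identity the update is addressed to
    family_name: str
    given_names: str
    date_of_birth: str    # ISO 8601 date, e.g. "1975-03-09"
    ni_number: str
    photo: bytes = b""    # raw image bytes; empty means 'not supplied'


@dataclass
class Verdict:
    decision: str                            # "confirm", "review" or "reject"
    changed: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def _norm(value: str) -> str:
    """Ignore case and spacing differences that are not real changes."""
    return " ".join(value.split()).casefold()


def photo_digest(photo: bytes) -> str:
    return sha256(photo).hexdigest() if photo else ""


def check_esr_update(existing: IdentityRecord, incoming: IdentityRecord) -> Verdict:
    """Compare the incoming ESR record with what CIS already holds.

    'confirm': nothing in the core identity differs, so there is nothing
               for the RA to confirm.
    'review':  a single name field differs (e.g. change of surname); the RA
               must check evidence before granting the change.
    'reject':  an immutable identifier, several core fields or the photo
               differ; the likely cause is a wrong-person association in
               ESR, so the change must not be confirmed.
    """
    if existing.uuid != incoming.uuid:
        return Verdict("reject", reasons=["update is addressed to a different CIS identity"])

    changed = [f for f in CORE_FIELDS
               if _norm(getattr(existing, f)) != _norm(getattr(incoming, f))]
    reasons: List[str] = []

    # Only compare photos when both sides supplied one.
    if incoming.photo and existing.photo and \
            photo_digest(existing.photo) != photo_digest(incoming.photo):
        changed.append("photo")
        reasons.append("existing photo would be overwritten; treat as an IG incident")

    immutable_hits = sorted(IMMUTABLE_FIELDS & set(changed))
    if immutable_hits:
        reasons.append("immutable identifier differs: " + ", ".join(immutable_hits))
    core_changed = [f for f in changed if f != "photo"]
    if len(core_changed) > 1:
        reasons.append("more than one core field differs; probable wrong-person association")

    if not changed:
        return Verdict("confirm", changed, ["core identity unchanged"])
    if reasons:
        return Verdict("reject", changed, reasons)
    return Verdict("review", changed, ["single name change; verify evidence before confirming"])


if __name__ == "__main__":
    # Constructed records, not real people.
    held = IdentityRecord("u-1", "Smith", "Jane", "1975-03-09", "AB123456C", b"photo-a")
    pushed = IdentityRecord("u-1", "Patel", "Raj", "1982-11-21", "CD654321A", b"photo-b")
    print(check_esr_update(held, pushed))
```

The check is deliberately conservative: it never auto-applies anything, it only decides whether the RA has nothing to do, something to verify, or something to refuse and raise as an incident.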

System Generated Positions
- Also known and seen as '00sysposUUID' (Calendra access).
- These must be managed out. The method was deprecated from March 2011.
- They now indicate poor governance of access methodology and are a technical overhead.
- All users must be assigned a substantive PBAC position, and their '00syspos' position must be correctly closed, not end-dated or deleted.
- Alternatively, a bulk closure can be arranged via the NSD.
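The RA Audit Report, Data Quality, RA Positions and System Generated Positions slides above each describe an indicator a local RA team should be able to pull from its own data: cards never or no longer used, positions carrying the codes the slides single out, and '00syspos' positions that should have been closed. The following is an added example, not the National RA's central report nor CIS code, that computes those indicators from a constructed CIS position export. The CSV columns, the 90-day dormancy window, the '00syspos' prefix test, the placeholder codes B0001/B0002 and the sample rows are assumptions made for illustration; B0082 (Legal Override of Consent) and B0272 are the codes the slides name.

```python
"""Added example, not the National RA's central report nor CIS code: local RA
audit indicators computed from a constructed CIS position export.

Assumptions made for illustration: the CSV columns, the 90-day dormancy
window, the '00syspos' name prefix test and the sample rows. B0082 (Legal
Override of Consent) and B0272 are the codes the slides single out; the
other codes in the sample are placeholders."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

SENSITIVE_CODES = {"B0082", "B0272"}   # named in the slides as needing attention
DORMANT_AFTER = timedelta(days=90)     # assumed; matches the ~3-month reporting cycle
SYSPOS_PREFIX = "00syspos"             # system generated (Calendra) positions
AS_OF = date(2018, 4, 17)              # reporting date used for the worked example

# Constructed sample export: one row per user/position assignment.
SAMPLE_EXPORT = """\
user_uuid,org_code,position_name,activity_codes,card_issued,last_login
u001,RXX,Ward Nurse,B0001;B0002,2017-01-10,2018-04-02
u002,RXX,Ward Nurse,B0001;B0002,2017-01-10,2017-09-30
u003,RXX,Ward Clerk,B0001,2017-11-15,
u004,RXX,Safeguarding Lead,B0001;B0082,2016-06-01,2017-12-01
u005,RXX,00syspos4f2a1c,B0272,2011-02-03,2018-03-28
u006,RYY,Receptionist,B0001,2018-04-10,
"""


@dataclass
class Assignment:
    user_uuid: str
    org_code: str
    position_name: str
    activity_codes: FrozenSet[str]
    card_issued: date
    last_login: Optional[date]      # None = card never used


def _parse_date(text: str) -> Optional[date]:
    return date.fromisoformat(text) if text else None


def parse_export(text: str) -> List[Assignment]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(Assignment(
            user_uuid=r["user_uuid"],
            org_code=r["org_code"],
            position_name=r["position_name"],
            activity_codes=frozenset(c for c in r["activity_codes"].split(";") if c),
            card_issued=_parse_date(r["card_issued"]),
            last_login=_parse_date(r["last_login"]),
        ))
    return rows


def is_dormant(a: Assignment, as_of: date) -> bool:
    """Dormant = no login inside the window. A card that has never been used
    is measured from its issue date, so a newly issued card gets a grace period."""
    reference = a.last_login or a.card_issued
    return as_of - reference > DORMANT_AFTER


def audit_indicators(rows: List[Assignment], as_of: date) -> Dict[str, List[str]]:
    dormant = [a.user_uuid for a in rows if is_dormant(a, as_of)]
    sensitive = [a.user_uuid for a in rows if a.activity_codes & SENSITIVE_CODES]
    system_generated = [a.user_uuid for a in rows
                        if a.position_name.startswith(SYSPOS_PREFIX)]
    # Highest priority for the RAM: sensitive access that nobody is using.
    priority = [u for u in dormant if u in set(sensitive)]
    return {"dormant": dormant, "sensitive_codes": sensitive,
            "system_generated": system_generated, "priority": priority}


def dormant_share_by_org(rows: List[Assignment], as_of: date) -> Dict[str, float]:
    """Fraction of assignments per organisation that are dormant."""
    totals: Dict[str, int] = {}
    dormant: Dict[str, int] = {}
    for a in rows:
        totals[a.org_code] = totals.get(a.org_code, 0) + 1
        if is_dormant(a, as_of):
            dormant[a.org_code] = dormant.get(a.org_code, 0) + 1
    return {org: dormant.get(org, 0) / n for org, n in totals.items()}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for name, users in audit_indicators(rows, AS_OF).items():
        print(f"{name}: {users}")
    print(dormant_share_by_org(rows, AS_OF))
```

Run on the same cycle as the regular reporting; the 'priority' list is the one to act on first, since it is unused access to the codes the slides say are already drawing ICO attention.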

Poll #2 Do you still have system generated positions? Do you have a plan to close them?

Predecessor Links
- A facility within the system to link or cascade access to legacy organisations.
- Intended for a limited time-frame.
- Useful on mergers of trust org codes where system applications still rely on the legacy code.
- To help take stock of the scope of their use, please e-mail the access control e-mail address.

Outsourcing RA
- All NHS organisations are required to have an Exec RA Lead and an RA Manager.
- Outsourcing can be considered, subject to clear contractual arrangements.
- SLAs require regular audit and reporting.
- The primary organisation remains responsible for the RA process and IG compliance.

Oberthur Smartcards (08)
- 08 cards have now been in live service for 29 months.
- Self-renew options are available for end-users.
- RA team workstations require the latest SR5; this is soon to be updated to SR8, in the next few weeks (note: SR1 and SR5 are likely to be deprecated 3-6 months after this release).
- WordPress site: https://careidentityservice.wordpress.com/
- IA clients at: http://nww.hscic.gov.uk/dir/downloads/

RA Incidents
- Each event requires an individual approach.
- Consider how local RA policy links to organisational policies and procedures: escalation channels, disciplinary policy and procedures, IT / physical security policy.
- Evidence and impact level will dictate the suitable response: preserve data, screenshots and notes; report or escalate to the appropriate authority (IG officer / employer / security officer / HR).
- For a CSU or an RA service provider for the community, the route will depend on the scope of the contractual arrangements.
- A third party such as a pharmacy would require escalation to the NHS England local office.
- External reporting (ICO / police) is done by an appropriate person.
- Seek advice if unsure.