Managing users’ identities online is not merely a peripheral concern, but the foundation of both user experience and cybersecurity, two state technology officials say on the most recent episode of StateScoop’s Priorities podcast.
Pennsylvania Chief Information Security Officer Erik Avakian and Washington Chief Information Officer Jim Weaver each shared their current plans for identity and access management in their states, noting that providing residents with a consistent and convenient online experience is an essential task as their organizations attempt to keep pace with the latest technology trends.
“Identity and access management, especially when we look at it today, it’s really the foundation when you think about it for all other security controls, especially when you move business into the cloud,” Avakian says on the podcast.
Avakian and Pennsylvania CIO John MacMillan were directed by Gov. Tom Wolf in July via an executive order to develop a “citizen-first government” experience. The order extends work that began in 2017 to develop what the state calls Keystone Login, a portal that allows people to access many services offered by the state government with a single log-in.
“They’ll be able to create an account, log in once, and through that log-in they’ll be able to access a myriad of different services and applications without having to create different accounts,” Avakian says, noting that previously the state’s identity management had been “disjointed.”
In Washington, Weaver told a similar story, calling identity and access management “a foundational item.”
“I’m a resident, I’m an employee, I could be a small business owner here in the state of Washington, I could be a first responder in the state of Washington with my National Guard affiliation,” Weaver says. “Is that four different identities or is that one identity with four different attributes associated with that identity?”
Weaver says the goal is to develop a solution that provides users with one identity, developing what he calls “government as a platform.”
In years past, developing a more convenient and streamlined identity and access management solution was more difficult for government, Weaver says, because the third-party technology wasn’t as sophisticated as it is today. With the proliferation of cloud services, states can more easily rely on third-party identity authentication and cloud-based services without overly worrying about their security or legitimacy.
“We can still get to that level of validation or authentication that it is in fact who we are dealing with even though you’re not accessing our services via a government-issued identification,” Weaver says. “I think our residents here in our state would welcome that and appreciate that because it doesn’t have that Big Brother approach that government has to be the one telling me how I engage with government or how I obtain services.”
Beyond today’s solutions, both officials said they’re considering blockchain as a potential technology that could be used to augment their existing identity and access management. Avakian says the distributed-ledger technology is “still a morphing area,” and that it could potentially be used to allow users greater control over their online identities.
“We’re actually exploring that,” Avakian says.
Weaver says he’s cautiously optimistic about blockchain, too.
“This is probably screaming of blockchain, but we don’t want to put the technology ahead of the people and process aspects of the equation,” he says, adding that Washington is looking at what other states are doing with blockchain as it decides how it might use the technology.
Weaver says identity and access management could soon also join the ranks of the many other services that governments have taken to outsourcing as cloud-based services have become more accessible, secure and familiar.
“We might be able to get to some kind of an as-a-service model here, as well, where maybe we as the state are not necessarily managing this identity process, we may have a third party doing that for us,” Weaver says.