Garry Compton

Manager Government AuthenticationANTA Workshop

05/08/03

Canberra, Australia

An update on An update on Commonwealth AuthenticationCommonwealth Authentication

Authentication‘Establishing as genuine or

valid’

Security‘Policies, plans, procedures,

technologies & infrastructure’

IdentityManagement

‘Customers and Employeesidentity assured’

Interoperability‘Seamless integration’

ChannelManagement

‘Choice of communicationmedium’

Sourcing‘Choice of provider’

Product & ServiceProviders

‘Accredited Products &Providers’

Legal Advice‘Legal assurance’

Privacy Advice‘Personal information &

rights protected’

TRUSTEDONLINE

ENVIRONMENT

throughIMSC PolicyDevelopment

Education& Awareness

‘Distribution of knowledge’

NOIE's role and the Authentication Working GroupNOIE's role and the Authentication Working Group

NOIE provides secretariat services to the Authentication Working Group (AWG) that is currently undergoing a project to develop a framework for whole of government online authentication.

This initiative is to create a trusted online environment and to support the delivery of commonwealth services to individuals and businesses.

NOIE and the AWG support the Chief Information Officers Committee (CIOC) and Information Management Strategy Committee (IMSC) to achieve these goals.

The Information Management Strategy Committee, Chief The Information Management Strategy Committee, Chief Information Officers Committee and Working GroupsInformation Officers Committee and Working Groups

IMSC created to provided shared leadership advice on multi-agency and whole of government information management strategies.

Members of the IMSC are at the Secretary or CEO level and are drawn from agencies that have key central roles in delivering services online.

CIOC was created to support the IMSC.

The CIOC has established a number of working groups, including the AWG.

Authentication - what is it?Authentication - what is it?

To authenticate an assertion - to confirm / establish a degree of confidence that the assertion is valid or genuine.

It is important to differentiate between when it is necessary to authenticate an assertion about identity and when it is adequate to authenticate assertions about data, an attribute or a value.

Attribute authentication involves proving that a person has a certain attribute or qualification.

Value authentication is based on whether a certain amount of money is available.

It is important to only require the authentication of identity when this is necessary to the transaction.

Identity FraudIdentity Fraud

A whole-of-government study to be undertaken to enhance the identification and verification processes for government agencies and to identify other measures to combat identity fraud.

Fraud estimated to cost $4 billion per year.

The use of false or stolen identities provides a means of committing terrorist acts, fraud on government programs, people-smuggling and illegal immigration, and threats to electronic commerce.

One of the aims of the study will be to test the feasibility of an on-line identity verification service to be available to Commonwealth, State and Territory agencies.

Three major policy objectives essential to providing a whole of government approach to online authentication are:

consistency of user experience;

matching authentication options to transaction types and

a fit for purpose approach to the application of technological solutions.

A whole of government approach to authentication is necessary

Individuals undertake very different authentication processes with different agencies in order to access government services.

If standardisation occurred, it would be easier for citizens and businesses to access government services and people would be more inclined deal with government in an online environment.

NOIE Policy ObjectivesNOIE Policy Objectives

A Business CaseA Business Case

For online authentication to be a success it is important that legislation and government policy is based on a sound business case rather than being purely driven by technology.

More important than the technological ability to perform authentication online is the ability to provide a service that benefits both government and business.

Businesses are provided with little to no incentive to interact with government online if it is a costly and time-consuming process.

The Role of PKIThe Role of PKI

It is important to match authentication options to transaction types.

There is a role for PKI and high assurance applications. ABN-DSCs will provide a medium for high assurance business to government and business to business transactions to take place.

HIC and HESA have developed a sector wide digital certificate that is currently in use to protect this type of information and authenticate practitioners and practices.

This type of fit-for-purpose approach ensures you have a trustworthy and functional whole-of-government authentication system.

The Galexia ConsultancyThe Galexia Consultancy Two consultancies have been commissioned by the Authentication

Working Group to help them develop a business case for authentication and to create a trusted online environment.

Galexia consulting produced the first report regarding the use and implementation of Australian Business Number Digital Signature Certificates (ABN-DSCs).

The report found that further methods to promote the use of ABN-DSCs would be required, especially given the absence of PKI applications available in the market.

Continuing concerns about the integration of digital certificates into business processes, legal liability and other risks associated with their use.

The Convergence e-Business Solutions ConsultancyThe Convergence e-Business Solutions Consultancy Convergence report

second report commissioned by the AWG

aims to produce a framework for whole of government authentication in Australia.

The report details the issues around the authentication of assertions relevant to government.

Some of the major issues include selecting the most appropriate authentication technique eg: PKI

Privacy can be a major stumbling block for whole of government authentication because there is often a trade off between levels of identity authentication and privacy concerns.

PrivacyPrivacy Preventing the invasion of personal privacy is an important part of

any authentication solution.

Privacy legislation requires government agencies to only collect and hold personal information that is necessary.

The e-authentication initiative requires a Privacy Impact Assessment (PIA) be conducted to evaluate the potential impact on personal privacy.

The IMSC and CIOC are committed to addressing privacy issues.

NOIE understands the importance of addressing privacy issues in the initial stages of project development.

Thank YouThank You

Garry Compton, Manager,

Government Authentication

NOIE

garry.compton@noie.gov.au

WWW.NOIE.GOV.AUWWW.NOIE.GOV.AU