• Home
• GOVERNMENT CXO
• E-GOVERNMENT
• CITIZEN ENGAGEMENT
• TAX AND REVENUE MANAGEMENT
• GOVERNMENT PROCUREMENT
• GREEN GOVERNMENT
• GOVERNMENT DATA MANAGEMENT
• GOVERNMENT SECURITY
• GOVERNMENT CLOUD
• GOVERNMENT ANALYTICS
• GOVERNMENT GIS
• CONNECTED GOVERNMENT
• DIGITAL INCLUSION
• EDUCATION IT
• HEALTHCARE IT

Government Security, Policy

The identity management catch-22

By Robin Hicks | 16 March 2009

FutureGov’s research arm has identified ‘ID Management’ as one of the top three priorities for the public sector in 2009. A few years ago, the United Kingdom’s Customs and Revenue admitted to losing the financials details of 25 million citizens.

Photos

View photos

Related Articles

• The Philippines to implement new land management system
• Governments’ data management challenge
• NSW Police installs image management system

Related Categories

• GOVERNMENT SECURITY
• POLICY

From this Section

• FEATURE

As if that wasn’t embarrassing enough, Her Majesty’s Driving Standards Agency lost three million files a few months later. Once is careless. Twice, as Britain’s press were keen to point out, seems incompetent.

Unhappily for government agencies, identity management (ID management) has become synonymous with identity fraud, perpetrators attempt to flout the system for personal gain.

This has taken its toll on government agencies, which are caught in a Catch-22 situation. They are required to collect, retain and safeguard citizen’s information while providing e-services that allow citizens to access the information with ease.

“This issue is controversial, given that the government is invariably required to collect and use data in order to provide people with collective and convenient e-government services, says Dr Jung-hee Song, Chief Information Officer, Seoul Metropolitan Government (SMG) in South Korea. “But e-Seoul is also duty bound to assure security to service users at the same time. We have to balance convenience with protection of personal public data,”

Government’s dilemma Identity management is more than simply permitting a user to log on to an e-government service. It controls what that user can do, similar to putting boundaries on restricted zones in a high-security building.

A typical government agency employs a wide range of personnel with a variety of security clearances in offices across any given country. Add to that a large number of part-time employees, contractors and consultants, and federal IT managers are faced with a daunting task: how to maintain the delicate balance between securing the network and promoting collaboration across a diverse group of workers using a variety of endpoint devices, says Kang Eu Ween, Regional Enterprise Solutions Director of Juniper Networks.

Jacqueline Kwan, Head of the Immigration Department of Hong Kong, is faced with the same conundrum. “Managing user identity is particularly important for government agencies due to the highly sensitive data that could be manipulated if a user is given a higher level of access than is approved for their role. A report released by the Identity Theft Resource Centre revealed that government accounted for one out of five security breaches of private data. Although the number of security breaches that exposed personal identifiable information in government systems in 2008 was far below what the private sector reported, it is still a sign that government has to do more on the thorny issue of authentication.

Of the 656 security breaches reported last year, 16.8 per cent occurred in systems operated by state, local and federal governments, including military networks, according to a compilation of reports released by the Identity Theft Resource Centre (for more go to www.idtheftcentre.org).

To cope with breaches, the Immigration Department of Hong Kong has adopted a non-access approach to citizens. Says Kwan at the Immigration Department: “With regards to immigration services, the citizens of Hong Kong do not have access to their personal data through electronic services. As such, they are not issued a username and password.” This helps to prevent any unauthorised access or the misuse of personal data. Problem solved, surely. At least as far as security is concerned. But other security issues continue to plague government. Some are non-technical. In the Philippines, a highly sociable, family-centric country – even for Asia - there remains the problem of how to prevent users from sharing their own usernames and passwords with others, says Lilia Guillermo, Deputy Commissioner at the Bureau of Internal Revenue in the Philippines.

As of January 2009, the Seoul Metropolitan Government of Korea operates 251 web sites for its citizens. But that has posed problems as the government strives to ensure top-notch security. “The web sites are being taken care of by various divisions of the SMG, and the same personal information is being repeatedly collected by various web site operators. This has created issues,” says Dr Song. “The repetition increases opportunities for data to be invaded or leaked, which has meant that the government has spent more time and money taking appropriate control over each dataset collected. I am there considering creating a platform that would control all the web sites in a systematic manner.”

Kwan, however, reveals that the zero log-in rule for Hong Kong’s citizens on immigration services has not compromised security. “The government of Hong Kong has empowered us to obtain citizens‘ data whenever the needs arises. Therefore, encryption is used to store data.”

External threats In wake of recent information leaks in Hong Kong (Kwan won’t go into specific cases), the government has issued guidelines and introduced new requirements in relation to the storage of personal or classified data on portable electronic-storage devices. “For example, officers have to seek authorisation from supervisors before storing data on portable devices such as thumb drives. They are also required to encrypt personal or classified data before storage,” she notes.

Compounding the issue for government is the growing number of employees who work from home, be it under flexible working schemes or part-time contracts. Remote access creates a whole new set of security and authentication challenges for the IT staff tasked with protecting sensitive data and minimising intrusions. “The need for authenticated network access control is increasingly important to ensure that individuals are granted the appropriate levels of access to the tools and information they need to collaborate effectively — around-the-clock and regardless of their location or device used,” say Kang at Juniper.

Korea’s Dr Song points out that SMG’s employees engaged in field work or working from home are assigned jobs strictly within the framework of Government Virtual Private Network, which provides the same administrative environment as their offices. As part of security policies for officials working from home, the officials need to get a certificate endorsed by the Government Public Key Infrastructure (GPKI) to log on to the government site. And the GPKI certificate is saved on to a thumb drive, rather than the computer, to prevent unauthorised access in the event of theft or intrusion of the computer in which work-related programmes are installed, she explained.
When a government employee leaves the organisation, agencies should think about safeguarding the information that leaves with them. “Access to information is granted on a need-to-know basis with confidential information restricted to authorised employees,” says Guillermo. “In its most basic form, resigned employees are required to surrender their IDs and non-employees required to register when they enter the premises. On the systems side, access privileges are revoked and user accounts deleted upon resignation.”

Due to the sensitive nature of the information, the Immigration Department of Hong Kong does not allow its employees to access the system or database outside of the office. “Since security is never entirely fool-proof, we take this approach to minimise the risks that remote access brings with it,” noted Kwan.

In a similar fashion to how the Bureau of Internal Revenue in the Philippines does things, when an employee leaves the Hong Kong immigration department, the access right will immediately be removed to prevent any complication, explains Kwan.

Technology as a gatekeeper When controlling remote network access, government agencies need to employ a holistic security approach that integrates authentication, data encryption and data protection. According to Kang, two critical elements of ID management must be considered: establishing effective authentication policies and deploying appropriate technology gatekeepers.

To establish an effective policy will mean ensuring that only authorised users have access to the applications they need to regulate the flow of information accurately. “The issue of remote working and security concerns has to be associated with the endpoint security of users accessing the network from personal laptops,” says Kang. “Their laptops may not comply with the security policies of the agency’s network.”

Then there’s the issue of employing technology gatekeepers to prevent viruses and other intrusions. For example, the Secure Sockets Layer Virtual Private Networks (SSL VPN) helps to gather user identity and enhance endpoint security, while providing users with the stipulated level of access.

“Coupled with firewalls and intrusion detection and prevention (IDP) solutions, agencies can ensure comprehensive network protection that lends insight beyond just IP addresses into who is actually traversing the network perimeter and what specific applications they are accessing,” says Kang.

In addition, SSL VPN platforms can collaborate with IDP solutions to ensure that malicious users be quarantined and taken off the network, thereby proving end-to-end, real-time network protection. But despite the legions of network security solutions available, there are still threats that cannot be pre-empted.

“What worries me is the information leakage by insiders who have access to confidential data,” said Dr Song. In addressing these concerns, the Seoul government designates one day every month as ‘The Day of Information Security’ to reinforce employee awareness of security issues. The government also provides intensive training courses on security to minimise information exposure by employees. “It is my hope to see the issue of personal data protection examined in more depth,” says Dr Song.

ID management is clearly more important for government than it is for other organisations. Governments in Asia read to understand that what happened in Britain, could easily happen in this part of the world too.