GOVERNMENT TECHNOLOGY REVIEW

MAY/JUNE 2014 • ISSUE 24

SOCIAL GOVERNMENT is at your door: Will you bite?

CLOUD ROUNDTABLE

ENTERPRISE APPS IN CLOUD LIMBO

PUTTING THE ‘BIG’ IN ‘BIG DATA’

SECURING IDENTITY IN THE NEW WORLD

ULTRA-SECURE CA TOUR

GTR SOCIAL MEDIA AWARDS

GTR May-June 2014 Preview


GTR KNOWLEDGE SERIES

GTR Knowledge Series registrants will:

• Gain access to on-demand video content in the Knowledge Centre, including webinar interviews with keynote speakers that will include CIOs and IT Managers from Government and the Education sector as well as thought leaders from within the private sector, both from Australia and overseas. All content can be sorted and filtered by topic to ensure a compelling knowledge experience that is tailored to your interests and needs.

• Have the opportunity to learn more about the products and services that are being offered by leading technology vendors in the interactive virtual exhibition halls.

• Receive regular email updates about new and upcoming content that has been added to the Knowledge Centre.

The GTR Knowledge Series will cover in-depth the following topics:

• E-Government

• Cloud Services and Infrastructure

• Mobility

• Broadband and Communications Technologies

• Data and Information Management

• Security and Privacy

The GTR Knowledge Series provides compelling content and thought leadership for CIOs, IT managers and other senior decision makers from all levels of government through a dynamic online information portal.

Complete your free registration online at www.gtrknowledgeseries.com.au


Contents

Cover Story

SOCIAL GOVERNMENT IS AT YOUR DOOR: WILL YOU BITE?

Far from the uncertainty of the early days, today's public-sector social-media strategies are more ambitious and far-reaching than ever. Early adopters are turning in strong and significant results, paving the way for other organisations to follow. Citizens will be the winners as social-media intimacy reshapes the way governments operate.

Special Features

SECURING IDENTITY IN THE CLOUD ERA

Effective identity and access management (IAM) has always been a challenge, but with cloud computing distributing identity across a range of systems it's become a completely different sort of pain. Yet as cloud solutions continue to mature, a range of techniques are helping bridge the gap and extend corporate identity controls to cloud and mobile.

ROUNDTABLE: BUILDING THE AUSTRALIAN CLOUD

Cloud computing's inexorable growth has continued unabated, with new investments and new entrants driving the rapid maturity of Australian cloud offerings. But has the local cloud caught up with overseas competitors? And can the Australian cloud support the growing demands of the public sector?

REGULARS

Editor’s Letter

News

Opinion: Ovum, Esri, ADT, TechnologyOne, Teradata, NextDC, Datacom, Bellridge, Hitachi Data Systems

NBN Update

FEATURES

Symantec Certificate Authority

GTR gets a tour through Symantec's high-security Melbourne identity-management facility.

GTR Social Media Awards

We run down the finalists in GTR's inaugural social media excellence awards.

Enterprise business applications

Cloud-first government has become the future – but what do they do in the meantime?

CASE STUDIES

NSW Fire & Rescue

A large-scale identity platform is helping track volunteers and employees alike.

MTC

Government-backed jobs provider overhauls its network and server infrastructure for growth.

Editor's Letter

David Braue, Editor

E: [email protected]

READING GTR WILL IMPROVE YOUR SOCIAL LIFE

Things have been busy at GTR headquarters lately, what with the successful completion of two conferences and the launch of a new online venture called the GTR Knowledge Series (GTRKS, at www.gtrknowledgeseries.com.au).

I've been sitting down with a range of public-sector CIOs to hear their thoughts on their roles, on the industry as a whole, and the ever-changing challenges facing them in the public sector. They make for fascinating viewing and we already have interviews with not one but two former US government CIOs as well as the CIOs for the Department of Defence, Treasury, and more.

We have recently begun expanding the content into the education space as well as the public sector, giving us insight into the unique characteristics of an industry where scale and ever-demanding users present even more challenges than usual.

I encourage you to drop by the site and watch some of the interviews – and let me know what you think, or who you'd like to hear from in the future.

While we'll be featuring the in-depth interviews and other content online, we'll continue to fill each printed issue with the same features, case studies, roundtables, and other content that you already know and love.

For example, our cover feature focuses on public-sector social-media success stories, but there are many more: the great lineup of speakers at May's Social Media for the Public Sector conference, which I had the privilege of chairing, all had very interesting stories to tell about their own transformations.

The mood at the event was at once more vibrant and optimistic than its 2012 predecessor. Back then, discussions were generally couched in terms like 'but my CEO won't let me...' or 'we are banned from using social media' – but now it is clear that the early-mover advantage is long gone. If you're not building social media into your everyday planning and execution, you're already behind the curve.

Also in this issue, we look at the security challenges posed by identity and access management (IAM). This increasingly important and complex capability is being complicated by the rise in use of cloud-based applications whose relative informality poses new challenges for CIOs working to develop and enforce consistent access-control policies.

Elsewhere in the issue, we look at public-sector finance applications, catch up with the latest in printing technology and catch up with the finalists in the inaugural GTR Social Media Innovation for Government & Public Sector Award. Read about their projects in the magazine, then get the story from these innovators in their own words as you watch my GTRKS interviews with each.

As always, I welcome your thoughts on this issue, the GTRKS, or your own challenges in public-sector ICT.

EDITOR

David Braue

e: [email protected]

NATIONAL SALES MANAGER

Yuri Mamistvalov

e: [email protected]

Tel: 03 8534 5008

ART DIRECTOR

Annette Epifanidis

e: [email protected]

Tel: 03 8534 5030

DESIGN & PRODUCTION

Nicholas Thorne

CONTRIBUTORS

Kelly Mills, Kevin Noonan, Adam Turner

MELBOURNE OFFICE

Level 8, 574 St Kilda Rd. Melbourne Vic 3004

PO Box 6137, St Kilda Rd Central 8008

Phone: 03 8534 5000 Fax: 03 9530 8911

Government Technology Review is published by CommStrat

ABN 31 008 434 802

www.commstrat.com.au

All material in Government Technology Review is copyright. Reproduction in whole or in part is not allowed without written permission from the Publisher.

To subscribe to GTR magazine

phone: 03 8534 5009

email: [email protected]

or go to www.govtechreview.com.au/subscribe

SUBSCRIBE NOW

IN DEPTH INFORMATION TECHNOLOGY COVERAGE FOR THE PUBLIC SECTOR

Subscribe to GTR magazine at iSubscribe. Go to http://bit.ly/1kIPq7n

GTR Magazine incorporates technology reviews and experience from all levels of government and includes news, case studies, opinion and roundtable discussions.

News

BUDGET CUTS HITTING GOVERNMENT CIOS MORE THAN PRIVATE-SECTOR PEERS: GARTNER

Government CIOs are more likely to expect their IT budgets will drop than CIOs in general and over a quarter of them expect budget decreases in 2014, new research from Gartner has found.

The firm's 2014 CIO survey, which involved interviews with 228 government CIOs and 2339 respondents in total, found that 26 percent of government CIOs anticipated their IT budgets would decrease in 2014. That was roughly equal with the 27 percent who expected budgets to decrease in 2013.

With strong pressure to cut programs and services, government bodies have faced disruptions from mandates to embrace lower-cost, high-scale commercial alternatives – a trend that is complicated by the finding that at least one-third of IT expenditures are now being made by business units outside the authority of the IT organisation.

This 'shadow IT' trend was creating its own headaches for CIOs and should push them to rein in such casual spending, Gartner research director Rick Howard said in a statement.

“Regardless of how much IT spending happens outside of the IT organisation, CIOs must address the presence of shadow IT by affirming their position as the designated and recognised point of IT responsibility,” Howard said.

“Accountability for the information assets of a government agency cannot be distributed, and governance will ensure a corporate officer, the CIO, is at the table whenever or wherever an IT investment is being considered.”

Implementing that organisational change will require the establishment of clear boundaries between the CIO, chief digital officer, and CTO, Howard said – yet the transformation also requires a different approach to sourcing technology.

Fully 75 percent of government CIOs indicated they are already working on changing their sourcing approach, with 60 percent currently managing a 'mixed model' of providers, 26 percent depending on a primarily insourced approach and 13 percent preferring an outsourced model.

Such models need to be carefully introduced to ensure that the CIO walks in lockstep with other parts of the business, Howard advised.

“To maintain organisational relevance in today's digital industrial economy, CIOs need to work in collaboration with their executive peers to strike the optimal balance of 'grow' and 'transform' with running the business,” he said.

“The most successful government CIOs will relish the opportunity to manage IT effectively in an increasingly diverse ecosystem of vendors and solutions by combining specialised knowledge of government business practices and policies with the executive role, in order to promote architecture standardisation, interoperability, robustness, agility and security.”

Cloud first policy to reshape Queensland government tenders

The state government of Queensland has directed the state's IT procurement policies on a new tack as it institutes a cloud-first policy that will see its ICT operations transformed from service provider to service broker.

The decision was contained in the state's new Cloud Computing Implementation Model (CCIM, at bit.ly/1k6rRuE), which was published in May and outlines the state's expectations from the cloud model. These include cost reduction, debt reduction, sustainability, innovation, faster realisation of business benefits, business agility, improved security, and improved information sharing.

The review, which grew out of a February 2013 Commission of Audit report that recommended the adoption of an ICT-as-a-service strategy and “discontinue ownership and management of significant ICT assets and systems”, runs through a laundry list of problems with the previous model and the ways cloud will improve them.

These include previous “high-cost and bespoke ICT solutions” that will be replaced by “well-defined, standardised and highly-configurable shared services which continue to evolve and innovate based upon the needs of a large and diverse customer base”; aging technology requiring continual refresh and upgrades that will be replaced by an “evergreen model” where service providers and competitive market forces drive lifecycle management; and an improvement in information security through the shift from resource-limited internal security organisations to cloud service providers with “extensive” security accreditations and “well-established security management processes which undergo regular external audit”.

There are warnings, too: for example, the report warns that consumption of a broad range of cloud services from multiple suppliers “may lead to a high-heterogeneous and distributed ICT environment”. To avoid this complexity, the CCIM recommends the establishment of a “coordinated service brokerage approach” combining technical integration platforms and external cloud brokers to aggregate, simplify, secure and integrate a range of cloud services.

The state government's implementation model includes five key focus areas that will enable and accelerate the government's uptake of cloud-based ICT services: cloud ready, cloud foundations, cloud engagement, cloud accelerate, and cloud governance.

Some 26 recommendations are outlined to help the state government deliver on its cloud-first strategy. The state ICT action plan will be updated to incorporate those recommendations that are to be progressed.

BIOMETRICS KEY TO BORDER-SECURITY EFFICIENCY: MORRISON

Increased use of biometrics technologies will play a key role in the technologically-supported effort to improve Australia's border security as the newly merged Customs and Immigration departments tap into the technology to realise savings outlined in the recent federal Budget.

With estimated savings of $480m from merging the two massive organisations, both departments will be looking to new technologies to reduce costs and improve security.

With government minister for immigration and border protection Scott Morrison set to headline the upcoming Biometrics Institute Asia-Pacific Conference, the role of biometrics in delivering these efficiencies may soon be better understood.

Morrison outlined the government's views on the use of biometrics in improving border security, supporting a range of systems at the 'super agency' that are anticipated to deliver new efficiencies to the process of border protection.

Improving this process would rely “first and foremost” on biometric data collection and processing technologies, Morrison said in his speech.

“Through the utilisation of these technologies, Australia's border management systems will provide travellers with experience processes that expedite their movement across borders, end to end, but enable the ABF and security agencies to identify external risks long before an individual attempts to enter Australia.”

Clearance information, including biometric authentication details, would be provided by future travellers to automated gates and checked against details stored on their passports. Border protection officers will intervene only where any “match to intelligence or risk” is identified, with all ordinary travellers cleared through the system in less than a minute.

“These systems offer processes that both expedite the legitimate traveller and provide the best possible chance of identifying risk to Australia's security long before it reaches our border,” Morrison said, foreshadowing greater co-operation with other regional governments to improve data exchange processes.

“The Coalition is committed to pursuing data swaps, not failed people swaps, to protect our borders,” he said.

A global concern, the Biometrics Institute maintains offices in London and Sydney and runs networking meetings and training courses in Australia, New Zealand, the UK, Belgium, Singapore and the US. Its constituency of over 130 member organisations is heavily skewed towards Australia, where 50 percent of its members reside.

Its latest annual Industry Survey found strong interest in biometrics usage amongst members, with fingerprint recognition overtaking facial recognition in 2013 as the area most respondents are interested in. Iris recognition was third.

Asked what were the most important recent trends in biometrics, 16 percent of respondents said biometrics at the border and the adoption of biometrics in everyday activities (15 percent) had been the most important developments in the biometrics industry within the last 12 months.

Technology advances and large-scale national ID deployments were also highly referenced, although with less frequency than in previous surveys.

The 2013 survey was also notable because it saw border security (which was named as the most-expected technology to be implemented by 11 percent of respondents) lose its long-running primacy to the use of biometrics in smartphones and mobile devices (20 percent). Government and public-sector agencies comprised 44 percent of respondents.

Other organisations presenting at the conference included the US FBI, New Zealand Immigration, South Australia Police, Queensland Police, and Australian Taxation Office – reflecting the broad interest in biometric technologies across different spheres of government services.

GTR recognised in IT publishing industry awards

Commstrat, publisher of Government Technology Review, is proud to announce that GTR received two Highly Commended commendations in recent IT publishing industry awards.

The annual MediaConnect IT Journalism Awards, known in the industry as the 'Lizzies', are fiercely contested and honour achievements by individual journalists and collective teams in producing the best technology journalism and media across Australia and New Zealand.

GTR was cited as a Highly Commended title in the Best Magazine and Best Business Technology Coverage categories in the midst of what organisers said was the most competitive field ever.

GTR editor David Braue picked up two individual commendations, winning Best News Journalist and receiving a Highly Commended commendation in the Best Telecommunications Journalist category.

The wins mark a strong year in the history of GTR, with circulation and readership both increasing and the recent launch of the new Government Technology Review Knowledge Series offering exclusive interviews with a broad range of public-sector IT leaders and technologists.


GOVERNMENT BUDGET COMMITS $100M TO FIX MOBILE BLACKSPOTS

Up to 300 new mobile base stations will be built in outer metropolitan, regional and remote areas by late 2015 as the government fulfils a 2013 election promise (http://www.liberal.org.au/mobile-black-spot-programme) by injecting $100m into its Mobile Black Spot Programme (MBSP).

The program, which will also rely on co-contributions from states and the private sector, will target major transportation routes, small communities and disaster-prone areas with $80m in infrastructure funding as well as committing $20m to addressing well-known 'black spots' suffering from poor mobile and wireless broadband coverage.

Funding is expected to include between 250 and 300 new or upgraded mobile base stations around the country, with actual numbers based on cash and in-kind contributions expected to be contributed by third parties.

“There are some locations where the economic viability of expanding the existing network may be marginal, but modest government financial support may tip the balance,” the Liberal Party election policy stated.

Victoria's Government, for one, has already committed $40m to fixing mobile black spots and delivering Wi-Fi on long-haul train services across the state.

Tenders for the new infrastructure will be let in the second half of this year, with chosen providers expected to be announced in the first half of 2015. Base stations are expected to be in place from the second half of 2015.

Mobile infrastructure operators Telstra, Optus and Vodafone will be expected to match the government's investment of $80 million in its Mobile Network Expansion Programme, providing their own investment of $80 million.

The programme copies Western Australia's Regional Mobile Communications Programme, which attracted $39.2m in state government investment and will deliver 113 new or upgraded mobile sites.

MBSP grew from the 2011-12 Regional Telecommunications Review, which found that mobile coverage was the most frequently-raised concern among residents. Blackspots accounted for more than two-thirds of the 222 submissions received by the review and were raised during all of the 20 regional consultations conducted during the course of the review.

Photo credit: CC BY-SA 3.0 Joe Ravi

GOT SOMETHING TO SAY?

YOUR OPINIONS MATTER TO US.

Send your comments about an article, this issue, or GTR magazine in general to [email protected]


I AM WHAT IAM

Security

BY KELLY MILLS


The legacy of the failed Australia Card identity scheme has hindered Australian government agencies from realising the dream of having a sole online identity for every citizen.

The reluctance to address the issue means the government is missing out on the big dollar savings that corporates such as the Big Banks are enjoying in the call centre.

Many believe government could do better: “There are loads of ways that we interact with government that doesn’t need a very high degree of assurance,” Gartner research director Anne Robins explains.

Banks have services available online as it makes economic sense, and the convenience is seen as a benefit.

“People want to participate because it is a benefit to them, and I think a lot of people would feel the same way about doing these things online with government,” Robins adds.

PASSWORDS BY THE DOZENS

Transacting online with government agencies is far preferred to waiting on the end of the phone or standing in a queue – yet citizens have become bombarded with online services from government.

It is not an uncommon scenario when registering for an online service to input the same information with every agency. Users often then write down the username and password in a notebook, although the vast majority of people use the same password.

Through the my.gov.au portal, the Federal Government has attempted to create a solution. Services from Medicare, Centrelink, the Australian Taxation Office, Child Support, the National Disability Insurance Scheme and the Department of Veterans’ Affairs can be accessed via the secure myGov account with one username and password.

It's an ambitious undertaking but not everyone likes it. “MyGov is trying to give citizens a portal,” Robins says, “but there is the impression that if you use myGov you are giving Centrelink or Medicare information. It all seems like it is mixed in together, and people are uncomfortable.”

The approach of myGov is misplaced, she says, in light of the success of New Zealand’s RealMe government identity service.

Launched in July 2013, the service has centralised the verification of a person’s identity, but each agency still maintains its own data.

“I think if you look at these two models,” she says, “you will see one has gone a long way down the path of making sure people do feel their privacy has been protected and that it is all about the control that they have.

“The myGov model is much more about saying we are going to force you into this tunnel and you have to do everything through this point, I am just not sure people feel comfortable with that.”

SECOND-GENERATION ONLINE SERVICES

Australian government agencies, from all levels, have been roundly criticised as being slow to adopt advances in the identity space.

Many agencies are trying to solve the problem on their own – some, such as the Australian Tax Office, are looking to do more and offer a richer service – but there has been no real strong leadership at a whole-of-government level about addressing citizen identity.

“A complication of the government’s service obligation is that they just can’t say 'I’m going to make it available online and you can like it or not',” Robins says. “They have to support all of the multi channels.”

Governments, like the private sector, are looking for higher levels of online participation and ways to reduce overheads on help desks or call centres.

Robins believes the challenge is that government will solve the problem one agency at a time.

“It’s going to be complicated and expensive,” she warns, “and people are going to hate it if they have to do different things for each agency.”

There is the possibility an agency could step out on its own and show leadership, thereby creating a bit of groundswell.

“But I think it needs a much stronger push from the top down,” she says, “to actually put this on the agenda of department chief information officers. They are all suffering from cutbacks, keeping expertise in-house; this is still not a burning problem for a lot of them.”


SOCIAL SIGN-ON

Innovators in government are, on the other hand, really pushing to adopt Facebook or some other social media sign-on and identity brokering service.

“There is a lot of controversy about whether I want to cross my personal or Internet identity with my government identity,” First Point Global co-founder Jan Zeilinga says, noting that some citizens may feel this would give government too much visibility into a person’s private life.

From an Australian government perspective, Robins adds, there are some circumstances today where a citizen would like to access a service by clicking through from Facebook.

“You're accessing fairly basic information,” she says. “It is good for relatively innocuous transactions where the convenience outweighs the need for more security than that.”

As people deem Facebook “friendly” and feel good about using it, she believes it might be a good way for government to become more accessible.

On the issue of security, both Zeilinga and Robins believe Facebook can be more secure than a simple username and password for first-level enquiries, as people put a value on their Facebook profile.

“The reality is I can enter rubbish into a registration service and create an email account,” Zeilinga says.

The real problem with using a social sign-on is that the government at this moment has not grasped that there is a risk differentiation between different transactions, Robins explains: “You should be able to match the right level of authentication and verification of the transaction to what you are doing.”

BYO IDENTITY

Using a social media identity as a means of accessing services online is a trend that government agencies will need to accommodate going forward.

Whereas the new generation of identity access solutions are able to broker into social media identity stores to tie the authentication together, current legacy identity access management systems don’t have a means of catering for this.

Dimension Data Australia security practice national manager Jason Ha explains there is technology that can broker first-level social media authentication, then decide how much of a higher challenge is required to give citizens access to services.

“Social media brokering can function as a good first level authentication up to a certain point for citizens,” he says, “and then if the adaptive context requires a higher level of privilege, that is when they can interface into an internal identity construct.”

However, the problem is that most Australian government agencies have not embarked on a new platform for this world.

“Most of them are at the strategy and even architecture stage to determine what the new software will look like,” Ha says.

HIGHER-LEVEL AUTHENTICATION

Social sign-on is just one way to identify a persona. The key challenge is taking the persona and linking it to a real person.

“The actual technologies are quite simple and services are quite simple,” Zeilinga says. “It is more about how to upgrade an individual and how much trust you put in that.”

At the bare bones level, cost savings are driving government agencies to make sure everyone has an online account.

“If they can get 90 percent of their online consumers using a third party for authentication, and they are pushing out that management of username and password, that is significant savings in the call centre,” Zeilinga adds.

At the technology level, agencies realise that even if they embrace social sign-on, it is the step-up authentication process that is tricky.

“When you combine risk factors together you get something very strong,” Zeilinga says. “It is when you are relying on one method that you start pushing the boundaries of being over confident.”


NEW ZEALAND'S MODEL IDENTITY MODEL

The New Zealand government’s identity service RealMe is lauded internationally and has created opportunities for online efficiencies.

Launched in July 2013, the end goal of the service is for citizens to have a single login and password for all secure online services delivered by public and private sector organisations in New Zealand.

This dream is some way from becoming a reality.

Currently New Zealand’s 4.5 million citizens can use RealMe as their single username and password to log in to a range of government departments. However, a verified RealMe account, which can securely prove a person’s identity, can only be used with New Zealand banks BNZ and TSB Bank.

RealMe can be used to open a range of BNZ transactional accounts online via their website.

TSB Bank offers the RealMe service to enable a TSB Bank account to be opened via their mobile banking app. Other major banks are expected to be on board during 2014.

RealMe can also be used to order important official documents, like birth, death, marriage and civil union certificates. Other services expected to join in 2014 include life insurance, KiwiSaver schemes and enrolling to vote.

To register, people need to visit a NZ PostShop, where they are digitally photographed and their identity is checked against passport records. Citizens need to re-enrol every five years.

The advantage for users of the RealMe service is the high level of security: a code is texted to their mobile phone every time their RealMe identity is used.

The advantage to businesses like banks is that it provides a higher level of identity verification than is currently available, because of the hook up with the government.

Users need to consent before the system will provide their identity information to an organisation. Organisations also have to provide an alternative means of establishing identity.

Gartner research director Anne Robins says the federated model the RealMe system follows is a good approach. “It has a very high proportion of uptake,” she explains.

“They haven’t tried to centralise the delivery of the service; if you want to deal with a welfare issue you go to the department. But they have centralised the verification of the identity so that citizens don’t need to do that with each and every agency.”

Some countries in Asia have what is seen as robust centralised identity systems for citizens.

Jason Ha, national manager of the security practice for Dimension Data Australia, says countries such as Singapore or Korea have quite robust systems.

“In Singapore you can do pretty much everything online, including voting, but most of it is fairly well brokered through the single identity, driven by the concept of the Singapore Identity Card.”

The United States of America is viewed as “exceptionally” conservative on the issue, First Point Global co-founder Jan Zeilinga adds.

“If you look at the United Kingdom government, they are pushing out assurance services to external entities.”

Options for higher-level authentication could include the bank’s favourite tool of SMS or a realm of biometric tools.

Yet despite its growing popularity, fingerprint scanning is no more secure than a Facebook login, Zeilinga warns, noting that it is difficult to get a fingerprint-based biometric system to an enterprise-enabled point.

“Logistically also it is quite hard to get everyone to go through a provisioning process for fingerprinting, which would be like a 100 point ID.”

Robins is also sceptical of the success of fingerprinting within the government sphere.

“It may be big brotherish if they say you can use your fingerprint to lodge your tax return.”

Voice printing, by contrast, is easy to do remotely. Robins says a lot of organisations such as health insurers and banks are already using voiceprint biometric scanning.

“Social media brokering can function as a good first level authentication up to a certain point for citizens.”

“Voice is not a future technology, government should embrace it,” Robins says. “It naturally fits into the call centre structure that they have in operation.”

Whatever road Government chooses to take to provide services online, the main message seems to be that it is the combination of risk factors that provides strong authentication.

“Not only do you do a Facebook sign in, but they also fingerprint the machine you are coming from and your behaviours, so if your behaviours are abnormal then the agency might prompt you for a stronger authentication, a stronger question or something else to get an assurance level higher,” Zeilinga explains.

“It is when you are just relying on one method, that you start pushing the boundaries of being over confident.”
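The combination of factors described above (a social sign-in, a machine fingerprint, behaviour, and a prompt for something stronger) can be written as a small decision function. This is an added example, not code from the article or from any agency or vendor quoted in it; the service names, level values and scoring rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assurance levels, lowest to highest (values are assumptions for this example).
LOW, MEDIUM, HIGH = 1, 2, 3

# Hypothetical services and the minimum assurance level each one demands.
SERVICE_MIN_LEVEL = {
    "read_notices": LOW,
    "update_address": MEDIUM,
    "lodge_tax_return": HIGH,
}
# Level earned by the sign-in method on its own.
METHOD_LEVEL = {"social": LOW, "verified_id": MEDIUM}
# Stronger checks the agency can prompt for, in the order they are offered.
STEP_UP_ORDER = ("sms_code", "voiceprint")


@dataclass(frozen=True)
class Session:
    method: str                      # how the user signed in
    known_device: bool               # machine fingerprint seen before
    behaviour_normal: bool           # behaviour matches the usual pattern
    step_ups_passed: frozenset = frozenset()


def assurance_level(s: Session) -> int:
    """Combine independent factors; a social login alone never exceeds LOW."""
    level = METHOD_LEVEL.get(s.method, 0)
    # Familiar machine AND normal behaviour together corroborate the login.
    if s.known_device and s.behaviour_normal:
        level += 1
    # Each recognised step-up factor that was passed raises the level by one.
    level += len(s.step_ups_passed & set(STEP_UP_ORDER))
    return min(level, HIGH)


def decide(service: str, s: Session) -> tuple:
    """Return ("allow"|"step_up"|"deny", factor to prompt for or None)."""
    required = SERVICE_MIN_LEVEL.get(service)
    if required is None or s.method not in METHOD_LEVEL:
        return ("deny", None)        # unknown service or method: fail closed
    if assurance_level(s) >= required:
        return ("allow", None)
    for factor in STEP_UP_ORDER:
        if factor not in s.step_ups_passed:
            return ("step_up", factor)
    return ("deny", None)            # nothing stronger left to ask for


if __name__ == "__main__":
    odd = Session("social", known_device=True, behaviour_normal=False)
    print(decide("update_address", odd))   # abnormal behaviour forces a prompt
```
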

Jason Ha, Dimension Data Australia security practice national manager


Typically large numbers of users make management in most public-sector organisations a special kind of challenge, but when those users are constantly mobile and often joined by itinerant employees, the task becomes positively treacherous.

For Fire and Rescue NSW (FRNSW), one of the world's largest fire and rescue services, the task has been made much easier with the implementation of an identity and access management (IAM) solution from NetIQ. Use of that company's Identity Manager has enabled IT staff to manage user information and access rights for nearly 14,000 full-time and volunteer fire fighters across 338 fire stations and 663 firefighting vehicles.

Enforcing access consistency for those kinds of numbers – especially given the 7000 volunteers with no formal organisational ties to FRNSW – would normally be a menacing task for most IT managers. But Malcolm Thompson, assistant director of IT infrastructure, says the use of an automated IAM platform has boosted security integrity and fostered management autonomy amongst its users.

“Capability is a key concept for us,” he explains. “We have to be 'can do' people, and we can't afford to waste time and effort on administration. Our role in IT is to set up automated systems that enable the business to manage its own assets. Identity Manager enables us to manage a huge set of users with just a handful of dedicated staff.”

FRNSW has just 10 dedicated employees managing identities across the organisation's IAM function, which has expanded over time from just supporting FRNSW's own users to support a new role in which they use the same platform to manage nearly 100,000 identities on behalf of other emergency-services organisations.

Those identities are delivered to organisations like NSW State Emergency Services and NSW Rural Fire Service, with built-in identity federation providing seamless links across myriad systems both inside and outside the organisation.

By positioning itself as a central service provider, FRNSW has become a “recognised centre of excellence for IT services,” Thompson says. “Our IT services depend largely on our ability to provision, manage and ultimately de-provision identities. We have a solid architecture in place, so provisioning new users is fast and easy.”

The concept of identity within the organisation has been expanded to refer to much more than just people: individual identities have been created for major assets such as the service's 663 firefighting vehicles. Thanks to integration with the service's automatic vehicle location (AVL) system and the turnout systems that alert fire stations to emergencies, those identities are also being used to track the status and location of each vehicle – assisting in optimising the organisation's response to emergencies.

Broadening of the concepts around identity is becoming “more and more” common as organisations consolidate and extend their IAM deployments, says NetIQ's Asia-Pacific identity, security and governance product/business manager Ian Yip.

“Organisations have a long-term view on this Internet of Things, and they're working to get frameworks in place to treat their stuff as objects,” Yip explains. “Objects will need accounts, permissions, policies, and access. Policies need to be applied because it can be difficult to manage, and you don't necessarily want to lock everything down.”

Despite their capabilities, IAM systems alone aren't a direct replacement for the large asset management databases, which Yip said tend to be “large lookup tables”. Instead, they can be used to integrate contextual information such as an identity's location, in order to drive the execution of related policies and procedures.

A location-based policy, for example, might allow certain levels of access for a particular identity when that identity is located in the company's home state, while restricting access to other resources when the identity is travelling overseas.

“The key word is context, and location plays a big part in it,” Yip says. “Contextual access control flows on from access control policies that need to be a bit more dynamic.”

Integration continues to challenge efforts to manage resources based on identity, with legacy systems presenting integration challenges even as the balance steadily shifts towards cloud-based systems with open, API-based interfaces.

“It's going to get better,” Yip says. “The more organisations go to cloud, they're going to need to expose a lot of the application they've got in place – the data – to other programmatic bits and pieces, exposing them to the infrastructure. When they start to do that, they generally build more standards into things so they will work out of the box more easily.”

One area where better integration will play a role is with the shift towards having social-media logins become increasingly usable for corporate purposes: for example, the NSW Fire and Rescue platform has also enabled the management of employees and non-employees who participate in FRNSW-sanctioned programs such as 'Waste the Waist' – an online-backed fitness education program through which over 1500 staff lost more than 2177kg in weight and 2391 centimetres off their waists.

Such identities may be tangentially related to the service's mission statement, but their integration into the platform reflects the many-headed approach that is now being taken towards identity. Social-media credentials will play an increasingly important role in such ancillary purposes, but Yip warns that they won't fully come into their own until there is broad access to federation standards.

“A lot of the discussions we're having with government are looking at how they can share services, and use certain services that one department has built and potentially leverage from technical and commercial standpoints.”

“Federated access controls and identity play a big part, and the government just needs to look at that and the open standards around federation to be able to do that a lot more easily and quickly.”

IDENTITY THE BURNING QUESTION FOR FIRE AND RESCUE NSW

NSW Fire Brigades Aerial Pumper. CC BY-SA 3.0 Bidgee


Models for proving identity online are all built around the secure distribution of public and private encryption keys, which are used as part of the unique digital certificates that are used to sign all manner of financial and other transactions.

The importance of those certificates cannot be overstated: as the basis for the Secure Sockets Layer (SSL) technology used within Web browsers, their protection and integrity are paramount. Hence the furore earlier this year, when it was discovered that a bug in the commonly-used OpenSSL encryption library could have allowed unknown snoopers to listen in on the exchange of digital certificates that aren't normally accessible.

Even as public and private-sector organisations continue to work through the implications of that 'Heartbleed' flaw, others are working to ensure that the mechanisms for protecting certificates – and the public's trust in them – remain intact. Importantly, this includes physical as well as virtual controls to ensure that carefully defined security procedures are not violated.

Unbeknownst to many, much of that physical protection is being managed through a nondescript Melbourne office building that is just one of four sites worldwide where identity-management giant Symantec – the world's largest issuer of digital certificates since it bought up industry pioneer VeriSign – manages and issues new organisational digital certificates.

The facility is normally tightly held under lock and key, but GTR recently had the opportunity to visit its deepest and darkest corners to find out just how this critical part of the identity story is maintained and managed.

The site serves several functions, including the maintenance of an 80-strong contact centre through which companies wanting to obtain a digital certificate must work their way. This is a long and complex process that involves the secure management of a dizzying array of documents, as well as layer upon layer of anti-fraud checks that require sharp-eyed staff to be on the lookout for discrepancies in identity-related credentials from dozens of countries around the Asia-Pacific region.

And there are discrepancies: efforts to obtain control over certificates through fraudulent means are commonplace, as are efforts to get new certificates issued in legitimate organisations' names. Faxed passport title pages with incorrect names, business registration papers with contact details falsified – in today's online economy, fraudsters will try anything to infiltrate services over which they have no legitimate claim.

Beyond the contact centre – where we go as we wave to the many cameras continuously recording every movement in this locked-down site – begins the series of physical controls through which employees must pass before they come even close to the heart of the facility.

Those controls include not only the ubiquitous cameras, but a series of three ASIO-rated doors where fingerprint scanning is the norm and complicated access rules prevent more than one person from passing at a time. Thermal sensors in the ceilings continuously count the number of people in the room and raise the alarm if it doesn't match the number that have correctly scanned into and out of the facility.
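The cross-check between the thermal head count and the door scans can be sketched as a small reconciliation routine. This is an added example, not a description of Symantec's actual system; the event format, the alarm names and the five-second grace period are assumptions, and the sample events are constructed.

```python
from collections import namedtuple

# One record per sensor reading or door scan. The format is an assumption.
Event = namedtuple("Event", "t source value")

GRACE_SECONDS = 5  # assumed time for a person to clear the doorway


def reconcile(events, grace=GRACE_SECONDS):
    """Return alarms as (time, kind, detail) tuples."""
    inside = set()          # people who scanned in and have not scanned out
    mismatch_since = None   # when the current disagreement was first seen
    alarmed = False         # one alarm per disagreement, not one per reading
    alarms = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.source == "badge":
            direction, person = ev.value
            if direction == "in":
                if person in inside:
                    alarms.append((ev.t, "DUPLICATE_ENTRY", person))
                inside.add(person)
            else:
                if person not in inside:
                    alarms.append((ev.t, "EXIT_WITHOUT_ENTRY", person))
                inside.discard(person)
            mismatch_since = None   # expected count changed: restart grace
        elif ev.source == "thermal":
            if ev.value == len(inside):
                mismatch_since, alarmed = None, False
                continue
            if mismatch_since is None:
                mismatch_since = ev.t
            if not alarmed and ev.t - mismatch_since >= grace:
                detail = f"sensor={ev.value} scanned={len(inside)}"
                alarms.append((ev.t, "COUNT_MISMATCH", detail))
                alarmed = True
    return alarms


# Constructed sample data, not taken from any real facility.
SAMPLE = [
    Event(0, "badge", ("in", "alice")),
    Event(1, "thermal", 1),
    Event(10, "badge", ("in", "bob")),
    Event(11, "thermal", 1),    # bob still in the doorway: within grace
    Event(13, "thermal", 2),
    Event(30, "thermal", 3),    # a third body nobody scanned in
    Event(33, "thermal", 3),
    Event(36, "thermal", 3),    # disagreement has lasted 6 s: alarm
    Event(40, "thermal", 3),    # same episode: no repeat alarm
    Event(50, "badge", ("out", "carol")),   # carol never scanned in
]

if __name__ == "__main__":
    for alarm in reconcile(SAMPLE):
        print(alarm)
```

The grace period is the tuning knob: set too short, every slow walk through a door raises an alarm; set too long, a real mismatch goes unreported for that long.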

Forget about trying to force your way into this facility: vibration sensors in the floors, walls and ceilings will pick you up well before you swing the sledgehammer a second time. Not that it matters: military-grade steel mesh is built into the ceiling of the facility.

Infrastructure inside the site has been equally well-considered, with cabling for security, data and power systems on separate trays that are out in the open with sensors to ensure nothing compromises their integrity. Fibre runs must be intact and unbroken as a matter of procedure.

Behind those doors is a team of specialists that work in a windowless room to provide technical support to customers around the world. And there, behind two further securely-locked and alarmed doors through which nobody can pass without the correct supervisor joining them, is a data centre in which several racks of servers stand next to two thick-walled steel enclosures.

“Don't call them safes,” senior principal systems engineer Nick Savvides tells us, although there is no other way to describe them. Inside are trays of USB keys on which the certificate authority's master digital certificates are stored.

THE REAL COST OF TRUST

BY DAVID BRAUE


These are, literally, the keys to the kingdom that is electronic commerce – the master certificates that are used to generate new root identities for e-commerce operators whose entire viability depends on the integrity of these systems.

Simply holding these keys, however, won't get you anywhere. The serialised storage devices are useless without being brought into yet another room – again, nobody is allowed in by themselves – where nondescript white walls and several computers sit waiting for what Symantec calls the Key Ceremony to begin.

Fittingly, the Key Ceremony requires the attention of the Key Master – a company employee who cannot be named – who facilitates the entire process of adding new certificates through complex, painstaking 'scripts' that can run to 600 pages or more and take two people eight hours or longer to complete.

Those scripts include specific actions that must be taken by each participant in the Key Ceremony. Food is forbidden in the room, water is limited, and toilet breaks require packing up everything in the room and locking it away before resuming. If a mistake is made, the certificate must be revoked and the process started over.

This procedure is carried out frequently, although neither Savvides nor the Key Master will say when, or even how often. Yet there they are: buried in that high-security facility in Melbourne, this team is the physical face of identity security – and a cornerstone of the entire idea of trust on the Internet.

(clockwise from left): New keys are generated in the Ceremony Room, a sparse and non internet-connected room behind five military-spec doors; The thickness of the glass alone confirms the level of security in place; USB keys are authenticated and used to prove identity during a Key Ceremony.