Paul Laurent, Oracle’s Director of Cybersecurity Strategy, Public Sector, was one of our speakers at the GovDefenders Cybersecurity Virtual Event. He has graciously returned to talk to us about public sector cybersecurity for National Cybersecurity Awareness Month. The following Q&A is part two of a three-part series where we talk citizen privacy and the concept of Identity-as-a-Service. Part one focused on NIST, FICAM, and the Federal and SLED sectors. You can read it here.

DLT: In today’s security environment, agencies now have to be wary about citizens’ privacy concerns. How would you respond to them, especially when talking about centralizing their information?

Laurent: This is a case where the right tools and the appropriate approach can work wonders.

The key to maintaining privacy while going down a path of centralization is to carefully select and control what data we collect and correlate. I like to call this building a “Golden Record” for individuals. The “Golden Record” is the most complete, accurate, up-to-date understanding of who you, as an individual, told state and local organizations you are.

It’s important to note that the Golden Record isn’t a data warehouse or a superset of all citizen data. In fact, requirements behind HIPAA/HITECH, FERPA, IRS 1075, CJIS, etc. provide substantial boundaries for regulated data stewards contemplating such a superset.

What the Golden Record aims to do is give you a “one stop shop” that provides correlations between your identity at different departments and agencies. That correlation helps us better understand your needs from government so we can suggest useful programs and services, reduce waste and fraud, and provide benefits in a more timely and convenient manner.

You can often achieve this vision without ever having to rely on identity attributes that are considered sensitive. Just correlating your public (i.e. “phonebook type”) information from different points of contact with government, we can glean a much better context and understanding for how government can serve you and what your needs are. And we can do this without asking you for new or sensitive information or building a gigantic, risky superset of all your information.

There are many parameters to building a Golden Record correctly, but here are some key notions:

  • Ideally only operates on public, non-sensitive, non-regulated information
  • Achieved just by correlating authentication information (your answer to the question “Who are you?”)
  • For compliance/security reasons, often architected leaving authorization to backend systems. This way, sensitive data and the ability to attest to compliance requirements stays with the backend organization
  • Just involves information gleaned from interactions with individuals in the common course of business. That is, we are not searching out or harvesting new information about people
  • Leverages Master Data Management and Identity Analytics tools

DLT: In your Gov Defenders presentation, you briefly mention the idea of “Identity-as-a-Service.” Can you please elaborate on that?

Laurent: Identity-as-a-Service (IDaaS) can refer to different aspects of exposing identity management capabilities as a shared or managed service. I would contend that in the context of state and local government, IDaaS is best realized as a centralized authentication service with some supporting services to extend its value where desired.

We previously discussed the compliance reasons for leveraging centralized authentication without authorization, but there are additional value propositions to consider when looking at IDaaS.

First, the traditional “siloed” approach to identity management almost immediately begins to reach diminishing returns. Under the siloed approach, every time we stand up a new system that doesn’t leverage a shared identity store, what did we just do? We gave ourselves another identity store to integrate with the rest of our identity and access footprint, another store to administer, track and manage, and if mismanaged, those identities can become security threats to our enterprise and sensitive data.

With authentication, all we’re trying to do is answer the question “Who are you?” Should that answer change from system to system? Should our understanding of whether you are who you say you are change? No. So why build multiple repositories and identity stores that may begin to give different answers to that exact question?

This centralized authentication approach to IDaaS allows us to derive a contextual understanding of identity that we can derive utility and deeper understanding from. IDaaS leads to more accurate identity data, providing robust identity management capabilities to even very small and less mature organizations, more contextual understanding of government’s relationship to each and every person, and the capturing of more opportunities to better serve our constituents.

Tomorrow, we’ll talk with Paul about the private sector, foreign cybersecurity, and the future.