Featured Interview with the Province of British Columbia

Last December ICF Executive Director Drummond Reed spent a day in Victoria, B.C. with the identity management team in the Office of the CIO for the Province of British Columbia, including Ian Bailey, the Executive Director of Architecture and Standards, Charmaine Lowe, Director of Information Standards, and Patricia Wiebe, Senior Identity Architect. The following interview is based on many of the topics they discussed.

Q: Let’s start with the big picture: when did your office first begin to focus on identity management?

A: Back in 1996 we determined that identity management was going to be key to developing a shared services approach for the delivery of IM/IT services for government and started a program to develop a corporate identity management. Technology was a real barrier for us at that point, but with the release of Windows Active Directory in 2000 we were able to consolidate most of our directories into a single centralized domain for government workers.  Also at that time we were building our first version of an authentication service to support government’s interactions with businesses and citizens, and in 2002 we started our BCeID identity provider service.  We learned a lot from those first efforts, particularly that directory-centric solutions were not going to work in the long term.

Q: So you’ve been at this a long time. Overall, what are the goals of your IdM program, i.e., what’s your vision for what IdM can do for the BC government and the people of the province?

A: Our goals for our IdM program are to enable the delivery of high value electronic services to our citizens and businesses and to enable information sharing among the thousands of public and private sector organizations that help to deliver public services, such as health care, justice, education, social services, and the natural resources sector.  We believe that a federated, user-centric, claims approach will help us reach these goals.

Q: When did you first start to focus on Information Cards as part of the solution?

A: We had learned from our work with our enterprise directory and our BCeID service that this directory-centric approach was not going to scale and wouldn’t meet our or our citizens’ expectations of privacy protection.  We couldn’t expect everything to be connected to our directories using LDAP or proprietary SSO technology.  In 2006 we engaged our major software suppliers and the lead architects from our larger public sector organizations in the development of an architecture that met our non-functional requirements around security, scalability, privacy and user experience and our functional requirements relative to the goals of our IDM program (services to citizens and information sharing).  In this forum we developed a set of requirements, an architecture that met these requirements, and an analysis of what technologies or emerging technologies might be used in implementing the architecture.  Information Cards and the associated protocols were the best fit to the requirements and architecture.

Q: What was it about Information Cards and IMI (Identity Metasystem Interoperability, the technical protocol) that attracted you?

A: Besides the fit to requirements and architecture noted above, the real world analogy of cards and the card selector to our wallets, the scalability promise with loose coupling, phishing prevention, and its inherent home realm discovery service.

Q: What’s been your experience with Information Cards and IMI so far?

A: So far we have only used Information Cards and IMI in a few pilots and only internally or with a select few partners – but not citizens yet, so our experience is limited.  Overall I think it’s quite frustrating that we and the industry haven’t moved faster on this... the 10 years we thought it would take is coming up pretty quickly... 2016.

Q: What products do you use in your deployments?

A: So far we have been using Microsoft’s “Geneva” Server (now called Active Directory Federation Server (ADFS) 2.0), “Geneva” Framework (now called Windows Identity Foundation) and CardSpace through the Microsoft “Geneva” TAP program.  We have enterprise-wide usage of the CA SiteMinder web SSO product, and plan to integrate Information Cards with that.

Q: If the OASIS IMI Technical Committee could grant you just three wishes for IMI, what would they be?

A: We’d like a mechanism to deal with structured claims like address, which has many parts.  Also, the ability to use SAML 2 tokens in IMI, which we hear is in the works right now.  Finally we’d like to encourage work on a web services authentication profile, so we have an Identity Metasystem that can support multi-tiered environments – we think that may require IMI to have support for WS-Trust request security token collection.

Q: You have published some outstanding educational materials online. What are some of the ones you would particularly recommend to ICF members and others reading this article?

A: The best one is the Education Module found here: http://www.cio.gov.bc.ca/cio/idim/index.page.  It is a Flash-style interactive presentation that explains where we’re going and describes our user-centric claims-based architecture.  The IDM forum documents referred to earlier are found here: http://www.cio.gov.bc.ca/cio/idim/idm_forum.page.

Q: What advice do you have for other governments and government agencies who are looking at adopting federated identity management solutions?

A: Definitely adopt the open standards approach, do some technology proof of concepts and pilots to develop an implementation strategy, and start working on an identity assurance framework and associated standards.

Q: Tell me about your experience with identity assurance. What role do you see it playing in BC’s identity management infrastructure?

A: Identity Assurance is foundational for identity federation, as it establishes trust between the organizations, but it is a real challenge given the variability in each organization’s processes, technologies, and policies.   We have made progress in developing our framework and standards, but it remains to be seen how this will play out as we federate amongst our organizations.   We also think that by implementing the identity assurance standards we will start to do a much better job of information classification and risk management as we design and develop new services.

Q: What’s your view of the approach that the U.S. government, and in particular the ICAM Subcommittee of the U.S. Federal CIO Council, is taking with their Open Identity Solutions for Open Government initiative?

A: We really like their approach, but we do have some differences in our thinking.  We think our holistic approach for both citizen services and information sharing amongst public bodies sets us apart from most other approaches.

Q: Do you think open identity solutions like Information Cards are something that BC citizens will embrace?

A: I think it depends on what services are available for them to use – if there are some compelling high value services for them AND the user experience is familiar, then yes, I think so.  But there are some real barriers to this given the high assurance requirements for these high value services, such as identity proofing and strong authentication technology.  If we all had a smart card in our wallets that we could use as easily as we use our driver’s license in the real world, then we could deploy these services now.

Q: I understand you will be participating in the OASIS IMI Interop at RSA 2010 in San Francisco (March 2-4)? What are your goals there?

A: Yes, we are planning to contribute an identity provider to the interop event.  This helps us inform our thinking to develop our standards and solutions now.  Also we are excited to help others to see how this technology can be applied to help deliver high value e-government services to their citizens and businesses.  We can’t do this “Identity Metasystem model” alone.  We need to figure out how to interoperate across diverse organizations and influence how this needs to be part of the Internet.

Q: Any other final thoughts that you’d like to share with ICF members and the open identity community?

A: We encourage others to consider the holistic approach that we have taken to apply this architecture to both internal and external users and services.

Information Card Foundation Copyright 2009-2011 ©