Identity management (IM) problems faced by governmental IT departments the world over have sometimes been referred to as “Identity Management Mismatch Challenges”. The use of the word mismatch here is telling: traditionally, processes and procedures in municipalities (and other governmental and public sector organizations) are often “mismatched” in relation to the latest technology trends and modern management architectures. Why?
The issue is that IT managers in municipalities, while aware of possible solutions, frequently lack time and money to implement new automation tools and processes necessary to manage identities more efficiently. This can be simply due to a lack of awareness of the options and resources actually available to IT managers and decision makers on the ground, who may not have the opportunity to seek these out for themselves. They’re often facing budgetary constraints and bureaucratic red tape too. To an outsider, bureaucracy is a classic case of the left hand not knowing what the right hand is doing. And so, the public sector is often described as a laggard.
Norway’s public sector is a case in point. Some of the biggest challenges facing Norwegian municipalities include:
- Large variation among ICT goals, strategies, means and measures across municipalities
- Imprecisely stated ICT goals
- Large variation in how ICT projects are described in budgets
- Almost no focus on cooperation and collaboration across sectors, even within the ministerial sector
- ICT to a large extent being conceived as a tool, and not as a service, infrastructure or in collaboration with other stakeholders
- Great variations in the different roles and functions that ICT has across agencies and sectors
IM challenges for IT managers in Norwegian municipalities
IT managers are in charge of several tasks when it comes to managing identities: passwords, encryption and digital signatures, directories, privacy, authentication, provisioning, and data confidentiality agreements. They often face similar challenges in relation to efficient identity management:
Basic level tasks
They spend an inordinate amount of time managing user identities at a very basic level, such as resetting passwords or issuing usernames. This takes up valuable time which could be used to look for ways to maximize efficiency. This is especially relevant during "high-season" after vacation and when school starts up again.
IT managers often coordinate and communicate with disparate systems that are not centralized under one umbrella (e.g. school, health, prison, pension, etc). For instance, a social worker may be responsible for an individual's disability payments but not have legal authorization to access that person's records to confirm their status, or ascertain whether they may be a welfare cheat.
Managing multiple devices
They manage a plethora of devices such as laptops, tablets, smartphones, and more. These include not just government-issued devices but also BYOD, with some users having multiple devices and many using them off-site too. Unless there is an automated system to manage these devices, the IT manager must rely on trust and on manual, paper-based (check-box) processes.
Lack of communication between departments
Different departments and sectors often forget to include IT when executing their administrative tasks. As a result, IT managers have to spend a lot of time trying to catch up with identity management-related events in different departments. For instance, Human Resources may create a new user in their system when onboarding or offboarding an employee, which directly affects identity management for the IT department, who unfortunately never hear about it. This poses a potentially serious cyber security risk.
In short, a lot is done manually, accompanied by reams of paperwork, with a low level of connectivity between different departments and systems.
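The HR-to-IT gap described above can be checked mechanically by reconciling an HR export against the directory's account list. The sketch below is an added example, not Lumagate's product code; the record fields, finding names and sample data are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample exports (assumed field names, not from the article).
HR_RECORDS = [
    {"employee_id": "1001", "name": "Kari Hansen", "status": "active", "end_date": None},
    {"employee_id": "1002", "name": "Ola Berg", "status": "terminated",
     "end_date": date(2024, 5, 31)},
    {"employee_id": "1003", "name": "Nina Lie", "status": "active", "end_date": None},
]
DIRECTORY_ACCOUNTS = [
    {"username": "khansen", "employee_id": "1001", "enabled": True},
    {"username": "oberg", "employee_id": "1002", "enabled": True},  # left, still enabled
    {"username": "svc-old", "employee_id": None, "enabled": True},  # no HR owner
]


def reconcile(hr_records, accounts, today):
    """Return sorted (finding, subject) pairs where HR and the directory disagree."""
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    have_account = set()
    findings = []
    for acct in accounts:
        hr = hr_by_id.get(acct["employee_id"])
        if hr is None:
            # Enabled account that maps to nobody HR knows about.
            if acct["enabled"]:
                findings.append(("ORPHANED_ACCOUNT", acct["username"]))
            continue
        have_account.add(hr["employee_id"])
        # A past end date counts as "left" even if the status was never updated.
        left = hr["status"] != "active" or (
            hr["end_date"] is not None and hr["end_date"] < today
        )
        if left and acct["enabled"]:
            findings.append(("LEAVER_STILL_ENABLED", acct["username"]))
    for emp_id, hr in hr_by_id.items():
        # Active employee HR onboarded but IT never heard about.
        if hr["status"] == "active" and emp_id not in have_account:
            findings.append(("JOINER_WITHOUT_ACCOUNT", hr["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, date(2024, 6, 15)):
        print(f"{finding}: {subject}")
```

Run on a schedule, a report like this turns "IT never hears about it" into a reviewable list of accounts to disable or create.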
Barriers to the creation of a common IM platform
62% of respondents in Symantec’s “Identity Management: The Next Generation of Security” survey of state and local government employees were confident in their organization’s IM process. Meanwhile, just 22% said that implementing a cohesive citizen identity management platform was a high or critical priority. The greatest barriers to the creation of a common IM platform included budget constraints, lack of IT personnel, bureaucratic inertia, lack of a coherent identity management strategy and inefficient procurement processes.
The future of IM for the public sector
In order to automate IM, municipal IT departments will need to address a number of issues. They will need to seek a solution for the replication of data across multiple directory server instances and they will have to ensure secure storage of identity data with varying levels of authentication and authorization (including SSL, StartTLS, and certificate-based). This would include the capacity to protect personal passwords using encryption and advanced access control security policies. They will need to develop password schemes that govern not just passwords, but also deal with account lockouts and notifications of status.
A move into IM for the public sector would also entail the ability to delegate authentication to another LDAP directory service, such as Active Directory, incorporating a feature called pass-through authentication. In addition, in progressing towards the automation of IM, municipal IT departments would be able to set up custom alerts to inform administrators of specific directory service events such as password expiration, disabled access controls and detected corruption of the backend database.
In short, automating IM will streamline operations to allow municipality IT departments to increase their focus on core business.
At Lumagate, we have been working with municipalities for many years to develop an identity management solution specifically tailored to their needs, that solves many of the challenges municipalities and merged municipalities face today: Lumagate One Identity = One user, one password, one Identity.
Read more about Lumagate’s identity solution for municipalities here: https://www.lumagate.com/identity (also in Norwegian)
Thorstein Rinde works as Account Manager at Lumagate Norway and focuses especially on public sector.