CASE STUDY: UK NATIONAL HEALTH SERVICE

HSCIC Case Study - Care Identity Services Overview. By Adam Lewis - [email protected] - @adamylewis, Nov 2014

Description: ADAM LEWIS, Head of Identity Management, Health and Social Care Information Centre (HSCIC), at the European IRM Summit 2014.

Transcript of CASE STUDY: UK NATIONAL HEALTH SERVICE

Page 1: CASE STUDY: UK NATIONAL HEALTH SERVICE

HSCIC Case Study - Care Identity Services Overview

By Adam Lewis - [email protected] - @adamylewis, Nov 2014

Page 2: CASE STUDY: UK NATIONAL HEALTH SERVICE

Ever wondered?

• Could you build an Identity Management and Smartcard Provisioning system yourself?

• And if you could, how you would turn that system into a service?

Page 3: CASE STUDY: UK NATIONAL HEALTH SERVICE

Background

Page 4: CASE STUDY: UK NATIONAL HEALTH SERVICE


Where are we today?

• Spine Identity Management Services, implemented to support CRS (NHS Care Records Service) applications, began in 2003

• 1.25 Million registered users

– ultimate expectation of 1.8 - 2 Million users

– 2500 registrations per week

– 500 new Smartcards issued per day

• 8k people performing identity proofing and verification, and issuing Smartcards

• Over 40k business sponsors

• >400k authentications a day

– >70k concurrent users

• >1,100 users performing certificate renewals per day

Page 5: CASE STUDY: UK NATIONAL HEALTH SERVICE

NHS environment

• Highly mobile workforce – thousands of organisations

• No standard use case; single PC, shared PC, roaming users, occasionally connected users must all be catered for.

• No control over the desktop and there is no standard client access device. Devices cannot be trusted - no networks are considered secure.

• IT maturity varies across organisations (e.g. Windows XP vs Windows 8)

• One size fits all does not exist!


Page 7: CASE STUDY: UK NATIONAL HEALTH SERVICE

The Challenge

Page 8: CASE STUDY: UK NATIONAL HEALTH SERVICE

Challenge

• Contract expiry
  – Externally provided managed service
  – Ageing architecture, heavily customised COTS products
  – 1 Million active users (big change = big risk)

• Which model?
  – Prime (single prime contractor)
  – SIAM (Service Integration and Management)
  – Internally delivered (DevOps)

Page 9: CASE STUDY: UK NATIONAL HEALTH SERVICE

Goals in new service

• Minimise onward cost exposure

• Retain control of information assets

• Ability to rapidly implement change

• User-centric design
  – Support governance, but do not hinder users

Page 11: CASE STUDY: UK NATIONAL HEALTH SERVICE

Identity Services System


Page 13: CASE STUDY: UK NATIONAL HEALTH SERVICE

Decision

• Prime (single prime contractor)
  – Cost prohibitive
  – Doesn't resolve existing issues
  – Incentives to deliver quality services and keep costs low aren't there

• SIAM (Service Integration and Management)
  – Insufficient maturity in the IAM services market?
  – Necessary suppliers didn't step up and offer the services we needed?

• Internally delivered (DevOps)
  – Higher risk/reward
  – More control, keeps options open

Page 14: CASE STUDY: UK NATIONAL HEALTH SERVICE

Problem…

Page 15: CASE STUDY: UK NATIONAL HEALTH SERVICE

Transition Risk

• Brownfield site, but a completely new product: 1 Million users could be denied access to NHS IT systems!

• Tier 1 services
  – Authentication (custom)
  – Directory Service (ForgeRock)

• Organisational capability
  – Traditionally provides 'assurance' of external services

Page 16: CASE STUDY: UK NATIONAL HEALTH SERVICE

Technical Solution

Page 17: CASE STUDY: UK NATIONAL HEALTH SERVICE

Scope (current system → target)

• User Identity Manager (Sun Java Identity Manager) → Care Identity Service
• Spine User Directory (Calendra Directory Manager) → Care Identity Service
• Organisations Migration Service (custom) → Care Identity Service (batch)
• Spine Security Broker (Sun Access Manager, Gemalto Access Server) → Care Identity Service (custom / legacy authentication)
• Card Management System (Intercede MyID) → Care Identity Service (custom CMS)
• Organisation Administration Service (custom) → OSCAR-to-Care Identity Service interface
• Spine Directory Service (Sun Java Directory Server) → Care Identity Service (OpenDJ)
• Enhanced Reporting Service (Business Objects) → Care Identity Service (custom / TBD)

Page 19: CASE STUDY: UK NATIONAL HEALTH SERVICE

Software used (software, where it is used, description)

• Microsoft Hyper-V (hypervisor for all CIS components): The hypervisor and its associated management products (System Center and Hyper-V Manager) provide virtualisation for all CIS components.

• CentOS (all CIS components): CentOS is the operating system for all CIS components.

• Tomcat (all CIS web applications): Tomcat is the J2EE web application server for all CIS web applications; its HTTP server capabilities are used throughout.

• Java (all CIS components): Java is the development language for all CIS web applications and the runtime environment for all CIS components, including the Directory Services.

• Spring (all CIS web applications): The Spring Framework and many optional Spring modules are used in all CIS web application components.

• jQuery (all CIS user interfaces): jQuery handles the asynchronous JSON requests between the user's browser and the CIS user interfaces.

• Hibernate (all CIS business and technical services): Hibernate provides the ORM (Object-Relational Mapping) for CIS.

• Redis (Authentication Services sessions): Redis stores the session of every user who successfully authenticates to CIS Authentication Services.

• PostgreSQL (database components): PostgreSQL is used for all relational storage across CIS.

• Apache ServiceMix (integration engine): Apache ServiceMix provides the integration and ESB capabilities within CIS for messaging-based integration with ESR (the NHS Electronic Staff Record) and OSCAR.

• OpenDJ (Directory Services): OpenDJ is the underlying product for all directory components.

• OpenIDM (synchronisation engine): OpenIDM provides synchronisation between the CIS relational repository and the CIS Directory Services.

• HAProxy (front-end termination): HAProxy is used across CIS for SSL termination, load balancing and HTTP reverse-proxying.

• Jenkins (development/build): Jenkins compiles and packages the web applications as part of the daily and release builds.

• Git (source configuration management): Git is used for configuration management of application source code.

• log4j (all CIS web applications): Log4j is used to send log messages for diagnostic, performance and error logging.

• Drools (CIS business services): Drools provides the underlying rules-evaluation capability within CIS.

• Apache HTTP Server (infrastructure): Apache HTTP Server provides forward-proxying for outgoing HTTP messages originating from CIS.
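As an added example, not configuration taken from the CIS project or from the original slides, the HAProxy fragment below (HAProxy 1.5 or later syntax) shows the three roles the software list gives HAProxy: SSL/TLS termination, load balancing and HTTP reverse-proxying in front of Tomcat nodes. The hostnames, IP addresses, certificate path, the /auth path prefix and the health-check URLs are assumed placeholders. The hardening lines follow the earlier slide's premise that no network is considered secure: plaintext requests are redirected to HTTPS, old protocol versions are disabled and HSTS is set on every response.

```haproxy
global
    log /dev/log local0
    maxconn 20000
    # TLS defaults applied to every "bind ... ssl" line below:
    # refuse SSLv3/TLS 1.0/TLS 1.1 and restrict to forward-secret AEAD suites.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor        # add X-Forwarded-For so Tomcat logs the real client address
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend cis_https
    # TLS terminates here; the PEM file (assumed path) holds cert chain + private key.
    bind *:443 ssl crt /etc/haproxy/certs/cis.example.pem
    bind *:80
    # Any request that arrived in plaintext is bounced to HTTPS before routing.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Tell the Tomcat applications the original scheme so they build https://
    # URLs and mark session cookies Secure.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Reverse-proxy by path: the authentication service gets its own pool
    # (assumed /auth prefix); everything else goes to the web application pool.
    acl is_auth path_beg /auth
    use_backend cis_auth if is_auth
    default_backend cis_web

backend cis_auth
    balance roundrobin
    option httpchk GET /auth/health    # assumed health endpoint
    # No cookie stickiness: authenticated sessions live in Redis, so any
    # node can serve any request and a node can be drained at will.
    server auth1 10.0.1.11:8080 check
    server auth2 10.0.1.12:8080 check

backend cis_web
    balance roundrobin
    option httpchk GET /health         # assumed health endpoint
    server web1 10.0.2.11:8080 check
    server web2 10.0.2.12:8080 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. Because the slides place authenticated sessions in Redis rather than in Tomcat memory, the backends need no cookie-based stickiness; that is what makes rolling restarts of individual nodes behind the proxy safe for a population of concurrent users.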

Page 20: CASE STUDY: UK NATIONAL HEALTH SERVICE

Final thoughts

• Has the project been successful?
  – Application is built and functional
  – Effort can be placed where we want, not driven by market-led product roadmaps
  – Launch imminent

• Internal delivery means direct relationships are a necessity
  – Specialists more invested in success
  – Greater control over risks
  – Better access to experts
  – This is great while building a technical solution, but it also means complexity in service delivery

Page 21: CASE STUDY: UK NATIONAL HEALTH SERVICE

Thanks for listening

Page 22: CASE STUDY: UK NATIONAL HEALTH SERVICE

Care Identity Services Demo (time permitting)