Identity and Access Management - CourtStack


Page 1

#CTC2019

Identity and Access Management: How Do I Know You Are Who You Say You Are?

Snorri Ogata, Chief Information Officer, Los Angeles County

Tricia Penrose, Director Juvenile Operations, Los Angeles County

Mike Baliel, Chief Information Officer, Santa Clara County

Page 2


Strategic Context

Snorri Ogata

CIO, Los Angeles

Identity and Access Management, slide 2, September 12, 2019

Digital Eco-System (figure; source: Gartner)

Page 3


What is Identity Management?


The management of individuals and principals, their authentication, authorization, and privileges within or across system and enterprise boundaries.

Page 4


Identity Management in the Real World


Restaurant Reservations

Online Banking

Fantasy Football

Online Purchases

Performance Mgmt System

Remote Case Access

Page 5


Why Do We Need IAM?

• Protecting the individual and the court

• Improved user experience
  • Single sign on

• Improved information sharing

• Increased productivity / decreased costs

• Foundation to a digital court eco-system
  • Courts
  • Partners
  • Vendors


If the Court is confident it knows who you are, we can create new personalized experiences.

Page 6


Digital Court Eco-System. Powered by: Court + Technology Architecture + Service Providers

• Electronic Filing

• On-line Payment

• On-line Reservations

• Remote Privileged Access

• On-line Document Assembly

• Remote Appearances

• Online Dispute Resolution

• Digital Evidence Management

• Etc…


Identity Matters

Page 7


History of Identity Management and the Courts

Year | Milestone | Endorsing Organizations
2005 | Global Federated Identity and Privileged Management (GFIPM): justice technology framework for sharing information | U.S. Department of Justice Global Advisory Committee (incl. COSCA, NACM, NCSC)
2005 | OpenID authentication protocol developed | Symantec, Microsoft, AOL, Sun Microsystems, …
2006 | OAuth begins as an implementation of OpenID | Twitter
2007 | OpenID 2.0 | Yahoo, Microsoft, Verisign, …
2010 | GFIPM Implementation Guide v1.0 | Global
2012 | Global Reference Architecture v1.9.1: information sharing guidance | Global
2012 | OAuth 2.0: defines protocol for authorizing services for a user | Google, Microsoft, Apple, Facebook, …
2014 | OpenID Connect: built on top of OAuth 2.0 and defines authentication | Google, Microsoft, Amazon, …
2018 | National Identity Exchange Federation: implementation arm for GFIPM frameworks | Global (endorses OAuth 2.0 and OpenID Connect)


Page 8


What Triggered Identity Management in CA?

CA Rules of Court (CRC)

• Remote Access to Court Records rules were ambiguous for non-public use cases

• CRC 2.515 (et seq) modified to recognize entitled users, which includes:
  • Parties
  • Attorneys
  • Legal aid organizations
  • Government agencies
  • Designees (delegated access)
  • A few others

• CRC 2.523 further states courts must: (a) verify the identity (b) (using) a statewide … identity management … system”

Opportunity

• Statewide E-Filing efforts saw benefit of authenticated users

• Other Service Providers working on integrating identity management:
  • Remote Appearance
  • Court Reservations
  • Traffic Recurring Payments


Page 9


Identity in Action: Los Angeles County Justice Partner Portal (CA Innovation Grant)

The Pilot

• Privileged remote case access to case information (data/documents) based on a user’s identity and claim.

• Case Types Currently Supported:
  • Juvenile Dependency
  • Family Law
  • Probate
  • Adoptions
  • Traffic
  • Mental Health

In the numbers

Number of Agencies/Orgs: >40

Number of Hospitals: >40

Number of Registered Users: >8,000

Active Users per Mo: ~5,000

Monthly Utilization per Mo:
  Searches (case/name): >300K
  Document views: >300K

“Off hours”* utilization: >15%
* Evenings, weekends and holidays


Page 10


Information Technology Advisory Committee: Identity Management Workstream

Policy Track

• Make Recommendations on Implementation Policies

• Provide direction to Technology Track

• Communications and Alignment with key stakeholder groups

• Members:
  • CEOs, Judges, Operations (incl. Tricia Penrose) and me

Technology Roadmap Track

• Establish Technology Standards

• Develop Adoption Roadmaps and provide technical assistance:
  • Courts
  • Service Providers
  • Justice Partners

• Members:
  • Court CIOs (incl. Mike Baliel) and Judicial Council IT


Page 11


Policy Implications

Tricia Penrose, Juvenile Director

Superior Court of California, Los Angeles

Page 12


Identity Authentication Authority

Alternatives Explored:

Social: Open Table (reservation service provider) and Facebook (Identity Provider)

✓ Branch: identity is centrally controlled, similar to financial institutions

✓ Federated: Enter into agreements with (certain) organizations to authenticate users

Recommendation: The Judicial Branch will be the authentication authority for public facing (B2C) users. MOU partners will be Federated (B2B).

Which seems more secure?

Page 13


Multi-Factor Authentication

Alternatives Explored

Single Authentication: ID and password only.

✓ Multi-Factor Authentication: ID and password PLUS use of a secondary form of digital identity. Can be: confirmation code, authenticator app, text message, email, …

Recommendation: Use Multi-Factor authentication everywhere

Page 14


How to Link Digital and Physical Identities? (identity proofing)

Use cases explored:

✓ Litigant: Transactional or Physical

✓ Attorney: State Bar

✓ Government Agency*: Federated AD

✓ Other*: Azure B2B

* Note: Identity proofing is responsibility of partner through MOU.

Recommendation: Digital Identities (for certain services) should be proofed and/or validated by an external source.

Page 15


Who has the Authority to Delegate Identity?

Use cases explored:

✓ Litigant: On their authority

✓ Attorney: On their authority

Government Agency: No. All access controlled by Agency.

Other: No. All access controlled by Organization.

Recommendation: Allow litigants and attorneys the ability to temporarily delegate their access levels to another registered user.

Page 16


What Protections should IAM provide to Delegators?

Alternatives explored:

• No protections: Caveat emptor.

• Identity based: State Court identity required.

• Time based: Access must be renewed periodically.

• Audit based: Delegate access shall be visible to delegator.


Recommendation: Delegated access should be reaffirmed every six (6) months and Delegator should have visibility of delegee activities.
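The three protections on this slide (identity based, time based, audit based) can be enforced together in a small piece of policy code. The following is an added example written for this page, not the Branch's or the Justice Partner Portal's implementation; the registry, the function names, and the choice to count "six months" as 183 days are assumptions.

```python
"""Delegated access with identity-, time- and audit-based protections.

Illustrative code added to the transcript; the data structures, names and the
183-day reading of "six (6) months" are assumptions, not the Branch's design.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

REAFFIRM_INTERVAL = timedelta(days=183)  # assumed day count for "every six (6) months"

# Constructed registry of Branch court identities: email -> primary affiliation type.
REGISTERED_USERS = {
    "alice@example.org": "litigant",
    "bob.paralegal@example.org": "other",
    "carol.esq@example.org": "attorney",
}


@dataclass
class Delegation:
    delegator: str
    delegate: str
    access_level: str   # the delegator's own access level, lent temporarily
    reaffirmed_on: date  # date of the grant or of the last reaffirmation


@dataclass
class AuditEvent:
    when: date
    delegator: str
    delegate: str
    action: str


def create_delegation(delegator: str, delegate: str, access_level: str, today: date) -> Delegation:
    """Identity-based protection: only litigants and attorneys may delegate (slide 15),
    and the delegate must already hold a registered court identity."""
    if REGISTERED_USERS.get(delegator) not in ("litigant", "attorney"):
        raise PermissionError(f"{delegator} is not a litigant or attorney and may not delegate")
    if delegate not in REGISTERED_USERS:
        raise PermissionError(f"{delegate} has no registered court identity")
    return Delegation(delegator, delegate, access_level, today)


def is_active(grant: Delegation, today: date) -> bool:
    """Time-based protection: the grant lapses once the reaffirmation interval has passed."""
    return today - grant.reaffirmed_on < REAFFIRM_INTERVAL


def reaffirm(grant: Delegation, today: date) -> Delegation:
    """The delegator re-affirms the grant, restarting the interval."""
    grant.reaffirmed_on = today
    return grant


def use_delegated_access(grant: Delegation, today: date, action: str,
                         audit_log: List[AuditEvent]) -> bool:
    """Gate an action taken under the delegation; every attempt, allowed or not,
    is recorded against the delegator so the delegator can see it (audit-based)."""
    if not is_active(grant, today):
        audit_log.append(AuditEvent(today, grant.delegator, grant.delegate, f"DENIED (lapsed): {action}"))
        return False
    audit_log.append(AuditEvent(today, grant.delegator, grant.delegate, action))
    return True


def delegator_view(audit_log: List[AuditEvent], delegator: str) -> List[str]:
    """What the delegator is shown: only events taken under their own delegations."""
    return [f"{e.when} {e.delegate}: {e.action}" for e in audit_log if e.delegator == delegator]


if __name__ == "__main__":
    log: List[AuditEvent] = []
    grant = create_delegation("alice@example.org", "bob.paralegal@example.org", "party", date(2019, 9, 12))
    use_delegated_access(grant, date(2019, 10, 1), "view case 18-FL-012345", log)   # allowed
    use_delegated_access(grant, date(2020, 4, 1), "view case 18-FL-012345", log)    # lapsed, denied
    for line in delegator_view(log, "alice@example.org"):
        print(line)
```

The denied attempt is logged as well as the allowed one: a delegator who sees a lapsed delegate still trying to use the grant learns something they would want to know before deciding whether to reaffirm.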

Page 17


What Identity Attributes are Sharable?

Alternatives Explored:

No sharing

Share everything automatically

✓ Minimize what is shared

✓ User controlled sharing

Minimum Identity Attributes:

• name: Personalized experience

• email: Unique identifier

• primary affiliation type: Access control

• primary affiliation authority: Security

• mobile / alt email: Password recovery, communications

Recommendation: Clearly define minimum identity attributes and empower user to control sharing.

Page 18


How to Drive Vendor Adoption?

Use cases explored:

Optional: Vendors encouraged to utilize.

✓ Mandatory: Vendors mandated to utilize.

Recommendation rationale:

• Vendors are biased to “what’s best for them.”

• The consumer benefits from their single identity unlocking capabilities to a multitude of services (single sign on)

• Precedent set with statewide E-Filing RFP which required utilization of branch identity solution.

• Superior Court of Los Angeles County is already including it in RFPs, with no resistance.


Recommendation: Include provisions in Digital Court RFPs that mandate use of Branch Identity Management.

Page 19


Technology Implications

Mike Baliel, CIO, Superior Court of California, Santa Clara County

Page 20


Why Microsoft Identity Management?

• Standards support: OpenID Connect and OAuth 2.0

• Cloud-based + FedRAMP blessed

• On the right “lists”:
  • Gartner Magic Quadrant
  • Forrester Wave

• Cost:
  • B2B use cases: included with O365 subscription (if applicable), FREE
  • B2C use cases: very affordable, ~$0.0026 / authentication (1M authentications / month = $2,600; first 50,000/mo are free!)

• Flexible: Social or Branch as the Identity Provider

• Existing contracting vehicle (simplified procurement)


Page 21


Two Types of Identities

B2B

• Justice Partners

• Federated Identity Management (with O365), or Partner Managed through the Branch IAM utility

• Authentication Authority: Justice Partner

B2C

• Litigants, Attorneys, Other Parties, Public, Media

• Simple registration process with the Branch

• Authentication Authority: Judicial Branch

Page 22


Identity Management in Action (diagram)

Actors: the user, the Service Providers, and Azure Identity Management (AIM). AIM handles Authentications and Identity Management; Authorizations / Privileges stay with the Service Provider.

1. User to Service Provider: “I want to see case 18-FL-012345”

2. Service Provider: “Let me confirm you are who you say you are. Please log in with your (preferred) identity provider.”

3. AIM (Authentications): “Yep! Successful log-in. You currently work for the DA.” / “You are authenticated. You are an attorney.”

4. Service Provider (Authorizations / Privileges): “What info can you see?” / “You can see this data and these documents.”

5. Service Provider to user: “Here you go!”

Page 23


Authentication vs Authorization

Authentication (required)

• Handled by the Branch identity management system.

• Simple ID/password challenge

• Authentication source:
  • Branch Identity (B2C)
  • Federated Identity (B2B)

• Multi-factor requires an additional source (e.g., code, application, device, …)

Authorization (as needed)

• Handled by the Service Provider.

• Typically driven by a “claim” (a set of attributes about a person)

• Sample claim attributes:
  • Affiliation with an MOU organization
  • Existence of an authorizing code
  • Active bar membership
  • Active affiliation with a case

Page 24


How to Authorize with Justice Partners

• Data Controlled
  • Micro-service
  • Examples:
    • Party to the Case
    • Active association

• Justice Partner Controlled
  • Graph API
  • Interrogate Partner Active Directory
    • Part of Attorney group
    • Part of Juvenile Social Worker group

Diagram: Court Identity feeds Court Access (aka JPP), which makes the Authorization decision from two inputs: a Claim (data) from the Virtual CMS, and a Graph API query of the Justice Partner Active Directory (JP managed authorization).
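Slides 23 and 24 together describe the decision a service provider has to make once the Branch has authenticated someone: authorization is driven by claim attributes (affiliation, active bar membership, active affiliation with a case) and comes from two sources, the data-controlled micro-service over case data and the justice-partner-controlled group membership reached through the Graph API. The block below is an added example written for this page, not JPP code: the claim names, the stub CMS records, the partner GroupIDs and the group-to-case-type policy table are all constructed, and the Graph API call is replaced by a dictionary lookup that returns what such a query would.

```python
"""Claims-driven authorization for a court service provider (added example).

Authentication has already happened in the Branch identity system; what arrives
here is the set of claims it issued. The service provider owns the decision.
Claim names, case records, GroupIDs and the policy table are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed stand-in for the data-controlled micro-service over the virtual CMS.
CMS_CASES = {
    "18-FL-012345": {"type": "Family Law",
                     "parties": {"alice@example.org"},
                     "attorneys_of_record": {"carol.esq@example.org"}},
    "19-JD-000777": {"type": "Juvenile Dependency",
                     "parties": set(),
                     "attorneys_of_record": set()},
}

# Constructed stand-in for the justice-partner-controlled source: the members a
# Graph API group query would return. Keys are the GroupIDs the partner handed
# the service provider at on-boarding (placeholder values).
PARTNER_GROUPS = {
    "GROUPID-DA-ATTORNEYS": {"dan.dda@da.example.gov"},
    "GROUPID-DCFS-SOCIAL-WORKERS": {"sam.sw@dcfs.example.gov"},
}

# Assumed partner-managed policy: which groups may see which case types.
GROUP_CASE_TYPES = {
    "GROUPID-DA-ATTORNEYS": {"Family Law", "Juvenile Dependency"},
    "GROUPID-DCFS-SOCIAL-WORKERS": {"Juvenile Dependency"},
}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def member_groups(email: str) -> Set[str]:
    """Stand-in for 'which of the on-boarded partner groups is this user in?'."""
    return {gid for gid, members in PARTNER_GROUPS.items() if email in members}


def authorize(claims: Dict, case_id: str) -> Decision:
    """Decide whether the authenticated user described by `claims` may see `case_id`."""
    d = Decision(False)
    # Branch policy is MFA everywhere; the OIDC 'amr' claim (RFC 8176) records how the
    # user authenticated, and "mfa" is the value used here (assumed to be present).
    if "mfa" not in claims.get("amr", []):
        d.reasons.append("MFA not satisfied")
        return d
    case = CMS_CASES.get(case_id)
    if case is None:
        d.reasons.append("no such case")
        return d
    email = claims["email"]

    # 1. Data controlled: party to the case, or attorney of record with an active bar membership.
    if email in case["parties"]:
        d.allowed = True
        d.reasons.append("party to the case")
    if (email in case["attorneys_of_record"]
            and claims.get("affiliation_type") == "attorney"
            and claims.get("bar_active") is True):
        d.allowed = True
        d.reasons.append("attorney of record with active bar membership")

    # 2. Justice partner controlled: group membership in the partner directory,
    #    considered only for users whose affiliation claim says they are government.
    if claims.get("affiliation_type") == "government":
        for gid in sorted(member_groups(email)):
            if case["type"] in GROUP_CASE_TYPES.get(gid, set()):
                d.allowed = True
                d.reasons.append(f"member of partner group {gid}")

    if not d.allowed:
        d.reasons.append("authenticated but no authorizing claim or association")
    return d


if __name__ == "__main__":
    dda = {"email": "dan.dda@da.example.gov", "affiliation_type": "government", "amr": ["pwd", "mfa"]}
    print(authorize(dda, "18-FL-012345"))
```

The point the slide makes is visible in the last branch: a user can be fully authenticated, with MFA, and still be denied, because authentication says who they are and authorization says what that person may see for this case.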

Page 25


On-boarding a Justice Partner

Justice Partners

• Register “app” in Azure

• Grant “app” graph.api access

• Add Users to privileged Groups

• Provide Service Provider with GroupID and Key

Service Providers

Page 26


On-boarding a Consumer

• Registration with:
  • Branch identity management (B2C)
  • Service Provider (as needed)

• Verification of email address

• MFA preference

• Attorney:
  • Bar# required

• Identity Proof:
  • Attorney: also verify with email of record (CA BAR)

• Identity Proof (driven by Service Provider)

Registration Required

Page 27


On-boarding a Vendor / Service Provider

Service Provider

• Register / configure the application in Branch Identity Management site

• Modify the app to interact with MSAL (Microsoft Authentication Library)
  • Code fragments provided by Branch if desired

Page 28


Identity in Context: A Reusable Component

• Identity Management is a foundational element to a Digital Court architecture

• By establishing a statewide capability:
  • Protect individuals and the branch
  • Provide a richer, unified user experience across providers
  • Facilitate information sharing between service providers (user consent)
