Identity and Access Management - CourtStack
Transcript of the slide deck.
#CTC2019
Identity and Access Management: How Do I Know You Are Who You Say You Are?
Snorri Ogata, Chief Information Officer, Los Angeles County
Tricia Penrose, Director Juvenile Operations, Los Angeles County
Mike Baliel, Chief Information Officer, Santa Clara County
Strategic Context
Snorri Ogata
CIO, Los Angeles
Identity and Access Management, September 12, 2019
Digital Eco-System (Source: Gartner)
What is Identity Management?
The management of individuals and principals, their authentication, authorization, and privileges within or across system and enterprise boundaries.
Identity Management in the Real World
Everyday services that already depend on identity management:
• Restaurant Reservations
• Online Banking
• Fantasy Football
• Online Purchases
• Performance Mgmt System
• Remote Case Access
Why Do We Need IAM?
• Protecting the individual and the court
• Improved user experience
  • Single sign on
• Improved information sharing
• Increased productivity / decreased costs
• Foundation to a digital court eco-system
  • Courts
  • Partners
  • Vendors
If the Court is confident it knows who you are, we can create new personalized experiences.
Digital Court Eco-System
Powered by: Court + Technology Architecture + Service Providers
• Electronic Filing
• On-line Payment
• On-line Reservations
• Remote Privileged Access
• On-line Document Assembly
• Remote Appearances
• Online Dispute Resolution
• Digital Evidence Management
• Etc…
Identity Matters
History of Identity Management and the Courts

| Year | Milestone | Endorsing Organizations |
|------|-----------|-------------------------|
| 2005 | Global Federated Identity and Privilege Management (GFIPM): justice technology framework for sharing information | U.S. Department of Justice Global Advisory Committee (incl. COSCA, NACM, NCSC) |
| 2005 | OpenID authentication protocol developed | Symantec, Microsoft, AOL, Sun Microsystems, … |
| 2006 | OAuth begins as an implementation of OpenID | Twitter |
| 2007 | OpenID 2.0 | Yahoo, Microsoft, Verisign, … |
| 2010 | GFIPM Implementation Guide v1.0 | Global |
| 2012 | Global Reference Architecture v1.9.1: information sharing guidance | Global |
| 2012 | OAuth 2.0: defines a protocol for authorizing services for a user | Google, Microsoft, Apple, Facebook, … |
| 2014 | OpenID Connect: built on top of OAuth 2.0 and defines authentication | Google, Microsoft, Amazon, … |
| 2018 | National Identity Exchange Federation: implementation arm for GFIPM frameworks | Global (endorses OAuth 2.0 and OpenID Connect) |
What Triggered Identity Management in CA?
CA Rules of Court (CRC)
• Remote Access to Court Records rules were ambiguous for non-public use cases
• CRC 2.515 (et seq) modified to recognize entitled users, which includes:
  • Parties
  • Attorneys
  • Legal aid organizations
  • Government agencies
  • Designees (delegated access)
  • A few others
• CRC 2.523 further states courts must: “(a) verify the identity (b) (using) a statewide … identity management … system”
Opportunity
• Statewide E-Filing efforts saw the benefit of authenticated users
• Other Service Providers working on integrating identity management:
  • Remote Appearance
  • Court Reservations
  • Traffic Recurring Payments
Identity in Action: Los Angeles County
Justice Partner Portal (CA Innovation Grant)
The Pilot
• Privileged remote case access to case information (data/documents) based on a user’s identity and claim.
• Case Types Currently Supported:
  • Juvenile Dependency
  • Family Law
  • Probate
  • Adoptions
  • Traffic
  • Mental Health
In the numbers
• Number of Agencies/Orgs: >40
• Number of Hospitals: >40
• Number of Registered Users: >8,000
• Active Users per Mo: ~5,000
• Monthly Utilization: Searches (case/name) >300K; Document views >300K
• “Off hours”* utilization: >15% (* Evenings, weekends and holidays)
Information Technology Advisory Committee: Identity Management Workstream
Policy Track
• Make Recommendations on Implementation Policies
• Provide direction to Technology Track
• Communications and Alignment with key stakeholder groups
• Members: CEOs, Judges, Operations (incl. Tricia Penrose) and me
Technology Roadmap Track
• Establish Technology Standards
• Develop Adoption Roadmaps and provide technical assistance
  • Courts
  • Service Providers
  • Justice Partners
• Members: Court CIOs (incl. Mike Baliel) and Judicial Council IT
Policy Implications
Tricia Penrose, Juvenile Director, Superior Court of California, Los Angeles
Identity Authentication Authority
Alternatives Explored:
• Social: Open Table (reservation service provider) and Facebook (Identity Provider)
• ✓ Branch: identity is centrally controlled, similar to financial institutions
• ✓ Federated: Enter into agreements with (certain) organizations to authenticate users
Which seems more secure?
Recommendation: The Judicial Branch will be the authentication authority for public facing (B2C) users. MOU partners will be Federated (B2B).
Multi-Factor Authentication
Alternatives Explored
• Single Authentication: ID and password only.
• ✓ Multi-Factor Authentication: ID and password PLUS use of a secondary form of digital identity. Can be: confirmation code, authenticator app, text message, email, …
Recommendation: Use Multi-Factor authentication everywhere
How to Link Digital and Physical Identities? (identity proofing)
Use cases explored:
• ✓ Litigant: Transactional or Physical
• ✓ Attorney: State Bar
• ✓ Government Agency*: Federated AD
• ✓ Other*: Azure B2B
* Note: Identity proofing is the responsibility of the partner through MOU.
Recommendation: Digital Identities (for certain services) should be proofed and/or validated by an external source.
Who has the Authority to Delegate Identity?
Use cases explored:
• ✓ Litigant: On their authority
• ✓ Attorney: On their authority
• Government Agency: No. All access controlled by Agency.
• Other: No. All access controlled by Organization.
Recommendation: Allow litigants and attorneys the ability to temporarily delegate their access levels to another registered user.
What Protections should IAM provide to Delegators?
Alternatives explored:
• No protections: Caveat emptor.
• Identity based: State Court identity required.
• Time based: Access must be renewed periodically.
• Audit based: Delegate access shall be visible to delegator.
Recommendation: Delegated access should be reaffirmed every six (6) months and the Delegator should have visibility of the delegate’s activities.
What Identity Attributes are Sharable?
Alternatives Explored:
• No sharing
• Share everything automatically
• ✓ Minimize what is shared
• ✓ User controlled sharing
Minimum Identity Attributes:
• name: Personalized experience
• email: Unique identifier
• primary affiliation type: Access control
• primary affiliation authority: Security
• mobile / alt email: Password recovery, communications
Recommendation: Clearly define minimum identity attributes and empower the user to control sharing.
How to Drive Vendor Adoption?
Use cases explored:
• Optional: Vendors encouraged to utilize.
• ✓ Mandatory: Vendors mandated to utilize.
Recommendation rationale:
• Vendors are biased to “what’s best for them.”
• The consumer benefits from their single identity unlocking capabilities to a multitude of services (single sign on)
• Precedent set with statewide E-Filing RFP, which required utilization of the branch identity solution.
• Superior Court of Los Angeles County is including it in RFPs with no resistance.
Recommendation: Include provisions in Digital Court RFPs that mandate use of Branch Identity Management.
Technology Implications
Mike Baliel, CIO, Superior Court of California, Santa Clara County
Why Microsoft Identity Management?
• Standards support: OpenID Connect and OAuth 2.0
• Cloud-based + FedRAMP blessed
• On the right “lists”:
  • Gartner Magic Quadrant
  • Forrester Wave
• Cost:
  • B2B use cases included with O365 subscription (if applicable): FREE
  • B2C use cases very affordable: ~$0.0026 / authentication (1M authentications / month = $2,600; first 50,000/mo are free!)
• Flexible: Social or Branch as the Identity Provider
• Existing contracting vehicle (simplified procurement)
Two Types of Identities
B2B
• Justice Partners
• Federated Identity Management (with O365) – or – Partner Managed through Branch IAM utility
• Authentication Authority: Justice Partner
B2C
• Litigants, Attorneys, Other Parties, Public, Media
• Simple registration process with the Branch
• Authentication Authority: Judicial Branch
Identity Management in Action
Diagram: a user asks a Service Provider for a case; the Service Provider hands authentication to Azure Identity Management (AIM), then decides on authorizations / privileges itself. The exchange shown:
• User to Service Provider: “I want to see case 18-FL-012345”
• Service Provider: “Let me confirm you are who you say you are. Please log-in with your (preferred) identity provider.”
• Azure Identity Management (AIM), Authentications: “Yep! Successful log-in. You currently work for the DA.” “You are authenticated. You are an attorney.”
• Service Provider, Authorizations / Privileges: “What info can you see?” “You can see this data and these documents.”
• Service Provider to user: “Here you go!”
Authentication vs Authorization
Authentication (required)
• Handled by the Branch identity management system.
• Simple ID/password challenge
• Authentication source:
  • Branch Identity (B2C)
  • Federated Identity (B2B)
• Multi-factor requires an additional source (e.g., code, application, device, …)
Authorization (as needed)
• Handled by the Service Provider.
• Typically driven by a “claim” (a set of attributes about a person)
• Sample claim attributes:
  • Affiliation with an MOU organization
  • Existence of an authorizing code
  • Active bar membership
  • Active affiliation with a case
How to Authorize with Justice Partners
• Data Controlled
  • Micro-service
  • Examples:
    • Party to the Case
    • Active association
• Justice Partner Controlled
  • Graph API
  • Interrogate Partner Active Directory
    • Part of Attorney group
    • Part of Juvenile Social Worker group
Diagram: Court Identity → Court Access (aka JPP) → Authorization, fed by a Claim (data) from the Virtual CMS and by Graph API queries against the Justice Partner Active Directory (JP managed authorization).
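As an added example (not from the deck, the Branch, or the JPP), a service provider's authorization decision in the shape of the two slides above: the Branch's validated token settles authentication, then the affiliation claim selects either a data-controlled check (active bar membership, party to the case, or a delegation that must be reaffirmed within six months) or a partner-controlled group check standing in for a Graph API checkMemberGroups result. The issuer, audience, claim names, case data and directory contents are all constructed placeholders.

```python
import time

# Constructed placeholders for the Branch identity provider and this service provider.
BRANCH_ISSUER = "https://login.branch-idp.invalid/"
SP_AUDIENCE = "court-access-app"
SIX_MONTHS = 183 * 24 * 3600
SAMPLE_NOW = 1_700_000_000.0          # constructed reference time for the sample data

# Constructed stand-ins for the court's "data controlled" micro-service.
ACTIVE_BAR = {"123456"}                                      # active State Bar numbers
CASE_ATTORNEYS = {"18-FL-012345": {"123456"}}                # attorneys associated with a case
CASE_PARTIES = {"18-FL-012345": {"party@example.invalid"}}   # parties, keyed by email
# Delegations: delegate email -> (delegator email, time the delegation was last reaffirmed).
DELEGATIONS = {"helper@example.invalid": ("party@example.invalid", SAMPLE_NOW - 86400)}

# Constructed stand-in for what a Graph API checkMemberGroups call would report for a
# Justice Partner user: object id -> group ids the user belongs to.
PARTNER_DIRECTORY = {"da-user-1": {"grp-da-attorneys"}, "sw-user-1": {"grp-juvenile-sw"}}
# Group id -> case types the partner's MOU lets that group view (constructed).
GROUP_CASE_TYPES = {"grp-da-attorneys": {"FL", "JD"}, "grp-juvenile-sw": {"JD"}}


def authenticated(claims, now):
    """Authentication is the Branch's job; the service provider only confirms the
    (signature-validated) token is from the Branch, for this app, unexpired and MFA-backed."""
    return (claims.get("iss") == BRANCH_ISSUER
            and claims.get("aud") == SP_AUDIENCE
            and claims.get("exp", 0) > now
            and "mfa" in claims.get("amr", []))


def authorize(claims, case_id, now=None):
    """Return (allowed, reason): the service provider's decision, driven by the
    affiliation claim plus a data-controlled or partner-controlled check."""
    now = time.time() if now is None else now
    if not authenticated(claims, now):
        return False, "not authenticated"
    parts = case_id.split("-")
    case_type = parts[1] if len(parts) == 3 else ""
    kind = claims.get("affiliation_type")        # assumed custom claim names
    email = claims.get("email")
    if kind == "attorney":
        bar = claims.get("bar_number")
        if bar not in ACTIVE_BAR:
            return False, "bar membership not active"
        if bar not in CASE_ATTORNEYS.get(case_id, set()):
            return False, "no active association with case"
        return True, "attorney of record"
    if kind == "litigant":
        parties = CASE_PARTIES.get(case_id, set())
        if email in parties:
            return True, "party to the case"
        delegator, reaffirmed = DELEGATIONS.get(email, (None, 0.0))
        if delegator in parties and now - reaffirmed < SIX_MONTHS:
            return True, "delegate of party " + delegator
        return False, "not a party (or delegation lapsed)"
    if kind == "government":
        groups = PARTNER_DIRECTORY.get(claims.get("oid"), set())
        allowed = sorted(g for g in groups if case_type in GROUP_CASE_TYPES.get(g, set()))
        if allowed:
            return True, "partner group " + allowed[0]
        return False, "no partner group covers case type " + case_type
    return False, "unknown affiliation"
```

In a real deployment the claims would come from the OpenID Connect ID token after MSAL has validated its signature, and the partner lookup would be the Graph API call made with the GroupID and key the partner hands over at on-boarding.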
On-boarding a Justice Partner
Justice Partners:
• Register “app” in Azure
• Grant “app” graph.api access
• Add Users to privileged Groups
• Provide Service Provider with GroupID and Key
Service Providers receive the GroupID and Key.
On-boarding a Consumer
Registration Required
• Registration with:
  • Branch identity management (B2C)
  • Service Provider (as needed)
• Verification of email address
• MFA preference
• Attorney: Bar# required
• Identity Proof:
  • Attorney: also verify with email of record (CA BAR)
  • Otherwise driven by the Service Provider
On-boarding a Vendor / Service Provider
Service Provider:
• Register / configure the application in the Branch Identity Management site
• Modify the app to interact with MSAL (Microsoft Authentication Library)
  • Code fragments provided by the Branch if desired
Identity in Context: A Reusable Component
• Identity Management is a foundational element of a Digital Court architecture
• By establishing a statewide capability:
  • Protect individuals and the branch
  • Provide a richer, unified user experience across providers
  • Facilitate information sharing between service providers (user consent)