LOCATION: Harrisburg, PA, US
YEAR: 2007
STATUS: Laureate
CATEGORY: Government
NOMINATING COMPANY: Deloitte
ORGANIZATION: Commonwealth of PA Department of Labor & Industry
PROJECT NAME: Enterprise Identity and Access Management Project
Short Summary
The Pennsylvania Department of Labor & Industry (DLI) Enterprise Identity and Access Management (IAM) project is a strategic project that highlights the cooperation of two large agencies of the commonwealth of Pennsylvania to implement a solution that will present a unified "Commonwealth eGovernment" to its citizen and business partner users. The project builds on a similar implementation that the Department of Public Welfare (DPW) already had in place, enhances the technology and processes, and implements a framework for governance and configuration management, making it extensible to other agencies.

As it embarked on two large systems modernization initiatives, DLI was presented with a rare opportunity to make substantial changes to its enterprise technology landscape. Faced with the challenge of transforming and integrating many complex legacy systems, DLI embraced a service-oriented architecture (SOA) and infrastructure. On the information security front, an enterprise IAM framework was one of the first outcomes. The IAM framework will provide authentication and authorization to DLI's marquee applications: the Commonwealth Workforce Development System and the Unemployment Compensation Modernization System. In the future, myriad smaller agency applications will also be updated to take advantage of the reliable and flexible security provided by the IAM framework.

Consolidating a disparate set of identity repositories streamlines access to government services and offers numerous other benefits, including improved security for the enterprise, enhanced manageability for staff, and greater simplicity for users. The IAM Project will simplify access to government systems and services for 30,000 commonwealth employees, 250,000 business partners and 2 million public users. A credential branding mechanism called the "Keystone Key" will be incorporated into applications that integrate with the IAM Project framework.
The project will help the agencies realize significant operational cost savings due to the efficiencies in user management and shared technology architecture. DLI has already realized a cost savings of approximately $1.8 million.
Introductory Overview
Established in 1913, DLI was initially charged with inspecting the working conditions in factories around the state. Over time, its responsibilities grew to the current mission of improving the quality of life and economic security for Pennsylvania workers and businesses, encouraging labor-management cooperation, and preparing the commonwealth's workforce for the jobs of the future. Delivering services in each of these areas is supported by a variety of systems, the largest of which support the Unemployment Compensation and Workforce Development programs. The complex array of systems on which these programs rely is currently undergoing renewal through the Commonwealth Workforce Development System (CWDS) and the Unemployment Compensation Modernization System (UCMS) projects.

While moving forward with both initiatives, DLI sought to identify areas in which the two projects faced similar challenges and might share one solution. Adopting common infrastructure and sharing business services (central tenets of the service-oriented paradigm) can help mitigate the risks associated with complexity, lower capital and operating costs, and simplify access to government systems. DLI understood these benefits and noted that the role of identity and access management within systems made it an excellent candidate for adoption at the enterprise level. Instead of implementing a solution that served only its own needs, DLI looked for complementary systems elsewhere in the commonwealth and found them within the Department of Public Welfare (DPW). Agency leaders and the Commonwealth of Pennsylvania Office of Administration/Office of Information Technology (OA/OIT) Chief Technology Officer (CTO) created a plan for a shared IAM solution that would not only span project boundaries, but also transcend agency borders.

Together, DLI and DPW began the IAM Project that would lay the foundation for other commonwealth agencies to leverage as they embark upon similar initiatives. The IAM project goals were to:
- Establish a governance model for a shared DLI/DPW IAM solution
- Conduct "As-Is" assessments related to:
  - IAM systems and processes within DLI
  - Role-based access controls
  - User-provisioning processes
- Define future ("To-Be") IAM systems and processes within DLI
- Design and implement the shared DLI/DPW IAM solution
- Establish configuration management processes
- Provide IAM-related training to the staff
- Provide IAM support and knowledge transfer

Exemplary interagency cooperation allowed DLI to build on past success within DPW, speeding the implementation of the IAM solution and extending single sign-on to a larger population of commonwealth staff, citizens and business partners. Furthermore, the IAM Project established a platform from which DLI can extend enterprise authentication and authorization services to other DLI applications identified during the course of the project.
Benefits
Has your project helped those it was designed to help?
Yes
What new advantage or opportunity does your project provide to people?
Through several mechanisms, the IAM Project will simplify access to government systems and services for 30,000 commonwealth employees, 250,000 business partners and 2 million public users.
1. A single set of credentials can be used to gain access to systems within DLI and DPW. This creates the potential for other commonwealth agencies to follow a similar model, furthering the goal of one eGovernment for the commonwealth of Pennsylvania.
2. A credential-branding mechanism called the Keystone Key will be incorporated into applications that integrate with the IAM Project framework. In spite of differences between application appearances (look and feel), the visual cue provided by the "Keystone Key" will help remind users that their single set of credentials can be used to access applications bearing the logo.
3. Self-service features allow users to address some of their most frequent problems themselves. For example, forgotten passwords no longer require calls to the help desk; users can now verify their identity and reset their own passwords.
4. Improved security: standardization of policies such as password complexity and password history helps strengthen security and better protect user privacy when they are applied uniformly across applications. Further, when requirements call for enhanced security, rules are modified in one central system; for instance, when an application needs to use a second form of authentication such as a digital certificate or a "keyfob", the change can be implemented with little or no modification to existing applications.

In addition, DLI and DPW will realize the following benefits:
- Centralized event recording. Consolidation of security events simplifies identification of anomalous activity, which can help reduce the time between event discovery and response.
- Administrative simplification. A shared identity repository reduces the administrative overhead associated with provisioning, managing and deactivating user credentials.

Has your project fundamentally changed how tasks are performed?
Yes

How do you see your project's innovation benefiting other applications, organizations, or global communities?
The commonwealth's Office for Information Technology (OIT) is pursuing initiatives similar to those of the IAM Project. Although OIT's scope also includes investigation of meta-directory services and user-provisioning tools, it will be able to use the work of the DLI and DPW teams as a reference as it moves ahead with commonwealth-wide access-management plans. The successes of the IAM Project further demonstrate the value of centralized access-management services and facilitated enterprise software license negotiations that avoided approximately $32 million vis-à-vis the cost of independent agency purchases. The estimated cost avoidance is based on a three-year total cost of ownership and includes licenses (at list price) and recurring annual maintenance. For other large agencies in Pennsylvania, the architectural foundation and model will not only reduce the cost and time to implement the solution, because the framework can be reused, but will also help citizens, who will be able to use the Keystone Key to access more government services. The model is relevant to other states and other countries serving their citizens and implementing eGovernment services accessible on the Internet. The model can evolve to work with modern authentication methods such as digital certificates and biometrics as they become more widely available for public use.
The Importance of Technology
How did the technology you used contribute to this project and why was it important?
Importance of Information Technology
Although consensus-building, collaboration and training are all integral to the success of the IAM Project, the system is ultimately enabled by commercially available software that incorporates open standards such as LDAP, HTTP, SAML and WSDL. The following describes how information technology is used to deliver the IAM Project:
- Service-oriented architecture (SOA): implementing the IAM in an SOA is important to serve the unique requirements of modern applications such as CWDS and UCMS. Providing the IAM functionality as services enables the applications to maintain their own look and feel, yet make use of the IAM through web services.
- Directory services: enables the creation of three distinct user repositories:
  - One for commonwealth employees
  - One for business partners/service providers
  - One for public users
  Having separate repositories for the various user classes enables network partitioning and the application of security policies in a manner appropriate to users' roles. For instance, public users may access the system infrequently and use credentials that entitle them to manage data related to their roles. Business partners, however, may access the system regularly and be privy to more sensitive data. Given the differences between these two user classes, different security policies may be enforced.
- Identity and access-management software: identity and access-management software standardizes the process of granting or denying access to resources provided by web and application servers. Simple web interfaces allow security administrators to easily adjust access to application components as development teams deliver new features.
- Relational database: centralized logging of all security events simplifies security audits and makes it easier to identify and address anomalous behavior.
- Virtualization technology: in non-production environments, virtualization software is used to provide more flexible deployment options and maximize technology investments.
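The two benefits the page attributes to a central, relational security-event store (centralized event recording in the Benefits section, and the relational database in the list above) are easier to see with a small worked example. The following Python block is an added illustration and is not code from the DLI/DPW project; it assumes a single security_event table with the columns shown, uses an in-memory SQLite database, and runs over a handful of constructed events labelled with the application names the page mentions (COMPASS, CWDS, UCMS). It shows two checks that only a consolidated log makes cheap: failed logins for one account spread across several applications (invisible to any single application's lockout counter), and successful logins that occur after the account was disabled in the central user-management interface (a deprovisioning gap).

```python
import sqlite3

# Constructed sample events for the example: (timestamp, application, user class,
# username, event, outcome). In a real deployment each application and the IAM
# console would write rows like these into the shared store.
SAMPLE_EVENTS = [
    ("2007-06-01T08:00:00", "COMPASS", "public",   "jdoe",   "login",   "success"),
    ("2007-06-01T08:05:00", "CWDS",    "public",   "jdoe",   "login",   "success"),
    ("2007-06-01T09:00:00", "COMPASS", "public",   "msmith", "login",   "failure"),
    ("2007-06-01T09:01:00", "COMPASS", "public",   "msmith", "login",   "failure"),
    ("2007-06-01T09:02:00", "CWDS",    "public",   "msmith", "login",   "failure"),
    ("2007-06-01T09:03:00", "UCMS",    "public",   "msmith", "login",   "failure"),
    ("2007-06-01T10:00:00", "CWDS",    "partner",  "acme01", "login",   "failure"),
    ("2007-06-01T10:01:00", "CWDS",    "partner",  "acme01", "login",   "failure"),
    ("2007-06-01T10:02:00", "CWDS",    "partner",  "acme01", "login",   "failure"),
    ("2007-06-01T11:00:00", "IAM",     "employee", "bjones", "disable", "success"),
    ("2007-06-01T11:30:00", "UCMS",    "employee", "bjones", "login",   "success"),
]


def build_event_store(events):
    """Create the (hypothetical) consolidated security_event table and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE security_event (
            ts         TEXT NOT NULL,   -- ISO-8601, so string order == time order
            app        TEXT NOT NULL,   -- which integrated application emitted it
            user_class TEXT NOT NULL,   -- employee / partner / public repository
            username   TEXT NOT NULL,
            event      TEXT NOT NULL,   -- e.g. login, disable, password_reset
            outcome    TEXT NOT NULL    -- success / failure
        )
        """
    )
    conn.executemany("INSERT INTO security_event VALUES (?, ?, ?, ?, ?, ?)", events)
    conn.commit()
    return conn


def cross_app_failures(conn, threshold=3):
    """Accounts with >= threshold failed logins spread over more than one application.

    A single application sees only its own failures, so an account being probed
    across COMPASS, CWDS and UCMS stays below every per-application lockout
    counter; the consolidated store makes the pattern one GROUP BY away.
    Returns (username, failure_count, distinct_app_count) tuples.
    """
    return conn.execute(
        """
        SELECT username, COUNT(*), COUNT(DISTINCT app)
        FROM security_event
        WHERE event = 'login' AND outcome = 'failure'
        GROUP BY username
        HAVING COUNT(*) >= ? AND COUNT(DISTINCT app) > 1
        ORDER BY COUNT(*) DESC
        """,
        (threshold,),
    ).fetchall()


def logins_after_disable(conn):
    """Successful logins recorded after the account was disabled centrally.

    Because disabling in the shared interface is meant to cut access to every
    application at once, any later successful login points at an application
    that is not honouring the central repository (or a replication delay).
    Returns (username, disabled_at, app, login_at) tuples.
    """
    return conn.execute(
        """
        SELECT d.username, d.ts, l.app, l.ts
        FROM security_event AS d
        JOIN security_event AS l ON l.username = d.username
        WHERE d.event = 'disable' AND d.outcome = 'success'
          AND l.event = 'login'   AND l.outcome = 'success'
          AND l.ts > d.ts
        ORDER BY l.ts
        """
    ).fetchall()


if __name__ == "__main__":
    store = build_event_store(SAMPLE_EVENTS)
    for user, failures, apps in cross_app_failures(store):
        print(f"cross-application failures: {user} failed {failures} times in {apps} apps")
    for user, disabled_at, app, login_at in logins_after_disable(store):
        print(f"login after disable: {user} disabled {disabled_at}, logged into {app} at {login_at}")
```

With the constructed rows, only msmith is reported by the first check (four failures across three applications); acme01 has the same number of failures as the threshold but all within CWDS, where that application's own lockout policy is the right place to handle it. The second check reports bjones, whose UCMS login half an hour after the central disable is exactly the gap that a shared identity repository is supposed to close.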
Originality
What are the exceptional aspects of your project?
The IAM Project builds upon the accomplishments of DPW during its implementation of a similar system. Consequently, insofar as the IAM Project leveraged knowledge and existing investments, it was not new. Neither was the idea of a centrally controlled identity-management framework an original one. Notwithstanding these precedents, what made the IAM Project distinct are the very things that made it so valuable. Using the same login credentials across multiple applications meant citizens needed a reminder of their existing login credential; this gave birth to the idea of branding the login credentials as the Keystone Key, complete with a visual logo. The reach of the solution will multiply, reaching a citizen and business partner user base more than 10 times the size of the one DPW serves today. The IAM Project was the first example of an interagency consolidation of identities and sharing of infrastructure within the commonwealth. The negotiations, brainstorming and consensus-building workshops that were part of the IAM Project will serve as examples for other commonwealth agencies that wish to build on this project's foundation. Further, the user population served by the project will make it the largest identity and access-management implementation in the commonwealth, and possibly one of the largest in the world. A true product of teamwork, the IAM Project used familiar technology to deliver a unique solution.

How is it original?
The Keystone Technology Plan, the Commonwealth of Pennsylvania's strategic plan, calls for citizen-centric processes and solutions: IT solutions that support unobstructed citizen access to government information and services. Over the past decade, commonwealth agencies have web-enabled a number of citizen services. To access these siloed applications, a citizen is expected to provide demographic information and choose a new set of credentials every time they access a new web-enabled service hosted by an agency. The IAM project aims to reach the goal of unobstructed citizen access by establishing a single credentialing mechanism for citizens with the Keystone Key. Once citizens self-register and get their Keystone Key, they can use the same credentials to access applications integrated with the IAM project regardless of which agency hosts them. The scope of the IAM project covers two large agencies, DPW and DLI. The following three applications are early adopters:
1. COMPASS (Commonwealth of Pennsylvania Access to Social Services), an application that provides citizen self-service for accessing human services such as Medicaid, Food Stamps, Cash Assistance, Long Term Care, the Children's Health Insurance Program (CHIP) and adultBasic benefits.
2. CWDS (Commonwealth Workforce Development System), which gives citizens access to improved job search and to opportunities to enhance their skills to find employment.
3. UCMS (Unemployment Compensation Modernization System), which gives citizens and businesses access to apply for and manage their unemployment benefits and taxes.
When citizens of Pennsylvania access these systems, they will use a single credential: the Keystone Key. The Department of Transportation is evaluating the IAM framework for use on the Driver and Vehicle registration services application modernization effort. Thus, the IAM project lays the foundation for a citizen-credentialing mechanism that not only serves the current and future applications of DLI and DPW, but could also expand to other agency applications.

Is it the first, the only, the best or the most effective application of its kind?
All of the above
Success
Has your project achieved or exceeded its goals?
No
Is it fully operational?
No

How many people benefit from it?
2.3 million

If possible, include an example of how the project has benefited a specific individual, enterprise or organization. Please include personal quotes from individuals who have directly benefited from your work.
The IAM project is helping to establish self-service mechanisms for citizen and business partner users and a delegated administration model for business partner users. Below are the specific benefits that the security administration group will derive from the project:
1. User management efficiencies: a single, user-friendly interface for managing user access to multiple applications. Compared to the pre-IAM model of having to learn each application's own user interface, IAM provides significant efficiencies. A single interface to disable a user's access to all applications improves overall security.
2. The process improvements in the form of RBAC assessments and recommendations have enabled the use of enterprise- and business-specific roles, reducing the number of roles that the team needs to manage for every application. This helps not only in driving efficiencies in user/role management, but also in improving overall security.
3. An operational governance model has been established for the IAM infrastructure within the agency using the RACSI model, clearly defining the roles and responsibilities of the various teams managing the infrastructure.
While the phenomenal growth in the number of users to be managed by the security administration group will still bring new challenges, the improvements brought forth by the IAM framework significantly reduce them.

Application developers: a uniform integration model that is consistent across applications.

Chief Information Security Officer (CISO): the IAM framework improves the overall security posture of the agency. In particular, the availability of an integrated audit trail and an integrated exception-reporting system helps in complying with internal and external audits. The CISO of DLI, Pat DiSante, says: "This project finally puts us on the path to ending the nightmare of having to administer different security platforms for our many critical L&I applications".

How quickly has your targeted audience of users embraced your innovation? Or, how rapidly do you predict they will?
Application adoption: CWDS is the first application integrating the IAM framework. The design and development of the application has been completed and the test phase is underway. The UCMS application has started its integration activities.
User adoption: the existing COMPASS application had to make a few changes to incorporate the Keystone Key branding. The Keystone Key will be adopted by the COMPASS application in June 2007. Wider adoption will be attained when the CWDS system goes live in September 2007. The UCMS application will integrate with this model in 2008.
Difficulty
What were the most important obstacles that had to be overcome in order for your work to be successful? Technical problems? Resources? Expertise? Organizational problems?
A long and winding road: succeeding with the IAM Project required extensive cooperation between two large state agencies. It will not work unless it is also approached with dedication, flexibility and boldness. Dedication is required because the path to success is long and often marked by discouraging setbacks. Flexibility is required to accommodate the unique and sometimes divergent requirements of participating agencies. Boldness is required for two reasons: first, it helps teams continue to move ahead in spite of skepticism; second, it drives them to continue even when tempted by other initiatives that offer faster payback and less risk.
The hunt for efficiency: while DLI and DPW moved forward with the IAM Project, the commonwealth's OIT pursued related initiatives.
Connecting the dots: the IAM Project relies heavily on commercial off-the-shelf (COTS) software for its foundation. Integrating this disparate set of technologies (many of which were new to the participating agencies) required a great deal of learning and patience. To make sure the solution was maintainable, additional effort was required to establish an interagency governance model and a detailed set of configuration control and change management procedures.
Complexity of the business: DLI realized through the Role Based Access Control (RBAC) assessment that reaching the utopian state of one role per user is difficult within an organization as complex as DLI. The myriad job functions performed by DLI employees form the basis for more than 400 job classifications. The RBAC process had to adopt a tiered approach to the enterprise roles.

Often the most innovative projects encounter the greatest resistance when they are originally proposed. If you had to fight for approval or funding, please provide a summary of the objections you faced and how you overcame them.
The business case for the project was strong and the benefits were evident, including an immediate cost savings of approximately $1.8 million in product license costs. The compelling business case helped gain the agency and commonwealth leadership sponsorship and support necessary to march forward with the project. We keep the project vision and goal in mind to overcome the challenges that we face on a regular basis as we implement the project. As the project transcends agency boundaries, policy-related challenges are overcome with some good-spirited negotiation and agreements. Similarly, teamwork resolved the technical challenges of establishing a shared infrastructure that spans agencies. In the future, many of the more advanced features that the IAM platform will have to offer will require funding from outside the individual projects. When the accomplishments of the IAM Project are fully realized by CWDS, UCMS and assorted DPW applications, the value to other applications will be more readily apparent. For instance, if the agencies wish to extend the IAM framework to offer multi-factor authentication, they may have to look at innovative funding mechanisms to implement the technology. While the IAM Project could seek agency-level funding, it may wish to become a self-funding service through innovative charge-back mechanisms. Working toward this model would free individual projects from bearing a disproportionate percentage of the total cost. Selecting an opportune time to implement such a policy will require a great deal of finesse: too soon, and development teams may reject it (and revert to building their own security framework); too late, and funding shortfalls may constrain the project's ability to provide the new features that development teams demand.
Digital/Visual Materials
Currently uploaded appendices: no appendices currently uploaded.
The Computerworld Honors Program is governed by the Computerworld Information Technology Awards Foundation.
© 2010 Computerworld Honors Program