NSW's platform-based IAM reinvention


By David Braue
Wednesday, 20 July, 2016


The 160 agencies that make up the New South Wales Government may have been technologically left to their own devices in the past, but the development of an unplanned identity and access management (IAM) framework is helping them find a commonality of purpose that has already proved to have significant transformational effects.

That commonality has emerged over time as the team managing the NSW government’s GovDC program evolved it from its 2012 origins, when it was first envisioned as a mass co-location project. Its current role is as a facilitator of consolidation and broker of hosted services delivered through marketplaces with more than 200 different providers.

“It was not in our plan” to build a marketplace-driven environment, Pedro Harris, executive director of government technology platforms with the NSW Department of Finance, Services and Innovation, told GTR in advance of his appearance at the AC Events Technology in Government 2016 conference.

However, growing demand from industry, and interest from NSW state agencies, pushed the project team to consider whether GovDC’s scope should be expanded.

“When industry started to show interest we thought it was a great opportunity,” Harris recalled. “We started to redesign the whole security environment to allow private providers to co-exist and live with us in the one environment.”

Core to that architecture was the establishment of a far-reaching, consistent IAM framework that would allow for highly granular control over access to resources within the shared GovDC Managed Services Backbone — and outside of it.

This system needed not only to facilitate integration and seamlessly flow credentials between key systems, but to provide self-service capabilities that would address statistics which suggested that nearly half of calls to the service desk related to user password resets.

Consideration of the best way to deliver the IAM platform saw the department’s technology staff pushing into new areas of technology delivery as they realised the need for whole-of-government identities could be best serviced by hosting a central identity as a service (IDaaS) capability. Agencies could subscribe to it and easily link it into their own environments — or those of the third-party providers in the service marketplace.

According to Harris, this is a big step forward from what are often rudimentary LDAP- or Microsoft Active Directory-based access control systems. “Agencies can buy and choose how they want to have their users gain access. All they have to do is turn on the identity connector and it’s available as a service,” he said.

The IDaaS effort dovetailed into the Cloud Connect Broker Service Standard, which was released in March and outlines methods for seamlessly linking agency and department systems with the growing catalogue of online infrastructure as a service (IaaS) capabilities available through GovDC partners.

“We’re creating this ecosystem of different marketplaces that allows our users to find the best workloads and makes it easier for them to go buy and consume what they need,” said Harris.

Every employee and contractor in NSW has now been given a unique GEN (Government Employee Number) built around 16 key identity parameters drawn from core ERP systems that were brought into the evolving ecosystem early in order to facilitate the IDaaS process. This process required extensive integration work that, in turn, pushed department and agency staff to think about building the GovDC effort in new ways.

“Traditionally we would do all of our development internally,” Harris explained, “but this signalled a big push towards platform development. We started with virtual workloads, and then physical workloads into the cloud. Now we’re allowing development to come into place and then linkage with the GEN will track users for life.”

Ubiquitous use of the GEN will enable far easier communication with state government employees, the complexity of which was revealed in troublesome detail when the agency found it had no way to quickly communicate with all state workers during the 2014 Lindt Café siege.

“We now have the ability to use the GEN to communicate with many people” across many systems, Harris explained. “It has allowed us to focus on identity to quickly solve these chestnut problems that we’ve had forever.”

The longer-term capabilities of that platform rapidly became apparent as the project teams worked with state agencies to facilitate their mandatory move to GovDC by 2018. The process has exposed “a lot of common databases that are shared across government”, Harris said.

“The agencies have options now,” he continued. “Rather than having each agency manage their own applications and systems, we allow them to expose that system to the identity app and services; it becomes easier to do the sharing simply by using an SAML assertion to replace their own systems.”

“We’ve solved quite a lot of things by doing identity internally, and we’re looking at ways to break with where we were before. Where everything was controlled by our network in the past, now we have a totally different way of going in.”

You can hear all about this and other government projects at the Technology in Government conference and expo in Canberra, 2–3 August. Pedro Harris will give a presentation on the second day of the event, Wednesday, 3 August, at 2.00 pm. Check out the Technology in Government website for the full line-up of dozens of public sector, academic and industry speakers who will outline their experiences and insights into government ICT.
