Below is the HillCo client report from the May 21 House Technology Committee hearing.

Charge:
Study the feasibility of an integrated identity management program (IIMP) for state agencies. Examine best practices in the deployment of technology to safeguard state data and programs, limit fraudulent or unauthorized access to state hardware and software, and develop a secure state digital infrastructure.  Determine potential savings to the state and make further recommendations on the implementation of IIMP that encompass both logical and physical security.
 
Dr. Suzanne Barber, UT Center for Identity

  • Public private partnership doing research, education and outreach for identity management and protection
  • Authentication of a person is separate from authorization
  • Replicating authentication across all state agencies for services is costly, risky and makes personal information more readily available for fraud
  • Need to determine which personal attributes are the riskiest and the most valuable to thieves
  • Need secure credentialing
  • Need one authentication process for authorization across all state agencies
  • Elkins – so one identity portal that then redirects to other state agencies?
    • Correct
    • What is the right combination of biometrics needed for authentication?
  • Elkins
    • We know people can duplicate anything they want, but we need to make it more difficult for them, e.g., fake driver's licenses and counterfeit new 100 dollar bills
    • People are sophisticated, now spoofing IP addresses
    • MAC addresses are harder to spoof
  • The right combination for authentication is what you have, what you know and who you are (biometrics)
  • Gonzalez expressed interest in identifying the cost for an integrated identity management program, and what appropriations would be necessary to implement something like this
    • The Center might have data at the end of the summer to share with the committee on how much fraud costs
  • Elkins – once we identify fraud, we can work backwards to do analytics
  • Reynolds – with new technology comes new ways to commit fraud or steal – we will always be playing defense
    • The center is working to be in a predictive mode where they can identify trends

 
Brian Engel, Information Security Officer, DIR

  • Authentication security is vital against threats
  • Identity Access Management (IAM) is the key component to an integrated identity management program
  • Need interoperability
  • Recommends the federation approach
  • The National Governors Association is working on formulating solutions
    • Identity management is a difficulty all states face
  • The types of services, the person, the actions the person is taking are all considerations in what kind of person should be accessing personal authentication information
  • There are encryption requirements at agencies, but the risk is higher during transmission

 
Steve McCraw, DPS

  • Hard to operate anywhere without leaving an electronic footprint
  • From a criminal standpoint, a driver’s license is the document of choice for thieves
  • The question is, how do you verify identity?
  • Button expressed that she thought passports would be more valuable
    • Driver’s licenses give the thief the best access to goods and services as well as transportation

 
Bowden Hight, Information Technology Services, HHSC

  • Goal of a secure and meaningful information exchange to clients via self-service on multiple types of devices. Examples include:
    • Eligibility workers are able to work from multiple locations
    • Providers can validate eligibility for Medicaid and check authorized services
    • Clients verify their identity through self-attestation. Once validated, eligible clients can receive notifications, check status of benefits and report changes in status
    • Clients can access a 36 month history of their personal health records, request medical transportation and search for providers
    • CASA volunteers can access portions of a foster child’s case record for real time information
  • Identity and Access Management (IAM) solutions enable the right individuals to access the right resources at the right times for the right reasons
  • HHS has three initiatives to support automated provisioning/de-provisioning, access authorization and single sign-on services to HHS agencies:
    • Enterprise IAM – supports 23 applications from HHSC and DADS accessed by more than 8,000 users
    • Texas Integrated Eligibility Redesign System (TIERS) IAM – supports integrated eligibility and 12 other applications accessed by more than 16,000 users
    • Enterprise Single Sign-On (ESSO) – supports 6 applications accessed by more than 13,000 users
  • The HHS IAM solution includes:
    • High availability/redundancy
    • Disaster recovery support
    • Support of multiple HHS agency applications
    • Support of multiple application architectures
  • Future of HHSC IAM
    • Expand IAM services to all HHS agencies
    • Support for mobile security
    • Support for cloud security
    • Role-based provisioning
    • Support for identity federation and trust
    • Active Directory integration with Enterprise IAM
  • HHS would benefit from a statewide solution with the following gains:
    • Increased ability to coordinate and communicate with clients, agents and employees
    • Easy integration with other state agencies and business partners
    • Reduction of costs and work effort, including:
      • Eliminating more than 200 different agency solutions
      • Minimizing time spent on interagency communications
      • Improving security (architected into the solution)
  • Elements of a successful IAM project include:
    • Strong executive sponsorship and governance to manage the scope, prioritize applications and manage risks
    • A project roadmap consisting of multiple “mini” projects that demonstrate an immediate return on investment
    • Experienced, dedicated project management staff or vendors
    • A project team with representatives from each agency, and each organization within the agency, that is being “touched” by the solution, including HR, IT, Help Desk, Training and upper-level management
    • Proper expectations set and communicated with expectation of realistic accomplishments within a reasonable timeframe
    • Realistic understanding of complexity of applications and internal infrastructure support processes
    • Appropriate level of resources dedicated to the project within IT and within business areas
  • Elkins – do you have any example from a state that already has their arms around this issue, or maybe a private enterprise? We don’t want to reinvent the wheel

 
Neville Pattinson, Smart Card Alliance

  • Identity management has been done well, but it cannot be done quickly
  • Smart “Chip” Cards
    • 500M have been issued to employees around the world
    • 4M at the DOD
      • In 2006 the DOD mandated the use of these cards; the next day 46% of cyber security attacks were eliminated
    • 1M to other federal agencies
    • Allow for security in physically entering areas, accessing computers, encryption
  • Elkins – citizens in the state trying to access services wouldn’t have a card – government employees maybe
    • Some countries have given all of their citizens a chip
    • Any in the US?
      • No, but right over the border in Nuevo Leon, MX
      • There is interest in other states
  • Elkins – is there a reader on an iPhone, etc.?
    • Yes
  • Using the multiple question method for authentication is not secure on its own – the information they ask you is private, not secret
  • Smart Cards have yet to be broken because every single one is unique
    • Hardware based solution
  • The US is the last country to move to chip cards for debit and credit cards
  • Magnetic stripe card costs 1 dollar to produce
  • Chip card costs 1.50-5 dollars to produce, based on complexity
  • Laptops already have a device that can read a smart card
    • Having difficulty with Apple
  • Elkins – my debit card that has a chip is still swiped
    • That will change, the US is behind
  • Elkins – if they put a chip on people’s driver’s licenses you could program it to include information about what services are available to them? What happens when they lose it?
    • That’s why they recommend using a PIN code with the card

 
The House Committee on Technology will hold no other interim hearings this year.