Cloud Identity – Foundation for “Digital by Default” iGovernment

As part of launching our Canadian chapter, the Canada Cloud Network, we are also starting publication of the Canadian Journal of Cloud Computing Best Practices, being populated via this call for papers.

One of the headline first topics will be Cloud Identity. The editorial process is being set up by David Chartash of the EHealth Research Unit, and his own paper is the first submission to help get the party started.

This is focused on how Identity systems can be implemented in Healthcare.

Digital Government – Me, Myself and I

It discusses the ‘BYOD’ trend: staff increasingly want to bring their own consumer devices, i.e. their iPods and iPads, and use them at work.

Clearly it is an obvious way to reduce IT costs, but is it really secure enough? What happens to patient data downloaded to the device?

A similar theme is discussed in this recent promotional piece, Me, Myself and I, so it is a growing trend in government overall, which, as the article points out, is being driven by the USA’s recent ‘Digital Government’ strategy.

In a similar fashion, Francis Maude recently declared that the UK has a ‘Digital by Default’ strategy as well, so we’re likely to see a huge injection of new innovation and growth in this sector.

Cloud Identity

This sets the scene and requirements for technologies known as ‘Cloud identity’, referring to the extension of Identity Management platforms into Cloud environments.

Our practices are based on identifying the best practice standards groups, in particular the Kantara Initiative, and on how these standards intersect with Cloud Computing designs and, importantly, how they can be implemented in real-world hosting services.

This ecosystem will take many years to fully evolve and includes core building blocks such as OAuth, which enables “Social Sign-on”, a means of joining up web sites via usernames and passwords, which vendors like Janrain cater for.

It then extends from here right through to a sophisticated ‘dataweb’, where these foundations facilitate sharing of all kinds of personal data. Frameworks for enabling and managing this data flow include the Kantara UMA program and the OASIS XDI protocol.

These developments will enable all kinds of opportunities for service providers, ranging from simply managing the authentication process as a service, like Verizon, through to “data as a service”, where banks, utilities and other key organizations provide data for online real-time web services.

The types of technologies that can implement this include the VMware Spring PaaS stack, and in this presentation David Syer from VMware describes how this can be achieved via their Spring framework.


The role of Identity in government process is very clearly articulated in this blog post from the White House ID team:

If it exists, the Gov RP should have the ability to use some shared private information as a starting point to establish the link between a citizen’s (credential) identifier (obtained from the credential verifier) and the PID. e.g. Driver’s License Number (DL#) if visiting the Motor Vehicle Administration (MVA) or Social Security Number if visiting the Social Security Administration.

This follows from a critical point about the reason for this approach:

Especially when it comes to government services, a question that needs to be asked is if the citizen has an existing relationship with the government agency.

This demonstrates how verifying identity is the first step in what then becomes an identity-enabled process.
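To make the linking step concrete, here is an added example (not code from the original post or from the White House ID team) of how a government Relying Party can bind a federated credential identifier to an existing citizen record (the PID) using a piece of shared private information such as a Driver’s License Number. The citizen records, the credential identifiers and the keyed-hash secret are all constructed for this example; a real agency would hold these in its back-office systems. The shared value is stored only as a keyed hash, so the link table never holds the raw DL#, and a credential that is already bound to one PID cannot be re-bound to a different one.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample data: the agency's existing citizen records keyed by PID.
RECORDS: Dict[str, Dict[str, str]] = {
    "PID-1001": {"name": "A. Citizen", "dl_number": "D1234567"},
    "PID-1002": {"name": "B. Resident", "dl_number": "D7654321"},
}

# Hypothetical per-agency secret used to key the hash of the shared value,
# so the link table does not contain raw Driver's License Numbers.
LINK_KEY = b"example-agency-link-key"


def fingerprint(shared_value: str) -> str:
    """Normalise the shared private value and return a keyed SHA-256 digest."""
    normalised = shared_value.strip().upper().encode("utf-8")
    return hmac.new(LINK_KEY, normalised, hashlib.sha256).hexdigest()


class RelyingParty:
    """Minimal model of a Gov RP that maps credential identifiers to PIDs."""

    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        # Index fingerprint(DL#) -> PID once, from the agency's own records.
        self._pid_by_fingerprint = {
            fingerprint(rec["dl_number"]): pid for pid, rec in records.items()
        }
        # Link table: credential identifier (from the credential verifier) -> PID.
        self._links: Dict[str, str] = {}

    def resolve(self, credential_id: str) -> Optional[str]:
        """Return the PID already linked to this credential, if any."""
        return self._links.get(credential_id)

    def link(self, credential_id: str, shared_value: str) -> str:
        """Establish (or confirm) the link between a credential and a PID.

        Raises LookupError if no existing relationship matches the shared
        value, and ValueError if the credential is already bound elsewhere.
        """
        pid = self._pid_by_fingerprint.get(fingerprint(shared_value))
        if pid is None:
            raise LookupError("no existing relationship matches the shared value")
        existing = self._links.get(credential_id)
        if existing is not None and existing != pid:
            raise ValueError("credential is already linked to a different PID")
        self._links[credential_id] = pid
        return pid


if __name__ == "__main__":
    rp = RelyingParty(RECORDS)
    print(rp.resolve("idp-subject-abc"))            # None: first visit
    print(rp.link("idp-subject-abc", "d1234567"))   # PID-1001 after matching DL#
    print(rp.resolve("idp-subject-abc"))            # PID-1001 on later visits
```

On the first visit the RP has only the credential identifier, so it asks for the shared value and matches it against its own records; on every later visit `resolve` answers directly from the link table, which is what turns the one-off verification into an identity-enabled process.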

Shibboleth – Cloud Identity best practices

For a good introduction to the how and why of Cloud Identity, a useful starting point is the Shibboleth project.

This is now a very well established and widely adopted program, so it provides a mature viewpoint on what federated identity mechanisms are and why and how to use them.

For a good executive summary of the associated best practices, the article Identity Management and Trust Services: Foundations for Cloud Computing, from the University of Maryland and Pennsylvania State University, is well worth reading.

It provides an overall view that starts with the baseline components of username management systems and then shows how these relate to a broader Identity ecosystem achieved through collaboration across multiple ‘supply chain’ organizations. Universities are the case studied, but as the best practices make clear, you can simply swap out Shibboleth for your own equivalent and apply the same strategy.
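As an added example of the federated mechanism Shibboleth implements (this is not code from the Shibboleth project or from the cited article), the following Python function performs the checks a Service Provider must apply to a SAML 2.0 assertion before trusting its attributes: the issuer is the expected Identity Provider, the assertion is inside its NotBefore/NotOnOrAfter window, and the AudienceRestriction names this SP. It then extracts the attribute statement into a dictionary. The sample assertion, its entity IDs, times and attribute values are constructed for this example; the attribute OIDs are the standard eduPerson ones. It assumes that the XML signature has already been verified by the SP software (Shibboleth SP or a SAML library) before this function runs, as this example does not implement signature verification.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion of the kind a Shibboleth IdP issues.
# Entity IDs, times and values are invented for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T12:00:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (e.g. 2012-06-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accept_assertion(xml_text: str, expected_issuer: str, my_entity_id: str,
                     now: datetime) -> Dict[str, List[str]]:
    """Validate an already signature-verified assertion and return its attributes.

    Assumption: signature verification has been done by the SP software
    before this point. Raises ValueError if any condition fails.
    """
    root = ET.fromstring(xml_text)

    # 1. The assertion must come from the IdP we federate with.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected issuer")

    # 2. The validity window: NotBefore is inclusive, NotOnOrAfter exclusive.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions")
    if now < parse_saml_time(conditions.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= parse_saml_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion expired")

    # 3. The assertion must be addressed to this SP, not replayed from another.
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError("assertion not intended for this service provider")

    # 4. Only now read the released attributes.
    attributes: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attributes[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attributes


if __name__ == "__main__":
    when = datetime(2012, 6, 1, 12, 1, tzinfo=timezone.utc)
    print(accept_assertion(SAMPLE_ASSERTION, "https://idp.example.edu/idp/shibboleth",
                           "https://sp.example.org/shibboleth", when))
```

The order matters: attributes are read only after issuer, time window and audience have all been checked, so an assertion minted for a different service, or one that has expired, never reaches the application layer.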

