The ROI of Trustable Identities

Agencies Can Save Money, Boost Efficiency While Improving Security
The U.S. government has looked to move many of its services online for quite some time, but the inability to authenticate customers and develop Trusted Identities has kept agencies from making the transition. This is a problem that could soon be resolved, says Mike Ozburn, principal of Booz Allen Hamilton.

Years ago it wouldn't have been possible to go online and receive, say, a tax transcript from the IRS. But now, with hundreds of millions of people online, the opportunity is there, and the government sees it.

Through the implementation of a trust framework, the government can issue credentials to the federal workers under its jurisdiction, and for non-government employees the government will rely on credentials already used by the banking, online and telecommunications industries, Ozburn says in an interview with BankInfoSecurity's Tom Field [transcript below].

"Through this trust framework, [the government] established a model that would allow private companies to issue credentials that are deemed to be comparable to the kind that the government would have issued if it had tried to issue those credentials," Ozburn says.

This year alone has seen great strides forward in reaching the goal of developing a trust framework. The final draft of the National Strategy for Trusted Identities in Cyberspace was announced in April, outlining an ecosystem of companies that can work together to provide the kinds of credentials the government wants. And in the fiscal 2011 budget, more than $1 billion has gone towards projects improving online services.

"These are projects that were already approved ... but were designed at a time before these private credentials were available," Ozburn says. Such projects include putting student loans online and interacting with the IRS, to name a few.

And the return on investment for bringing government services online is very clear: $28 for an in-person transaction, 13 cents for online.

In an exclusive interview about Trustable Identities, Ozburn discusses:

  • The tangible benefits of deploying Trustable Identity solutions;
  • Impediments to be overcome;
  • What agencies need to do now to get started down this path.

Mike Ozburn works within the Booz Allen Hamilton Information Technology team with a special focus on developing solutions for Civil agencies and Commercial enterprises. He is a leader in the Firm's efforts to develop Web 3.0 Trusted Service solutions based on Identity, Trust Management, Data Sharing, and CyberSecurity.

Trustable Identities

TOM FIELD: Let's just tackle this topic right up front. Trustable Identities: what's the problem we're trying to solve with this concept?

MIKE OZBURN: It's a really simple problem and it's one that had been solved for so long in the commercial environment. I think there are many people that would be surprised that it's a problem. But, quite frankly the question is, how can the federal government interact with someone online when they're not able to directly authenticate who that person is or know that they're dealing with the right person on the other end? The inability to authenticate customers, as people would describe it, or authenticate users of a service has been the big blockage that has kept government from moving more services online. It's kept them from being able to take advantage of the digital discipline that's imposed by a process where you can understand who you're dealing with at the front end of an online transaction and then manage that through in a systems environment so you don't have to rely on paper or manual process.

FIELD: Let's put ourselves in the position of someone within an agency that's going to make a case for trustable identities. Give us a sense of what some of the potential hard and soft benefits are of deploying trustable online identities.

OZBURN: Again, the hard benefits are very simple in terms of the reduction in operating costs. There was a GAO [General Accounting Office] report about the IRS a couple years ago and they went through the review and made a determination, on a cost basis, of what it costs the IRS to deal with an individual customer through a variety of methods and methodologies. The cost of an in-person transaction, in essence, was more than $28, while the cost of interacting with that person online was $0.13. At the first instance, the same kind of cost efficiencies that have been so prevalent in the commercial environment for the last 10 or 15 years are cost savings that the federal government hasn't been able to take advantage of because they've not been able to know who they were dealing with. Therefore they couldn't make these online services available. From a hard savings perspective, there's a wide variety of operational costs in that mode.

From a soft cost, though, there's another big target that the government's been focusing on. That's what's referred to as improper payments, and those are just errors. It could be an error where you've been paid too much; it could be an error where you've received too little benefit, but in either case it's an error. There was new legislation last year called the Improper Payments Elimination and Recovery Act that put in some mandates. It put more focus and granular transparency around the kinds of problems that it represents. If you go to that website, PaymentAccuracy.gov, what it shows is in the top 10 programs, the federal government has more than $125 billion a year in errors. Again, the ability to interact online in a digital framework in the way that commercial businesses have been able to do represents a tremendous potential for savings against that $125 billion a year error bucket.

Bringing Services Online

FIELD: You make a compelling case. I guess my follow-up question for you is: understanding the benefits, how do we get there?

OZBURN: That's probably the most exciting part, from my perspective. For a long time, this has been a really difficult problem. It's not that no one's been trying to work on this. There were programs earlier in the decade referred to as e-authentication. There have been e-gov programs. In fact, I think a lot of people would be shocked to find out that the IRS's first online project, their first online pilot, was 25 years ago. Yet today, it's not possible for me to go online and get my tax transcript directly from the IRS so that I could then forward that on electronically to my mortgage company when I'm trying to refinance my house. While there've been efforts before, no one has really been able to crack the code of how the government authenticates that user. And again, these efforts were based on different technologies and different approaches.

The big paradigm shift, though, that occurred around 2008-2009, is that the leadership in the government looked and said that in a world of hundreds of millions of smart phones and social networks like Facebook, with 600 million people online, everybody is already online. There's a real opportunity for us to take advantage of the things that the consumers or the users are already doing. So they implemented what they call the trust framework. What the trust framework does, in essence, is it represents a fundamental paradigm shift where the government said for their own employees, for the 10- or 20 million people that work for them, they're going to require credentials that they issue. They may be hard tokens, hard cards, smart cards or whatever else. But guess what? For the other 200 million people in America that go online, who they don't interact with on a regular basis, who aren't government employees, the government is going to rely on the kind of credentials that people are already used to using and the technology that they already use with their bank, telephone company or online service providers they already dealing with. Through this trust framework, they established a model that would allow private companies to issue credentials that are deemed to be comparable to the kind that the government would have issued if it had tried to issue those credentials.

The great paradigm shift that occurs is we don't have to worry about a national ID card because the government has basically said they're out of the identity business. They don't want to be involved in it. In fact, we want to see the commercial enterprises lead this effort, and we're looking for a vibrant marketplace of private companies that can issue these kinds of credentials, a vibrant marketplace of a wide variety of those kinds of credentials so that the government can allow individuals to use them in the way that they want to control their relationship. We'll simply rely on what the commercial marketplace can provide and what the users choose to use.

So the "how do we get there" is now a very simple process in 2011 because this trust framework is now part of the federal enterprise architecture and it's been there since 2009. The National Strategy for Trusted Identities in Cyberspace was announced on April 15 with a great deal of energy from the White House and the senior leadership across government. They want to see an ecosystem of companies that can provide these kinds of credentials - and that's pretty exciting. Then, more importantly, on April 15, the other thing that happened was the federal budget for fiscal '11 was finally approved, which means that between now and the end of September, there's more than $1 billion that we've identified for projects to do things like put your student loan online, allow you to interact online with the IRS, things of that nature. These are projects that were already approved, have already been designed, but were designed at a time before these private credentials were available. The great opportunity for agencies today is to look at those projects that they now have been given the money to go pursue and to take advantage of this new private credential model, the trust framework model, as a way to implement those projects, to fulfill them at a lower cost, with lower risk, in a way that's more convenient for the users.

Roadblocks In Getting There

FIELD: It sounds like a clear path, but as we both know, things rarely are. What are some of the obstacles that agencies might encounter or speed bumps they might hit along the way?

OZBURN: Right now today, immediately in this snapshot in time, one of the roadblocks is the full trust framework and the certification of what they call identity providers at all the various levels is not 100 percent complete. The Federal Identity Credential and Access Management subcommittee, what's referred to as FICAM, is still working through the process of certifying what they call trust framework providers. Then those trust framework providers are still working with private companies, like banks, telephone companies, communications companies and online providers. There's work to be done there. But the challenge is that, business being business, without the demand side represented by the government wanting to take advantage of those credentials, it's hard for the commercial players to continue to make progress going forward. There's this potential for a little bit of an impasse if people don't take the advantage in the next four or five months to begin to move forward in this kind of model. That's a potential impediment, but it's one that people are ready to overcome. There's great focus and energy from the White House now to try to solve that issue.

The other impediment, quite frankly, is that people are busy. The government has issues, from a financial perspective. There's probably more focus on the debt ceiling today than there is focus on how do we take advantage of private credentials. We live in a mindset where agencies feel like they don't have the resources they need to go ahead and pursue projects. This represents a new technology and a new paradigm that was not there two years ago. You have the normal kind of large enterprise organizational issues of how do you get the elephant to dance rapidly. Those are the kind of issues that we're seeing.

But to the credit of the administration, they've continued to have this drumbeat of saying to the agencies we're very serious about this, whether it was the open government initiative in 2008, which was one of the first things that the President did when he came into office. He said that we want to see more transparency in government, we want to provide more access to government services and we want to have a better experience for citizens and users when they come to interact with the government. He said that on day one, and he followed up on that with initiatives out of the federal CIO office, whether that was the broad base of the open government initiative itself, the list of 25 key priorities or the push to move applications to the cloud. The CIO's office has been doing a great deal of work, but as I mentioned before, FICAM put the trust framework in place in the federal enterprise architecture. Even two weeks ago, we saw a new executive order come out of the White House focusing on customer service and pushing agencies to hold themselves up to commercial benchmarks and to use commercial technologies, including these interactive technologies, as a way to provide a better level of service at lower cost to the government and with more convenience to the user.

I think that there's a great deal of effort. There's a great deal of opportunity right now. While there are impediments that people are going to have to continue to work through, they are very minor impediments compared to the significant issues that would have existed five years ago.

Private Sector Credentials

FIELD: There's a couple of related topics I'd like to take up with you, and one of them is private sector credentials. What's the case for private sector credentials?

OZBURN: You can make the case based on security. Every day you pick up the paper and there's another headline of where some hacker has done something, gotten access to people's private information, or there's been a security breach of information. The most recent one was one of the major banks to the tune of a few million dollars. You could come at this from the cybersecurity problem and make the case for why, in the commercial sector, we need something better than a user name and password.

You could pick it up from the perspective of personal convenience. It's not pleasant to have to manage a different user name and password across all the sites that people are now connecting to in 2011, compared to the situation in 2002 when maybe you might have had one or two passwords. We're way past that scenario where user name and passwords make any sense.

You could pick it up from the commercial enterprise side, where you can look at the cost to that business for abandoned transactions. By the time I get all ready to buy something, from an airplane ticket to a pair of shoes, and I realize I've forgotten my password and it's too inconvenient to go back and figure out what to do, I just bail out of that transaction and I move over to a different company because I can remember my password over there, which represents a cost to the first business who has lost that transaction to a competitor.

Or you can pick it up from the standpoint of the government when the government cannot interact with citizens online. The case for private credentials is that it provides a lower risk way to interact with individuals. It provides greater security for the individual, the potential to protect their privacy in ways that they're not able to protect it today, and then a significant reduction in cost to the enterprise, whether that's a commercial enterprise or the federal government, since they're willing to take advantage of the credentials issued by these private entities.

Trust Button

FIELD: Another topic I want to ask you about is the trust button. I've read some of what you've written on this topic and you've discussed the value of trust buttons on a site. Could you outline that for us, please?

OZBURN: Sure. The trust button is a concept that we've come up with in consortium with a variety of other companies that are all working together to try to solve this problem. What it really represents is a simple, generic way to allow the total Internet customer base to move from this user name and password experience to a new, more secure, more trustable experience in a way that is seamless and easy.

The best way to understand it is in reference to an alternative way of doing a similar thing, which is what Facebook has done with Facebook Connect, inside of their business, in a proprietary way that they control, which has its own issues associated with security, privacy controls and things of that nature. But, to their credit, they looked at this problem and they said, we've got 500 million or 600 million users, and we're integrated across many other sites and have an ecosystem that we've built up inside of our core business. Maybe we'll just solve this for our own customers. And you may have seen it, in your own experience, across the Internet. What they did is they made it very easy for another website not to pick on anybody or provide any preference to anybody. It makes it very easy for me, if I was a website operator, to say I want to make it easier for you to register at my site. I want to make it easier for you to log into my site. And I, quite frankly, don't even care about managing this whole identity framework anyway. If I can put this Facebook Connect button here at mysite.com, and when you come here, instead of going through the normal registration and login process, you can simply click on that Facebook Connect button. I will reach back to Facebook and ask Facebook to authenticate you and provide me with the information that I need to know who you are and you can get logged into my site.

The trust button idea is, in essence, a similar version of that experience. But it's one that's built on the governmentally-approved control models around identity, which puts in place a security model that is more secure and built to standards that are of a higher degree of security than other proprietary things. And it requires the identity providers to recognize certain privacy controls that aren't generally being adhered to by a commercial site. Think of the trust button as a similar way to register and log in to a new site in a way that's simple and easy, but it also provides greater security, respects your identity and respects your privacy.

By putting that on one of the 24,000 websites that the federal government operates, what it allows an agency to do is then pre-certify. I can pre-select which identity providers I want to do business with here at the Department of Education. I can set up the trust button in a way that when you click on it on my site, you'll be presented with a list of optional identity providers who can give you a credential that I'm willing to accept here at my site. The power of the trust button is that the exact same trust button experience can exist across all 24,000 websites in the federal space, on sites that are operated in more than 1,100 data centers that the federal government operates. Yet, when you as an individual click on it, you're always going to be presented with the right options for the right types of credentials as required by the service that you're trying to take advantage of.

We think there's a great potential for the federal government, particularly at this point, when their real objective is how we make it easier to interact with citizens. How do we reduce our total cost? How do we eliminate these kinds of improper payments? By allowing you to use the same kind of credential, for example the exact same credential that you use at the Department of Veterans Affairs which you could use when you go to the Department of Education to apply for a student loan, that's a real convenience to the consumer. It provides the potential for great cost savings to the federal government, and it provides an experience that generates the same kind of privacy controls and security controls and adheres to the identity standards that are already in place by the federal government.

Next Steps for Agencies

FIELD: We've talked about a lot here. We're talked about trustable identities and private sector credentials, as well as the trust button. If you had to boil it down into next steps, what is it that agencies really need to do now to get started down this path that we've talked about?

OZBURN: The key thing is for the agency to look at the opportunity and understand it in the same way that there was a fundamental paradigm shift when the Cold War ended. It was very easy for us to think about the peace dividend that would become available when we no longer had to think about, "Let's go build a tank, or let's go build a battleship." Because the fundamental nature of the environment had changed, and there were huge savings because we no longer had to do the kinds of things that we did before. In this instance, there's the potential for this trust dividend because we no longer have to think about a paper-based process first. We no longer have to think about the fact that we're going to manually process interactions between the citizens or the users of our services. In fact, we can recognize that in 2011 and 2012, 200 million people go online every single day in America. Two hundred million people already have some aspect of credentials that are perfectly acceptable to commercial businesses who are engaged in the exact same kind of transactions that I would be engaged in within my agency.

The federal government has now made it possible for me to take advantage of those credentials in a similar way, and because I can do that, I can immediately think about new ways to fulfill my mission. I can see my costs of operation be reduced dramatically. I can see the nature of the improper payments that may afflict my organization through all the various paper processes that I have. I can see those being eliminated dramatically. And more importantly, I can begin to think about new ways to interact with my customers to do the things that I really come to work to do every day, which is provide them with certain benefits, to provide them with certain information and engage with them across different transactions that are important to them. And I can do it in a way that's safer, has more security, protects their privacy better and is more convenient to them. That's a pretty big win. The opportunity to go ahead and take advantage of that win really exists between now and the end of September, because the fiscal '11 budget is there, the projects are there, and all I have to do is be able to effectively connect the dots and rethink my projects to take advantage of this great new opportunity with which I've been presented.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.