Directory in Government


The Challenge

Traditionally, as organisations have grown, individual applications or systems have had their own databases or directories for tracking who users are and what they are permitted to do. With different user IDs and passwords on each system, management and updating have been done individually - tasks that have often required dedicated administrators. The process of requesting resources is also disparate and, in many cases, has remained paper-based.

Organisations are beginning to recognise that, by automating identity management and service provisioning, they can provide a central source of data that enables them to deliver enhanced services to their customers. This case study outlines a solution implemented within a government agency that was committed to an initiative to have key programmes and services online by 2005. The primary aim was to provide a cost-effective mechanism for enhancing the user experience by delivering more services online.

The Nexor Solution

The agency chose to implement a complete hardware and software solution to provide an e-government environment and enable integrated application development. The new infrastructure provides a central store of information that is easily accessible by all customers, present and future.

The prime contractor was a major systems integrator with extensive experience of managing major global projects. Based on the flexibility, reliability and interoperability of its products, Nexor was selected to supply the directory and messaging services at the heart of the new system.

Within the directory architecture, there are several directory services operating. Each has different users, and different security and service requirements. Distinct communities are served, which form multiple tiers of service:

  • An inner tier that serves specific communities of users and information administrators (for example, a department or an application community).
  • A government tier that serves federal government workers and applications as a whole.
  • A public tier that serves larger communities outside the government, including the general public, businesses and partner organisations.

The Directory architecture comprises two master directory servers, multiple shadow copies and meta services. Using a meta-directory to synchronise servers, Nexor built a homogeneous environment that simulates a multi-mastered system in terms of fault tolerance and high availability. The load of operations within this directory service is balanced using round-robin network routers and other services.

The agency was particularly interested in reducing the risks associated with the central storage of critical information, and the two master directory servers provide contingency in the event that one is disabled. The servers are held in highly secure areas at separate locations.

As part of this security delivery, the customer has adopted the classical three-tier approach often used for government directory services:

  1. Master Directory Systems Agents (DSAs), containing master data that is accessed and modified only by administrators and applications
  2. Shadow copies within the De-Militarised Zone (DMZ), containing replicated data for access by authorised users within the DMZ
  3. Shadow copies outside of the DMZ, containing replicated data for access by authorised users outside the DMZ.

Connectivity to other departmental servers is allowed from public DSAs through chaining agreements. This enables government departments to exchange information protected by a public key infrastructure (PKI).

Identity and Access Management

This ensures that people are authorised users of a system (identity) and that they are who they claim to be (authentication). Nexor Directory stores each user’s details so that the system can block unauthorised login attempts.

Privilege Management

This determines what authorised users are allowed to do. Nexor Directory stores each user’s privileges so that the system can check at login which information, services and applications the person is allowed to use.

Single Sign On

This enables authentication and access control to be centralised and applied to all users and applications. The authentication and entitlement management information stored by Nexor Directory is available to the whole system.
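The tiered directory (master DSA, DMZ shadow, public shadow) and the login-time identity and privilege checks described above can be modelled in a short script. The following is an added illustration, not Nexor's code or the agency's configuration: the attribute names (`userPassword`, `privileges`), the per-tier attribute filtering, the sample entry and the three-attempt lockout are all assumptions made for this example.

```python
# Added example (not Nexor's code): toy model of a three-tier directory with
# directory-backed authentication and privilege checks. Attribute names,
# tier filtering rules and the sample entry are assumptions for illustration.
import copy
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
MAX_FAILED_LOGINS = 3          # assumed lockout threshold


def hash_password(password, salt=None):
    """Return salt || PBKDF2-SHA256 digest so the directory never stores cleartext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored, password):
    """Constant-time comparison of a candidate password against the stored hash."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class MasterDSA:
    """Tier 1: the only writable copy; modified by administrators and applications."""
    WRITERS = {"administrator", "application"}

    def __init__(self):
        self.entries = {}      # dn -> attribute dict
        self.shadows = []      # ShadowDSA instances fed by replication

    def modify(self, caller_role, dn, attrs):
        if caller_role not in self.WRITERS:
            raise PermissionError(f"{caller_role} may not modify the master DSA")
        self.entries.setdefault(dn, {}).update(attrs)
        for shadow in self.shadows:          # push the change to every shadow copy
            shadow.replicate(dn, self.entries[dn])

    def lookup(self, dn):
        return self.entries.get(dn)


class ShadowDSA:
    """Tiers 2 and 3: read-only replicas that receive only the attributes their tier is cleared for."""

    def __init__(self, tier, allowed_attrs):
        self.tier = tier
        self.allowed_attrs = set(allowed_attrs)
        self.entries = {}

    def replicate(self, dn, attrs):
        self.entries[dn] = {k: copy.deepcopy(v) for k, v in attrs.items()
                            if k in self.allowed_attrs}

    def modify(self, *_):
        raise PermissionError(f"{self.tier} shadow is read-only; updates go to the master DSA")

    def lookup(self, dn):
        return self.entries.get(dn)


class AuthService:
    """Authentication and privilege check against whichever DSA serves the caller's tier."""

    def __init__(self, dsa):
        self.dsa = dsa
        self.failed = {}   # dn -> consecutive failures, tracked by the service, not the directory

    def authenticate(self, dn, password):
        entry = self.dsa.lookup(dn)
        if entry is None or "userPassword" not in entry:
            return False   # unknown user, or this tier is not cleared to verify passwords
        if self.failed.get(dn, 0) >= MAX_FAILED_LOGINS:
            return False   # locked out: further attempts are blocked even with the right password
        if verify_password(entry["userPassword"], password):
            self.failed[dn] = 0
            return True
        self.failed[dn] = self.failed.get(dn, 0) + 1
        return False

    def is_permitted(self, dn, service):
        """Entitlement check done at login from the privileges held in the directory."""
        entry = self.dsa.lookup(dn) or {}
        return service in entry.get("privileges", [])


def build_demo():
    """Constructed deployment: one master, a DMZ shadow and a public shadow."""
    master = MasterDSA()
    dmz = ShadowDSA("dmz", {"cn", "mail", "userPassword", "privileges"})
    public = ShadowDSA("public", {"cn", "mail"})   # credentials and entitlements stay inside the DMZ
    master.shadows += [dmz, public]
    master.modify("administrator", "uid=alice,ou=staff", {   # constructed sample entry
        "cn": "Alice",
        "mail": "alice@example.gov",
        "userPassword": hash_password("correct horse"),
        "privileges": ["tax-calculator", "case-files"],
    })
    return master, dmz, public
```

Because only the master accepts writes and each shadow receives just the attributes its tier is cleared for, a service outside the DMZ (reading the public shadow) cannot verify passwords or read entitlements at all, while a service inside the DMZ can authenticate a user and check privileges without ever touching the master.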

PKI Services

These range from a user having an X.509 certificate or a roaming profile to the ability to use TLS, SSL and X.500 signed operations. Nexor Directory can apply all these security mechanisms on data requests.

Software Asset Management

Access to applications is managed centrally rather than by each application. This is done using Nexor Directory, Netegrity’s SiteMinder and Marimba. This combination of technology controls access to applications with user login information rather than standard desktop configurations.

Email Services

An online service is available to all citizens, enabling them to calculate any tax owed to them at the end of each financial year. The person’s details and the calculated result are sent through Nexor Mailer, which supports communication between applications running on X.400 (secure) and SMTP (public) networks.

The Result

The agency identified key goals:

  • To provide services beyond traditional operating hours
  • To enable one-stop access to information
  • To customise information and services
  • To offer a secure alternative to paper.

Other benefits achieved were:

  • Increased operational efficiency, boosting productivity by supplying improved services faster and more efficiently and by reducing the costs of provisioning, user account management and user support
  • Improved security, through an enhanced capability to grant access rights correctly and terminate access promptly
  • Improved customer service and supply chain integration, through offering a central source of data and having the confidence to expose IT systems and sensitive information to external parties.

These resulted in:

  • Increased customer satisfaction
  • Reduced overheads.

Information in this document is provided as is without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose and freedom from infringement.