NC IT Roadmap - Identity & Access Management NC IT Roadmap: Identity and Access Management NC IT Roadmap Technology Foundations Broadband Security Cloud Technologies Identity & Access Management Data & Analytics Applications Digital Transformation We are striving to make as many of our state services available online as possible. Applications and web-based services require user identities to ensure that the right individuals have access to the right resources at the right times for the right reasons. These systems must maintain records corresponding to the individuals who access the information within them. When an action is taken on a resource, it is important to know who performed it. To that end, these systems require authentication, which answers the question “who are you?” and authorization, which answers the question “what are you allowed to do within the system?” Identity and Access Management (IAM) solutions attempt to centralize and unify the concerns of authentication and authorization in a single authoritative system. Having a single authoritative source of identity and access control removes the risks associated with fragmented, redundant, and inconsistently secure authentication and permission systems. Fragmented sources of identity provision create security and procedural risks: Sensitive information stored in many systems increases the attack surface that could allow malicious actors to gain unauthorized access to information. Identity and authorization control sources spread across many systems make it difficult to revoke access when necessary, such as when an employee leaves a position. The state currently runs multiple identity solutions. We are working to create a single IAM solution that the entire state can leverage that will be more agile and cost effective. We will begin by consolidating two of the state’s largest IAM services – NCID and NCEdCloud – into a single cloud managed service (IDaaS). NCID will be replaced as the first phase of this consolidation. The solution will also replace existing multi-factor authentication (MFA) solutions. The new service will be on a modern, user-friendly, cloud-based platform with a robust self-service portal. After the initial implementation, future efforts will focus on updating legacy applications to use standard integration methods and on customer identity and access management features that make it easier for North Carolinians to manage their online identities. Looking to the Future: Blockchain While the most notable applications of blockchain technology today are tied to cryptocurrency, there is significant potential for improving the delivery of government services. Blockchains are inherently resistant to data modification and can be securely linked. As a result, blockchain has the potential to significantly improve transactional services, such as vital records or exchange of property, by reducing the burden of providing proof of identity or of a previous transaction. North Carolinians would no longer need to provide documents in person, which would reduce the amount of time and potential for error in each transaction. In the fall of 2018, we piloted a blockchain initiative as part of the State Emergency Response Application (SERA) project. It was our first foray into this disruptive technology, and was a success. We will explore other opportunities to leverage blockchain technology going forward, including incorporating blockchain-enabled identities into the IAM solution to improve identity trust, management, and experience.