ar130405 - Fotolia
Identity is gaining greater prominence in the security debate in Australia as the Digital Transformation Office (DTO) takes the wraps off plans for a national identity system.
Rachel Dixon, head of identity at the DTO, speaking at ForgeRock’s identity summit in Sydney recently, said the verification framework favoured by the Commonwealth identity service needs “well anchored” biometrics to underpin it.
It could be a challenging sell, however, as Dixon herself acknowledged: “People don’t want a national identity – they just want to get stuff done.”
Australia also has a fractious history with government identity systems, following the failure of the proposed Australia Card. Even though the new identity management platform will be an opt-in service, Kat Lane, vice-chair of the Australian Privacy Foundation, said there was a need for comprehensive public consultation, otherwise the government risked a public backlash.
Dixon acknowledged that privacy is an emotive issue: “People freak out a little at the idea of the government knowing anything. One of the interesting things to me was the degree to which people would seize on every little thing in a blog post and say, ‘That’s Orwellian, you can’t do that’. We’re not trying to be Orwellian, we are trying to be completely privacy respecting.”
Joshua Kennedy-White, managing director of security for Accenture in Australia, did not want to be drawn into the privacy debate, but said biometrics were a “fundamental and unchangeable element of security” that could help streamline and secure access to services. But he acknowledged that the issue needed careful handling, as while biometric verification could streamline identification and secure systems access, in the wrong hands “they can deny you that right”.
Read more about cyber security in Australia
- Australian organisations are lagging behind in terms of identity management, which is not lost on Deloitte as the company expands its Australia-focused resources in this area.
- Canberra is strengthening its cyber security response, but there is conflicting evidence about where the main threat is coming from.
- The Australian Cyber Security Centre wants more organisations to take responsibility for protecting their information resources and computer systems.
Accenture has been beefing up its own identity access management and security capability in Australia. It recently signed an agreement to buy Melbourne-based Redcore, through which it will gain technology and 130 people with specialist security skills.
Specialising in authentication, authorisation and administration services, Redcore has deployed multiple large-scale cyber security systems, including multifactor authentication and secure application gateways used by some of the major Australian banks and government agencies.
Kennedy-White said there had been huge growth in demand for security technology and services, though to some extent Australian organisations were playing catch-up in the identity management area.
Near neighbour New Zealand, for example, already has the RealMe identity platform up and running, which can be used to apply for a bank account, take out a student loan, or request a birth certificate.
Rachel Dixon, Digital Transformation Office
More details about Australia’s identity access management framework are expected to emerge soon, but, according to the DTO’s Dixon, it will be based on open standards and is likely to be available initially to federal and state governments, and also banks. She said there would be tightly defined standards associated with use of the system, and participants in the identity federation would be subject to regular audits.
“We want to make sure identity providers in the ecosystem are audited annually so there is absolute trust that this identity player is playing by the same rules as this identity provider and the standard of proofing is consistent,” she said.
To support smaller agencies that want to use the identity platform, the DTO will develop an application programming interface (API) and software development kit (SDK). The DTO is expected to approach a select number of organisations shortly to respond to a request for proposal, with plans for a public beta test of the yet-to-be-named service scheduled for July 2017.