Integrated services: Creating a secure future for eGov databases

Integrated services: Creating a secure future for eGov databases

The United Nations, a leading proponent of online government services, conducts periodic surveys to gauge regional progress in eGovernment deployments. Their most recent report, dated July 2016, finds higher levels of eGovernment development across all regions, and identifies an important evolution toward what they refer to as “integrated public services.”

Integrated public services give citizens a single point of entry to a range of services and, as a result, make it “easier for people to interact with public administration and get adequate holistic responses to their queries and needs.”

At NXP, our work on eGovernment projects confirms this trend toward integration. A number of the organizations we work with around the globe have taken a more platform-based approach, creating one login that provides access to multiple government services and databases. What they’ve found is that integrating public services improves citizen satisfaction, and also increases uptake while boosting security.

Integrated services in Canada
One such example is the Canadian province of British Columbia. They converted a program for secure driver’s licenses into an online “BC Services Card” that uses a common framework across all online service channels. Citizens no longer have to assign, remember, and maintain a unique username/password combination for each service. Now they access multiple online services using a single credential, embedded in a smartcard, and can use a mobile app for authentication.

A total of seven ministries use the online authentication service, and the setup is also used for elections. By consolidating the credentials, British Columbia anticipates they could save an estimated CAD 100 million over the next five years.

The integrated services deliver another cost savings, too, by helping to eliminate healthcare fraud. When the project began, British Columbia estimated that there were more than four million fraudulent healthcare cards in circulation. The new credential, which is nearly impossible to counterfeit and uses strong, secure authentication to confirm identity, essentially eliminates fraud and is expected to save the government-run healthcare system as much as CAD 1 billion per year.

Widespread benefits
By making it easier to access the data and services of various agencies, integrated public services can provide significant benefits to citizens, and can increase collaboration across governmental organizations. Integrated services enable easier sharing of information, which can, for example, help law enforcement prevent terrorism and find criminals, and can make government-funded studies in science and medicine more comprehensive. Integration can also simplify the way state and local agencies access federal programs, and can make it easier to add services, such as insurance, billing, or reservations, supplied by NGOs or corporations.

The question of security
Security is, of course, of paramount importance with integrated public services. Granting any kind of access to a database always entails a certain amount of risk, since the potential for misuse increases as the number of people access data goes up. Government databases are particularly vulnerable to attack, since they contain private or confidential information that identity thieves and other cybercriminals work hard to obtain.

What makes matters worse, though, is that hackers now have access to remarkably sophisticated tools. In recent years, it’s come to light that certain government agencies, especially those involved in national security, have developed effective techniques for penetrating foreign and domestic targets. The strings of code used by these agencies have, from time to time, been leaked or stolen. As a result, the average hacker can now add, without too much trouble, those same sophisticated spying and hacking tools to their own arsenal, for the potential to attack just about any database out there.

The simple truth is that no database is completely immune to attack. There is no such thing as 100% security, and government agencies can, understandably enough, be reluctant to increase their exposure to risk by expanding access so as to become part of an integrated public service.

Adding key pieces of data to credentials
There are, however, ways to reduce risk when considering an integrated approach to eGovernment services. Consider, for example, the authentication process. When accessing most government services, there’s usually a small amount of data, be it your place and date of birth, your tax ID number, a vehicle identification number, or some other identifier, that is used whenever you access or request a service.

With a healthcare service, for instance, each time you want to check your records, see test results, make an appointment, or register in a waiting room, you usually have to provide your medical ID number and, perhaps, your date of birth. The online service or person you’re interacting with will typically compare the information you supply with what’s stored in the backend database, to see if it’s a match. When this process is multiplied across the thousands, if not millions, of people accessing services at any given moment, the result is an exceptionally high volume of database queries, and a relatively high degree of exposure to risk.

By changing this process, and reducing the number of queries to the database, you’re also limiting access and thereby lowering risk. A system that uses secure authentication, with secure elements and cryptography, can make this possible. When issuing a credential, those small, frequently used pieces of information can be added to the credential itself. The credentials can be encrypted, can be protected with a digital signature and can use multiple ID factors, including biometrics.

Now, when you log into an online service or go to a brick-and-mortar location, the credential includes a copy of the key details, and the sign-in process can authenticate those details without querying the backend database. You, as the citizen, save a step by not having to provide the same details over and over, and the service you’re using sends one less query to the database. The process is more user friendly, and, because there are fewer backend queries, the database is more protected.

Placing the authentication step at the beginning of the request process reduces queries on the database, and, at the same time, can help confirm eligibility for a given service. It’s not always clear that the requesting party is actually entitled to the service they’re asking for. A central authentication hub makes it possible to confirm eligibility from the beginning, and limits the risk of mistakenly granting services to the wrong people.

What’s more, this new approach to authentication, which copies small amounts of data onto the credential, also reduces the impact of any potential hacks since, in the unlikely event that a hacker does gain access to the credential, the hack only yields information for one person, and not the millions of identities stored in the backend database.

An important step for integration
Deploying any kind of eGovernment service can present a number of security challenges, and these challenges only grow more serious when you add in the interoperability, cross-sector collaboration, and other factors associated with integrated services. Effective use of secure authentication, with next-generation credentials that are embedded with pieces of information copied from the backend database, can help address some of these security challenges, and can make integrated services easier to use, safer to deploy, and more viable overall.

Join the conversation
Have you or your government service ever been affected by a cyberattack? What do you think about using next-generation credentials to minimize backend access and thereby strengthen security?

Related links
United Nations e-Government Survey 2016
Article about BC Services Card
NXP SmartMX2-P60 product family

Julien Vintrou
Julien Vintrou
Julien is Secure Identity Marketing Manager and has more than 10 years of experience in the security industry. He started as a software engineer, where he was responsible for the deployment of complex security infrastructures. In the following years, Julien specialized in smart card technology and worked as a technical consultant on projects linked to Smart Identity Documents. Then, as an eGovernment Product Manager, Julien was in charge of the whole life cycle of eID Document products for almost three years.

1 Comment

  1. […] Michael Edwards considers the benefits of government service integration and looks at secure authentication as a […]

Buy now