Federal-state e-authentication project pays off
Illinois reaps the benefits of a pilot with EPA using Entrust technology
When employees for the City of Chicago file reports on the discharge of wastewater into public waterways, they fill out an online form and press a few keys. Then the document is instantly filed with the Illinois Environmental Protection Agency. No paper changes hands, no personal signatures are required and nothing ever gets lost in the mail.
It seems simple enough. In corporate America, exchanging documents electronically is usually no big deal. But in this age of spoofed e-mail addresses, identity theft and silent hack attacks, state agencies must hew to a higher standard of authenticity.
For its part, the Illinois Department of Central Management Services has built an acclaimed e-authentication platform based on tools from Entrust Inc. of Addison, Texas.
In June, Illinois received a CIO Partnerships Award from EPA for its e-authentication system. The state is part of the Federal Bridge Certification Authority, an information system that facilitates using digital signatures across government entities. FBCA has evolved into the Federal Public Key Infrastructure Architecture.Right people, right time
Illinois’ system uses Entrust’s TruePass and GetAccess software to authenticate users and protect electronic documents in transit. “It all comes down to using technology to deliver services faster and more securely,” said Brian Chapman, chief operating officer for CMS. “With e-authentication, we know that the right people are accessing it in the right time frame.”
Employees’ identities are verified via digital certificates they obtain online or from their agency personnel office. The state issues four levels of certificates, from basic Web access requiring only a driver’s license as proof of identification, to a top-level clearance that involves face-to-face verification, background checks and biometric tokens for system access. More sensitive information requires higher levels of clearance.
When employees need to file a form or access sensitive data, TruePass software installed on the agency’s server sends a Java applet to his or her browser, along with an encrypted copy of their digital certificate. The employee enters a password to decrypt the certificate, which TruePass uses to verify his or her identity. Then Entrust’s GetAccess server software determines what type of access the employee is entitled to have—for example, whether someone is cleared merely for data entry or has the authority to approve documents.
Though Illinois currently issues only about 2,000 new digital certificates a month—representing just a fraction of state employees’ overall workload—the process is already saving time and money, Chapman said. Documents no longer sit on someone’s desk or get lost in the mail, reducing the amount of rework that’s necessary. Payments are processed more quickly, saving the state interest charges. And government employees who’d been caught up in the endless paper chase are now free to do more important work.
“We can put people to higher and better use than shuffling paper,” said Paul Campbell, acting director of CMS. “We can have them solving our constituents’ problems.”State-federal cooperation
The project actually began in April 2004, when the Illinois EPA completed a pilot program for exchanging documents with its federal counterpart.
The Illinois pilot was the first attempt to e-authenticate between state and federal agencies. Eventually, when state agencies file reports with the IEPA, they’ll pass automatically into the federal system as well.
Installing the e-authentication system at the Illinois EPA was relatively painless, said Chris Voice, Entrust’s vice president for technology. The agency used an Adobe forms server to deliver the Web forms, and installed the TruePath and GetAccess software on its Web servers—no desktop software was required.
“The key to success is to make it very noninvasive for end users,” Voice said. “Our technology can be used without people having to install software or deal with gory dialog boxes.”
In fact, the hardest part of the whole process was getting agency staffers to adopt a new way of doing business, said Jay Carlson, deputy director of the state’s computer and communications services bureau.
“It was a huge paradigm shift, and many state employees did not want to change the way they did things,” Carlson said. “We tried to shift gradually at first but found that was just giving staff a mechanism to hold onto their old processes. We finally had success by simply taking the training wheels off. We had to say, ‘As of Sept. 30, the following forms must be filed electronically—no ifs, ands or buts.’ ”
Besides the EPA, Chicago’s Health Alert Network, the State Department of Aging, the Pollution Control Board and several others are now using e-authentication.
The State Police use it to provide encrypted background checks for schools, while Illinois State University uses it to secure its e-mail system.
In the near future, the Illinois Terrorism Task Force plans to adopt the system for identifying and logging first responders to incidents.
The system is also available to taxpayers and state employees, allowing ordinary consumers to interact with government agencies online instead of in person.
Illinois citizens can use an e-auth- entication system to check their Medicare benefits, register a small business or apply for scholarships. Corporations can use it to pay their state unemployment taxes.
In fact, more than 85 percent of digital certificates that have been issued were to citizens for personal or business transactions, said Brent Crossland, senior manager of business development for Entrust.
The Entrust e-authentication system is now part of a larger initiative to re-engineer the state’s overall IT practices and adopt more efficient ways of doing business, said CMS’ Campbell.Trimming the budget
Starting in 2003, CMS began combining and consolidating each agency’s IT funding into a single statewide budget so they could identify and eliminate redundancies. They also reduced the number of data centers from 18 to just four statewide, and moved from 43 e-mail clients and five operating systems to a single OS and e-mail system. These and other changes enabled the state to trim $155 million from its $655 million IT budget in just three years.
“Everyone talks about wanting to have e-government, but nobody wants to have unstable or unsafe government,” Chapman said. “These tools enable us to have the kind of e-government everyone wants to see.”Dan Tynan is a freelance technology journalist and author of Computer Privacy Annoyances (O’Reilly Media, 2005).
Connect with the GCN staff on Twitter @GCNtech.