HSCIC Case Study - Care Identity Services
Overview
By Adam Lewis - [email protected] - @adamylewis
Nov 2014
Ever wondered?
• Could you build an Identity Management and Smartcard Provisioning system yourself?
• And if you could, how you would turn that system into a service?
Background
Where are we today?
• Spine Identity Management Services, implemented to support CRS applications, began in 2003
• 1.25 Million registered users
– ultimate expectation of 1.8 - 2 Million users
– 2500 registrations per week
– 500 new Smartcards issued per day
• 8k people performing Identity Proofing & Verification, and issuing Smartcards
• Over 40k business sponsors
• >400k authentications a day
– >70k concurrent users
• >1,100 users performing certificate renewals per day
NHS environment
• Highly mobile workforce – thousands of organisations
• No standard use case; single PC, shared PC, roaming users, occasionally connected users must all be catered for.
• No control over the desktop and there is no standard client access device. Devices cannot be trusted - no networks are considered secure.
• IT maturity variable across organisations (e.g. Windows XP vs Windows 8)
• One size fits all does not exist!
The Challenge
Challenge
• Contract expiry
– Externally provided managed service
– Ageing architecture, heavily customised COTS products
– 1 Million active users (big change = big risk)
• Which model?
– Prime
– SIAM
– Internally delivered (DevOps)
Goals in new service
• Minimise onward cost exposure
• Retain control of information assets
• Ability to rapidly implement change
• User-centric design
– Support governance, but do not hinder users
Identity Services System
Decision
• Prime
– Cost prohibitive
– Doesn’t resolve existing issues
– Incentives to deliver quality services and keep costs low aren’t there
• SIAM
– Insufficient maturity in the IAM Services market?
– Necessary suppliers didn’t step up and offer the services we needed?
• Internally delivered (DevOps)
– Higher risk/reward
– More control, keeps options open
Problem…
Transition Risk
• Brownfield site, but a completely new product – 1 Million users could be denied access to NHS IT Systems!
• Tier 1 Services
– Authentication (custom)
– Directory Service (ForgeRock)
• Organisational capability
– Traditionally provides ‘assurance’ of external services
Technical Solution
Scope
Current System | Target
User Identity Manager (Sun Java Identity Manager) | Care Identity Service
Spine User Directory (Calendra Directory Manager) | Care Identity Service
Organisations Migration Service (Custom) | Care Identity Service (Batch)
Spine Security Broker (Sun Access Manager, Gemalto Access Server) | Care Identity Service (Custom / Legacy Authentication)
Card Management System (Intercede MyID) | Care Identity Service (Custom CMS)
Organisation Administration Service (Custom) | OSCAR -> Care Identity Service interface
Spine Directory Service (Sun Java Directory Server) | Care Identity Service (OpenDJ)
Enhanced Reporting Service (Business Objects) | Care Identity Service (Custom / TBD)
Software | Used in | Description
Microsoft Hyper-V | Hypervisor for all CIS components | The hypervisor and associated management products (System Center and Hyper-V Manager) provide virtualisation for all CIS components
CentOS | All CIS components | CentOS is the operating system for all CIS components
Tomcat | All CIS web applications | Tomcat is the J2EE web application server for all CIS web applications. The HTTP server capabilities of Tomcat are used throughout.
Java | All CIS components | Java is the development language for all CIS web applications. Java is also the runtime environment for all CIS components, including the Directory Services
Spring | All CIS web applications | The Spring Framework and many optional Spring modules are used in all CIS web application components
jQuery | All CIS user interfaces | jQuery is used to handle asynchronous JSON requests between the user browser and the CIS user interfaces
Hibernate | All CIS business and technical services | Hibernate is used to provide the ORM (Object-Relational Mapping) for CIS
Redis | Authentication Services sessions | Redis is used to store the sessions of all users who successfully authenticate to CIS Authentication Services
PostgreSQL | Database components | PostgreSQL is used for all relational storage across CIS
Apache ServiceMix | Integration engine | Apache ServiceMix is used to provide integration and ESB capabilities within CIS for messaging-based integration with ESR and OSCAR
OpenDJ | Directory Services | OpenDJ is the underlying product for all Directory components
OpenIDM | Synchronisation engine | OpenIDM is used to provide synchronisation between the CIS relational repository and CIS Directory Services
HAProxy | Front-end termination | HAProxy is used across CIS for SSL termination, load balancing and HTTP reverse-proxying
Jenkins | Development/Build | Jenkins is used to compile and package web applications as part of daily and release builds
Git | Source configuration management | Git is used for configuration management of application source code
log4j | All CIS web applications | Log4j is used for sending log messages for diagnostic, performance and error logging
Drools | CIS Business Services | Drools provides the underlying rules evaluation capability within CIS
Apache HTTP Server | Infrastructure | Apache HTTP Server is used to provide forward-proxying for outgoing HTTP messages originating from CIS
Final thoughts
• Has the project been successful?
– Application is built and functional
– Effort can be placed where we want, not based on market-driven product roadmaps
– Launch imminent
• Internal delivery means direct relationships are a necessity
– Specialists more invested in success
– Greater control over risks
– Better access to experts
– This is great while building a technical solution, but it also means complexity in service delivery
Thanks for listening
Care Identity Services Demo (Time Permitting)