Saturday, November 01, 2003
No more US Government Gateway
GCN says its no more centralised authentication for the USA. How weird is that? The new CIO says E-Authentication is moving in a new technical direction that is not centered around the development of a gateway," said Karen Evans, the Office of Management and Budget’s administrator for e-government and IT GCN also say, though, that there was a recent, scathing audit report (show me one that isn't) and some enquiries from lawmakers. I'll have to hunt that audit report down. And then there's this: “According to GAO, essential activities, such as developing authentication profiles for the other 24 initiatives, have not been completed,” Davis said. “GSA also eliminated a step in the acquisition process to award a new contract for the operational systems. This action could mean the GSA will miss an opportunity to explore other potential solutions for designing the gateway.” And, the audit folks say # Establish policies for consistency and interoperability among different authentication systems and develop technical standards # Finish defining user authentication requirements for the 24 other e-government projects. GSA said 12 have been completed # Deal with funding, security and privacy problems. GAO does not believe the development work has been mishandled, but the agency should take the time necessary, said John de Ferrari, an assistant director in GAO’s Office of Information Management Issues. Developing policy and achieving interoperability are GSA’s main hurdles, he said. The tone of the article leads one to think there were flaws in the handling of the project and it's not until that last paragraph that you get the message that the issue is where it always has been with online government - interoperability. I'm intrigued that the response to a difficult project is, apparently, to choose to decentralise it - an solve problems around consistency, interop, policy on authentication and funding, security and privacy (can you think of a longer, harder list?) 1001 times rather than once. That just doesn't make a lot of sense to me. These are just some of the hardest problems to face up to, and trying to think of a clean way forward is hard, brutally hard. Why would you pick a federated model to do that now? There will, in time, be federated models - one day Liberty, its successor or some other project of its kind, will make the difference that is needed, but it's unlikely to be anytime soon nor is it likely to be adopted in a security minded environment like government for much longer still. Of course, I would say that it should be done centrally, wouldn't I. In fact, I'll happily sell a Gateway to the US if they're interested - I have one that works (well, the UK government has one that works, it's not mine per se). In my musings on Enterprise Architecture which still aren't drawing to a close (there are one or two other things going on now that keep getting in the way), I've constructed a pyramid of things that need to be built or borrowed: there are some that you build only once, a few that you allow to be built several times and a few more still that you build many times. Right at the top of the pyramid, sitting on the capstone, is an authentication engine (closely followed by a web services broker for web services outside of the firewall).
Posted by Alan at Saturday, November 01, 2003