Securing Citizens’ Data in an Era of Connected Societies

Author: Prasad Chaudhari, Director, NTT Ltd
Date Published: 25 March 2020

Southeast Asia has some of the biggest cities in the world, such as Manila, Jakarta and Bangkok, with close to 47% of the local population living in cities. As governments strive to build future cities, where infrastructure and public delivery are connected and seamlessly enabled by digital advancement, the increased frequency of “bring your own device” practices and the use of cloud-based apps and services are contributing to a pressing need for better governance of user identity and access.

Identity and access management (IAM) is a framework that grants approved parties secure access to increasing amounts of data for user engagement and delivery of services, while protecting user identity and minimizing loopholes for breaches.

Proper governance of citizens’ data is fundamental to a thriving and resilient city. IAM is perhaps the last line of defense in the battle against identity fraud – the kind that brings billions of dollars in losses to businesses, or in the case of governments, an irrevocable loss of trust in national systems.

In Southeast Asia, government agencies are typically audited for their data security practices by independent bodies such as the Auditor General’s Office Singapore, the Auditor General of Malaysia and the State Audit Office of the Kingdom of Thailand. Prevalent issues include identities that are not removed in a timely manner and accounts that have authority over classified information beyond what is necessary. There is a clear opportunity for more stringent access control within government organizations to protect confidential user information in this digital age.

Implementing IAM Programs
An IAM program comprises technology solutions interwoven with business processes. For any IT application, the access protocol begins with user authentication and granting appropriate access privileges based on the user’s role. The automation of these procedures is crafted by the IAM program. However, to avoid being saddled with IAM silos in different departments, the IAM program needs to be thoughtfully conceived, incorporating sound IT architectural vision. Aspects such as biometrics, federating identity, risk-based authorization and role management add to the implementation challenges.

To unlock the true business value of IAM, government agencies should start by reflecting on business roles and assessing the current IT architecture and future roadmap. Role engineering simplifies IAM program implementation because it maps access privileges to common business roles, identifying dead accounts, excessive privileges and redundant user groups. Consideration should be given to future IT needs as well, such as service-oriented architecture and private and public cloud infrastructure. Auditing requirements should also be taken into consideration, as these must be fulfilled for compliance with standards, privacy policy and legislation. A governance dashboard will help the management team’s decision-making process.
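The role-engineering review described above can be sketched as a short access audit. This is an added example, not code from the author or any IAM product; the account records, role names, privilege strings, group names and the 90-day inactivity threshold are all constructed assumptions.

```python
from datetime import date

# Constructed baseline (assumption): privileges each business role should hold.
ROLE_PRIVILEGES = {
    "caseworker": {"case.read", "case.update"},
    "auditor": {"case.read", "audit.read"},
}
# Constructed account export (assumption), as an HR feed joined to a directory dump.
ACCOUNTS = [
    {"user": "alim", "role": "caseworker", "active_employee": True,
     "last_login": date(2020, 3, 2), "privileges": {"case.read", "case.update"}},
    {"user": "btan", "role": "caseworker", "active_employee": False,
     "last_login": date(2020, 3, 20), "privileges": {"case.read", "case.update"}},
    {"user": "cwong", "role": "auditor", "active_employee": True,
     "last_login": date(2020, 3, 10),
     "privileges": {"case.read", "audit.read", "case.delete"}},
    {"user": "dlee", "role": "auditor", "active_employee": True,
     "last_login": date(2019, 9, 1), "privileges": {"case.read"}},
]
# Constructed group memberships (assumption).
GROUPS = {
    "grp-audit": {"cwong", "dlee"},
    "grp-audit-legacy": {"dlee", "cwong"},
    "grp-casework": {"alim", "btan"},
}

def review_access(accounts, role_privileges, groups, today, stale_days=90):
    """Flag dead accounts, privileges beyond the role baseline, duplicate groups."""
    findings = {"dead_accounts": [], "excessive_privileges": {},
                "redundant_groups": []}
    for acct in accounts:
        idle_days = (today - acct["last_login"]).days
        # Dead: the owner has left, or the account has been idle past the threshold.
        if not acct["active_employee"] or idle_days > stale_days:
            findings["dead_accounts"].append(acct["user"])
        # Excessive: anything held beyond the role baseline. An unknown role
        # has an empty baseline, so every privilege it holds is reported.
        extra = acct["privileges"] - role_privileges.get(acct["role"], set())
        if extra:
            findings["excessive_privileges"][acct["user"]] = sorted(extra)
    # Redundant: two or more groups with exactly the same membership.
    by_members = {}
    for name, members in sorted(groups.items()):
        by_members.setdefault(frozenset(members), []).append(name)
    findings["redundant_groups"] = [n for n in by_members.values() if len(n) > 1]
    return findings

if __name__ == "__main__":
    print(review_access(ACCOUNTS, ROLE_PRIVILEGES, GROUPS, date(2020, 3, 25)))
```

Each of the three result lists corresponds to one of the audit findings named in the paragraph above and can feed the governance dashboard as a count per department.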

One example of a governance dashboard that we use for our clients benchmarks the IAM program components against CMMI capabilities.



Organizations implementing IAM programs can consider these five main priorities as they design what is fit-for-purpose.

The program must first enable proactive regulatory compliance monitoring and enforcement to achieve legal and regulatory compliance. At the same time, organizations should seek to reduce the operational cost and effort of generating compliance evidence. Any IAM program must be aligned to business objectives, with appropriate rules on decision-making and delegation. It should ultimately enable user productivity and not create unnecessary strains or burdens.

Citizens at the Core
It is challenging for the whole of government to have a single consolidated solution for the various hybrid systems with different classification levels, given that no single IAM solution would be able to manage the highly complex requirements.

To encourage innovation and make changes to citizen engagement, governments should seek to understand the needs of their citizens and outline a digital roadmap detailing how their citizens can access government services more easily and securely.

In Southeast Asia, several whole-of-nation digital transformations involving digital access to public services are in progress. The Singapore Personal Access (SingPass) gives users secure online access to a gamut of government services for personal matters. Similarly, the corporate digital identity allows more than one administrator in an organization to execute transactions on Singapore government portals.

In Brunei, the Ministry of Health has created a comprehensive health care information system, the Bru-HIMS System, for healthcare workers’ easy access to citizens’ medical records nationwide.

Efforts to bring secured services to citizens where and when they need them are ongoing at different speeds. What is certain is that building connected cities and a competitive Southeast Asia region through digital will require new ways of looking at connectivity and governance.