KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Digital transformation is increasingly affecting all types of organisations including Governments. In order to encourage citizens to adopt digital services, the least expensive channel for governments, it is necessary to support modern connection methodologies and provide user-focussed services. This webinar will investigate the challenges facing government and the opportunity digital transformation affords.
Digital transformation is increasingly affecting all types of organisations including Governments. In order to encourage citizens to adopt digital services, the least expensive channel for governments, it is necessary to support modern connection methodologies and provide user-focussed services. This webinar will investigate the challenges facing government and the opportunity digital transformation affords.
Good morning for those of you in Singapore and Hong Kong. Good afternoon, for those of you in Australia and New Zealand, my name's Graham Williamson, and I have the privilege of participating with Martin Kuppinger on this webinar on digital transformation in government. So we're gonna be talking about citizen identity management. And what does that mean for government quick 30 seconds on CAPA call founded in 2004.
We pride ourselves on the capability in the providing independent Analyst advice in regard to those areas of specialty, which are identity and access management, information security and governance, risk management, and compliance, and all areas of digital transformation and cloud migration strategy. We seek to support companies and users in, in their movement in those areas. KA Asia Pacific was established in 2013 and it's headquartered in Singapore in terms of the business areas. There's three.
If I might use the term legs to the stool, there's the research activity that in which OL's been very prolific, prolific over the many years now, and you could go into the research that's on the website, just click on the report area and browse through the wide depth of, of research documents in that repository. Then there's the events. Talk more about that in a minute, but Kaka call runs premier events in the identity and access management, cloud migration cybersecurity space.
Lastly, there's the advisory services. If we can help you in setting strategy in determining how best approach digital transformation, if you want any advice in that area of digital transformation, please let us know. And we would be most happy to help you terms of conferences, the largest activity that the, the companies involved in this European identity in cloud conference. It's an absolute must. It's been running for over a decade. Now it's run in Munich in Germany in may. And if you are interested in the identity in cloud migration space, you need to be there in terms of consumer.
And what we're talking about here is exactly in that area, the consumer identity world, that was first run in Paris last year, it's coming to Singapore in August, then Seattle in September, back to Paris in November. So I would encourage you to be at one of those locations to get more in depth in terms of consumer and citizen identity, in terms of the guidelines for the webinar everybody's muted, because it's just impossible to, to have interactive activity there.
We will have a question and answer session at the end to address a couple of the issues that have come up in the preparation of this webinar. And of course the webinar is being recorded and you will be able to get it from the website shortly part one. Then Martin is going to be giving us a background in terms of the history where we're coming from, in terms of this whole know your customer area that we consider to be a major trend.
And it's a trend the government need to adopt because it's so important to organizations these days, I will then go into discussing some of the specifics of the citizen identity management in terms of government services and things that government need to be planned for. And then we will go into the question and answer session.
So Martin, over to you, Thank you, Graham. So let's start sharing my screen. Let's start a little bit with citizen identity and access management. What is it? So when I look at what we did over the past couple of months or years, so we started very much in the enterprise identity management. We are looking intensively at the consumer identity management, but there's also the area and it's around if you're realistic for, for quite a while, which is citizen identity and access management. So what is it?
And I'd like to talk a little bit about this and, and how this is strange and why we also need to have something which we could call citizen identity and access management. So the C I M term Kurt, maybe some, two years ago or so where the consumer moved into the center of attention.
However, there was some foundation of, for, for longer time around, you know, your customer programs. So historically this know your customer programs were more on the compliance side, around anti-money laundering.
However, we also see this transformation towards not only what must we know about a customer and that are we compliant, but how can we enable the customer to do, to do things better? And when we look at it more from a perspective of the citizen, but basically have the same challenge here. So how can governments and government agencies interact better, more efficient with their quote us customers, which are the citizens, how can they do sort of a better business with them for in the mutual interest?
So saving money on the government side, providing more efficient processes to the citizens, all that stuff. And so when we look at it more, the CIM part, so customer data is a rich source of information. There's a lot of stuff here, which is important for the businesses. So they want to learn more about their customers. We might take a little bit of different perspective when it comes to governments, yes, to, they want to learn, but not every citizen wants the government to learn.
I think that might be somewhat different, but basically this way of interacting with customers or citizens to leverage data for better services, to focus on customer experience, user experience or citizen experience is definitely important. And it's a must for the 21st century. It's a must for businesses clearly, because if you don't do it, you will be out of business at some point of time. But it's also a must for governments because that's what they're mobile, they're connected citizens expect. So we are in a, in a world where everything and everyone become connected.
So if you look at the situation today, it's basically that we, as people are acting on behalf of organizations, or we are part of organizations, or we are interfacing to organizations and you could just exchange organizations with governments and it would be the same or governmental agencies. We using a broad variety of devices. We are using more and more connected things. And all these things are connecting connected to each other in some way or not all to everyone. But many of these things are connected to other things or things are communicating with devices.
So it's a, it's a different world today. When we are used to communicate in an electronic way, we want a seamless experience and we want it with everyone. We want to have this opportunity. So things are changing. And this is part of this overarching theme of the digital transformation. And a while ago, I started creating a picture which looks at the major aspects of the digital transformation and how it changes. And while this again was more derived from an enterprise perspective, a lot of these things are relevant and hold true for governments as well.
So when we look at the main external drivers, while the competitive landscape not really changes for government agencies, obviously there's the connected things. There's the ever increasing assets. And there are to some extent also different types of partnerships. So for instance, in the country, I come from I'm from Germany, we see far more public private partnerships. On the other hand, we also have the expectation that different government agencies work together in a better way than they formerly did.
So there are requirements, there are also changes sometimes in regulations around privacy, which might or not might not affect the government agencies, but we see a lot of change here. And that means also that organizations have to change. And when we look at the key capabilities, there's agility, so we expect that new types of interactions are available rather quickly. It's more change, which requires innovativeness. And that's an expectation we have to everyone, including government agencies, which also includes an organizational flexibility.
So this traditional rather let's say first positive stable environment in government also becomes or mass change. It must become more at trial to serve the changing requirements of the citizens. So what are the key topics in the business world? Clearly there's smart manufacturing everywhere. There's the internet of things. To some extent, connected things become relevant everywhere. So you might say, okay, where, where in the government does it become relevant? Look at traffic control, which is a non-citizen facing area, but obvious at, at first glance, but it's obviously very important.
And there are some interesting scenarios and use cases showing for instance, how that information from various elements in the traffic control becomes available to the citizens or which at some point might interact with the GPS in your car to optimize traffic flow and all that stuff. And then there's the know your system part or better. And that's where I would like to change the term and to know, and surf your customer know and serve your citizen with the emphasis on the serve and not that much on the no side.
So yes, we know need to understand what our citizen wants to serve. And well, there are a couple of key enabling technologies. If you look at these key enabling technologies, yes, there's big data where we always have to be careful because that's also a lot about privacy there's identity. Yes. We need to understand the identity. We need to understand also complex relationships. And I think this is, this holds true for both businesses and governmental agencies.
Because if you look at, at, at businesses, you sometimes depending on the business you are, if you're more, let's say in the TV business or automotive industry, you need to understand that not only one person, but there are complex complex relationships behind it. So in front of the TV, there might be the parents and their children. So different persons. You need to understand maybe at some point, which identities are these, or if it's the car, the vehicle, which is used by different persons, complex relationships. And it's the same for citizens.
We have security and privacy is an important area. We have blockchain coming in, also around the KYC scene. So we have a lot of change here. And while this at first class seems to be more something for businesses.
In fact, governments, can't just stay other side and look at it. They have also to think about what is the new role they are taking in future. And some of these, these things, when, when we look at what are technologies that are interesting, because they are potentially increasing the business value, which of them are mature, which of them are relevant and consumer I am and identity relationship management play an important role.
So identity relationship management in fact is the discipline of relating identities to other identities, relating identities to the devices they own or use the things they own or use and all that stuff. Understanding these relationships becomes more and more important. And so what we see in, in the business and what we in some form also should see in the governance base, this is a shift from IM to CIM, to KYC. So IM the traditional identity, access management use lifecycle, access governance, access management, Federation, privilege management, all that stuff.
Usually very much internally facing very much employee or MPA focus. It's three more debt perspective. And so right now we've seen that emerging CIM landscape. So the consumer identity management, which we also should see as an citizen identity access management, where things come into place, such as the customer journey. So how can a customer or citizen register himself? What is the life cycle dealing with? If you look at the business side with consent, managing the relationships, providing adaptive education at the end, everyone wants to use a convenient way to authenticate.
And that's convenient. You always should think from the customer citizen, not from your business. So it's not what is convenient to you that that one single approach you want to have, or where someone from the security department said, oh, that's the only way we can do it. Used to security reasons. At the end of the day, you have to think from the customer. So what is what a customer or citizens want. That means you will have to support different combinations, different types of authentications.
You need to be flexible because while it might be the fingerprint sensor of your iPhone today, it might be something totally different in three or five years from now, something we are not even can action yet. So what is the next type thing we don't know, be adaptive. We need to understand provide a bigger picture, a complete picture of the customer and maybe of the citizen. As I've said, from a citizen perspective, it might be a little bit more difficult because there are some more complex privacy concerns.
Probably if you compare, compare too much data on the other hand, it's already done anyway. And the KYC part, then in fact adds more in the business side, marketing automation, it might be other services you automate in the government space, more analytics, other stuff. So in in fact, cm is sort so to speak identity management at scale plus customer experience while KYC adds the governments and the customer interaction part to that, that's the shift we see in the, in the business landscape. And I think there's a lot we can transfer to the governmental space at the end to be successful here.
And that holds through for governments, maybe even more, we need to find the balance between trust and usability and provide alternatives. So we need to have options for the citizens as well. And if there are too many alternatives for instance, and I'll touch the national lead ID part in a minute, then people will not go for that.
So we, for instance, in Germany, we've seen some interesting failure in, in making the national E I D real success. Why? Because it's usability maybe say, let's say weak, instead of horrible, there are too many alternatives. It's too complex, no success, and there's a lack of trust. So it means, and that's why we then move a little bit more even to the national E I D part, if we want them to build also that relationship to governments and national IDs frequently are an approach.
It must be trusted and it must be easy to use, easy to understand it needs a broader option, but there's a risk of, of a lack of usability trust for itself is not sufficient. And we also might see that there's a lack of trust. And first and more, if you look at Australia or UK, there never has been a nationally ID card. So it's different than Germany, where we are used to it. It's totally different in, in other countries. So we need us to understand how can we identify, how can we authenticate? How can we manage our citizens? What is the right approach for it? So how can we balance that?
And there's some interesting, you know, there are some interesting examples for on one hand success or failure. So Estonia for instance, is very successful. Having an E I D also available for foreigners. They started a program from scratch crossed beyond governmental use. Etcetera. I see other countries, for instance, in the tic states where in fact, some bank IDs replaced more or less this because they are the trusted and widely deployed thing. So in Germany, on the other end, we have limited support governmental services, not to speak of non-governmental services, difficult to use.
So at the beginning you needed readers right now, there are some apps which support NFC on some smartphones, but if you have to bring an additional reader for the ID card with you, it's absolutely inconvenient. It will never succeed. Step communication issues, expansive, and the trust to determine government such as biggest, probably that's a, maybe a national attitude, somewhat limited. So too many alternatives, lack of trust, lack of visibility. It's at the end, I think to be blind, it's a failure.
So some lessons learned that I think they're important to keep in mind because the, the E D is one important element in citizen identity management. It's not the only one, but it's an important one because it's about how can you authenticate and start working with such services brought support for governmental services, or even beyond that. So support from non-governmental use cases, you need to communicate these things.
Well, they need to be interoperability beyond the national borders. We have it in the EU and the European union right now was the S regulation, which will allow that foster that cheap best even you not even use the national ID or you map it to something we already have, make it convenient. There must be a business value, which is visible to everyone. So instead I hand over back to Graham, who right now will dive far deeper into such services for government Graham. It's true.
Thanks, Martin. I, I do appreciate those comments and it's, it's very useful to make sure that we do focus on now, how we apply this, what we're talking about in terms of the trends. If I might use that term to what does the individual, what, what, what do the individual governments departments now need to do and, and, and where do they go? Okay. So what first off is, why does this matter for the governments here in AsiaPac?
Well, basically they have no choice. The traditional service channels are just, just too expensive. So if you are relying on a call center to, to roll out a service, or if you're relying on face to face to some sort of customer service centers, those are too expensive. And so most governments now are, are focusing on a digital first. That's why CIA M matters so much. Secondly, the up and coming demographic and millennials, they they're basically demanding it.
So, whereas governments have got away with providing us baby boomer services based on, you know, coming into a call center. For instance, that's no longer going to apply millennials, want online services. They don't know how to go into a bank. Let's face it. They don't want to go into a, a government service center.
They will, they will use an interactive voice response system in Australia. We have the tax office using voice recognition in terms of that.
So that's, that's something where you're providing a good service from a typically a small device. And, and so they'll go for that. It's very important that then government departments understand the identity attributes of people coming in. And that might indeed be as modern suggested the device that they're using. We might use that as an identity attribute too. And then finally, the experience millennials are not focused on value as we have been the baby boomers, they're focused on experience, and if they get a bad experience, they're gonna tweet about it.
So we need to focus on making sure that we optimize their online journey. We don't require them to, to enter lots more of information. We don't require them to, to, if they go between two different services authenticate again, and we provide them a good connected services experience.
Now, Martin provided us a, a European example. So I wanted to provide AsiaPac example of success, not calling it failure, but in terms of where we can point to where governments have done things, right.
I think, you know, from a longevity, Singapore's been doing a very good job of providing electronic identity services. They do have an identity card and that's enabled them to provide a services in the electronic space as well. Important point here is they do also allow foreigners to engage in that too. So if you've got a work permit for Singapore, you will be part of the E I D system and can get government services.
The, the, the, they built it up from, from the ground up. So it's something specifically designed for government services. And the big thing in Singapore is it's fully trusted. It is primarily used by government though. There's to my knowledge, no commercial services using the government ID as authentication device is trusted. And usability generally is quite good in Australia. I suggest our success is pending. Okay. We've got good core facilities with the, my gov service, which has everybody, who's got a, a, a Medicare account or a Centerlink account in it.
We've got a very good document validation services, about 10 different documents. You can get validated via the federal government's DVS service, but in terms of use within government, I think we would have to agree that it's quite fractured. And that comes down some to a degree.
The, the, the division of government in Australia in terms of some services are provided by local government, some by state government and some by the federal government. So we can understand that, but within, within Australia, Queensland, new south Wales, and soon Victoria will have very good online identifier services, hopefully tied into the federal system, but we, the go pass services is pending at the moment. So a lot of work being done by the digital transformation agency in that space.
And we can see some interesting things happening in the not too distant future issues for government I've I've, I I've identified four critical ones. One is how do they put together this identity provider service?
And, and there's basically two options. I begin with a persistence identity provider, or are we going with a transitory system more on that in a minute, in terms of the department slash agency requirements?
That's, I mean, in many cases, government department doesn't provide customer facing services. They will rely on an agency to do that. So the agency requirements must be wrapped into that. And the biggest is relationship management back to that in a minute, data sharing is very important right now, citizens couldn't care less. What department is providing a service. They want a single one stop shop. If you like, whereby the agency, collaboration needs to happen in the background. Okay. So more in that in a minute.
And then there's the authentication very important that when government services are being accessed, that there has been a match between the registration process that registered that user to the level of assurance being required by the service being provided. So, first point then is the provider service, okay. In AsiaPac, we've typically gone the persistent ID service. Okay. So the United States has been toying with a, a service. That's what I call transient. It'll be provided by ind commercial operations. The UK UK verify is based on commercial organizations, providing a service.
When you come in to get a UK government service, you will authenticate, and then it's finished. The government maintains centrally no identity provider service in Australia, in Singapore, in Hong Kong. That's not the, and New Zealand. That's not the case. The government has their own persistent identifier services.
Goodness, there's some good things and some bad things about that, which we'll come to in terms of leveraging identity services. We need to make sure that we can do that at multiple levers. I mentioned before in Australia, we basically have a, you know, some states are doing a good job of identity authentication, but it's only for that state isn't, it's not shared. And what the go path system hopefully will do is pull together a good federated environment for, for Australia.
We also need to make sure that we put out the most widely used services and this isn't, the government has tended to not do this. So I'll use a Queensland.
As, as an example, you can go and register for a camping permit using your government ID. Well, I would suggest that not a lot of people, it's not a widely used services. We need to actually focus on tax tax is always a big one. Being able to authenticate yourself to the tax department, your motor vehicle issues, being able to register your motor vehicle. A lot of transactions with government through motor vehicles and driving licenses. Health is another big area, making sure that you can authenticate yourself to services at hospitals, et cetera. And then justice.
Justice is an area where it's not just the department of justice. It'll be the courts, it'll be the police department and potentially other community services organizations that need to combine to provide a ubiquitous service in the justice area. Governments need to focus on those wild, widely used services first. And lastly, we need to make sure that we respond to what the CU customer wants or the user wants. And that is responsive web services. We mentioned before millennials are coming in with a little smartphone. They don't want a standard website.
They want something that's responsive to the screen size that they have. We're seeing Sam as absolutely being mandatory in any sort of federated authentication system. And increasingly we want to have an intelligent API, a restful API that supports the access mode that we require. Okay. In terms of the identity provider services, I'll go over this quickly because we've talked about this already in a persistent ID service. One of the big benefits is being able to pass through to the department information or identity attributes that the department needs.
So for instance, if I, if I am logging on to a government site in order to do, to renew my driver's license, when I'm passed, when my session I'll drive authenticated and I'm passed to the depart to transport, the information in the header should have my driver's license in there. Okay.
Now, if I've, if I've used my driver's license in terms of registering for a persistent ID service, then that can happen. If on the other hand, I'm relying on a transient or the government is relying on a transient ID service. They need to make sure that the commercial services that are providing that service have the requisite information in there so that they can pass authenticated session through with the requisite information. And that might be my passport number.
If I've used the bar passport number to register, then that information, should it be required if I'm, if I'm going to the department of immigration, then the passport number should go in that in head information, same with the police. If I'm connecting to, for a bail application, then the police identify information needs to be passed through one issue on the transient information side of things, we are seeing one of the trends in a certain segment of society adopting life management platforms.
So what this citizen is saying is I want to manage my own identity information and you government department will get the information that I want to provide you. I'm not providing additional information. That's not necessary. And I'm gonna use a life management platform for that. If a government is using a persistent ID system, they need to have some way of federating with the life management platform that's providing that service. Okay. Let's look from an inter between this, between the really requirements here. We've mentioned relationship management.
If I'm requesting a service, I need to make sure that I'm, that when I'm authenticated, that that information is being passed through. If it's a driver's renewal, driver's license information, if it's medical, if I'm coming in to make a, a, a hospital appointment, it's my hospital identifier. If it's justice requirement, I, I need to provide through my police identifier. For instance, secondly, we gotta make sure the level of assurance is right. Okay. So if I'm coming through to get my I'm just paying my registration for a vehicle, that's a low assurance activity.
Generally speaking, you're not gonna have somebody purporting to be you in order to pay your re. However, if I'm coming in to get my driver history, in terms of how many demerit points I have, then the department of transport made better be darn shore, that I am, who I say I am and will need to authenticate me to a higher level. So the level of authentication or level of assurance within an application has got to men, got to match up with the registration process that was used to establish that authentication.
And finally data synchronization is most important that we have the ability to have a single mechanism of updating information. So for instance, department of transport requires me to change my address if I've within three months of actually moving, okay. If I change that address, it's not just a department of transport that needs it. It's other departments two. So there needs to be some mechanism of capturing and synchronizing this information across government, in terms of data sharing. As we mentioned before, citizens want a single point of service.
If they're authenticated and they are enjoying one service, they now need to move to another service. They don't want to have to authenticate again.
Now, if the second service requires a high level of authentication, there might need to be more exchange of data between the, the identity service and the, the application, but the, the, the user wants, wants absolute single sign on capability there. Okay.
So again, that moving between levels of authentication is something that's got to be provided. Privacy regulation is very important and the, they, I suppose, most governments are good because they've set the privacy of regulation. They should be abiding by it. But it's important when we start this data collection, purpose data collection process, that we make sure that if data collected for one purpose is it's, it is being used for that purpose. It doesn't be used for another purpose unless the citizen has said that they can, okay.
It's also important that, that the citizen be provide access to the data that you're holding on them. So that's gotta be provided as well. And obviously the data's gotta be protected adequately in terms of security restrictions. There's a necessity to make sure that resources are secured appropriately. So governments have gotta realize the sensitivity of the information they've got and make sure that it's, it's, it's treated appropriately.
Increasingly information is classified within government, and typically a risk management process should be used to determine what that classification should be. And that should match up with the registration process of a user. So if a user requires access to a piece of sensitive information, the risk management analysis should have said, well, they need to have a level of authentication of a one or a two or whatever.
And, and the authentication levels typically well in Australia and in Singapore, follow the N the N approach to authentication framework N have determined a full level framework. In actual fact, they've just reissued a version three of the N 863 and, and the moving more into an attribute approach. So that'd be worth looking at, but the national electronic access authentication framework used in Australia uses now a full level missed approach. Most governments have added a fifth in terms of privacy legislation.
It typically says that if you are providing access to a service where it's not necessary for a user to identify themselves, you've got to allow them to have an anonymous or a suit anonymous session. So there's typically five levels now that that are supported, is that very important that that authentication elevation happens so that if you've logged on with one level, you can ratchet up to the requisite level for a different, a different service without interrupting the user's session.
Obviously, if they've not identified themselves to the necessary level, if that's not happened as part of their registration process, if they try and access a higher level, you would need to, to, to kick them back and say, well, go in and register for that high level before you go for, before you go over further. But if they've have a registered for instance, at level two and request a level two service, if they've logged on it, level one, the system should look after the elevation to the, the level two that they, they might require. Okay.
In conclusion, the a couple of things are, are obvious. Digital first is absolutely essential now. So for governments to hide their head in the sand and saying, I'm doing nothing, that's not an option.
It won't, it, it, it, governments must have a mechanism to use identity information, to authenticate people to services full stop. It's also important that the, that the identity service requirements are identified and we do, I've used the term later here, the normalizing authentication requirements. So the process to be followed is as the identity services put in place, the authentication services is put in place is necessary for government to look at what the service requirements are and normalize them.
So, for instance, if the department of transport says, I need level two, in order to provide access to driver history, then the department of health say, I need level two. In order to a level, allow somebody to, to make an appointment to the hospital that needs to be normalized and not allow agencies to set or departments to set their own levels there.
We need to have a common authentication capability, and hopefully that's built, built on the, the nest approach in terms of the services to be enrolled for, for countries that do have multiple levels of governments, it's most important that they be looked at together. So for instance, in Australia, we've got a large municipal, very rich identity information at the municipal level, in terms of the property rates, information, property ownership, information that can be used for authentication purposes.
And again, if I'm connecting to my local government for a rates notice op operation, I want to be able to use my government authentication in order to get there. So it's important that we have this ubiquitous approach across all levels of government. And finally, in terms of the access modes, make sure that web services are responsive, please, because that's what millennials want.
Now, Sam is the standard for attribute request authentication for services, particularly in the federated cross border requirement. So making sure that we have that SAML capability is an absolute core requirement and increasingly APIs for managed services that allow a, a management of that user access to the service. And it ma it provides all the security around that APIs are, are, are, are the, the flavor of the market. They're the way to go, to allow the user to get the richness of services that they require. Okay.
In terms of then the part three here in the question and answer sessions, there's a couple of issues that have come out of this webinar in well, as we were preparing it that I think would be worthwhile to just go over. So this is this in Martin. I might ask for your opinion here in the C IDM, like on your previous slide, you said C IDM is IDM at scale. Okay. Most government departments are very familiar with identity and access management because they've done that. They've done that for their staff. They've done that for their contractors.
Increasingly they're doing that for their partners, partners who are providing service. So a lot of government departments now are quite with federated authentication requirements in that space. What difference is there as we approach citizen IDM, what sort of issues do do government departments need to be aware of in this space?
Graham, thanks for the question. I think one issue obviously is scale. So it's different, whether you're talking about a couple of thousands of employees or partners, or maybe tens of thousands, or you're talking about 25 million or 80 million citizens. So it's totally different level of scale. And we shouldn't. So to speak underestimated from, from the complexity, the question also clearly will be, can I scale my existing identity management or do I have to have a, do I need to have a different one for my citizens, for security, for privacy reasons, for technical reasons.
That's, that's an interesting question. On the other hand, clearly, there's also the point that them consumer or citizen anti management is sort of a target when it comes to access rights of employees of the government. So it's an interesting constellation here. So the scale part obviously is one challenge. The other thing is that process are somewhat different.
So if you look at the traditional perspective, so to speak often, enterprise or employee facing identity management, bruises, commonly start at the HR system, or if it's about contractors partners, they also are very well defined, sometimes automated input from a surgeon system for citizens. It's more about self registration. There's some sort in, in, in the business world, we would talk about terms and conditions, and we will find similarities in the government space. So agreeing to certain sets of rules, providing consent as, as you already said, crime.
So that to some extent is little bit of differently, any way I have a very important recommendation that is even if you say I build my, my citizen identity management are different platform, build an overall architecture for your identity and access across all the types of users you have to deal with. Okay, that's a good point. So although it might be a scale as you pointed out we're into the millions, rather than the thousands, it will be a much more shallow. We won't need the hierarchy that we have within our, our staff or our partner identity management systems.
But just suggesting that as we put that together, we should, I guess I I'd like a concept of an identity of a relationship diagram where we, we, we document what it is that we are, are storing and the information that we are storing and make sure that's treated as a ubiquitous approach for our identity management throughout our, our, in this case government department. Am I, is that correct? Yeah.
And I, I think you, you, you raise another important point. So it's, to some extent, less complex, because if you look at the employee or partner or contractor side, you have a lot of roles, a lot of different things to consider. When you look at a citizens, basically it's the citizen, there might be some differences, but it's not that you have hundreds or thousands of different roles. The citizens will have commonly, however, and I think that's more complex in the citizen than in the consumer space.
The access to the citizen data requires very well sought out approaches regarding access control, because there are so many different, highly sensitive data, which only should be available to certain parties or only in a very restricted way to other parties in certain scenarios. So investigations, et cetera. And I think that's, that's an interesting area where, where it's also important to look at the similarities and the differences to traditional identity management. Hmm. Thank you. Can you comment on the data security requirements for this citizen information?
How, how different, or do you see a difference between the identity security requirements? Like keeping your identity information secure within a government department for your staff or your partners? Do you see a difference between that and keeping the, your, your, the, the information you might keep on citizens secure?
How, how do they, how do they relate That? That's a very interesting question. There's not a simple answer on that. It's interesting because clearly the, the, the security privacy and the way governments look at citizen data and RO citizen data is, is one which always is, is seen very, very skeptical by citizens. Sometimes more, sometimes less. And there are a massive differences between on one hand, sort of the, the role or the way a government can deal with the data. So it's totally different in a dictatorship than in a very privacy, a fine democracy, obviously.
So there are massive differences around that. If you look at it more, more in the sort of traditional space of, of countries, where, where people are asking for privacy, where they are somewhat reluctant, having the government, having too much access to their data, I think it's basically the same things and you brought it up. There should be consent and government should work fair with their citizens as well. There's obviously always the, the risk and also sort of demand of government agencies to say, oh, if, if we have the data, we want to use it so differently.
I think there's not a simple answer saying that's the way to do it. I personally believe that that the approaches such as the upcoming European general data protect regulation provide, provide a good way to balance privacy needs and business or government needs at the end of the day, by saying, this is, this is a way where you can do it. And if you provide a value, if you show well, you people will share data will allow you to do stuff. But as I've said, it, it very much differs depends on the, the country you are in. Yes. Yes. That's very good point.
And it, it, it it's, I, I agree with you watching the, the development of the GDPR regulation activity. I think that becomes a, a good Mark Stone, if you like, of, of what we should be focusing on, regardless of whether our particular government requires that at this point in time, and, you know, in Australia there, there's, there's pretty strong privacy regulation in Singapore. They've their data protection has been, you know, very high, but in terms of the, the, the watermark now, I think is a GDPR regulation.
And, and I think governments need to start thinking in terms of that level of data protection in terms of their citizen information. Yeah, not, I would say Singapore and GDPR are very much at the same level.
So, so it's what I've frequently hinted on one people to me as a European come and say, oh, this is where you have to strict laws. I say, it's not only du or Germany, but there are other countries such as Singapore as well.
And yes, I think it's a good idea to, to orientate on that. But as I've said, it very much depends on the country. Yeah. Okay. Our time has gone.
I, I, I, I do appreciate your participation on this webinar, Martin, and thank you very much. Thank you.
