Ken Cochrane | Identity's the key to a better Web

Ken Cochrane, Canada's chief information officer

Teckles Photo Inc.

When Ken Cochrane took the position of Canada's chief information officer two years ago, one of his top priorities was improving identity management.

'I still don't think it means a single card,' he said ' but 'having the right elements that interoperate are really critical.'

As CIO of an organization with more than 470,000 employees, 1,600 points of service, and a mission to serve a far-flung population, Cochrane has seen his role take on new dimensions as Canada attempts to harness Web 2.0 technologies.



GCN: The Canadian government earns high marks for its use of information technology. What lessons have drawn the greatest interest from your counterparts elsewhere in the world?

Ken Cochrane: One difference between Canada and other countries is some of the tools we use. Everybody's using tools to make sure there's compliance. One of the important tools we use is the Management Accountability Framework. Each department and agency is assessed based on evidence as to how well they are exercising good management in their enterprise: How are you managing your policy and programs? How are you managing your people? What about citizen-centered service? What about stewardship? We have 21 areas of management we assess. It's like modern comptrollership on steroids.

We're trying to get to a point where there's more self-assessment, based on indicators that already exist in the system as opposed to having to look through loads of evidence. Say we're looking at IT and I want to quickly assess if you're doing a good job with your desktop services. I look at total cost of ownership, mean time to rust-out, or something, to make sure that you were really sustainable and running the operation well.

This was the first year that we've set up a portal for this, so there is a database that is loaded by departments. Over time, we will standardize the reports and make those easier for us to deal with.

I think another difference is it's somewhat unique that in the role of CIO, I have responsibility for a number of policy areas but also for governmentwide leadership for IT, identity management, security, privacy, access and so on.

Probably the other place where we're most active is identity management.

GCN:Please elaborate.

Cochrane: Although I think the [United Kingdom] is talking about a single identity card, that concept makes people very nervous in Canada and the United States. That's not what we're talking about. If a time came when we needed one, what we're doing under identity management would facilitate that ' by setting the standards around the management of identity.

When we look at identity, there are two sides to it. One is security for the safe movement of people across borders and into the right places. The other side is service ' making sure you are who you say you are when we provide you with access to a service.

GCN: And what steps are you taking to establish those standards?

Cochrane: We've worked very hard on the terminology: What do we mean by identification ' or by identifying documents? What do we mean by registration, when you register for a program? Or authentication ' when you come back and visit a second time? Or authorization ' are you authorized to do one thing or 10 things?

We now have a standard model that defines all those terms. Now we are starting to standardize assurance levels ' from zero, let's say, to four. Zero level of assurance says, 'There's really no security required; you can come in and gain access to things.' Level 1 says, 'It would be nice to know who you are, but all you're going to be doing is looking at information that could be acquired, maybe, publicly.'

Level 2 says, 'Hold on ' we need to know who you are because we may show you some information about yourself when you ask for it.' Level 3 may say, 'I'm going to give you deeper access to your account ' maybe multiple years' worth of tax returns or a list of your dependents. It is information we don't want to go to anybody but you ' not even your mother.'

Level 4 would deal with entering very secure facilities that we don't want anybody else in or top-secret data.

GCN: How are you approaching assurance?

Cochrane: Defining assurance levels is really important because it works in two ways. No. 1, it works with the credential. And we also apply the same model of assurance to the event or transaction. Some events are Level 0; some are Level 3 or 4. Our model tries to establish standards for determining what level the credential operates at and what level the transaction or the event requires.

This is very helpful because it lets us speak to any jurisdiction about what we're talking about. I could issue a credential to you, and if they trust me that I've issued it effectively, then they would let you use your credential with their services, too. We're talking to the banking community in Canada to see if these standards would work for them as well. I don't care who issues the credential as long as we have trust that they've done it effectively.

GCN: What other steps are you taking to improve service or efficiency?
Cochrane: One is we have rules in place whereby procurement has to meet certain criteria in terms of disposability of the equipment and energy saving.

Second, we're trying to get people to use different technologies to minimize their carbon footprint. Can you use videoconferencing or collaborative tools? For example, we engage 10,000 Canadians every year using surveys, but we rely more on focus groups. We were able to run these remote focus groups, via the Internet, with people from across the country, at a fraction of the cost of what a focus group would cost.

The last piece is consolidation. We've focused on three tracks: consolidating networks, consolidating data centers, and we're trying to establish a standard desktop. We're in the approval process to set up a major data center in Ottawa that collapses probably about 40 to 50 data centers (among about 140 data centers nationally) into this one ' initially by 2011.

GCN: You've written that government CIOs will need to look further into the future and plan for Government 3.0. What is your vision for Government 3.0?

Cochrane: (Laughs.) We haven't even got to 2.0. But to me, Government 2.0 is more than Web 2.0. It's the modernization of internal services, getting the right workplace and the workforce on all those dimensions ' and coherency. But you have to worry about the next generation.

So it was a messaging piece. What does 3.0 mean? Maybe it means the big shift in government services. Take the concept of mash-ups. Other people can offer our services ' geospatial data and climate data and other data we have ' and connect it and offer services that we don't offer.

There's always an entrepreneur that says, 'I found A and B, but we're going to add C, and guess what I've got? A new service nobody thought of.'

I don't think 2.0 really talks about that so much; it talks more about collaboration. I think we'll see something emerge that's even more interesting; there's going to be a revolution ' just like in early 2000 with the whole craze around the Web.

Now, the only thing is, to me, I think we need some good identity management. If we do a good job and we can share the standards, then it works for everybody.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above