Balancing security and user experience – how can councils get digital identity right?

Kevin Butler, Principal Solutions Engineer at Okta, discusses how councils can balance security with usability, post-pandemic.

Posted 14 March 2023 by Christine Horton

As ransomware and other cyberattacks on UK councils continue to surge, IT and security leaders face immense pressure to protect their citizen and workforce data from harm. Yet finding the balance between security and usability is still a huge challenge for councils, according to Kevin Butler, Principal Solutions Engineer at Okta.

Digital identity came to the fore during the pandemic. But with the need to rapidly establish the new remote workforce, the scales tipped more towards accessibility than security, said Butler. That’s an issue that must now be addressed.

“We’re seeing the deployment of additional checks; multi-factor authentication (MFA) or device-based checks. One approach is to use Virtual Private Networks (VPN), [to] make individual applications accessible. One way to do that is move the application from on-premise to the cloud, adopting a Software as a Service (SaaS) method. The other way is to apply a network pathway to it. The good thing is, from an Okta point of view, we can enable and support any of those methods.”

In light of those devastating ransomware attacks, securing digital identities has become critical. “It was a nice-to-have before, but it’s absolutely critical, particularly for remote access,” he said.

Single sign-on

Butler pointed to the Zero Trust concept, which works on the basis of trusting no one coming into the organisation until their identity is verified and their access rights are established, irrespective of their role – employee, supplier or customer. This is vital considering the increase in supply chain attacks in recent years.

The question of trust versus user experience is also evident when it comes to citizens accessing council services. It is common for citizens to have multiple logins to multiple council services – Council Tax, Benefits, Car Tax and driver’s licence, to name just a few.

“Employees go through screening, validation, and have to verify that they are who they say they are on every step of the journey, for multiple departments and services. This point of trust in terms of the citizen is all about self-registration, self-service capability and optimising the customer’s experience. Ideally, citizens want to do that as a single identity across the council, [to be] known as an individual rather than having to be registered for 10 or 15 services – the bins, car parking, council tax, rent – each [time] having to enter their details and dates of birth.”

An added bonus is that this single identity approach would also help councils perform analytics and reporting on individual citizens and get a clearer idea of what services they’re using.

“Again, this comes back to cyberattacks. If we know who the individual is, we can apply the principle of least privilege. The whole point of this zero trust approach is to make sure that every person is accountable,” said Butler.

The security aspect of single sign-on (SSO) involves additional credential checks, known as contextual access or risk-based access. For example, said Butler: “You can build relationships between the user and the device that they’re using. So if using Touch ID, Face ID on your mobile app, that can be recorded as a combination. If there’s a login from somewhere else, then that can be blocked, [based on] other capabilities like geolocation, or service logins coming from out of the country.”
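As an added illustration (not code from the article, and not Okta’s own policy engine), the small Python evaluator below models the contextual-access checks Butler describes: a registry of recorded user/device combinations, a biometric signal from the device, and a geolocation check that blocks service logins from outside the country. The event fields, the registry contents, the home-country value and the sample events are all constructed assumptions; a real identity service would take them from device enrolment and geolocation data rather than from literals.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Policy outcomes: allow as-is, require an additional factor, or block.
ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class LoginEvent:
    """One sign-in attempt as the identity service would see it (hypothetical fields)."""
    user: str
    device_id: str      # identifier of the enrolled device
    country: str        # ISO country code derived from geolocation
    biometric_ok: bool  # platform biometric (Touch ID / Face ID) succeeded on the device


# Constructed registry of recorded user/device combinations, i.e. the
# "relationship between the user and the device" that Butler mentions.
KNOWN_BINDINGS: Set[Tuple[str, str]] = {
    ("alice", "phone-1"),
    ("bob", "laptop-7"),
}

# Assumed home country for the council's services.
HOME_COUNTRY = "GB"


def evaluate(event: LoginEvent,
             known_bindings: Set[Tuple[str, str]] = KNOWN_BINDINGS,
             home_country: str = HOME_COUNTRY) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for a single login event.

    Order matters: the geolocation block is applied first, so an out-of-country
    attempt is denied even from a recognised device.
    """
    reasons: List[str] = []

    # Geolocation check: service logins from outside the country are blocked.
    if event.country != home_country:
        reasons.append(f"login from {event.country}, outside {home_country}")
        return DENY, reasons

    known_device = (event.user, event.device_id) in known_bindings

    # Recorded user/device pair plus a biometric on that device: no extra friction.
    if known_device and event.biometric_ok:
        reasons.append("recognised user/device pair with biometric")
        return ALLOW, reasons

    # Anything weaker is not blocked, but the user must present another factor (MFA).
    if known_device:
        reasons.append("recognised device but no biometric; additional factor required")
    else:
        reasons.append("unrecognised user/device pair; additional factor required")
    return STEP_UP, reasons


def evaluate_all(events: List[LoginEvent]) -> List[Tuple[str, str]]:
    """Run the policy over a batch of events and return (user, decision) pairs."""
    return [(e.user, evaluate(e)[0]) for e in events]


# Constructed sample events covering each branch of the policy.
SAMPLE_EVENTS = [
    LoginEvent("alice", "phone-1", "GB", True),    # known device + biometric
    LoginEvent("alice", "phone-1", "GB", False),   # known device, no biometric
    LoginEvent("alice", "tablet-9", "GB", True),   # device never recorded for alice
    LoginEvent("bob", "laptop-7", "FR", True),     # known device, but out of country
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        decision, why = evaluate(event)
        print(f"{event.user:6} {event.device_id:9} {event.country}: {decision:8} ({'; '.join(why)})")
```

The step-up outcome is the usability lever: an unrecognised device is not refused outright, it is asked for another factor, after which a real service would record the new user/device combination so the next sign-in from it is frictionless.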

Availability in the cloud

Another challenge that both local and central governments in the UK are trying to address at the moment is around resilience.

“We, as citizens, want to be able to access applications and services at strange hours of the day rather than just office hours,” said Butler. This means councils must be able to keep those applications up and running and accessible to users – which can come at a cost, particularly if their on-premise hardware needs maintenance.

“This is where digital transformation to the cloud comes back into the picture,” said Butler. “Why spend money on legacy infrastructure when you can actually uplift it into the cloud; it’s more available as far as end users and the workforce is concerned and can scale based on the service and customer needs.”

However, most local councils are not ‘born in the cloud’. “Like 98% of organisations, they’ve got an on-premise directory service, which works great for the desktop, or for file and print servers. But when it comes to applying identities for the cloud, you have to invest more in providing that capability,” said Butler.

“From an Okta point of view, we make that a lot easier and quicker to deploy. The traditional way of doing ADFS [Active Directory Federation Services] is to buy more servers, put more elements of tin into the on-premise environment first, before you went to the cloud. The Okta story is about adopting it first from a cloud point of view.

“All the cloud services are using a set of integration standards for login services. The key here is ours is a prime service – a lot of other organisations provide that connectivity but that’s not their mainstream. From Okta, we’re talking about the full set of services and creating a strategic approach to identity: single sign on, multifactor authentication and lifecycle management.”

We have seen first-hand how giving council workers better access to applications enables them to provide better services to citizens. By strengthening internal cybersecurity practices with Zero Trust and adaptable authentication, Okta is demonstrating that identity is the foundation for government services and the only way to deliver next-generation digital experiences to people across the UK.