Identity and Access Management Improves Digital Experiences
The Department for Work and Pensions (DWP) is the United Kingdom’s largest government department. The organization is implementing an identity-based digital transformation in order to reduce fraud, keep costs down and help citizens more easily and securely access benefits. I had the pleasure of speaking with James Randall, the Lead Identity and Trust Architect for DWP, who gave us a peek into the department’s strategy and execution.
Q. DWP is the UK’s largest public service department and largest distributor of benefits. Who are you serving and at what scale?
We are responsible for welfare, pensions and child maintenance policies for more than 20 million customers. Through our welfare systems such as Universal Credit, we encourage people to be financially independent by providing assistance and guidance to help them back into employment. We also administer the UK state pension service as well as a range of other benefits including child maintenance and support for people with ill-health.
Q. Tell me about your role within the organization.
My role is to design and execute our digitization strategy. I work within the DWP Digital Group - a team of people who manage the DWP’s digital estate and all the electronic services. Specifically, I’m the lead architect for identity trust and my focus is on identity verification and identity-based access. We are using technology to combat fraud while fostering accessibility and ease-of-use for our citizens. The citizen is the focus of our work: We are tasked with providing a personalized experience while also protecting citizens’ privacy. We also want to keep costs low, driving value for money in order to protect the public purse.
Q. What role does identity play in your digitization strategy?
Identity is at the center of our strategy. It is imperative that we allow citizens easy access to the information we hold while protecting their privacy. We need to determine that people are who they say they are on multiple channels including face-to-face, chat, phone, web, etc. Once identified, we need to authenticate users quickly and easily in order for them to securely interact with the services we provide.
But identity can be tricky, particularly in the UK. In Estonia, for example, they have a national identity card which citizens can use to establish their identity across government, health and banking sectors easily and it works really well; their citizens can move smoothly through government systems without having to constantly reaffirm their identity. In the UK this is not the case. As a society we have a different view on the use of government-issued ID cards and that’s OK, it just means that the identity challenge is more complex in countries like the UK; of course, that’s also what makes it so interesting!
We have tried to solve this problem before, of course, with GOV.UK Verify -- a bold attempt to establish a government identity approach that would facilitate better citizen interaction with government systems. We learned a great deal from Verify and it was heavily used by the DWP, specifically on our Universal Credit service. But it was not perfect and we found that it was often very hard for some of our more vulnerable citizens to use. That’s why we are now building our own service, which is known as the Dynamic Trust Hub. We are taking loads of learning from Verify and we are working across government to ensure our internal approach can complement, reuse and support other departments wherever possible.
Q. What more can you tell us about the Dynamic Trust Hub?
We created the Dynamic Trust Hub, which is based on the ForgeRock Identity Platform, with help from Accenture and we have deployed it into AWS. The Dynamic Trust Hub will allow individuals access to the department’s numerous digital services, reusing a single identity that they should only have to prove once. The ‘dynamic’ nature of the Trust Hub relates to the way it will manage the citizen journey based on what they are trying to do, reducing complexity where possible but ensuring, when necessary, effective identity and security controls are put into place to protect citizens’ data. The Dynamic Trust Hub implements a policy-based approach so it can support federated credentials and mandate multi-factor authentication and govern access to citizen data held across different benefit lines. It will do so in a way that will provide for a joined up and, hopefully, a more pleasant experience for all our citizens.
Q. Many agencies globally are facing threats of fraud. Is that an issue at DWP?
Reducing fraud and error is a massive consideration for DWP so we’re always looking for ways to reduce that. With the Dynamic Trust Hub, we are implementing solutions to combat identity fraud and inappropriate access. The department already operates a sophisticated fraud service and the Dynamic Trust Hub will allow us to incorporate that intelligence into every customer transaction. We’re running risk solutions that identify patterns and risk engines that flag issues to agents and systems before they become truly problematic.
Q. Does combating fraud conflict with usability for consumers?
It can be difficult to install safety protocols that don’t hinder the user experience. The Dynamic Trust Hub will support the development of risk profiles based on an individual’s behaviour. With ForgeRock, we can put speed bumps into place that alert agents and systems to potential fraud. But we can also remove those speed bumps for a citizen who exhibits less risky behavior for a smoother experience. ForgeRock helps to make it easy to deliver a personalized customer journey. We can say, “Yes, we know that person and that person is safe.”
Q. Tell us about your identity journey.
We have a significant number of legacy systems as well as an increasing number of modern solutions supporting specific benefits, but we knew we needed to update our capabilities that center on identity. But identity thinking at the complex level required by the department was relatively new to us; We took about six months to investigate and fully understand our needs and the technology that could assist us. From there, we identified the capabilities and outlined our specific needs. We decided we needed Identity and Access Management to create a real-world identity store and a transaction risk management solution that builds up a citizen’s credibility over time.
We then sent a Market Analysis paper to various identity vendors, we narrowed the candidates down to six and then eventually to two with whom we tested and built fully operational prototypes. We found that ForgeRock had the most comprehensive capabilities like delegated access, user access and risk execution. We also like the modular nature of ForgeRock’s products. I have confidence that ForgeRock is future-proofing our architecture, bringing good things to bear down the road.
Q. How did the COVID-19 pandemic affect DWP? Did you believe you were prepared?
I am not sure anyone can truthfully say they were prepared for the pandemic and obviously it has had a profound impact on DWP not only as a large, complex organization but, more importantly, on our operations teams with a substantial increase in demand for the national services we provide. Speaking from the perspective of our team in Identity and Trust, I think we handled the situation extremely well. We not only moved overnight to a 100% home working environment but also managed to accelerate some of our inflight activity to support the significant increased demand on our wider operations, without which some of our major benefit lines would not have been able to support citizens as well as they have through this crisis.
Q. Any future plans you can share?
Just that we have very ambitious plans to continue to roll out new services that allow people to more quickly and easily get the help they need.
Learn how the AI-driven ForgeRock Identity Platform can improve and scale all things identity, governance, and access management for your business. And check out our customer page to see how our customers use ForgeRock to help grow their organizations, manage risk, and reduce costs.