Kentucky Enterprise User Provisioning System (KEUPS)


Commonwealth of Kentucky
2010 NASCIO Recognition Awards Nomination
Category: Improving State Operations
Kentucky Enterprise User Provisioning System (KEUPS)
Submitted by: Commonwealth Office of Technology

Executive Summary

On December 1, 2009, the Cabinet for Health and Family Services (CHFS) implemented the Kentucky Enterprise User Provisioning System (KEUPS) application, which is currently used by over 2,000 Department for Community Based Services (DCBS) workers statewide. DCBS, a department within CHFS, is responsible for child and adult protective services, foster care and adoption, and services to enhance self-sufficiency, including food stamps, cash assistance to needy families, child support, childcare assistance, and Medicaid eligibility.

With limited resources available, in early 2009 DCBS, in collaboration with OATS, launched the Kentucky Access Accuracy and Accountability Project (KAAAP) to integrate and update, with new technologies, the systems used for eligibility determination and benefit issuance for the Medicaid, Food Stamps, and Income Maintenance programs. Development and implementation of KEUPS was part of the overall KAAAP effort. This implementation was also aligned with, and part of, a larger Cabinet plan that included the modernization of CHFS's most critical applications.

The goal of KEUPS was to provide a comprehensive security solution that delivers centralized identity management, automates user provisioning and de-provisioning, and provides an end-to-end security solution for every software solution within the Cabinet. KEUPS centralizes user authentication and authorization, gives each user a single point of access to all systems the user is authorized for, and positions the Cabinet to build and deploy technology solutions that can interoperate efficiently and seamlessly.

In the next couple of months, CHFS plans to use KEUPS for identity management of over 9,000 Cabinet users. The CHFS Office of Administrative and Technology Services (OATS) is currently working on a road map to allow integration of all IT solutions with KEUPS.

Description

CHFS is responsible for providing a broad array of health and human services to the citizens of Kentucky. CHFS OATS is the organization within the Cabinet responsible for delivery and maintenance of the Cabinet's technology systems, and it supports numerous computer applications that help deliver these services. These include systems for TANF (Temporary Assistance to Needy Families), Medicaid, Food Stamps, Child Support, Child Care, Child and Adult Protective Services, and various Public Health related services. In keeping with CHFS's strategic goal to effectively identify and implement IT solutions, the KEUPS application was envisioned as the foundational component that will allow incremental upgrades to the Cabinet's existing legacy systems by facilitating seamless integration between the existing and the modernized components.

Over the past few years, CHFS has endured declining budgets coupled with reductions in staffing while the demand for health and human services continues to increase. Staffing shortages continue to be problematic in all areas of the Cabinet in handling the ever-increasing responsibilities, workloads, and demand from public constituents for Cabinet services. In an effort to mitigate future disruptions in service and gain efficiencies through system upgrades, CHFS devised a strategic plan to reengineer current business processes, automate current manual processes, and modernize existing systems by leveraging the capabilities of new technologies.

Historically, CHFS users accessed applications hosted on disparate systems and disparate platforms to fulfill their daily responsibilities. Users had multiple usernames and passwords for entry into different systems, applications, and utilities, or to obtain data in different formats. In addition, security schemas differed across platforms and applications. Requesting and receiving access to these disparate systems took several days.
The use of disparate paper-based forms made tracking and reporting difficult, which in turn made it hard to comply with the demands of the auditors. Security officers within the Cabinet had no means of accessing centralized reports on user authorizations and accesses.

KEUPS aimed to solve the business challenges around managing user account access for applications on a variety of platforms, including web (ASP.NET) and mainframe (z/OS). Instead of an assortment of request forms, KEUPS creates a consistent method for requesting access to applications and network resources. The solution manages user access by automating the request and approval steps, replacing the existing manual and mostly paper-driven processes. KEUPS provides centralized user lifecycle management and automates user provisioning and de-provisioning via approval workflows. KEUPS also supports role-based access to systems and provides single sign-on to multiple systems from a single portal landing page. In addition, KEUPS provides comprehensive reporting and audit logging for access privileges and activities, which security officers use in their pursuit of security compliance.

KEUPS integrates and synchronizes with the state's existing Active Directory as well as the state's mainframe security on z/OS. KEUPS supports claims-aware applications via an Active Directory Federated Services (ADFS) based runtime authentication environment. In addition, KEUPS integrates with the z/OS mainframe security facility, Resource Access Control Facility (RACF), for user authentication.

KEUPS has a multi-tier architecture, or n-tier design, that logically isolates components based on their functionality. KEUPS is designed with security, scalability, and extensibility in mind as its core design practices. To achieve these goals, KEUPS is separated into smaller, but very specific, functional areas so that the designs of the components are clear, precise, and standardized.

Above all, what makes KEUPS a unique solution is that most features within KEUPS can be built by configuration. This configuration model makes KEUPS highly extensible and allows applications, roles, credentials, workflows, and many other features to be added without any coding changes to the solution. The use of ADFS technology allows KEUPS to integrate seamlessly with other organizations' Active Directories via a federated model.

KEUPS addresses the Cabinet's need for heightened security, automated support for application access, federated identity management, and single sign-on, while providing a platform for future expansion in support of ongoing CHFS modernization efforts.

Significance

The implementation of KEUPS has offered many improvements by providing automated workflow processes for tasks that were previously completed manually. KEUPS has reduced to a matter of mere minutes the hours once required to formulate, complete, copy, and disseminate paperwork using the old method.
In addition to eliminating the paper process, KEUPS utilizes an onboard tracking system along with notification. These systems allow one to monitor the real-time progression of steps taken as each level of upper management and the security teams complete their duties in finalizing the access process. The following are some of the significant improvements realized by this solution:

Single Sign On: KEUPS users have a single user-id and password. This capability eliminates the need for a user to remember and manage multiple user names and passwords for each application.

User provisioning/de-provisioning: KEUPS provides a configurable workflow capability to automate user provisioning from the originating request through approval to the actual granting of application access. Through KEUPS, a user can submit a request for access, which is emailed to the appropriate approver for review. When the approver grants the request, KEUPS automatically sets up the application access and sends a confirming email to the original requester. This automation reduces user provisioning timeframes from days to less than an hour.

Credential Management: KEUPS is equipped with a completely configurable module for credential management that provides automated capabilities for submitting and reviewing credentials to request and approve access to applications.

Self Service: KEUPS provides users with self-support options such as updating their profile information in Active Directory or an automated password reset capability. For example, if a user's password expires or a user forgets their password, they can request a password reset through KEUPS instead of calling the help desk. This decreases the number of calls to the help desk and provides faster resolution of self-service requests.

Citizen Self Registration: KEUPS enables Kentucky citizens to access specified applications through the security solution. Citizens are able to register via a website, set up a user name and password using their own personal email addresses, and request access to the applications and functions that CHFS determines appropriate for external use.

Efficient Help Desk Support: KEUPS is equipped with a robust Help Desk module that allows all KEUPS functions to be supported via a centralized Help Desk. By providing a centralized repository of all user information, KEUPS gives help desk staff a quick and efficient information lookup mechanism and facilitates quicker response.
Audit & Logging: KEUPS provides comprehensive audit logging of each activity and produces detailed web-based reports on access privileges and activities that enable the Cabinet's security officers to comply effectively with requirements enforced by state auditors.

KEUPS has delivered a significant return on investment to CHFS and has provided the security foundation for steady progress in integrating existing and new systems for centralized user management. KEUPS is currently being used by over 2000 DCBS employees statewide. In addition to migrating existing Cabinet IT solutions to integrate with KEUPS as their security model, CHFS plans to utilize KEUPS as the security solution for its planned modernization efforts for Child Support and Public Health.

Benefit

KEUPS has succeeded in meeting CHFS's IT strategic goal to implement IT solutions that build upon and leverage the Cabinet's existing legacy systems while integrating modern technologies, which has provided a foundation for future technology modernization. KEUPS has also provided vast efficiencies and economic value in tough budget times. The following lists just a few of those benefits and efficiencies:

1. Positive gains in worker time and efficiency as a result of having single sign-on. Workers are now able to log on to their workstation and gain access to the applications they have been authorized to use through the KEUPS landing page, for those applications that are currently on-boarded to KEUPS (currently 4 applications). It is estimated that prior to KEUPS it may have taken up to 1/2 minute per application to log on and gain access to each system. The efficiencies are estimated at 2 minutes gained per day x 2785 state workers x 252 workdays (365 minus weekends and holidays) = an additional 1,403,640 minutes per year that CHFS workers have for casework activities serving Commonwealth citizens as a result of single sign-on. This equates to $491,274 annual savings (40k / (252 x 7.5 x 60 = 113,400) = .35 cents per minute x 1,403,640 = $491,274).

2. Green Government and savings from postage and reduction in paper forms due to automated provisioning and de-provisioning. CHFS DCBS has local offices located in each county across the state, and prior to KEUPS those offices mailed paper forms with a supervisor signature for approval of systems access for new employees. KEUPS now automates and logs the approval workflow, increasing service to the public by reducing the time it takes for new workers to gain access to the web-based systems used to conduct their job duties, in some cases from several days to several hours.
In addition, it eliminates the need for printing and the time and space used for storage of the paper forms, and it avoids postage for DCBS, calculated at an average of 40 forms per month x 12 months x .44 cents postage for an ongoing annual savings of more than $ This savings will increase as other Cabinet users are on-boarded to the KEUPS system. KEUPS also eliminates the need for printing and copying of paper forms, which supports the Green Government Initiative.

3. Future cost avoidance of hiring additional Help Desk staff to support citizen calls. KEUPS provides self-service capabilities for self registration and password reset that a Help Desk would otherwise be required to handle.

CHFS help desk staff currently support approximately 10,000 users, and the Help Desk currently has 13 help desk analysts. The current ratio equates to 760 users to each help desk analyst. CHFS DCBS serves more than 1 million Commonwealth citizens. Factoring in that citizens would not be logging into the systems each day as employees are required to, CHFS estimates that it would need to hire 50 additional help desk analysts at an average salary of $35,000 per year. This equates to an annual cost avoidance of $1,750,000.

The Office of Administrative and Technology Services (OATS), in collaboration with the Department for Community Based Services (DCBS) within the Kentucky Cabinet for Health and Family Services (CHFS), implemented the Kentucky Enterprise User Provisioning System (KEUPS). KEUPS is a web-based system that allows secure and effective use of applications hosted within an environment by consolidating provisioning and allowing centralized management of the user identity lifecycle.