nhsengland / it-standards

IT Standards for NHS England. Documented in markdown and managed as code.
https://nhsengland.github.io/it-standards/

Proposal for New Standard: Identity and Access Management - Okta #5

Open TotallyInformation opened 3 years ago

TotallyInformation commented 3 years ago

Proposed name/title

Identity and Access Management - Okta

Purpose and description

Define how and when Okta is to be used for Identity and Access Management (IDAM).

Okta is the standard platform for systems and services wanting to control login identities for external (e.g. not corporate) users. Current use is outlined below. Note that any corporate (internal) users who have Okta accounts are treated the same way as external users, no identity assurance is provided. IDAM for internal users is provided by Azure AD.

Standards for the use of Okta will be documented and will include the fact that the current instance of Okta:

• Is configured to only provide identities for authentication (not authorisation).
• Identities are currently managed via the enterprise layer, not directly in Okta.
• Current identities have minimal identity assurance – if applications require identity assurance, they must provide that within their own applications or contact CISW to talk about other options.
• Is currently designed primarily for non-corporate users (there is no identity management of corporate users/staff/contractors).
• Some identity requests are auto-approved by pre-approving email domains – again, this does not provide any but the most minimal identity assurance.
• The Okta platform is owned and operated (including configuration and licensing) on behalf of NHS E&I by CISW.

Requests for Okta use outside this current configuration will most certainly be considered and there are various ways more complex scenarios can be set up and even integrated with the current IDs.

Information domain this standard would relate to

e.g. Web development, corporate system development, infrastructure design, IT procurement, IT architecture, operations, service management, cyber security, ...

Existing related standards?

What existing standards are there that relate to this proposal?

References to related external standards

Is this proposal based on another standard? e.g. GDS, NHS Digital, NCSC, Industry standard? List any relevant related standards or other information here along with links.

TotallyInformation commented 3 years ago

Please use the idam folder for the documents. Thanks.

TotallyInformation commented 3 years ago

Just a note to say that I will include an overview of the IT People DB as well since that is relevant to the wider discussion on identity and mapping between different electronic identities.

Done.

TotallyInformation commented 3 years ago

Just to note here that we are currently working up a new IDAM strategy paper. Once that is done, we will be in a position to set the standards.