Moving on from the dramas that surrounded the cargo management re-engineering (CMR) software project, Australian Customs Service CIO Murray Harrison is embarking on an in-house identity management project, which he describes as a "world first".

With the system receiving 80,000 messages and sending some 300,000 each day, Harrison stressed how critical it is for Customs to ensure the integrity of the system is upheld.

"I came into this thing in 2002 and we were bedding down ID management [and] it's bloody difficult," he said. "You've got other systems for ID management, but not for non-repudiation; PKI was the only tech available."

While conceding the legal framework around digital certificates is an "expensive and difficult process", Harrison said they do work once an organization is "over the hump" of convincing its industry partners to comply.

The Gatekeeper framework (the Australian government's strategy for the use of Public Key Infrastructure (PKI) as a key enabler for the delivery of online government services) was designed to be a generic entry system for government, but to move goods across the border a person must be responsible for identifying themselves by becoming an authorized agent for digital certificates within the organization.

Internally, Customs took the opportunity to review its own identity management infrastructure, which is required to cope with four different levels of authentication amid about 17,000 business rules.

"With our own internal ID management infrastructure, we looked at our current environment and frankly we have various systems, like cargo; and each of the systems all [require] the same things like provisioning and audit trails," Harrison said, adding they are all disparate.

"Someone even had to remember 45 different logins within the organization for applications like HR, cargo, and finances," he said. "Our strategy is to simplify all that and we want federated ID capability. The data source in Customs may be a security system as the first point of entry so if you want security clearance you need some ID."

Harrison believes the federated ID capability will allow Customs' systems to accept other IDs stored at other departments, like the Federal Police or Immigration.

"When you come in and sign on, the system will source that information wherever it is found," he said. "You will then be given access to different types of information [and] we don't have to have all the data in one place. We can make it simpler and more streamlined. It may be one sign-on, that's the theory."

Although the architecture is in place, Harrison said the issue of federated identity is complicated for Customs because cargo management not only has to take account of a range of internal systems, but others as well such as those from the Bureau of Statistics, Taxation Office, and Quarantine at the back end.

"A federated identity store across government is a real challenge. The Australian Government Information Office is looking at it, but I suspect we will be talking about it in a few years time," he said. "There is a spectrum of stuff you can do when providing services; changing the world by using this technology is still a worthwhile goal."

When asked about the fitness of PKI technology as an identity management framework, Harrison said even though Customs hasn't done an "adequate consideration" of it, there isn't another technology "that gives you non-repudiation".

"If someone comes up with a better solution tomorrow I would go for it," he said.

Dealing with the legacy of CMR

Defending the Cargo Management Re-engineering project, Customs CIO Murray Harrison said it is a world-first to combine customs requirements with goods handling and administration.

"We need to facilitate trade and yet secure our borders," Harrison said during a presentation at an identity management summit in Sydney. "In the past our systems were siloed and we've combined that into one system. It's a very large undertaking."

Rather than attempt to modernize existing legacy systems, Harrison said CMR was built from the ground up, including the backend.

"It's not lipstick on a pig, it is a real-time Web-based system that operates 24x7," he said, adding the system now has as much public scrutiny as a bank's ATM network. "The difference is it's a real-time system so you get an answer [whether] you can import goods in minutes. The system itself is a first in the e-business world."