In 2006, the New Zealand Department of Internal Affairs (DIA) decided to create a centralized online platform where residents can affirm their legal identities and easily access services—a voluntary, opt-in digital ID used by government agencies and private companies. Called RealMe, this sign-in service made it possible for people to use a single username and password to access 163 government services across 56 public agencies, and adoption was fairly high across New Zealand’s population of 4.9 million residents.
To accomplish this, the team at RealMe built a bespoke solution using partner products and custom code to meet each client agency’s needs. Because of its complexity, however, the system had limited adaptability, meaning that it couldn’t keep up with the next generation of personalized digital services. Maintaining the old system was costly, and upgrades required time-consuming custom builds. Additionally, the entire network infrastructure needed an upgrade to meet modern security requirements at a cost of millions.
“We needed to create an identity verification service that could be used by both our private and public sector agencies and be easily scaled up as needed,” says Tim Waldron, Business and Market Development Manager for RealMe Services at the New Zealand Department of Internal Affairs. “The policy was actually in place before the solution. We were working from a broad government directive to help New Zealanders do more online by creating a digital passport for access to services.”
Meanwhile, public cloud technology had raced ahead in the intervening 14 years, offering a plethora of off-the-shelf solutions at an attractive price point. Waldron recognized that the time was right to take advantage of these external innovations to create a more scalable, cost-efficient service that could keep up with changing needs.
Defining the solution
Identity data is the crown jewel of any government. An updated version of RealMe would still have to provide maximum protection for more than 6 million customer records. And the new system had to provide the greater flexibility and personalized service that today’s users have come to expect.
Partnering with DIA, Waldron and his team settled on three requirements for a new cloud-based RealMe. First, the updated system would have to continue providing simple digital access—a sign-in service that gives a single authenticator for access to government services while helping ensure privacy. Second, the system would need to provide a trusted identity, binding that to the trusted authenticator. Third, it would need to take that trusted base identity and build a model where the system can link in people’s information, allowing users to share more consent-based information with other agencies and organizations.
After an exhaustive search that began in 2017, DIA chose Microsoft Azure Active Directory B2C, part of Microsoft Entra, because of its built-in security, scalability, and ease of integration with apps and databases. DIA was also impressed by its Log Analytics and easy integration with Azure Sentinel, enabling a monitoring and alert system that cuts down on false positives. “We’re looking at moving away from managing our security with on-premises solutions toward using that kind of cloud-based solution where security is built in and has all the accreditations,” adds Waldron.
“Microsoft has been great at sharing product details and doing workshops with us to help us understand why this is the right platform. We saw that Azure AD B2C is far better than what we had.”
Tim Waldron, Business and Market Development Manager for RealMe Services, New Zealand Department of Internal Affairs
Waldron recalls that the smart lockout feature was an attractive, built-in security feature. “We wanted to reduce our total cost of ownership. If the security function is already implemented, that’s one more reason to go with the Microsoft solution.”
After DIA finalized its requirements for the business case and platform, it began a selection process to choose a supplier who could help it achieve its desired outcome. In the end, DIA chose to partner with UNIFY Solutions.
Establishing trust
DIA’s selection team did a full options analysis with the organization’s general managers and others, explaining that if DIA decided to upgrade its existing on-premises systems, its operating expense would remain high. If it moved services to the cloud with Azure AD B2C, however, DIA could actually lower its total cost of ownership (TCO) over the next five years, all while creating more solutions and adding feature enhancements. As an added bonus, the new system would be faster.
“We articulated to stakeholders and general managers what data we would move and what we would keep on-premises,” recalls Venkat Maddali, Identity and RealMe Architect at the New Zealand Department of Internal Affairs. His team explained to agency leaders that users would access RealMe through Azure AD B2C, but their verified identity data, such as name, birthday, gender, and place of birth, would remain on-premises. The team demonstrated that architecturally, Azure AD B2C could support that pattern while easily scaling as a future-proof solution that would lower costs.
When UNIFY came on board, one of the big challenges that it and the RealMe team faced was building government agencies’ trust in the cloud as a secure option for services. Fortunately, they were able to point to UNIFY’s successful track record of managing Microsoft Azure cloud services for New Zealand’s Ministry of Education and New Zealand Police. And Microsoft had already partnered with the government for other cloud services, with the adoption of Microsoft 365, Azure, and Dynamics 365 becoming increasingly widespread.
Though Ireland had been the first country to move its citizen identity service to the cloud, the Irish government was able to keep its directory data onshore. New Zealand was the first to cross the next threshold, deciding that, based on its risk assessment and successful history with Microsoft solutions, New Zealanders’ authentication data could safely reside offshore in the Azure public cloud.
Making the move
After being in place for roughly 14 years, the earlier RealMe system was already integrated with many organizations and agencies. The teams at UNIFY and DIA needed an approach that could seamlessly transition data for millions of sign-ins to the cloud. That meant being able to replicate the earlier on-premises RealMe system within Azure AD B2C without extended downtime. Supported by Microsoft product engineering teams, they began the move in December 2019.
They began by mapping the RealMe interface to Azure, mirroring customer flows such as sign-ins, password management, and sign-ups so they’d be consistent across government agency sites. The RealMe team was clear that it didn’t want to use Azure AD B2C just as a directory service, but rather, to create a more integrated approach. “We wanted to make it an orchestration engine to guide the user’s journey through the customer identity framework,” explains Maddali.
Many government agencies and vendors that were still providing existing services had to be integrated into a single Azure service managed by UNIFY. More than 6 million sign-in and authentication records then had to be migrated to the new platform in one big lift to avoid disrupting services. “Six million is actually higher than the population of New Zealand because RealMe allows for multiple identities for each user,” says Waldron. Though each user is allowed only a single verified identity record, notes Waldron, they’re allowed to create multiple identities or pseudonyms that are decoupled from their verified record.
Moving 163 government services across 56 public agencies was no small task. Despite a global pandemic, the UNIFY and DIA teams managed to get the new cloud-based RealMe platform up and running in just 18 months, completing the final data migration within 48 hours and launching the new system in July 2021.
“A big part of the journey was holding ourselves to using out-of-the-box Azure AD capabilities,” Waldron recalls. “That meant not falling into the trap of, ‘We’ll do it exactly the way we’ve been doing it—with our own code.’” In the end, the team at UNIFY only needed to customize some help desk functions for New Zealand users.
Results
The RealMe team is pleased to have achieved its primary goals: to reduce TCO and create a more flexible solution that easily adapts as services grow. “There’s been a huge cost drop from the previous on-premises platform to the current Microsoft cloud solution,” says Maddali. “Also, we can implement enhancements faster while providing a better user experience.”
In addition to smart lockout, the team points to self-service password reset as another built-in feature that helped lower TCO.
“We used to have people resetting passwords manually. So besides the cost savings, we’ve improved the user experience as well.”
Mike Jones, Project Manager for RealMe, New Zealand Department of Internal Affairs
The new cloud-based RealMe has also helped improve security and trust for frontline workers who are dealing with the ongoing pandemic. New Zealand’s Ministry of Health frequently sends text messages with COVID-19 updates, and using RealMe as the authentication layer provides the necessary level of security.
Currently, RealMe has verified 905,000 New Zealand residents, and the number is growing.
Strengthening partnerships, looking ahead
All three of the teams involved—DIA, UNIFY, and Microsoft—are proud of their accomplishments in future-proofing the new RealMe for New Zealanders in years to come. Maddali describes moving 6 million identities to Azure AD B2C as “relatively pain-free considering the scale. And it’s been very successful in terms of the flexibility, scalability, and minimal impact to users.”
Other jurisdictions are now looking at how DIA implemented Azure AD B2C, making it a showcase solution for more government agencies to emulate. Going forward, the team at DIA is committed to expanding the Zero Trust approach to provide end-to-end security across the entire RealMe platform—from devices to data. It’s also looking forward to establishing passwordless authentication for a simple, highly secure user experience.
Everyone agrees that the collaborative relationship between RealMe, Microsoft, and UNIFY helped make this massive undertaking go smoothly. “Microsoft issued features and functional enhancements to help us,” explains Peter Tiernan, Chief Customer Officer at UNIFY Solutions. “Our three teams made up three legs of the stool. Along with building trust with your stakeholders, that kind of partnership and collaboration are vital elements of success.”