New Zealand is now the first country in the world to decide citizens' authentication data can safely reside offshore in Microsoft's Azure public cloud.
But shifting more than six million identities, over 163 government services and 56 agencies to the public cloud was never going to be a quick and easy process. That was the challenge facing Australian-owned identity and access specialist and Microsoft partner Unify Solutions, which won a tender for the work early last year.
Created in 2006, RealMe made it possible for people to use a single username and password to access online government services. But almost from the start, the goal was to open the system up for use by the private sector as well.
More recently, RealMe also helped improve security and trust during the pandemic. The Ministry of Health’s My COVID Record: Proof of Vaccination application, for instance, uses RealMe as its authentication layer to provide the necessary level of security.
The Department of Internal Affairs (DIA) partnered with Unify to migrate RealMe to the scalable cloud platform for use by both private organisations and public agencies.
Unify Solutions’ Wellington-based chief operating officer Sam Choudhury said the new system was needed to provide greater flexibility and the personalised service that people expected today, while still providing the single authenticator sign-in service and ensuring privacy.
“This move has really future-proofed RealMe for New Zealanders in years to come,” he said.
However, the idea of shifting such a core and potentially sensitive system to an offshore public cloud did cause concerns for some.
In July, National MP Melissa Lee asked the minister of internal affairs, Jan Tinetti, if she was satisfied no RealMe data is being handed over to anyone, including private and foreign companies. Tinetti said she was.
"The RealMe verified identity service continues to be hosted in New Zealand," she said. "The RealMe login and assertion services were recently transitioned to an offshore cloud-based Microsoft Azure B2C platform. Pseudonymous data related to the login and assertion services is stored overseas."
The organisations able to receive verified account data, Tinetti said, were government agencies, and companies registered in New Zealand who must meet the criteria in the Electronic Identity Verification Regulations 2013.
Unify Solutions’ certified identity and access management (CIAM) practice lead and solutions architect Sooraj Payyoormana said the move to the cloud meant the DIA could reduce costs, add future solutions and enhancements and provide a faster system.
One of the biggest challenges facing Unify and the RealMe team was building government agencies’ trust in the cloud as a secure option for services, Payyoormana said.
“Fortunately, we were able to point to Unify’s successful track record of managing Microsoft Azure cloud services for New Zealand’s Ministry of Education and New Zealand Police."
In addition, Microsoft had already partnered with the government for other cloud services, he said, with the adoption of Microsoft 365, Azure, and Dynamics 365 becoming increasingly widespread.
Data for millions of sign-ins – with many users having multiple identities – were transitioned to the cloud without disruption to services. Despite the global pandemic, the whole new platform was up and running in 18 months.
Contracts identified in relation to the effort in the 2020 financial year show Unify winning two: one for $529,185 and another for $905,104. Datacom, which hosts parts of the RealMe service, was awarded $71,146 for what is described as a "design on a page", including a security review to support the migration. Quantum Security Services won $56,812 worth of security-related work on the replatforming.
Contracts awarded in the 2021 financial year have not yet been released.
Microsoft is in the process of building local cloud regions based in Auckland, which could potentially enable the migrated functions to come back onshore in the future.