CIS Identity Agent - CareCERT Cyber Security Bulletin
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
The Care Identity Service (CIS) will be undertaking several controlled site failovers of the live service during 2017 and the following actions are required to prevent impact.
Threat details
CIS Identity Agent (IA) – Critical actions required
- The Identity Agent is a small application on every device which authenticates a Spine Smartcard.
- Ensure you are using a supported version of the Identity Agent (IA). NHS Digital v1 as a minimum, v2 is recommended:
  http://nww.digital.nhs.uk/dir/downloads/
- Check with your system suppliers to confirm the recommended Identity Agent is compatible with their systems:
  https://digital.nhs.uk/spine/technical-information-warranted-environment-specification
What do I have to gain from using NHS Digital IA v2?
- Improved resilience to handle failover between data centres without user impact.
- Designed to provide more secure and convenient ways of working with identity access, through the introduction of two new modes:
  - Session Lock Persistence: If a user removes their Smartcard in order to temporarily leave their workstation, they are able to ‘lock’ their Spine session. On re-insertion of their Smartcard, the user is able to re-authenticate and continue their Spine session, with no loss of state.
  - Mobility mode: This mode enables users of mobile devices running a Windows OS to authenticate, remove their Smartcard from the device for secure storage (lanyard, etc.), and continue working as normal.
- An improved role selection form – more configurable, and now including Org Code.
- Support for those employing ‘fast-user-switching’ and ‘follow-me-sessions’ ways of working:
  - Fast-user-switching is the method of using multiple Windows accounts and discrete respective Spine sessions on a single workstation.
  - Follow-me-sessions describe the method of connecting / disconnecting to remote or VDI (Virtual Desktop Infrastructure) sessions, from different workstations, whilst maintaining a single Spine session.
To maintain live service in the event of system issues, or to make service improvements to CIS, we may need to fail over between sites. This will impact all users of the BT Identity Agent (IA) clients and will result in disruption to service: if you log off, you will be unable to log back in until you reboot or restart.
Software Download
To obtain supported versions of the Identity Agent (IA) please download from:
http://nww.digital.nhs.uk/dir/downloads/
What is site failover?
- The Care Identity Service Authentication runs from a Primary site in Harrogate but has a Secondary (failover) site in Reading.
- Live service could be relocated to the secondary site at any time if the need arises.
When is failover required?
- In the event of a disaster or significant operational issue on the live site
- As part of a Disaster Recovery (DR) failover test
- For general maintenance, updates or other operational reasons
Impact of Site Failover
The impact of site failover varies depending on the version of the Identity Agent (IA) client in use to access Spine Services.
- The Identity Agent is an installable component that resides on every device that acts as a point of access to Spine systems.
- If you use BT IA versions you will suffer disruption to service.
- Organisations using the BT IA client for Spine will be disrupted in the event of a site failover.
- If you log out after a failover you will be unable to log back in until the client is restarted or rebooted.
- BT IA13 client software has passed its end of life and has reduced support from January 2017.
Last edited: 17 February 2020 11:28 am