tScheme and the Employee Authentication Service (EAS)

In early 2008, the UK Government’s Department for Education (DfE) started discussions with tScheme Limited about establishing an independent ‘accreditation’ scheme to underpin what is now known as the Employee Authentication Service. Since then the scheme has also been extended to allow appropriate Local Authority employees to access DWP information databases such as the Customer Information System (CIS). Further details on EAS are available on the DfE website and on the DWP website.

Overview of EAS

As can be seen from the following diagram:
A key part of the EAS process is the role of the Registration Agents, who check the identity of those who need a credential that gives them access to the various services necessary for their work.
A critical element in the security of any data used or shared within the EAS community is assurance of the identity of the credential holders, that they are entitled to access the information, and that they have undergone all appropriate training. To this end, DfE wanted to make use of the existing tScheme framework for assessing the competence of Trust-Service Providers within the context of ISO 27001.

This model fits those cases where the credentials are being issued by an Identity Provider Service that has a full tScheme Approval. However, part of the EAS model is the provision of a central Shared-service IdP, which is accredited under a different, Government mechanism (also aligned to ISO 27001). The concept of EAS-Ready has therefore been established to allow the RAs that are using this shared IdP to be assessed just for the functions they are carrying out, against the relevant IdP Profiles, namely the Identity Registration, Attribute Registration and/or the Credential Management (as determined by the EAS Policy Management Authority).