Establishing Trust Across International Communities
6 Feb 2013
www.federatedbusiness.org
Proprietary - British Business Federation Authority – [email protected]
Strategic Drivers - Industry
1. Business is becoming more collaborative and international
2. Increasing legal, regulatory and commercial requirements for accountability and information protection in regulated industries
3. Information protection requires access control
4. Access control requires identity, authentication and authorisation, which are the basis of trust
5. Trust across multiple organisations requires federation
– Organisations have to be considered trustworthy to trust each other
– Organisations need a common language of business to understand each other
6. Federation requires collaborative governance and agreed Common Policy
7. US and European federation bodies are pressing ahead and setting federation standards, leveraging national ID activities
8. UK needs a governance body for federated trust for UK industry
[Diagram: Organisation A and Organisation B, each layered Process / Information / Application / Data / Infrastructure, competing and collaborating in the Business World; the same two stacks appear as Node A and Node B in the Cyber World. Caption: Cyber world collaborates to support normal Business use of cyberspace.]
Strategic Drivers - International
– ID fraud is a top EU crime enabler
– McAfee: $1 trillion/year cybercrime (rising to $2 trillion)
– UK fraud > £73bn; EU fraud > €500bn
– If we are not winning, we must be losing
To collaborate and share information, each organisation must be Trustworthy. Each organisation’s ID management must be internally homogeneous & externally interoperable. If compliant, they can then federate, based on common policies, procedures and mechanisms
[Diagram: the identity lifecycle, Identity Proofing & Vetting → Credentialing → Authentication → Authorization, with Audit spanning all stages, shown for Business and for Industry & Governments. Identity proofing draws on Citizenship ID & Right to Work documents from different nations (UK, FR, DE) and involves IT and HR.]
Questions the relying organisation asks:
• Are you who you say you are?
• Are you authorized to access my information?
• Can your organization prove this to me?
Note:
• Authentication gives Reliability of Identity
• Authorisation gives Assurance of Trustworthiness
4 Contexts of Identity: Citizen; Consumer; Employee - Industry; Employee - Gov
Plus:
• Device ID
• Organisation ID
• Software Authentication
• Data Authentication
Citizen e-ID
1. The European Digital Agenda requires all citizens to have a citizen e-ID for public purposes in all member states.
   1. A few states have successful and valued e-ID, e.g. Estonia, Belgium
   2. More have e-ID for state (infrequent) use, with limited value and adoption/activity, e.g. Austria, Sweden
   3. Most have plans
   4. One has no plans: UK
2. STORK began as a technical interoperability pilot for government-issued credentials, based on Mutual Recognition. It has no meaningful Common Policy and no liability model.
3. New draft EU regulation requires nations to accept credentials from Notified Schemes of other nations, and to pay, then pass liability back to the issuing state.
4. The real issue is foreigners
Basics…
We need to identify ourselves to others, and vice versa, in a wide range of situations and particularly for electronic activities.
We require different Levels of Assurance:
1. LoA 4. Extra measures. 3-factor authentication (with second biometric). Strong hardware token. Optional federated Physical Access Control. Used in highly secure situations.
2. LoA 3. High confidence in identity. Legally robust non-repudiation. 2-factor authentication. E.g. employee authentication, digital signature, ID-based encryption, secure email.
3. LoA 2. Some confidence of identity. Expect some failures. Financial liability model. E.g. credit cards, Know Your Customer.
4. LoA 1. Self-assertion. E.g. [email protected].
[Diagram: the four identity contexts (Citizen, Consumer, Employee - Gov, Employee - Industry) plotted against Levels of Assurance 1–4, with drivers and sectors labelled: 9/11, HSPD 12, FIPS 201 - PIV, FIPS 201 - PIV - Interoperable, ITU-T/ISO 24760/29115, supply chain collaboration, CertiPath/SAFE-BioPharma, Kantara Initiative Identity Assurance Framework, Borders, Police, NATO, SESAR, Legal, Energy, Pharma, Aerospace, OIX, Facebook, credit cards, HACC? NFC??, NSTIC?; annotations "Hardly used = weak business case?" and "Good Federation".]
[Diagram: Level 3+ Identity Federations (PKI) - a UK perspective. Potential Gov & Ind CSPs: EADS/Cassidian, Citi, Entrust, SAFE/BioPharma, Symantec, Trustis. Early adopters / cross-certified orgs: MOD, NHS, NPIA/Police, DWP+. LoA 2+ brokers. Bridges: CertiPath Aero/Def, UK PKI Bridge, SAFE-BioPharma (emerging bridge). Potential UK CSPs: Citi, EADS, Entrust, Symantec, Verizon Business+. Other potential national bridges or CAs: USA, Australia, Canada, NZ, NL, BE, FR, DE, IT+, NO, SWE, ESP; Interpol, EU, NATO. Any nation could put itself at the centre…]
[Diagram: BBFA – Big Picture… Legend: two-way trust, one-way trust. Level 3 Depts A, B, C, D linked by PSN trust to a Root CA (??). Level 3+ potential Gov shared service providers; early adopters / cross-certified orgs: MOD, NHS, Police, UKBA+; CertiPath Aero/Def, UK PKI Bridge, SAFE-BioPharma (emerging bridge); other potential national bridges or CA; national & international allies & industry partners.]
[Diagram: Level 2. G-Digital Hub with DWP and HMRC; Financial Sector; corporate credentials? (companies paying tax); consumer credentials & attributes?; citizen access to Gov services; Root Authentication Broker; other central Gov and other local Gov at Level 2; Dept – Dept trust - PSIIF; brokers and IdPs; credential re-use – 15M taxpayers?]
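As an added illustration (not BBFA's own code, nor that of any federation body named in the deck), the Python below models how a relying party could combine the four Levels of Assurance defined under Basics with the cross-certification relationships in the bridge diagrams: the LoA a partner's credential claims is capped both by the authentication factors actually presented and by the weakest cross-certification on the trust path back to the issuer. The factor-to-LoA mapping, the organisation names and the trust edges are assumptions and constructed sample data.

```python
"""Added example (not BBFA's code): a relying party caps a federated
credential's claimed LoA by the factors presented and by the weakest
cross-certification on the trust path. Assumed mapping: LoA 4 = all three
factor types + hardware token; LoA 3 = two types; LoA 2 = one type after
identity proofing; LoA 1 = self-assertion. Names/edges are sample data."""

FACTOR_TYPES = {"knowledge", "possession", "inherence"}


def loa_from_evidence(factors, hardware_token=False, proofed=False):
    """Highest LoA the presented authentication evidence can support."""
    kinds = set(factors) & FACTOR_TYPES
    if len(kinds) == 3 and hardware_token:   # all types incl. biometric
        return 4
    if len(kinds) >= 2:
        return 3
    return 2 if kinds and proofed else 1

# Constructed cross-certification edges (src, dst, LoA certified at).
# Two-way trust is a pair of edges; one-way trust is a single edge.
TRUST_EDGES = [
    ("RelyingParty", "UK-Bridge", 4), ("UK-Bridge", "RelyingParty", 4),
    ("UK-Bridge", "Aero-Bridge", 3), ("Aero-Bridge", "UK-Bridge", 3),
    ("Aero-Bridge", "SupplierCA", 3), ("SupplierCA", "Aero-Bridge", 3),
    ("UK-Bridge", "ConsumerIdP", 2),  # one-way: trusted, no trust back
]

def trust_cap(origin, issuer, edges=TRUST_EDGES):
    """Widest-path bottleneck LoA from origin to issuer (0 = no path)."""
    best, frontier = {origin: 4}, [origin]
    while frontier:
        node = frontier.pop()
        for src, dst, cap in edges:
            if src == node and min(best[node], cap) > best.get(dst, 0):
                best[dst] = min(best[node], cap)
                frontier.append(dst)
    return best.get(issuer, 0)

def effective_loa(assertion, origin="RelyingParty"):
    """Claimed LoA, capped by the factors and by the trust path."""
    supported = loa_from_evidence(assertion["factors"],
                                  assertion.get("hardware_token", False),
                                  assertion.get("proofed", False))
    return min(assertion["claimed_loa"], supported,
               trust_cap(origin, assertion["issuer"]))

def authorise(assertion, required_loa):
    """Grant access only when the effective LoA meets the requirement."""
    return effective_loa(assertion) >= required_loa
```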
ISO/IEC JTC1 SC27 WG5 – Identity Management & Privacy Technologies
ISO 29100 – Privacy framework
ISO 29101 – Privacy reference architecture
ISO 29115 – Entity authentication assurance framework (contains ID definitions)
ISO 29146 – A framework for access management
ISO 29191 – Proposal on requirements on relative anonymity with identity escrow model for authentication and authorization using group signatures
ISO 24760 – A framework for identity management – Part 1: Terminology and concepts
ISO 24760 – A framework for identity management – Part 2: Reference architecture and requirements
ISO 24760 – A framework for identity management – Part 3: Practice
ISO 24761 – Authentication context for biometrics
ISO 29003 – Identity proofing of persons, organisations, devices and software
Plus TCG Trusted Platform Module 1.2 and 2.0
MNE7 – Access to the Global Commons of Cyber Space
Collaborative Cyber Situational Awareness (CCSA)
– Expanding to 25+ nations – mil, ind & gov
– New multinational CCSA organisation being planned 19-21 Feb 13
3.2 – Information Sharing Framework (ISF)
1 – High Assurance Federated Trust
2 – Critical Controls (Normality)
3 – Incident Operations Taxonomy
4 – Cyber SA Triage process
5 – Prioritised communications
ISO & ITU(T) standards
IETF standard <> ENISA
NATO ID Strategy, NATO Cyber Strategy, EU Cybersecurity Strategy
US CERT & NCCIC
Police, aerospace & defence, health implementations ….
Nine Challenges from Europe’s Piecemeal Approach
1. The E Commission needs to coordinate internally and externally focused views
2. The E Commission could be doing more to reflect the global context. Technology, business, consumers do. So do criminals
3. The E Commission needs to work more collaboratively with nations. They can only afford to do things one way
4. The E Commission should focus on all aspects of Person Identity, not just citizen
5. The E Commission must address Organisational ID
6. The E Commission must consider federation for global business. Mutual Recognition is not enough
7. The E Commission must take account of international standards. UN agrees
8. The draft EC Regulation treats the digital signature as separate from identity, which creates a major fraud attack vector, particularly at high assurance. Digital signatures are an attribute of an identity
9. The EU Cyber Security Strategy and national strategies must mention Trust, identity and authentication, so that gov-gov, gov-business, business-business and supply chains can work. The Single Market depends on this