1st MODINIS workshop
Identity management in eGovernment
Frank Robben
General manager Crossroads Bank for Social Security
Strategic advisor Federal Public Service for ICT
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: [email protected]
http://www.law.kuleuven.ac.be/icri/frobben
© Frank Robben Leuven, 4 May 2005
Structure of the contribution
proposal of objectives
proposal of a conceptual framework
choices made in Belgium
some international issues
Objectives to be reached
be able to electronically
  - identify all relevant entities (physical persons, companies, applications, machines, …)
  - know the relevant characteristics of the entities
  - know that an entity has been mandated by another entity to perform a legal action
  - know the authorizations of the entities
in a sufficiently certain and secure way
in as many relations as possible (C2C, C2B, C2G, B2B, B2G, …)
using open interoperability standards
Conceptual framework
entity: someone or something that has to be identified (e.g. a physical person, a company, a computer application, …)
attribute: a piece of information about an entity
identity: a number or a set of attributes of an entity that makes it possible to know precisely who or what the entity is; an entity has only one identity, but this identity can be determined by several numbers or sets of attributes
characteristic: an attribute of an entity, other than an attribute determining its identity, such as a capacity, a function, a professional qualification, ...; an entity can have several characteristics
Conceptual framework
mandate: a right granted by an identified entity to another identified entity to perform well-defined legal actions in its name and for its account
registration: the process of determining the identity, a characteristic or a mandate of an entity with sufficient certainty, before making available the means by which the identity can be authenticated, or the characteristic or the mandate can be verified
Conceptual framework
authentication of the identity: the process of checking whether the identity that an entity claims to have corresponds to its real identity; authentication of the identity can be based on the verification of knowledge (e.g. a password), of possession (e.g. an electronic card), of biometric characteristics, or on a combination of those
Conceptual framework
verification of a characteristic or a mandate: the process of checking whether a characteristic or a mandate that an entity claims to have corresponds to a real characteristic or mandate of that entity; the verification of a characteristic or a mandate can be done by the same kind of means as those used for the authentication of the identity, or, after the authentication of the identity, by consulting a database that contains information about characteristics or mandates related to identified entities
Conceptual framework
authorization: a permission to an entity to perform a defined action or to use a defined service
authorization group: a group of authorizations
role: a group of authorizations or authorization groups related to a specific service
role based access: a method of assigning authorizations to entities by means of authorization groups and roles, in order to simplify the management of authorizations and their assignment to entities
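The framework's terms can be chained into one access decision: authenticate the identity, expand roles into authorization groups and authorizations, and verify a mandate by consulting a database. The sketch below is an added example, not part of the presentation; all identifiers, role names and action names are hypothetical, and deriving a role from a characteristic is an assumption made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data; identifiers, role and action names are hypothetical.
AUTH_GROUPS = {                       # authorization group -> authorizations
    "declaration.read":  {"view_declaration"},
    "declaration.write": {"submit_declaration", "correct_declaration"},
}
ROLES = {                             # role (per service) -> authorization groups
    "payroll_clerk": {"declaration.read", "declaration.write"},
    "auditor":       {"declaration.read"},
}
# Databases consulted only after the identity has been authenticated.
CHARACTERISTICS = {"P-001": {"accountant"}, "P-002": {"civil_servant"}}
MANDATES = {("C-900", "P-001", "submit_declaration")}  # (mandator, mandatee, action)
# Assumption: the service provider assigns roles based on a verified characteristic.
ROLE_FOR_CHARACTERISTIC = {"accountant": "payroll_clerk", "civil_servant": "auditor"}

@dataclass(frozen=True)
class Session:
    entity_id: str        # identity claimed by the caller
    authenticated: bool   # outcome of authentication (eID card, password, ...)

def authorizations_of(entity_id):
    """Expand characteristics -> roles -> authorization groups -> authorizations."""
    granted = set()
    for characteristic in CHARACTERISTICS.get(entity_id, ()):
        role = ROLE_FOR_CHARACTERISTIC.get(characteristic)
        for group in ROLES.get(role, ()):
            granted |= AUTH_GROUPS[group]
    return granted

def decide(session, action, on_behalf_of=None):
    """Return (allowed, reason) for one request; every missing check denies."""
    if not session.authenticated:
        return False, "identity not authenticated"
    if action not in authorizations_of(session.entity_id):
        return False, "no authorization for action"
    # A mandate is specific to a mandator, a mandatee and a well-defined action.
    if on_behalf_of and (on_behalf_of, session.entity_id, action) not in MANDATES:
        return False, "no mandate from represented entity"
    return True, "ok"
```

Holding an authorization for an action does not imply a mandate for it: the accountant above may correct declarations in general, but only has a mandate from C-900 to submit them.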
Choices made in Belgium
identification number for every citizen and every company
  - characteristics
    • uniqueness
      – one entity – one identification number
      – same identification number is not assigned to several entities
    • exhaustiveness
      – every entity to be identified has an identification number
    • stability through time
      – identification number should not contain variable characteristics of the identified entity
      – identification number should not contain references to the identification number or characteristics of other entities
      – identification number should not change when a quality or characteristic of the identified entity changes
Choices made in Belgium
art. 8(7) Directive 95/46/EC: "Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed"
  - evolution towards meaningless identification numbers
  - unique identification numbers of citizens can only be used by bodies authorized by a sectoral committee of the national privacy commission
  - patient identification number is a number derived from the unique number of the citizen
  - regulation on interconnection of personal data
registration of the identity of citizens by the municipalities
Choices made in Belgium
registration of the identity of companies by company counters
registration of characteristics and mandates relevant for eGovernment by private or public bodies designated by government
authentication of the identity of physical persons by the electronic identity card
verification of characteristics and mandates relevant for eGovernment preferably by consulting authentic databases
multifunctional use of authentication and verification means
authorization is the responsibility of each service provider
Choices made in Belgium
overall policy on security and privacy protection for eGovernment
  - security, integrity and confidentiality of government information are ensured by integrating ICT measures with structural, organizational, physical, personnel screening and other security measures according to agreed policies
  - personal information is only used for purposes compatible with the purposes of the collection of the information
  - personal information is only accessible to authorized institutions and users according to business needs, legislative or policy requirements
Choices made in Belgium
overall policy on security and privacy protection for eGovernment
  - the authorizations for government bodies to communicate personal information to third parties are granted by sectoral committees of the privacy commission, designated by Parliament, after having checked whether the communication conditions (e.g. purpose limitation, proportionality) are met
  - the authorizations for communication are public
  - every concrete electronic communication of personal information by a government body is preventively checked for compliance with the existing authorizations by an independent institution managing the interoperability framework used for the communication
  - every concrete electronic communication of personal information by a government body is logged, to be able to trace possible abuse afterwards
Choices made in Belgium
overall policy on security and privacy protection for eGovernment
  - every time information is used to take a decision, the information used is communicated to the person concerned together with the decision
  - every person has the right to access and correct his own personal data
  - this system has been implemented in the Belgian social security sector for 10 years and is being extended to the whole Belgian government sector
International context: some issues
determination of the means by which an entity can be identified within each country and across countries
the way identity management and characteristics management are kept well separated in order to guarantee the multifunctional use of identity authentication means
the quality assurance criteria for the registration procedures that are used to determine the identity, relevant characteristics or mandates before linking them to authentication or verification means
the quality assurance criteria for authentication and verification means and their use
International context: some issues
an organizational, functional and technical interoperability framework to exchange identity, characteristics, mandate and authentication data based on open standards
the necessary legal framework for identity, characteristics and mandate management, with a good balance between trust-enhancing measures and measures guaranteeing a free market
International context: proposed method
to work out a common conceptual framework, a common vision and common basic principles
to translate these principles into common, measurable objectives
to ask every state to develop an action plan to achieve these objectives
to elaborate an architecture and guidebooks to implement the principles
to create a forum for the exchange of best practices
Th@nk you !
Any questions ?