mature digital trust infrastructure - are we there yet?

Post on 29-Nov-2014


DESCRIPTION

Presented at the European e-Identity Management Conference 2011 in Tallinn, Estonia: Reflections on current Government approaches to Trust, federation and identity management. What needs to change as we move forward. We have come a long way with PKI, federation standards, trust frameworks, etc. but are we there yet? Where is there still work to be done and mindsets to be changed?

TRANSCRIPT

Mature Digital Trust Infrastructure: Are we there yet?

Søren Peter Nielsen, Chief IT Architect, Danish National IT and Telecom Agency

Presented June 9th at the European e-Identity Management Conference 2011, Tallinn, Estonia

Identities in eGovernment - a look to the future

• Mature Digital Trust Infrastructure - Are we there yet? Reflections on current Government approaches to Trust, federation and identity management. What needs to change as we move forward. We have come a long way with PKI, federation standards, trust frameworks, etc. but are we there yet? Where is there still work to be done and mindsets to be changed?

Conceptually – It seems simple

Web SSO Model (diagram): an Identity Provider, consisting of an Authentication Authority and an Attribute Authority, and a Service Provider form a "Circle of Trust"; numbered steps 1 to 7 show the message flow of a single sign-on between them.

Federation Building Blocks (diagram): Business & Operating Rules, Policy, Technical Standards, Operational Infrastructure, Service Providers/Identity Providers, Auditing/Accreditation.

Authentication assurance chart (diagram; horizontal axis: Increased Need for Identity Assurance, vertical axis: Increased $ Cost):

Level      Example transaction
Very High  Employee screening for a high-risk job
High       Obtaining government benefits
Medium     Applying for a loan online
Low        Access to a protected website

Token types plotted on the chart: PIN/User ID (knowledge-based), strong password, multi-factor token, PKI/digital signature.

Authentication Assurance Levels

Areas that determine the Level of Assurance

• Tokens (typically a cryptographic key or password) for proving identity,

• Identity proofing, registration and the delivery of credentials which bind an identity to a token,

• Remote authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be,

• Assertion mechanisms used to communicate the results of a remote authentication to other parties.
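The fourth area, the assertion mechanism, is where the Web SSO model's circle of trust is actually enforced in code. The following is an added example (not from the slides or from the Danish agency's own software) of an Identity Provider issuing a signed assertion and a Service Provider validating it. Everything here is an assumption for illustration: the JSON assertion format, the entity ids, and the use of an HMAC key shared between the two parties so that the example runs with the Python standard library only. A real federation signs assertions with the IdP's private key and the SP holds only the certificate from federation metadata; the order and content of the checks are the same.

```python
"""Added example: assertion issuance and validation inside a circle of trust."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authentication authority: asserts who authenticated, for whom, and how strongly."""

    def __init__(self, entity_id: str, signing_key: bytes):
        self.entity_id = entity_id
        self._key = signing_key  # assumption: HMAC key shared with the SP (stands in for a private key)

    def issue(self, subject: str, audience: str, assurance_level: int,
              now: Optional[int] = None, lifetime: int = 300) -> str:
        now = int(time.time()) if now is None else now
        assertion = {
            "id": secrets.token_hex(16),         # unique per assertion, for replay detection
            "issuer": self.entity_id,
            "subject": subject,
            "audience": audience,                # the one SP this assertion is meant for
            "assurance_level": assurance_level,  # level reached by the authentication
            "not_before": now,
            "not_on_or_after": now + lifetime,
        }
        body = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
        signature = hmac.new(self._key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(signature)


class ServiceProvider:
    """Relying party: accepts assertions only from issuers in its circle of trust."""

    def __init__(self, entity_id: str, trusted_issuers: dict[str, bytes], min_level: int):
        self.entity_id = entity_id
        self._trusted = trusted_issuers  # issuer entity id -> verification key (federation metadata)
        self.min_level = min_level
        self._seen = {}                  # assertion id -> expiry, for replay detection

    def validate(self, token: str, now: Optional[int] = None) -> tuple[bool, str, Optional[dict]]:
        """Return (accepted, reason, assertion). Checks are ordered so that no field of
        the assertion is trusted before the signature over the whole body is verified."""
        now = int(time.time()) if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, signature = _unb64(body_b64), _unb64(sig_b64)
            assertion = json.loads(body)
        except ValueError:
            return False, "malformed", None
        if not isinstance(assertion, dict):
            return False, "malformed", None
        issuer = assertion.get("issuer")
        key = self._trusted.get(issuer) if isinstance(issuer, str) else None
        if key is None:
            return False, "untrusted issuer", None
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), signature):
            return False, "bad signature", None
        if assertion.get("audience") != self.entity_id:
            return False, "wrong audience", None
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            return False, "outside validity window", None
        if assertion["assurance_level"] < self.min_level:
            return False, "insufficient assurance level", None
        # Replay cache: forget ids whose assertions could no longer pass the time check anyway.
        self._seen = {i: exp for i, exp in self._seen.items() if exp > now}
        if assertion["id"] in self._seen:
            return False, "replayed assertion", None
        self._seen[assertion["id"]] = assertion["not_on_or_after"]
        return True, "ok", assertion
```

The audience check is what makes the circle of trust a circle rather than a broadcast: an assertion issued for one Service Provider must not be accepted by another, even though both trust the same Identity Provider. The replay cache only needs to remember ids for as long as the assertion's own validity window, which is why it is pruned by expiry on every call.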

EU eGov Benchmark 2010: Fundamental IT enablers / Key Horizontal Enablers

Have we crossed the chasm for eID?

Do we have full adoption?

Credit to: Simon Wardley

Do we have the right assumptions?

(diagram: Intended Strategy → Deliberate Strategy → Realised Strategy; "Fix This!" → IDM dev → "Fixed!")

The world is not standing still

(diagram: Intended Strategy → Deliberate Strategy → Realised Strategy, with Unrealised Strategy falling away and Emergent Strategy joining along the way; "Fixed!" becomes "???")

No organisation is an Island anymore

But the approach to Identity and Access management is still rooted in industrial age thinking

Architecture and mindsets are locked into the identification-oriented paradigm

Areas with requirements determining Assurance level

(the same four areas listed above under Authentication Assurance Levels: tokens, identity proofing and credential delivery, remote authentication mechanisms, and assertion mechanisms)

Architecture and mindsets

• Are locked into the identification-oriented paradigm

• To grow adoption beyond what can be accomplished using current approaches, an architecture that supports both the identification-oriented and the validation-oriented paradigm is needed

Validation-oriented paradigm (i.e. the user can prove that he represents a pseudonym via a secret key)

(diagram: User (natural person) → Virtual identities → Service providers)

Instead of all applications identifying the users and coupling local data to the identity (e.g. SSN), data is coupled to virtual identities (pseudonyms), which are subject to validation
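What the validation-oriented paradigm looks like in code, as an added example that is not part of the slides or of any Danish government implementation: a user derives one pseudonym and one secret key per service provider from a single master secret, each provider keeps its records under the pseudonym rather than under an SSN, and the user proves control of the pseudonym with a challenge-response. The derivation scheme, the provider names and the use of an HMAC key registered with the provider at enrolment are assumptions made so the example runs on the standard library; with a signature key pair the provider would hold only the public half, which is the stronger choice.

```python
"""Added example: pairwise pseudonyms that a user validates with a secret key."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


class User:
    """A natural person. Holds one master secret; every virtual identity is derived from it."""

    def __init__(self, master_secret: Optional[bytes] = None):
        self._master = master_secret or secrets.token_bytes(32)

    def _pseudonym_key(self, sp_id: str) -> bytes:
        # One key per service provider, so pseudonyms at different providers cannot be linked.
        return hmac.new(self._master, b"key:" + sp_id.encode(), hashlib.sha256).digest()

    def pseudonym(self, sp_id: str) -> str:
        # The pseudonym is a one-way commitment to the key: it reveals neither the key nor the master.
        return hashlib.sha256(b"pseudonym:" + self._pseudonym_key(sp_id)).hexdigest()

    def register(self, sp: "ServiceProvider") -> str:
        # One-time enrolment (assumption): hand the provider the pseudonym and its validation key.
        return sp.enrol(self.pseudonym(sp.sp_id), self._pseudonym_key(sp.sp_id))

    def prove(self, sp_id: str, challenge: bytes) -> bytes:
        return hmac.new(self._pseudonym_key(sp_id), challenge, hashlib.sha256).digest()


class ServiceProvider:
    """Keeps local data coupled to pseudonyms only; never sees a real-world identifier."""

    def __init__(self, sp_id: str):
        self.sp_id = sp_id
        self._keys = {}     # pseudonym -> validation key
        self.records = {}   # pseudonym -> local data
        self._open = {}     # pseudonym -> outstanding challenge (single use)

    def enrol(self, pseudonym: str, key: bytes) -> str:
        self._keys[pseudonym] = key
        return pseudonym

    def challenge(self, pseudonym: str) -> bytes:
        if pseudonym not in self._keys:
            raise KeyError("unknown pseudonym")
        nonce = secrets.token_bytes(16)
        self._open[pseudonym] = nonce
        return nonce

    def validate(self, pseudonym: str, response: bytes) -> bool:
        nonce = self._open.pop(pseudonym, None)  # a challenge can be answered once only
        if nonce is None:
            return False
        expected = hmac.new(self._keys[pseudonym], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(user: User, sp: ServiceProvider) -> Optional[str]:
    """Full validation round; returns the pseudonym the provider may now act on, or None."""
    pseudonym = user.pseudonym(sp.sp_id)
    try:
        nonce = sp.challenge(pseudonym)
    except KeyError:
        return None
    return pseudonym if sp.validate(pseudonym, user.prove(sp.sp_id, nonce)) else None
```

Two providers holding the same user's data cannot join their records on the pseudonym, because the pseudonyms are derived from provider-specific keys; at the same time the user needs no identity provider in the loop to log in, since validation is a local check against the key registered at enrolment. The single-use challenge is what stops a captured response from being replayed.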

(Wardley map slides, credit to Simon Wardley: identification-oriented paradigm; identification- and validation-oriented paradigms)

Digital Trust Infrastructure

Are We There Yet?

• There is still a long way to go before we reach maturity

• In the short run, we need to re-think our architecture to support a validation-oriented paradigm as well as an identification-oriented paradigm

• In the long run, we need to be conscious that the world is not standing still while we work on the Next Big IDM Thing

Contact

• Søren Peter Nielsen
• Twitter.com/sorenp
• spn@itst.dk
