
Page 1: Identity management and security · 2019-10-08 · Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of

Identity management and security

Could an IdP be considered an OES?

www.law.kuleuven.be/citip

Page 2:

What is an identity provider (IdP)?

Page 3:

Proprietary IdM and PKI IdM

Proprietary IdM (e.g. Facebook): the IdP issues a credential to the user; the user uses the credential to authenticate to the relying party; the relying party verifies the credential at the IdP.

PKI IdM (e.g. Belgian eID): the IdP issues a certificate to the user; the user uses the certificate to authenticate to the relying party; the relying party verifies the certificate itself, against the issuer's public key, without a call to the IdP.

Source: C. Sullivan, E. Burger, "Blockchain, Digital Identity, E-government", in: H. Treiblmaier, R. Beck (eds.), Business Transformation through Blockchain, 2019, pp. 233-258, p. 241.
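The two flows differ in where verification happens, and that difference is what turns a proprietary IdP into an availability dependency for every relying party that uses it, which is the reason the OES question arises at all. The following Python model is an added example, not code from the slides or from the cited chapter; the class and function names are its own, and its RSA is textbook and unpadded, generated at runtime for illustration only, not for real use. The proprietary IdP holds an HMAC key that never leaves it, so `rp_verify_proprietary` has to call back to the IdP; the PKI issuer hands its public key to the relying party, so `rp_verify_pki` runs locally and still succeeds when the issuer is unreachable.

```python
import hashlib
import hmac
import math
import secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test for odd n > 3 (toy RSA key generation only)."""
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n-1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:  # top bit set for full length, low bit set so it is odd
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class ProprietaryIdP:
    """Left side of the slide: the only verification key lives at the IdP."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # never shared with relying parties
        self.online = True
    def issue_credential(self, user):
        tag = hmac.new(self._key, user.encode(), "sha256").hexdigest()
        return f"{user}:{tag}"
    def verify_credential(self, credential):
        if not self.online:  # models the relying party's callback failing
            raise ConnectionError("IdP unreachable")
        user, _, tag = credential.rpartition(":")
        expected = hmac.new(self._key, user.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, tag)

class PkiIdP:
    """Right side of the slide: the IdP signs; relying parties verify locally."""
    def __init__(self, bits=256):
        self.e = 65537
        while True:
            p, q = _random_prime(bits), _random_prime(bits)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.e, phi) == 1:
                break
        self.n = p * q  # 512-bit modulus: a 256-bit digest fits unpadded (toy only)
        self._d = pow(self.e, -1, phi)  # private exponent, never leaves the issuer
        self.online = True
        self._revoked = set()
    def public_key(self):
        return self.n, self.e
    def issue_certificate(self, user):
        return user, pow(_digest_int(user.encode()), self._d, self.n)
    def revocation_status(self, user):
        if not self.online:  # OCSP-style lookup still needs the issuer reachable
            raise ConnectionError("OCSP responder unreachable")
        return user in self._revoked

def rp_verify_proprietary(idp, credential):
    return idp.verify_credential(credential)  # availability depends on the IdP

def rp_verify_pki(public_key, certificate):
    (n, e), (user, signature) = public_key, certificate
    return pow(signature, e, n) == _digest_int(user.encode())  # purely local

def outage_comparison():
    """Authentication outcomes for both models before and during an IdP outage."""
    prop, pki = ProprietaryIdP(), PkiIdP()
    cred, cert = prop.issue_credential("alice"), pki.issue_certificate("alice")
    ca_key = pki.public_key()  # given to the relying party out of band beforehand
    results = {
        "proprietary_online": rp_verify_proprietary(prop, cred),
        "pki_online": rp_verify_pki(ca_key, cert),
        "pki_forged": rp_verify_pki(ca_key, ("mallory", cert[1])),
    }
    prop.online = pki.online = False
    try:
        results["proprietary_offline"] = rp_verify_proprietary(prop, cred)
    except ConnectionError:
        results["proprietary_offline"] = "idp_unavailable"
    results["pki_offline"] = rp_verify_pki(ca_key, cert)
    try:
        results["pki_offline_revocation"] = pki.revocation_status("alice")
    except ConnectionError:
        results["pki_offline_revocation"] = "ocsp_unavailable"
    return results
```

Running `outage_comparison()` gives both models True while the issuer is up, False for a certificate whose subject was tampered with, `idp_unavailable` for the proprietary model during the outage and True for the PKI model. The `pki_offline_revocation` entry is the caveat a practitioner would raise against the clean contrast: checking revocation (CRL or OCSP) reintroduces a dependency on the issuer's infrastructure, which is why real deployments cache CRLs and define an explicit policy for what happens when the responder cannot be reached.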

Page 4:

Could the NIS Directive be applicable to IdPs?

Could an IdP be considered an operator of essential services (OES) or a digital service provider (DSP)?

Page 5:

What is an OES?

Operator of essential services

• Art. 4(4) NIS: an entity of a type listed in Annex II that meets the criteria of Art. 5(2) NIS
• Specific sectors, including Digital Infrastructure:
  • IXPs
  • DNS service providers
  • TLD name registries

Criteria of Art. 5(2) NIS:
+ the entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
+ the provision of that service depends on network and information systems; and
+ an incident would have significant disruptive effects on the provision of that service.

Page 6:

What is a DSP?

Digital service provider:
• Legal person that provides a digital service, i.e. an information society service of one of the following types:
  • online marketplace;
  • online search engine; or
  • cloud computing service

Page 7:

National implementation of NIS

• Austria: Bundesgesetz zur Gewährleistung eines hohen Sicherheitsniveaus von Netz- und Informationssystemen (Netz- und Informationssystemsicherheitsgesetz – NISG) (Federal Act to ensure a high level of security of network and information systems)
• Belgium: Wet van 7 april 2019 tot vaststelling van een kader voor de beveiliging van netwerk- en informatiesystemen van algemeen belang voor de openbare veiligheid (Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security); amends the Wet van 1 juli 2011 betreffende de beveiliging en de bescherming van de kritieke infrastructuren (Act of 1 July 2011 on the security and protection of critical infrastructures)
• Estonia: Cybersecurity Act (also important: Emergency Act)
• Germany: Gesetz zur Umsetzung der Richtlinie (EU) 2016/1148 des Europäischen Parlaments und des Rates vom 6. Juli 2016 über Maßnahmen zur Gewährleistung eines hohen gemeinsamen Sicherheitsniveaus von Netz- und Informationssystemen in der Union (Act implementing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union); amends the BSI-Gesetz (BSI Act); see also the Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI-Kritisverordnung – BSI-KritisV) (Ordinance determining critical infrastructures under the BSI Act)
• Netherlands: Wet van 17 oktober 2018, houdende regels ter implementatie van richtlijn (EU) 2016/1148 (Wet beveiliging netwerk- en informatiesystemen) (Act of 17 October 2018 laying down rules implementing Directive (EU) 2016/1148 (Network and Information Systems Security Act)), and the Besluit beveiliging netwerk- en informatiesystemen (Network and Information Systems Security Decree)
• UK: The Network and Information Systems Regulations 2018

Page 8:

National implementation of DSP?

The same as in the NIS Directive:
• online marketplace,
• online search engine,
• cloud computing service

IdP not a DSP

Page 9:

National implementation of OES?

Austria, § 3(9): "essential service" means a service provided in one of the sectors named in § 2 which is of essential importance in particular for the maintenance of the public health service, the public supply of water, energy and vital goods, public transport or the functioning of public information and communication technology, and whose availability depends on network and information systems; § 3(10): "operator of essential services" means an entity established in Austria that provides an essential service.

Belgium, art. 6, 11°: "operator of essential services": a public or private entity active in Belgium in one of the sectors listed in Annex I to this Act, which meets the criteria referred to in Article 12, § 1, and which has been designated as such by the sectoral authority.

Estonia, (2): Service providers specified in subsection (1) of this section who operate in sectors set out in Annex II to Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.07.2016, pp. 1–30) are deemed to be operators of essential services for the purposes of said Directive.

Germany, § 2(10): Critical infrastructures within the meaning of this Act are facilities, installations or parts thereof which 1. belong to the sectors energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance, and 2. are of high importance for the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public security.

Netherlands: operator of an essential service as referred to in Article 4 of the NIS Directive, designated under Article 5, first paragraph, under a. Vital provider: a. operator of an essential service; b. provider of another service whose continuity is of vital importance to Dutch society.

UK: "operator of an essential service" ("OES") means a person who is deemed to be designated as an operator of an essential service under regulation 8(1) or is designated as an operator of an essential service under regulation 8(3).

Page 10:

Overlaps with critical infrastructure legislation

• E.g. Estonia, Germany, Netherlands

Page 11:

Germany

The Gesetz zur Umsetzung der Richtlinie (EU) 2016/1148 des Europäischen Parlaments und des Rates vom 6. Juli 2016 über Maßnahmen zur Gewährleistung eines hohen gemeinsamen Sicherheitsniveaus von Netz- und Informationssystemen in der Union (the NIS implementing act) amended the BSI-Gesetz (BSI Act).

The Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI-Kritisverordnung – BSI-KritisV) is based on § 10(1) BSI-Gesetz.

Page 12:

Germany

§ 2(10) BSI-Gesetz: Critical infrastructures within the meaning of this Act are facilities, installations or parts thereof which
1. belong to the sectors energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance, and
2. are of high importance for the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public security.

BSI-Kritisverordnung, § 1: Critical service: a service for the general public in the sectors according to §§ 2 to 8 whose failure or impairment would lead to significant supply shortages or threats to public security.

§ 5 Sector information technology and telecommunications, Annex 4 Part 3: Trust services

Facilities to provide trust services

Threshold:
• 500 000 issued qualified certificates, or
• > 10 000 certificates used to authenticate publicly accessible servers (server certificates, e.g. for web servers, e-mail servers, cloud servers (e.g. TLS/SSL certificates))

Page 13:

What are the obligations? - Germany

NIS Directive: appropriate and proportionate technical and organisational measures to manage the risks
German BSI-Gesetz: take appropriate organisational and technical measures to prevent disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes relevant to the functioning of their critical infrastructures.

NIS Directive: state of the art
German BSI-Gesetz: the state of the art should be adhered to.

NIS Directive: appropriate to the risk
German BSI-Gesetz: organisational and technical arrangements are appropriate if the effort involved is not disproportionate to the consequences of failure or impairment of the critical infrastructure concerned.

NIS Directive: appropriate measures to prevent and minimise the impact of incidents
German BSI-Gesetz: see the first row.

NIS Directive: notify, without undue delay, incidents having a significant impact
German BSI-Gesetz: notification obligations; must notify
• disruptions [...] that have resulted in the failure or significant impairment of the functioning of their critical infrastructures;
• significant disruptions [...] that may result in failure or significant impairment of the functioning of their critical infrastructure.

Further obligations under the BSI-Gesetz:
• every two years: audits, tests or certifications to prove that the requirements are met
• provide a contact point for the critical infrastructure to the BSI

Page 14:

Netherlands

Wet beveiliging netwerk- en informatiesystemen (WBNI, Network and Information Systems Security Act) and Besluit beveiliging netwerk- en informatiesystemen (Bbni, Network and Information Systems Security Decree)

Wet gegevensverwerking en meldplicht cybersecurity (Data Processing and Cybersecurity Notification Obligation Act) and Besluit meldplicht cybersecurity (Cybersecurity Notification Obligation Decree)

Art. 1 WBNI, vital provider:
a. operator of an essential service;
b. provider of another service whose continuity is of vital importance to Dutch society.

Art. 2 Bbni: OES according to NIS

Art. 3 Bbni: other vital providers

Page 15:

What are the obligations? – The Netherlands

NIS Directive: appropriate and proportionate technical and organisational measures to manage the risks
The Netherlands (Wet beveiliging netwerk- en informatiesystemen), OES: take appropriate and proportionate technical and organisational measures to manage the risks to the security of their network and information systems.

NIS Directive: state of the art
OES: given the state of the art

NIS Directive: appropriate to the risk
OES: the measures provide a level of security that is proportionate to the risks that arise.

NIS Directive: appropriate measures to prevent and minimise the impact of incidents
OES: take appropriate measures to prevent incidents which affect the security of the network and information systems used for the provision of the service in question and, in the event of such incidents, to safeguard the continuity of that service as far as possible.

NIS Directive: notify, without undue delay, incidents having a significant impact
OES: (1) immediately reports to Our Minister (the responsible minister):
a. an incident with significant consequences for the continuity of the service provided by it;
b. a breach of network and information system security that may have a significant impact on the continuity of the service it provides.
(2) The provider of an essential service also reports an incident as referred to in the first paragraph, under a, immediately to the competent authority.
(3) [...] the provider of an essential service immediately reports an incident at a digital service provider to Our Minister and to the competent authority, if that incident has significant consequences for the continuity of its essential service.
Other vital service providers: immediately report to Our Minister:
a. an incident with significant consequences for the continuity of the service provided by them;
b. a breach of network and information system security that may have a significant impact on the continuity of the service they provide.

Page 16:

Estonia

Cybersecurity Act
Service provider:
- provider of a vital service
- [list of operators/providers/undertakings]
OES: service providers who operate in the sectors set out in the NIS Directive

Emergency Act
Provider of a vital service: legal person whose competence includes the fulfilment of:
• electricity supply;
• natural gas supply;
• liquid fuel supply;
• ensuring the operability of national roads;
• phone service;
• mobile phone service;
• data transmission service;
• digital identification and digital signing;
• health services;
• payment services;
• cash circulation;
• district heating;
• ensuring the operability of local roads;
• water supply and sewerage.

Page 17:

What are the obligations? - Estonia

NIS Directive: appropriate and proportionate technical and organisational measures to manage the risks; state of the art; appropriate to the risk; appropriate measures to prevent and minimise the impact of incidents
Estonia – Cybersecurity Act:
(1) A service provider shall permanently apply organisational, physical and information technological security measures:
1) for preventing cyber incidents;
2) for resolving cyber incidents;
3) for preventing and mitigating an impact on the continuity of the service or the security of the system due to a cyber incident or for preventing and mitigating a possible impact on the continuity of another dependant service or the security of a system.
(2) Upon the application of security measures, the service provider is required to:
1) prepare a system risk assessment [...]
2) ensure the existence and timeliness of a documented system risk assessment, security regulations and description of the application of security measures;
3) ensure the monitoring of the system [...]
4) take measures for reducing the impact and spread of a cyber incident [...]
5) check the sufficiency and compliance of the application of security measures and document the results;
6) preserve the documents [...] no less than three years [...]
(3) If the service provider authorises another party to administer the system or uses another party to host the system, the service provider is responsible for the application of the security measures of the system by the other party.

NIS Directive: notify, without undue delay, incidents having a significant impact
Estonia – Cybersecurity Act:
(1) A service provider shall inform the Estonian Information System Authority immediately but no later than 24 hours after becoming aware of a cyber incident:
1) which has a significant impact on the security of the system or the continuity of the service;
2) a significant impact of which on the security of the system or the continuity of the service is not obvious but can be reasonably presumed.

Page 18:

What are the obligations? - Estonia

NIS Directive: appropriate and proportionate technical and organisational measures to manage the risks; state of the art; appropriate to the risk
Estonia – Emergency Act:
- ensure the constant application of security measures in regard to the information systems used for the provision of the vital service and the related information assets.
- continuity risk assessment and plan of the vital service

NIS Directive: appropriate measures to prevent and minimise the impact of incidents
Estonia – Emergency Act:
- implement measures that prevent interruptions of the vital service
- ensure the capability to guarantee the continuity of and to quickly restore the service provided

NIS Directive: notify, without undue delay, incidents having a significant impact
Estonia – Emergency Act:
- immediately notify the authority of an interruption of the vital service, a risk of an interruption, an event significantly interfering with the continuity of the vital service or an impending risk of such an event;
- participate in resolving an emergency according to the emergency response plan;
- at request: provide the authority with information on the provision of the vital service
- at least once every two years: organise an exercise
- perform other obligations provided by legislation for ensuring the continuity of the vital service.
- if information systems ensuring the operation of a vital service are located in a foreign country, the provider of the vital service is also required to ensure the continuity of the vital service in a manner and by means not dependent on information systems located in foreign countries.

Page 19:

Could an IdP be an OES?

• NIS Directive: IdPs are neither IXPs, DNS service providers nor TLD name registries, so an IdP is not an OES under the Directive itself
• Critical/vital infrastructure? Possibly; depends on national implementation

Page 20:

IdPs that do not fall under eIDAS?

• Estonia already considers it a vital service
• Should other Member States do the same?

Page 21:

Questions?

Jessica Schroers
KU Leuven Centre for IT & IP Law (CiTiP) - imec
Sint-Michielsstraat 6, box 3443
BE-3000 Leuven, Belgium
http://www.law.kuleuven.be/citip

Page 22:

What would be the obligations?

NIS Directive, Art. 14(1): [...] take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. [...] Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.

Art. 14(2): [...] take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services.

Art. 14(3): notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident. Notification shall not make the notifying party subject to increased liability.

The competent authority/CSIRT may in some cases also inform:
- other affected Member State(s)
- the public