The Scottish Government Draft Consult Paper on Identity Management and Privacy Issues

Transcription

1 Scottish Government Draft Consultation Paper on Identity Management and Privacy dns ref: SCX028 date: 23 November 2009 version: 1.0 classification: unclassified dns contact: Mike Wawro, dns ltd, 83 princes street, edinburgh, eh2 2er; 16 st martin s le grand, london, ec1a 4en t: +44(0) f: +44(0) e: info@dns.co.uk w: registered in Scotland No

2 1 distribution and revision 1.1 document revision history name revision date version description Stewart McIntyre 19 November initial draft Mike Wawro 23 November review Don Smith 23 November review and release 1.2 distribution list name company contact info Natasja Bolton dns Graeme Cox dns Gordon Lang dns Richard Lewis dns Stewart McIntyre dns Don Smith dns Mike Wawro dns Caroline Irving Scottish Government Page 2

3 2 table of contents 1 distribution and revision document revision history distribution list table of contents executive summary introduction proving identity and entitlement identify only once risk appropriate login single sign-on prevent data mining avoid discrimination maintain non-it access to services consider users IT platforms offer choice provide a reasonable choice of authentication methods governance and accountability appointment of a privacy officer frequency of privacy officer reports audit incident management system data and data sharing controlling access role based access control access authorised by users linking information between systems add examples of link situations links must be reliable and accurate clarification on persistent identifiers education and engagement educate people about identity management and privacy issues introduction of a breach disclosure principle conclusions Page 3

4 3 executive summary As a leading provider of identity management and information security consultancy services to the Scottish public sector, dns is well placed to respond to the Scottish Government draft consultation paper on identity management and privacy principles. dns provides these types of services to (among others); The Scottish Government, NHS Scotland, General Register Office of Scotland, The Scottish Courts Service, The Crown Office and Procurator Fiscal Service, The Scottish Police Services Authority and many Scottish Local Authorities. We believe that the draft consultation paper provides an excellent start for refining the principles which seek to balance privacy needs with the undoubted benefits that well designed identity management systems can bring. We share the view that organisations should avoid creating large centralised databases of people s personal information with the exception of a single staff database per organisation. We have reviewed the paper and recorded our comments in this document. We understand that this is a principles paper and should not address issues associated specifically with implementation methods. However, we have made comments that reference identity management methods based on our experience where relevant. In summary; We advocate variable authentication methods that match the risk associated with the transaction(s) involved. Where possible a variety of authentication methods should be offered. Regarding governance and accountability, we believe that there should be a compliance process that involves annual sign-off by the identity store owner of a statement that summarises any security incidents related to the identity store and providing an assurance of the security and integrity of the identity store. The audit principle should be supported by an active security incident management system capable of immediately managing an alert caused by an actual, or suspected, breach of the identity store. The principle of least privilege should be used for controlling access to personal data. Where choice is available, users should be able to choose which services are able to access their personal information. The recommendation against sharing identifiers prevents increased damage by the breach of connected repositories. However, our experience suggests that the preference for avoiding identifiers may not be practical due to the errors inherent in a rules based matching system. The use of common identifiers is likely to be proposed as a link solution because of ease of implementation and satisfaction of the accuracy and reliability criteria. Finally, we are in favour of adding a breach disclosure principle that forces public service data controllers to inform service users if there has been, or is likely to have been, a breach of their identity credentials. The communication to users should inform them of any actions they should take to minimise the consequences. We recognise the need for a concise identity management and privacy principles definition. However, as always, the proof is in the quality of the design, implementation and operational management. Identity and privacy are complex subjects and we therefore recommend the creation of a guidance document, complementary to the principles, that provides greater context to aid interpretation, discusses identity management methods, and explains choices for system designers. dns would welcome the opportunity to participate in the creation of such a document. Page 4

5 4 introduction Focusing exclusively on information security, dns offers a complete set of both professional services and managed security services to a wide range of customers. Based in Edinburgh and London, dns serves an international customer base. Due to its commitment to customer satisfaction and information security expertise dns is the fastest growing information security services company in Europe. dns has been involved in several public sector organisation projects, including Scottish Schools Digital Network, NHS Scotland and Scottish Enterprise. The dns vision is to be the leading niche provider of quality information security solutions and services. dns is well placed to respond to the Scottish Government draft consultation paper on identity management and privacy principles. dns provides these types of services to (among others); The Scottish Government, NHS Scotland, General Register Office of Scotland, The Scottish Courts Service, The Crown Office and Procurator Fiscal Service, The Scottish Police Services Authority and many Scottish Local Authorities. In a broad sense, the principles in this document can be compared to principles from successful public service identity schemes in other countries, including New Zealand s igovt service, which provides user registration and authentication for government services, and Norway s enorway initiative, which provides a portal to 30 government services. Notably, both New Zealand and Norway are comparable to Scotland in terms of population size. In the following sections 5 to 8 we have provided our comments on the draft consultation paper. Each section corresponds to a section of the consultation paper. For ease of reference, we have restated the principle prior to our comments on it. Page 5

6 5 proving identity and entitlement 5.1 identify only once Principle 1.1. For services which are used frequently and for which identification is needed, public service organisations should give people a simple way to register once. Thereafter, unless there is a statutory requirement to prove identity, in many cases a person should be able to access the service using a token, such as a bus pass or library card that proves their entitlement without revealing unnecessary personal information. In other circumstances, a user name and a password or elements of a password may be required risk appropriate login Authentication is the process of verifying that someone is who they claim to be. Authentication should be appropriate to the level of risk associated with intended transaction. The registration and authentication methods an organisation requires for access to a service should be appropriate to the impact of the misappropriation of a user identity in that service 1. As well risk differences between organisations a single organisation may offer several services with various levels of risk. For example, the impact of identity misappropriation is greater for a council s tax payment service than their library service. If an authentication method is used by several services it must meet the requirements of the service with greatest risk or support some form of tiered authentication single sign-on Single sign-on allows users to access their services through a single login event. Single sign on increases user convenience, increases the consistency of the user experience, fosters ownership of their public service identity, avoids re-inventing authentication solutions for each service provider and avoids separate authentication infrastructure in each organisation. The purpose of a single sign-on service is user authentication. The information collected for a single sign-on service should be sufficient to verify that a user is who they claim to be. Service specific personal information should still be stored by the service provider organisation, avoiding general purpose centralised databases (principle 4.2) prevent data mining Services must not leak personal information to unauthorised parties. An example of personal information leakage is a Norwegian government pension scheme website that returned name and address when presented with a social security number, allowing an adversary to build a list of information useful for identity theft 2. This type of unauthorised bulk data collection is known as data harvesting or data mining. Anonymous users whose identity has not been verified must not have access to personal information. Authenticated users typically have authority to access only their own personal information and should not have access to another user s information. Authentication systems should avoid leaking usernames by only informing users if the login was successful and not confirm whether or not the user name exists. 1 Registration and Authentication Framework, UK e-government Strategy 2 Risks in Networked Computer Systems, Andre N. Klingsheim Page 6

7 5.2 avoid discrimination Principle 1.6. Organisations must take steps to ensure that people are not discriminated against unfairly (for example, on grounds of disability, age or ethnicity) or socially excluded as a result of the approach to identification or authentication maintain non-it access to services Though possibly self-evident, we think it might be worth explicitly stating that service users who do not have access to information technology systems should be able to continue to access services by alternative methods (including in person, by telephone and mail correspondence) consider users IT platforms Services provided by IT systems should be available to a high proportion of users as reasonably possible. For services presented via the Internet, compatibility with a reasonable proportion of web browsers is a key issue. For example, although Microsoft Internet Explorer 6 has been superseded by newer versions, and may in some instances be harder to create web based services for, it still accounts for approximately 16% of web traffic in the UK offer choice Principle 1.7. As far as possible, people should be offered alternative ways to prove identity and / or entitlement provide a reasonable choice of authentication methods The alternative methods used to prove identity and entitlement should avoid burdening users with a confusing array of choices. Collecting additional information to support additional authentication methods (or to increase confidence about user identity before granting additional authentication methods) must be balanced with the principles of single registration and avoidance of excessive data. If an authentication method is used by several services it must meet the requirements of the service with greatest risk. 3 Survey Unveils a Softer Start for Internet Explorer 8 ( _en.htm ) Page 7

8 6 governance and accountability 6.1 appointment of a privacy officer Principle 2.3. Responsibility and accountability for privacy should be assigned to a named senior management officer who reports to the Board or equivalent frequency of privacy officer reports The duties of a privacy accountability officer should include regular reviews of privacy issues in an organisation. Regular internal reviews of privacy as a normal business activity help organisations maintain a state of readiness for audits and ICO inspections specified in principle 2.7. There should be a process whereby the officer endorses compliance to the Senior Information Risk Owner at least annually. The compliance report should summarise any security incidents related to the identity store and provide an assurance of the security and integrity of the identity store. 6.2 audit Principle 2.4. Public service organisations must be able to demonstrate that personal information can only be accessed by staff who need access to it. Organisations must ensure that they keep records of access to personal information, that there are alerts which prevent or identify inappropriate access and that access logs and alerts are reviewed regularly by line managers incident management system The alerts only have value if they feed into a live incident management system. The key point is that it must be pro-active and trigger action. The definition in paragraph 2.4 suggesting regular review could be interpreted to mean that a weekly (for example) frequency of review is sufficient. If an identity store is compromised then it must be sensed immediately and remedial action initiated. The public should expect nothing less. Page 8

9 7 data and data sharing 7.1 controlling access Principle 4.4. Public service organisations should ensure that personal data is held securely (see 2.1c above), that their employees only have access to the minimum personal information they need and that audit records exist of all accesses to, changes to and uses of that data role based access control The principle of controlling access to information should consider the purpose that the access is for rather than the employee performing the purpose. This allows the definition of access rights based on business purposes, rather than around individual employees. An employee s access rights therefore consist of the set of rights for the business purposes they perform. This is often described as role-based access control. Each of an organisation s services (or purposes) may require only a subset of the information held by the organisation. Only the information required by a service should be provided to that service. Alternatively, using a claims based model, services can validate claims without requiring access to raw identity data, for example, validating that someone is over 18 or not (a binary response) rather than disclosing their date of birth access authorised by users Allowing users to manage how services access their personal information provides an opportunity to justify the need for the personal information and explain how the information will be used, increasing user involvement and trust in the system. User authorisation of access to their personal information is only necessary when the user s personal information changes or the service changes, rather than per-access event. User authorised access allows users to control the personal information, or persona, that they present to a service, rather than having their service identity specified solely by the request from the service provider organisation. User authorisation of access can be finer than grant or deny decisions, and a deny access decision does not necessarily prevent access to a service. For example a service may have a requirement that the user provides contact information but each individual contact method is optional. 7.2 linking information between systems Principle 4.6. Public service organisations should not share personal information unless it is strictly necessary. If a public service organisation needs to link personal information from different systems and databases, it should avoid sharing persistent identifiers; other mechanisms, such as matching, should be considered. If a public service organisation believes that persistent identifiers should be shared, it must publicly explain why add examples of link situations Further qualifying the types of situation where linking data is necessary would be beneficial. This may include situations where the use is a purpose the data was collected 4 Many of these models are discussed in the recommended document Identity Governance Framework, Oracle White Paper, November Phillip Hunt and Prateek Mishra Page 9

10 for, the use is necessary to uphold the law, or the use lessens an imminent threat to public safety links must be reliable and accurate The method used to connect a user s records across several systems must produce accurate and reliable links. An accurate link connects all of a single user s records, without records from any other users. A reliable linking method consistently produces the same links from the same sets of personal information on multiple occasions clarification on persistent identifiers Identifiers can match a person and a system, rather than just a person, preventing direct matches between different systems identity repositories. Links are therefore established through a central link mechanism which groups these identifiers by user with a minimal amount of personal information. Access to the link mechanism is only granted in circumstances where linking systems is necessary, and only for the systems involved in the particular link. 5 Examples from New Zealand Privacy Act, Principle 10: Limits on use of personal information Page 10

11 8 education and engagement 8.1 educate people about identity management and privacy issues Principle 5.2. Public service organisations must ensure that staff or contractors who handle personal data on their behalf have and maintain a good working knowledge and understanding of identity management and privacy. Principle 5.3. Public service organisations must take steps to ensure that their customers have enough information to make informed decisions about identity management and privacy introduction of a breach disclosure principle In order to foster transparency with the public, we strongly advocate the addition of breach disclosure to the education and engagement principles, as recently legislated by the majority of states in the USA. Privacy breaches include the theft, loss or inadvertent disclosure of identity information. Disclosure of a breach could require either reference to the ICO for guidance or the notification of affected service users. Breach disclosure makes public service data controllers accountable to users and provides an official mechanism for response to press coverage. As part of the organisation s responsibilities under 5.8 (duty to repair or redress) they may be required to inform the user of any actions they should take, in the event of a breach, in addition to the actions required of the organisation. Disclosure laws are not a magic bullet solution to the problem of identity theft. A study on the impact of the USA data breach laws found that breach laws have had a minimal effect in reducing identity theft but can contribute to improved data handling practise and user education 6. 6 Do Data Breach Disclosure Laws Reduce Identity Theft?, Carnegie Mellon University Page 11

12 9 conclusions The current Proving Identity and Entitlement principles implicitly include risk appropriate login. Adding a principle of risk appropriate login clarifies that authentication methods used must be sufficient for the circumstances (1.3, 1.5) and that the user s services may influence the choice of authentication methods available to them (1.7). The e-government Strategy paper Registration and Authentication Framework recognises four authentication levels, ordered by severity of the consequences of a misappropriation of a user s identity. New Zealand s igovt authentication service uses user name and password for most services and adds a one-time password, generated from a device or sent to the user s mobile phone, as a second factor for services that require extra security. A single sign-on access management system provides benefits in two areas: user experience, increasing convenience and consistency, and a common access management infrastructure for service providers, avoiding re-inventing login for each organisation. Access management systems accelerate development of service provider systems by providing packaged authentication, authorisation and audit integration points. Although single sign-on is a central system, it has the distinct business purpose of authenticating users to service and should only share the information necessary to achieve this purpose with service provider systems. The proposed principles describe a user centric identity system, which provides users with visibility of and control over their relationships with government organisations systems, including how these systems collect and use their personal information. Extending the access control principle (4.4) to include user authorisation of access to personal information extends the commitment to the Education and Engagement principles. Involving the user in the authorisation of access to their personal information provides an opportunity to inform users which information is required or optional for a service, how the information will be used and provides user control. We recognise the need for a concise identity management and privacy principles definition. However, as always, the proof is in the quality of the design, implementation and operational management. Identity and privacy are complex subjects and we therefore recommend the creation of a guidance document, complementary to the principles, that provides greater context to aid interpretation, discusses identity management methods and explains choices for system designers. dns would welcome the opportunity to participate in the creation of such a document. Page 12