Effective use of Digital Identities and ID cards in a Government Environment

Transcription

1 Effective use of Digital Identities and ID cards in a Government Environment Bavo De Ridder Principal Information Security Consultant Competence Leader IAM Erik R. van Zuuren Principal Information Security Consultant BU Director Architectures 1

2 Disclaimers Part of this presentation reflects the personal vision of the speakers. Part of this presentation represents the architectural vision of MVG-SCICT as is being implemented at this time. All of the content is based either on public information or is based on declassified MVG-SCICT -information (and is being communicated with the consent of MVG-SCICT ). With gratitude to Luc Chauvin / Wim Martens, MVG-SCICT 2

3 Belgium At the heart of Europe Home to the EU Home to NATO Source: 3

4 Agenda Authentication Belgian eid Introduction to Belgian eid Card Access Control & Authorization Typical scenarios and requirements Identity Management Roles, mandates, management Logging & Auditing Responsibilities 4

5 Authentication - Belgian eid Card 5

6 eid Project Goals Replace existing eid-cards (identification of all inhabitants age 12 of more: names, place of birth, birthdate, unique registration-number, ) Enable e-communications with government (certs for authentication and digital signature) Source: FOD BZ 6

7 Bull Belgian eid Card Government - the national eid-card: Communities, the National Registry, Private Partners. VRK (4) CM/CP/CI (7) (5) (10a1) (3) RC (10a2) (6) Meikäläinen Matti (9) CA CA (8) PIN & PUK1 -code ERA (10b) (1) De Gemeenten Face to face identification (2), (12) (11) Source: Fedict (13) - For Techies: validation via CRL s and OCSP 7

8 Other Projects Intermediate solution Federal Token Startup issues of the eid Readers / Middleware / For Techies: authentication via SAML1.0 POST-profile Source: 8

9 Other Projects Kids Card < 12 years Voluntary Potential 1.3 million cards Source: Fedict Foreigner Card EU and non-eu Potential 1 million cards Source: Fedict 9

10 Access Control And Authorization 10

11 Typical Access Control Use Case: Resource needs to be protected John Doe wants access Access Control Environment: Identifies John Doe Authorizes John Doe 11

12 Identification Requires knowledge of the subject Username Unique ID Requires a mechanism of proof Passwords? Token? Trusted Provider? Trusted Issuer? Identity Repository LDAP, Active Directory TrustedSources? 12

13 Authorization Sometimes requires knowledge of the subject: Department Function Sometimes requires other info: Contextual Environment Trusted Sources of roles, atttibutes,? Trusted Sources of eg mandates? 13

14 Government Case 14

15 Government Case (2) Government Organization Small number of large and independent agencies Large number of small and dependent agencies Access Control Infrastructure Expensive for most agencies ASP Model Share knowledge and infrastructure 15

16 Example Flemish Gov BUITEN MVG reverse proxy server web server informatie Authenticatie- en Identificatie- Diensten 6. Indien authenticatie OK, ontvang identiteitsgegevens: rijksregisternummer (RRN) (1) Vlaamse portaal applicatie Vlaamse overheidswebsites (8) web server informatie applicatie 5. Verzend authenticatiegegevens ACM (2) gebruikersnaam + paswoord toegangs beheer (7) 2. Authenticeer gebruiker op veiligheidsniveau X (3) (6) identiteits beheer authentificatie & identificatie BINNEN MVG (5) (4) federale authenticatieen identiteitsgegevens federale token ACM federale eid BUITEN MVG reverse proxy server web server informatie applicatie (1) Eigen portaal e od eth erm nd tice ke en lf be h t e u in s a k uz ns Kie aa ve 3. n m ge e ge atie ic nt the au ef Ge 4. (8) web server informatie applicatie (2) Vlaamse portaal 1. Log in op website om toegang te krijgen tot Informatie of dienst 8. Komt u maar binnen 9. Toegang 7. Heb gebruiker geauthenticeerd, dit zijn zijn/haar identiteitsgegevens (7) ACM toegangs beheer (3) (6) authentificatie & identificatie identiteits beheer BINNEN MVG (4) (5) federale authenticatieen identiteitsgegevens 16

17 Example - InterGov PDP-SZ PDP-FGOV PDP-VO (SM) PDP-LIJN Policy Enforcement Points Policy Decision Points 17

18 Identity Management 18

19 Identity Sources 19

20 Identity Targets 20

21 Challenges Strong diversity in identities Citizens, civil servants, nurses Changes in Sources and Targets In numbers and technology Different Administration Models Central, delegated (flavors!) Real World Support Smaller agencies, political issues 21

22 Requirements Stable Platform Adding user types Adding sources Adding targets Maximal re-use of Components Flexible New administration models Federation, ID-WSF, SPML 22

23 Flemish ASP Model 23

24 ASP Proces Model 24

25 Flemish ASP Model Abstraction Import and Administration Consolidation and Unification Synchronisation and Provisioning Out Sourcing At Each Level Keep your own IdP but out source administration Out source IdP and administration Keep your own IdP and administration 25

26 Conclusion 26

27 Conclusion Government Context Some unique challenges Reality check (small agencies, politics ) ASP Model Requirements Offer rich environment Offer choice at different levels Identity Standards Very useful but not sufficient Use them as soon as possible 27

28 Questions? 28

29 Thank You 29