Effective use of Digital Identities and ID cards in a Government Environment Bavo De Ridder Principal Information Security Consultant Competence Leader IAM Erik R. van Zuuren Principal Information Security Consultant BU Director Architectures 1
Disclaimers Part of this presentation reflects the personal vision of the speakers. Part of this presentation represents the architectural vision of MVG-SCICT as is being implemented at this time. All of the content is based either on public information or is based on declassified MVG-SCICT -information (and is being communicated with the consent of MVG-SCICT ). With gratitude to Luc Chauvin / Wim Martens, MVG-SCICT 2
Belgium At the heart of Europe Home to the EU Home to NATO Source: www.belgium.be 3
Agenda Authentication Belgian eid Introduction to Belgian eid Card Access Control & Authorization Typical scenarios and requirements Identity Management Roles, mandates, management Logging & Auditing Responsibilities 4
Authentication - Belgian eid Card 5
eid Project Goals Replace existing eid-cards (identification of all inhabitants age 12 of more: names, place of birth, birthdate, unique registration-number, ) Enable e-communications with government (certs for authentication and digital signature) Source: FOD BZ 6
Bull Belgian eid Card Government - the national eid-card: Communities, the National Registry, Private Partners. VRK (4) CM/CP/CI (7) (5) (10a1) (3) RC (10a2) (6) Meikäläinen Matti (9) CA CA (8) PIN & PUK1 -code ERA (10b) (1) De Gemeenten Face to face identification (2), (12) (11) Source: Fedict (13) - For Techies: validation via CRL s and OCSP 7
Other Projects Intermediate solution Federal Token Startup issues of the eid Readers / Middleware / For Techies: authentication via SAML1.0 POST-profile Source: www.belgium.be 8
Other Projects Kids Card < 12 years Voluntary Potential 1.3 million cards Source: Fedict Foreigner Card EU and non-eu Potential 1 million cards Source: Fedict 9
Access Control And Authorization 10
Typical Access Control Use Case: Resource needs to be protected John Doe wants access Access Control Environment: Identifies John Doe Authorizes John Doe 11
Identification Requires knowledge of the subject Username Unique ID Requires a mechanism of proof Passwords? Token? Trusted Provider? Trusted Issuer? Identity Repository LDAP, Active Directory TrustedSources? 12
Authorization Sometimes requires knowledge of the subject: Department Function Sometimes requires other info: Contextual Environment Trusted Sources of roles, atttibutes,? Trusted Sources of eg mandates? 13
Government Case 14
Government Case (2) Government Organization Small number of large and independent agencies Large number of small and dependent agencies Access Control Infrastructure Expensive for most agencies ASP Model Share knowledge and infrastructure 15
Example Flemish Gov BUITEN MVG reverse proxy server web server informatie Authenticatie- en Identificatie- Diensten 6. Indien authenticatie OK, ontvang identiteitsgegevens: rijksregisternummer (RRN) (1) Vlaamse portaal applicatie Vlaamse overheidswebsites (8) web server informatie applicatie 5. Verzend authenticatiegegevens ACM (2) gebruikersnaam + paswoord toegangs beheer (7) 2. Authenticeer gebruiker op veiligheidsniveau X (3) (6) identiteits beheer authentificatie & identificatie BINNEN MVG (5) (4) federale authenticatieen identiteitsgegevens federale token ACM federale eid BUITEN MVG reverse proxy server web server informatie applicatie (1) Eigen portaal e od eth erm nd tice ke en lf be h t e u in s a k uz ns Kie aa ve 3. n m ge e ge atie ic nt the au ef Ge 4. (8) web server informatie applicatie (2) Vlaamse portaal 1. Log in op website om toegang te krijgen tot Informatie of dienst 8. Komt u maar binnen 9. Toegang 7. Heb gebruiker geauthenticeerd, dit zijn zijn/haar identiteitsgegevens (7) ACM toegangs beheer (3) (6) authentificatie & identificatie identiteits beheer BINNEN MVG (4) (5) federale authenticatieen identiteitsgegevens 16
Example - InterGov PDP-SZ PDP-FGOV PDP-VO (SM) PDP-LIJN Policy Enforcement Points Policy Decision Points 17
Identity Management 18
Identity Sources 19
Identity Targets 20
Challenges Strong diversity in identities Citizens, civil servants, nurses Changes in Sources and Targets In numbers and technology Different Administration Models Central, delegated (flavors!) Real World Support Smaller agencies, political issues 21
Requirements Stable Platform Adding user types Adding sources Adding targets Maximal re-use of Components Flexible New administration models Federation, ID-WSF, SPML 22
Flemish ASP Model 23
ASP Proces Model 24
Flemish ASP Model Abstraction Import and Administration Consolidation and Unification Synchronisation and Provisioning Out Sourcing At Each Level Keep your own IdP but out source administration Out source IdP and administration Keep your own IdP and administration 25
Conclusion 26
Conclusion Government Context Some unique challenges Reality check (small agencies, politics ) ASP Model Requirements Offer rich environment Offer choice at different levels Identity Standards Very useful but not sufficient Use them as soon as possible 27
Questions? http://www.ascure.com bdr@ascure.com ezu@ascure.com 28
Thank You 29