Effective use of Digital Identities and ID cards in a Government Environment

Effective use of Digital Identities and ID cards in a Government Environment Bavo De Ridder Principal Information Security Consultant Competence Leader IAM Erik R. van Zuuren Principal Information Security Consultant BU Director Architectures 1

Disclaimers Part of this presentation reflects the personal vision of the speakers. Part of this presentation represents the architectural vision of MVG-SCICT as is being implemented at this time. All of the content is based either on public information or is based on declassified MVG-SCICT -information (and is being communicated with the consent of MVG-SCICT ). With gratitude to Luc Chauvin / Wim Martens, MVG-SCICT 2

Belgium At the heart of Europe Home to the EU Home to NATO Source: www.belgium.be 3

Agenda Authentication Belgian eid Introduction to Belgian eid Card Access Control & Authorization Typical scenarios and requirements Identity Management Roles, mandates, management Logging & Auditing Responsibilities 4

Authentication - Belgian eid Card 5

eid Project Goals Replace existing eid-cards (identification of all inhabitants age 12 of more: names, place of birth, birthdate, unique registration-number, ) Enable e-communications with government (certs for authentication and digital signature) Source: FOD BZ 6

Bull Belgian eid Card Government - the national eid-card: Communities, the National Registry, Private Partners. VRK (4) CM/CP/CI (7) (5) (10a1) (3) RC (10a2) (6) Meikäläinen Matti (9) CA CA (8) PIN & PUK1 -code ERA (10b) (1) De Gemeenten Face to face identification (2), (12) (11) Source: Fedict (13) - For Techies: validation via CRL s and OCSP 7

Other Projects Intermediate solution Federal Token Startup issues of the eid Readers / Middleware / For Techies: authentication via SAML1.0 POST-profile Source: www.belgium.be 8

Other Projects Kids Card < 12 years Voluntary Potential 1.3 million cards Source: Fedict Foreigner Card EU and non-eu Potential 1 million cards Source: Fedict 9

Access Control And Authorization 10

Typical Access Control Use Case: Resource needs to be protected John Doe wants access Access Control Environment: Identifies John Doe Authorizes John Doe 11

Identification Requires knowledge of the subject Username Unique ID Requires a mechanism of proof Passwords? Token? Trusted Provider? Trusted Issuer? Identity Repository LDAP, Active Directory TrustedSources? 12

Authorization Sometimes requires knowledge of the subject: Department Function Sometimes requires other info: Contextual Environment Trusted Sources of roles, atttibutes,? Trusted Sources of eg mandates? 13

Government Case 14

Government Case (2) Government Organization Small number of large and independent agencies Large number of small and dependent agencies Access Control Infrastructure Expensive for most agencies ASP Model Share knowledge and infrastructure 15

Example Flemish Gov BUITEN MVG reverse proxy server web server informatie Authenticatie- en Identificatie- Diensten 6. Indien authenticatie OK, ontvang identiteitsgegevens: rijksregisternummer (RRN) (1) Vlaamse portaal applicatie Vlaamse overheidswebsites (8) web server informatie applicatie 5. Verzend authenticatiegegevens ACM (2) gebruikersnaam + paswoord toegangs beheer (7) 2. Authenticeer gebruiker op veiligheidsniveau X (3) (6) identiteits beheer authentificatie & identificatie BINNEN MVG (5) (4) federale authenticatieen identiteitsgegevens federale token ACM federale eid BUITEN MVG reverse proxy server web server informatie applicatie (1) Eigen portaal e od eth erm nd tice ke en lf be h t e u in s a k uz ns Kie aa ve 3. n m ge e ge atie ic nt the au ef Ge 4. (8) web server informatie applicatie (2) Vlaamse portaal 1. Log in op website om toegang te krijgen tot Informatie of dienst 8. Komt u maar binnen 9. Toegang 7. Heb gebruiker geauthenticeerd, dit zijn zijn/haar identiteitsgegevens (7) ACM toegangs beheer (3) (6) authentificatie & identificatie identiteits beheer BINNEN MVG (4) (5) federale authenticatieen identiteitsgegevens 16

Example - InterGov PDP-SZ PDP-FGOV PDP-VO (SM) PDP-LIJN Policy Enforcement Points Policy Decision Points 17

Identity Management 18

Identity Sources 19

Identity Targets 20

Challenges Strong diversity in identities Citizens, civil servants, nurses Changes in Sources and Targets In numbers and technology Different Administration Models Central, delegated (flavors!) Real World Support Smaller agencies, political issues 21

Requirements Stable Platform Adding user types Adding sources Adding targets Maximal re-use of Components Flexible New administration models Federation, ID-WSF, SPML 22

Flemish ASP Model 23

ASP Proces Model 24

Flemish ASP Model Abstraction Import and Administration Consolidation and Unification Synchronisation and Provisioning Out Sourcing At Each Level Keep your own IdP but out source administration Out source IdP and administration Keep your own IdP and administration 25

Conclusion 26

Conclusion Government Context Some unique challenges Reality check (small agencies, politics ) ASP Model Requirements Offer rich environment Offer choice at different levels Identity Standards Very useful but not sufficient Use them as soon as possible 27

Questions? http://www.ascure.com bdr@ascure.com ezu@ascure.com 28

Thank You 29