Authors: Niall Burns (Symphonic), Professor Bill Buchanan (Edinburgh Napier University), Cassie Anderson (miicard)

Overview

There is a growing demand within governments, health sectors, social care, police, education authorities and from individual citizens to allow and enable controlled access to sensitive information based on trusted rights and privileges, particularly when doing so will lead to improved health and well-being and/or save lives. But this is a highly contentious subject and raises many ethical, political and technological questions. In this paper we explore how, once the ethical and political issues have been resolved, we handle the technical challenges of sharing data across disparate domains and sectors, and how we develop the necessary infrastructure and framework to provide the trust, assurances and confidence in a workable solution.

The challenge: creating trust online

Most organisations share data in some form or another, and almost all will have their own bespoke, integral security and data governance layers, granting and denying access based on pre-defined claims provided by the user. This mechanism is reasonably effective when the users sharing this information are well-known and the accessible domains are centrally controlled or owned. But as we open up our data to much wider audiences for greater efficiencies, and span multiple domains and sectors, we are faced with a number of new problems:

- How do we identify users (from all walks of life, devices and networks) and assure ourselves that they are who they say they are, and with what degree of certainty?
- How can we impose scalable, cross-system, cross-domain policies given the disparity of our systems and their individual, often bespoke, security protocols?
- How can we retain overall control and track who has access, or who tried to access, what services?
- How do we lock down systems in the case of an emergency?
- How can we guarantee the effective governance of the data we share?

"Big data is such a new area that nobody has developed governance procedures and policies, there are more questions than answers." Boris Evelson, Forrester Research Inc., August 2012

These questions, along with historical technological and political barriers, have prevented, or significantly delayed, the drive to successfully share data. The desire to share data is certainly there: a recent survey carried out at the e-health Conference in Edinburgh found that 62% of attendees would like to access their health records online. The main restriction, and the focus now, is: how do we share relevant data in a highly trusted and governed framework, when access may be to highly sensitive data?
A centralised trust framework

In order to achieve an accurate and comprehensive view and control of data governance within, and across, organisational boundaries, there needs to be a centralised approach to defining and distributing a single and binding trust framework. This trust framework contains all definitions related to data governance: from the legal policy definitions, the levels of trust assigned to identity and attribute providers, and the ontology of domains, roles, relationships and services, down to the granular data and service access policies. All access control is governed by this well-defined trust framework. By creating a centralised trust framework, the organisations and domain owners can be assured that it forms the only basis on which data governance and service access rights can be granted, ensuring that when new services or data exchanges are introduced (or when existing services are updated), they cannot simply bypass it or make up their own rules for access.

Defining trust levels

As we move away from relying on built-in proprietary system security towards more trusted and federated third-party identity providers, we need a scalable and somewhat dynamic way of defining our trust levels and basing our policies on these levels. A policy written directly against a single provider looks simple enough:

    PERMIT [MIICARD_USER] TO [ACCESS] [MYSECURESERVICE] FOR [READ] AND [WRITE]

But as the service begins to support more and more identity providers, and introduces different access and trust rights for each provider, we end up with highly complicated and inflexible governance and access policies:

    PERMIT [MIICARD_USER] TO [ACCESS] [MYSECURESERVICE] FOR [READ] AND [WRITE]
    PERMIT [FEDERATED_ID_PROVIDER_USER] TO [ACCESS] [MYSECURESERVICE] FOR [READ] AND [WRITE]
    PERMIT [NHS_FEDERATED_USER] TO [ACCESS] [MYSECURESERVICE] FOR [READ] AND [WRITE]
    PERMIT [OTHER_FEDERATED_USER] TO [ACCESS] [MYSECURESERVICE] FOR [READ] AND [WRITE]
    ...

When we introduce hundreds or thousands of services, each with differing access rights depending on identity provider and attribute provider, this becomes increasingly complex: every newly approved provider means a new rule for every service that should accept it.
However, by defining trust levels within the trust framework and matching them to identity providers, attribute providers and the properties of those providers (such as whether they support bank validation, passport checks, password cycling, geo-location verification, etc.), we can assign access to services based on the level of trust, opening our services to any identity provider defined in the trust framework. For example:

Level of Assurance 1
  Identity providers: social accounts; email addresses
  Attributes supported: [Username], [Password]

Level of Assurance 2
  Identity providers: knowledge-based assessment; uploaded scans of ID documents; data bureau checks
  Attributes supported: [Username], [Password], [Document Check]

Level of Assurance 3
  Identity providers: miicard; government identity services; EU e-passport scheme; offline physical ID document check
  Attributes supported: [Username], [Password], [Document Check], [Bank Check], [Geo-location], [Mobile Verification], etc.

The service policy is then written once, against the level rather than the provider:

    PERMIT [LEVEL_3] TO [ACCESS] [MYSECURESERVICE] FOR [READ] AND [WRITE]

When new providers are approved, they are added to the list of trusted providers under the appropriate trust level, making the integration of new identity and attribute providers not only simple but also free of any modification to the core access rights for the affected services. The level granted to a request must be derived from the authenticated identity provider that issued the assertion, as recorded in the trust framework, and never from a level the user asserts about themselves.
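The following is an added illustration of the level-of-assurance approach described in this section; it is not Symphonic's or miicard's code. The provider names, the [Username]/[Password]/[Document Check]/[Bank Check] attribute labels and the MYSECURESERVICE policy follow the table and PERMIT statements above; the second service (NOTICEBOARD), the provider identifiers and the data layout are assumptions made for the example. It models only the policy layer: the assertion's issuer is taken to have been authenticated already (for instance by verifying its signature against that issuer's key), and the level is looked up from the issuer in the trust framework, so an unknown issuer or a self-asserted level fails closed. Registering a new provider under a level grants access to the service without the service policy changing, which is the point the text makes.

```python
"""Access policy keyed on level of assurance (LoA) rather than on identity provider.

Added example, not Symphonic's or miicard's code. Provider and service names are
assumed; attribute labels follow the table in the text.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Trust framework: identity providers approved at each level of assurance.
# A provider appears here only after it has been approved; anything absent is untrusted.
TRUST_FRAMEWORK: Dict[str, int] = {
    "social_accounts": 1, "email": 1,
    "kba_provider": 2, "document_scan_bureau": 2,
    "miicard": 3, "gov_identity_service": 3, "eu_epassport": 3,
}

# Attributes an assertion must carry to be honoured at a given level.
REQUIRED_ATTRIBUTES: Dict[int, Set[str]] = {
    1: {"Username", "Password"},
    2: {"Username", "Password", "Document Check"},
    3: {"Username", "Password", "Document Check", "Bank Check"},
}

# Service policy expressed against levels only, i.e.
# PERMIT [LEVEL_3] TO [ACCESS] [MYSECURESERVICE] FOR [READ] AND [WRITE]
SERVICE_POLICY: Dict[str, Dict[str, int]] = {
    "MYSECURESERVICE": {"READ": 3, "WRITE": 3},
    "NOTICEBOARD": {"READ": 1, "WRITE": 2},   # assumed second service for contrast
}


@dataclass
class Assertion:
    subject: str
    issuer: str            # identity provider that issued it; assumed already authenticated
    attributes: Set[str]   # attributes the issuer actually verified about the subject


@dataclass
class Decision:
    permitted: bool
    level: int
    reason: str


def register_provider(name: str, level: int) -> None:
    """Approve a new provider at an existing level. Service policies are not touched."""
    if level not in REQUIRED_ATTRIBUTES:
        raise ValueError(f"unknown level of assurance {level}")
    TRUST_FRAMEWORK[name] = level


def level_of_assurance(a: Assertion) -> int:
    """Level the framework grants this assertion; 0 means not trusted at all."""
    level = TRUST_FRAMEWORK.get(a.issuer, 0)
    if level == 0:
        return 0                                   # unknown issuer: fail closed
    if not REQUIRED_ATTRIBUTES[level] <= a.attributes:
        return 0                                   # issuer omitted an attribute its level requires
    return level


def decide(a: Assertion, service: str, action: str, audit: List[str]) -> Decision:
    """Evaluate one request against the level-based policy and record the outcome."""
    required = SERVICE_POLICY.get(service, {}).get(action)
    if required is None:
        d = Decision(False, 0, "no policy for service/action")   # nothing permitted by default
    else:
        loa = level_of_assurance(a)
        d = Decision(loa >= required, loa, f"LoA {loa} vs required {required}")
    verb = "PERMIT" if d.permitted else "DENY"
    audit.append(f"{verb} {a.subject}@{a.issuer} {action} {service}: {d.reason}")
    return d


if __name__ == "__main__":
    log: List[str] = []
    full = {"Username", "Password", "Document Check", "Bank Check"}
    decide(Assertion("alice", "miicard", full), "MYSECURESERVICE", "WRITE", log)
    decide(Assertion("bob", "social_accounts", {"Username", "Password"}), "MYSECURESERVICE", "READ", log)
    decide(Assertion("mallory", "self_asserted", full), "MYSECURESERVICE", "READ", log)
    register_provider("new_national_idp", 3)      # SERVICE_POLICY is unchanged
    decide(Assertion("carol", "new_national_idp", full), "MYSECURESERVICE", "READ", log)
    print("\n".join(log))
```

The audit list stands in for the access log a gateway would keep: every decision, permitted or denied, is recorded with the issuer and the level that was derived, so a reviewer can see why access was granted rather than just that it was.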
Identifying the user

Many industries face the challenges of online identity as more business and services move online and user demand for convenience increases. As businesses look to deliver higher-value and regulated products and services online, we need to establish a greater level of trust in user identities across a range of industries including retail banking, finance, gaming, healthcare and e-commerce, right through to dating, social and peer-to-peer networks. Year-on-year increases in identity-related fraud, which now accounts for more than half of all fraud*, demand that online identity verification be strengthened, particularly as the value of the information or service accessed increases. In identifying a user, email access, knowledge-based assessments and data validation are not enough, as they do not provide assurance that a person is who they say they are online. Where high levels of trust are required, the user must be identified to the same level as an in-person physical ID document check, such as a passport, driver's licence or photo ID.
The solution: trusted data governance

Symphonic has developed a range of tools based on patented technology to address the core issues surrounding data governance and trust levels. The Symphonic Suite provides the mechanisms to define and build a governance framework, and the controls to enable highly assured data sharing from within and beyond organisational domains and sectors, while ensuring all compliance and policy requirements are maintained. miicard (My Internet Identity) has been selected as a trusted identity provider at Level of Assurance 3+, where high levels of trust are required for user access, and is included in a number of pilot projects in online healthcare.

How miicard works

miicard (My Internet Identity) provides high levels of trust and traceability in identities purely online, to enable secure access and information sharing across a range of applications. A Bring Your Own Identity (BYOID) solution, miicard provides a single, portable digital passport to use across the web where trust and confidence are required. Members have complete control over their miicard account and the personal information held within it. Using a consent-based approach to information sharing and access rights, miicard members control the information they assert to accepting sites at all times, and have the ability to revoke access by any party at any time. Delivered through an Identity as a Service platform, miicard provides a configurable Policy Engine to enable escalation of the required level of trust, dependent on each situation. miicard combines Level of Assurance 3+ (LoA3+) identity proofing with strong authentication to provide the highest level of assurance in the online identity and its assertion, replacing the need for physical identity document checks.
Identity proofing

Through a patented process that leverages the trust between an individual and their financial institution, miicard establishes proof of identity to passport/photo ID standard, providing LoA3+ purely online.

Strong authentication

Hard and soft tokens, biometrics, location and device authentication are added as required to protect member accounts and ensure the true assertion of the identity.

Verified attributes

miicard is able to verify details of miicard members' personal identities such as date of birth, phone number, address, device, signatures, qualifications and professional memberships. Each verified element, or attribute, of a member's identity has been checked against a third-party data source to ensure its integrity.

Active revalidation and bank-level security

Active Revalidation of miicard member identities, through a process that runs nightly, ensures they are always up to date. Bank-level security is complemented by a number of member-set features to protect accounts, including multi-factor authentication, Enhanced Security Icons, strong passwords, Individualised Strong Encryption (ISE), Enhanced SSL Certificates, automatic session locking, device-based security, activity alerts and detailed activity logging.
How Symphonic works

The Symphonic suite consists of three core components, each of which can operate as a stand-alone product or can work with the others or with existing systems to provide end-to-end integration. The core components are:

Symphonic Trust
  A trust framework tool which enables the abstraction of roles, services and trust levels, and defines their trust relationships. The export from this component provides the requirements for the information-sharing/service-aggregation policy.

Symphonic Governance
  Takes the abstraction of the trust framework as its input and provides a highly efficient rules engine to quickly and securely determine whether an entity has the rights to access a given service based on its claims. This crosses domain boundaries and enables authentication and attribute provision from multiple identity and attribute providers.

Symphonic Gateway
  Takes the rules from the governance engine and implements them within a real-time filtering system which controls and audits all accesses to services between the domains.
Symphonic enables the abstraction, governance and implementation of trust relationships and security policies, allowing disparate systems and domains to open up access to their services in a highly governed and secure manner, confident that only the services and data specified in their own managed Trust Framework can be accessed, and only by those whose claims grant them permission.

Example: Symphonic applied in online healthcare
About Symphonic and miicard

Symphonic

Symphonic technology is the culmination of over 5 years of research and development within Edinburgh Napier University, through collaborations with both commercial and other academic partners, aimed at revolutionising the way organisations govern the sharing of information, allowing those that operate in highly regulated environments such as health, social care, law and finance to securely share critical, time-dependent and sensitive information. The architecture created by Symphonic allows complex trust and governance frameworks for information sharing, and the associated legal policies, to be integrated into the Symphonic solution, so that any information sharing which occurs meets compliance by design.
www.symphonictrust.com

miicard

miicard (My Internet Identity) is a global Identity as a Service solution that proves you are who you say you are, purely online, in minutes, and to the same level as a physical passport or photo ID check. Through a patented process that leverages the trust between an individual and their financial institution, miicard establishes identity to Level of Assurance 3+ and meets Know Your Customer and Anti-Money Laundering identity guidelines. Combining online identity proofing, verified attributes and strong authentication, miicard provides the trust and security required for people and businesses to meet and transact with confidence in a purely digital environment. As a single, trusted digital ID founded on the principles of Bring Your Own Identity, miicard is convenient and flexible, providing members with complete control over their online identity and personal information. With coverage across five continents and over 350 million people, miicard is creating trust online across a range of industries including finance, commerce, trading, gaming, healthcare, recruitment, dating, social and professional networking.
www.miicard.com

* CIFAS 2012 Fraud Trends Report: http://www.cifas.org.uk/fraudtrendstwentytwelve