Aspects of Identity. IGF November BCS Security Community of Expertise

Transcription

1 Aspects of Identity IGF November 2012 BCS Security Community of Expertise

2 Representatives Dr. Louise Bennett FBCS CITP Chair of the BCS Security Community of Expertise Mirza Asrar Baig Executive Director, IT Matrix, Saudi Arabia Andy Smith MSc CEng FBCS CITP FSyI CSyP Member BCS SCoE and Digital Policy Alliance (EURIM) John Bullard Global Ambassador, IdenTrust Ian Fish FBCS CITP Member BCS SCoE Remote Moderator 2

3 Agenda Introduction Louise Bennett Outlines of issues 3 Topics Commercialisation of the Internet (West view): Commercialisation of the Internet (East view): Governance of Identity on the Internet: Security v. Privacy and openness: NO Questions Save for discussion Panel Session Wrap-Up 5 minutes 25 minutes Louise Bennett Asrar Baig John Bullard Andy Smith 50 minutes 5 minutes 3

4 Points of Admin In case of a fire Try to keep up This session is being recorded under the Chatham House Rule to allow the talks and Feedback to be transcribed. The recordings may be published on the website in which case all names and affiliations will be removed. 4

5 Introduction Who is BCS, The Chartered Institute for IT? Formerly British Computer Society International organisation 70,000+ members worldwide Remote Moderation 5

6 Last Year Workshops at UN-IGF, EuroDIG, InfoSec, UK Pictfor, BCS/EEMA conference Produced Aspects of Identity Started with a set of questions Got some surprising answers and changes in direction Fundamental finding Proportionality between security & privacy / anonymity culturally and context sensitive but also very hard to define and emotive New Questions for 2012 InfoSec

7 This Year Developing a dialogue on: The commercialisation of Identity Legal Frameworks Effect on economic development of the Internet Better use of identity for access to online resources and services Dynamic Coalition InfoSec

8 Commercialisation of the Internet Western View Dr. Louise Bennett

9 Is it a real e-commerce site? InfoSec

10 Aggregation & Data Mining Where is my personal Information? InfoSec

11 Are all Identities the same? InfoSec

12 Questions 1. Is identity legitimate currency to fund the Internet? 2. Can individuals have any control over aggregating / data mining on the Internet? 3. Do business and things need the same types of identities as individuals on the Internet? 12

13 Commercialisation of the Internet Eastern View Mirza Asrar Baig

14 Eastern view of Internet Commerce Challenges: Product Transaction in Ecommerce Physical presence is still preferred Delivery Infrastructure issues Lacking Legal framework to protect consumer Thereby what is working partially over Ecommerce Airline tickets / Hotel bookings E-banking / Utility Bills Government services InfoSec

15 Eastern view of Internet Commerce Challenges: TRUST on FACE VALUE User awareness about digital security is very low in comparison to the west If it is on the internet it must be true! Prevention??? Not part of culture InfoSec

16 Eastern view of Internet Commerce Acceptance: Privacy not so private Being monitored closely is normal Challenging authority is not so thinkable Lacking legal framework to define privacy rights Expects Government Authority to define, manage and control Internet identities InfoSec

17 Questions 1. How privacy advocates would not go over board in pushing the eastern societies to be more aware of their rights? 2. How internet identity framework can become e-business enabler for the masses in the east? 3. What boundaries of Internet Identity would advocates of Anonymous accept? 17

18 Governance of Identity on the Internet John G Bullard Global Ambassador

19 What, exactly, do we mean by trusted e-identity? Having absolute certainty of who you are interacting with Being able to check/validate that this is, indeed, the case Knowing who guarantees the identity of the individual person Being a real name, not just a number Having complete trust to act on their instructions Having a complete & transparent audit trail of who did what, and when Seeing eid as a key component to limiting liability and external exposures In the online world, trusted identity management is an Operational Risk Management Issue, not just a Technology issue

20 Vital for Business, Govts, Citizens and Banks Buyer Find Trading Partner Bid/ Selection Obtain Credit Contracts/ Purchase Order einvoicing Logistics Pay / Settle Online Trust is essential at each stage for commerce to flourish globally Seller Find Trading Partner Offer/ Accept Assess Credit Contracts/ Purchase Order einvoicing Logistics Pay / Settle Having established the identities of the two trading parties, bits & bytes representing money move between the parties

21 Level of Effort/Complexity Level of Effort/Complexity Two distinct issues for trusted e-id / e Signatures 1. What aspects of Identity will be managed? 2. Who will be covered by the identity management solution? Policy Multiple Communities of Interest Often spanning Multiple legal jurisdictions Legal & Liability Multiple Communities of Interest Operations A Community of Interest Tech Internal

22 Contract-based liability framework for global trusted e-id Global Legal Interoperability is possible only in a Contractual System governing Subscribing Customer Customer Agreement- per each country jurisdiction Issuing Participant (Locally Regulated) Global Scheme Operating Rules (contractual) IdenTrust Root CA Relying Customer Customer Agreement per each country jurisdiction Relying Participant (Locally Regulated) Liability and Recourse Among All Parties - Operating Rules bind all players - Customer Agreements bind customers to contractual liability limitations Legal Recognition of Digital Signatures Contract Formation Electronically - Signed OCSP validation assures every Relying Party is bound to a customer agreement - Legal effect of digital signatures authenticated by validated certificates provided by contract, globally Dispute Resolution over Signature Validity - Dispute Resolution Procedures provide private forum (London Court of Arbitrage) Technical Standards - Ensures compatibility across the Network - Reduces cost through vendor competition for standard component elements

23 Questions 1. To what extent does Identity help fund the Internet? 2. Are there transactions where Identity is not needed? 3. Do Devices need Identities? 23

24 Security v. Privacy & Openness Andy Smith

25 Balancing Act InfoSec

26 Security v. Privacy Very Emotive InfoSec

27 How good is good enough? InfoSec

28 Questions 1. How do you protect the naïve from themselves? 2. Will we ever be able to balance the need for security with the right to privacy? 3. How do you gain assurance in remote identities for the context its needed? 28

29

30 Conclusion This is an ongoing piece of work and an important subject Identities are critical to success of the Internet, they are different for individuals and things. It is vital to have the right level of Identity assurance for the context of a transaction over the Internet 30

31 Dynamic Coalition We strongly feel that ongoing dialogue about identity assurance over the Internet is important and we need as many stakeholders to be involved as possible. Please contact to join the Dynamic Coalition More information 31

32 What Next?? Draw conclusions from the work this year and publish a new Yearbook Revise the question set for next year InfoSec 2013, IGF Get the Dynamic Coalition working with a multistakeholder group including Government, Industry, financial institutions and legal profession Continue engagement on Identity Assurance online with UN-IGF and adding a Cyber Security dimension to evolving treaties and legislation 32

33 Visit the website at: EURIM Digital Policy Alliance IdenTrust IT Matrix

34 Question Sets 1. To what extent does Identity help fund the Internet? 2. Are there transactions where Identity is not needed? 3. Do Devices need Identities? 4. How do you identify someone remotely? 5. What is an acceptable False accept / reject rate? 6. How can you rely on / trust an online identity? 7. How much do we care about Fraud? 8. How does Trust vary with Context? 9. How do you protect the Naive from themselves? 10. How do you know who is Liable? For what? 11. In what situations is Redress essential? 12. Can you withdraw Consent? 13. Is Identity legitimate Currency? 14. Can the individual have any control over Aggregation / Data Mining? 15. What is the Risk Reward balance? 1. Question 1: What impact can security and governance issues have on the Internet and human rights? In this case the right to privacy 2. Question 3: What risks can Internet fragmentation pose to security, privacy and openness? If identity governance becomes fragmented and requirements change what impact does this have? 3. Question 5: What risks do law enforcement, information suppression and surveillance have on security, privacy and openness? Identity information can be used as a tool by state and law enforcement both for good and bad reasons, how do you strike a balance? 4. Question 6: What measures can be taken to ensure freedom of expression, access to knowledge and privacy, including for children? Can anonymity really be possible on the Internet and does this have implications on providing a tool for criminal and terrorist organisations? 1. To look at the governance of identity on the internet and its impacts on security and privacy. 2. Look at the use of identity in commercialisation of the Internet with particular regard to legal frameworks and economic development. 3. To look at the balance between privacy and openness, in the context of user norms and behaviour, including how to protect the naïve from themselves, and how to enable better use of identity for access to information resources and online services. InfoSec