Establishing Trust Across International Communities

Transcription

1 Establishing Trust Across International Communities 6 Feb 2013 info@federatedbusiness.org Proprietary - British Business Federation Authority 1

2 Strategic Drivers - Industry 1. Business is becoming more collaborative and international 2. Increasing legal, regulatory and commercial requirements for accountability and information protection in regulated industries 3. Information protection requires access control 4. Access control requires identity, authentication and authorisation, which are the basis of trust 5. Trust across multiple organisations requires federation Organisations have to be considered trustworthy to trust each other Organisations need a common language of business to understand each other 6. Federation requires collaborative governance and agreed Common Policy 7. US and European federation bodies are pressing ahead and setting federation standards, leveraging national ID activities 8. UK needs a governance body for federated trust for UK industry Proprietary - British Business Federation Authority

3 Business World Competition Collaboration Organisation A Process Information Application Data Infrastructure Organisation B Process Information Application Data Infrastructure Cyber world collaborates to support normal Business use of cyberspace Cyber World Competition Collaboration Node A Process Information Application Data Infrastructure Node B Process Information Application Data Infrastructure

4 Strategic Drivers - International ID Fraud = a top EU crime enabler McAfee: $1 trillion/year cybercrime (rising $2 trl) UK fraud > 73bn EU fraud > 500bn If we are not winning, we must be losing British Business Federation Authority - 4

5 To collaborate and share information, each organisation must be Trustworthy. Each organisation s ID management must be internally homogeneous & externally interoperable. If compliant, they can then federate, based on common policies, procedures and mechanisms HR Industry & Governments IT Business Identity Proofing & Verification Credentialing Authentication Authorization Audit Citizenship ID & Right to Work documents from different nations UK FR DE Identity Proofing & Vetting Credentialing Authentication Identity Proofing & Vetting Credentialing Authentication Identity Proofing & Vetting Credentialing Authentication Are you who you say you are? Are you authorized to access my information? Can your organization prove this to me? Proprietary - British Business Federation Authority Note: Authentication gives Reliability of Identity Authorisation gives Assurance of Trustworthiness

6 Employee - Gov Employee - Industry 4 Contexts of Identity Plus: Device ID Organisation ID Software Authentication Data Authentication Citizen Consumer British Business Federation Authority - 6

7 Citizen e-id 1.European Digital Agenda requires all citizens to have a citizen e-id for public purposes in all member states. 1. A few states have successful and valued e-id. e.g. Estonia, Belgium 2. More have e-id for state (infrequent) use, with limited value and adoption/activity. e.g. Austria, Sweden 3. Most have plans 4. One has no plans. UK 2.STORK began as technical interoperability pilot for government issued credentials, based on Mutual Recognition. It has no meaningful Common Policy and no liability model. 3.New draft EU regulation requires nations to accept credentials from Notified Schemes of other nations, and pay then pass liability back to the issuing state. 4.Real issue is foreigners Proprietary - British Business Federation Authority

8 Basics We need to identify ourselves to others, and vice versa, in a wide range of situations and particularly for electronic activities. We require different Levels of Assurance. 1. LoA 4. Extra measures. 3 factor authentication (with second biometric). Strong hardware token. Optional federated Physical Access Control. Used in highly secure situations. 2. LoA 3. High confidence in identity. Legally robust nonrepudiation. 2 Factor Authentication E.g. employee authentication, digital signature, ID based encryption, secure LoA 2. Some confidence of Identity. Expect some failures. Financial liability model E.g. credit cards, Know Your Customer. 4. LoA 1. Self assertion. E.g. mickey.mouse@microsoft.com. Proprietary - British Business Federation Authority

9 Employee - Gov 3 4 Employee - Industry 3 4 9/11 HSPD 12 FIPS PIV Good Federation CertiPath/SAFEBioPh arma Supply chain collaboration SESAR FIPS 201 PIV - Interoperable Kantara Initiative Identity Assurance Framework Aero space NATO ITU-T/ISO 24760/29115 Pharma Police Energy Borders Citizen 2 3 NSTIC?? Consumer Credit cards Legal OIX Google 1 Facebook 1 Hardly used = weak business case? British Business Federation Authority - NFC?? HACC? 3 9

10 Any nation could put itself at the centre Level 3+ Identity Federations (PKI) - a UK perspective Other Potential National Bridges or CAs: USA, Australia, Canada, NZ, NL, BE, FR, DE, IT+, NO, SWE, ESP Interpol, EU, NATO Potential Gov & Ind CSPs EADS/Cassidian, Citi, Entrust, SAFE/BioPharma, Symantec, Trustis UK PKI Bridge Early Adopters Cross Certified Orgs: MOD NHS NPIA/Police DWP+ LoA 2+ Brokers CertiPath Aero/Def 13 (Emerging Bridge) SAFE- BioPharma Potential UK CSPs: Citi, EADS, Entrust, Symantec, Potential UK CSPs: Citi, EADS, Entrust, Symantec, Verizon Business+ British Business Federation Authority - 10

11 National & International Allies & Industry Partners Potential Gov Shared Service Providers Other Potential National Bridges or CA: CertiPath Aero/Def (Emerging Bridge) BBFA Big Picture Early Adopters Cross Certified Orgs: MOD; NHS; Police; UKBA+ UK PKI Bridge Broker IdP Broker IdP?? PSN trust Level 3 Dept A Root CA Dept Dept trust - PSIIF Root Authentication Broker Level 2 Credential re-use 15M taxpayers? B C D Other Central Gov Other Local Gov Legend: Two way trust One way trust Level 3 2 SAFE- BioPharma Financial Sector Corporate Credentials? Level 3+ Consumer credentials & attributes? Level 2 Citizen access Gov services G- Digital Hub Companies paying tax DWP HMRC 11

12 ISO/IEC JTC1 SC27 WG5 Identity Management & Privacy Technologies ISO Privacy framework ISO Privacy reference architecture ISO Entity authentication assurance framework (contains ID definitions) ISO A framework for access management ISO Proposal on requirements on relative anonymity with identity escrow model for authentication and authorization using group signatures ISO A framework for identity management -- Part 1: Terminology and concepts ISO A Framework for Identity Management -- Part 2: Reference architecture and requirements ISO A Framework for Identity Management Part 3: Practice ISO Authentication context for biometrics ISO Identity Proofing of Persons, Organisations, Devices and Software Plus TCG Trusted Platform Module 1.2 and 2.0 Proprietary - British Business Federation Authority

13 MNE7 Access to the Global Commons of Cyber Space Collaborative Cyber Situational Awareness (CCSA) Expanding to 25+ nations mil, ind & gov New multinational CCSA organisation being planned Feb 13

14 Collaborative Cyber Situational Awareness (CCSA) NATO ID Strategy, NATO Cyber Strategy, EU Cybersecurity Strategy Police, aerospace & defence, health implementations. ISO & ITU(T) standards IETF standard <> ENISA 3.2 Information Sharing Framework (ISF) 1 High Assurance Federated Trust 2 Critical Controls (Normality) 3 Incident Operations Taxonomy 4 Cyber SA Triage process 5 Prioritised communications US CERT & NCCIC Proprietary - British Business Federation Authority 14

15 Business World Competition Collaboration Organisation A Process Information Application Data Infrastructure Organisation B Process Information Application Data Infrastructure Cyber world collaborates to support normal Business use of cyberspace Cyber World Competition Collaboration Node A Process Information Application Data Infrastructure Node B Process Information Application Data Infrastructure

16 Nine Challenges from Europe s Piecemeal Approach 1. The E Commission needs to coordinate internally and externally focused views 2. The E Commission could be doing more to reflect the global context. Technology, business, consumers do. So do criminals 3. The E Commission needs to work more collaboratively with nations. They can only afford to do things one way 4. The E Commission should focus on all aspects of Person Identity, not just citizen 5. The E Commission must address Organisational ID 6. The E Commission must consider federation for global business. Mutual Recognition is not enough 7. The E Commission must take account of international standards. UN agrees 8. The draft EC Regulation treats the digital signature as separate from identity, which creates a major fraud attack vector, particularly at high assurance. Digital signatures are an attribute of an identity 9. The EU Cyber Security Strategy and national strategies must mention Trust, identity and authentication, so that gov-gov, gov-business, business-business and supply chains can work. The Single Market depends on this Proprietary - British Business Federation Authority 16