Mature Digital Trust Infrastructure Are we there yet? Søren Peter Nielsen, Chief IT Architect Danish National IT and Telecom Agency presented June 9th at European e-Identity Management Conference 2011
Nov 29, 2014
Mature Digital Trust Infrastructure Are we there yet?
Søren Peter Nielsen, Chief IT ArchitectDanish National IT and Telecom Agency
presented June 9th atEuropean e-Identity Management
Conference 2011Tallinn, Estonia
Identities in eGovernment - a look to the future
• Mature Digital Trust Infrastructure - Are we there yet?Reflections on current Government approaches to Trust, federation and identity management. What needs to change as we move forward. We have come a long way with PKI, federation standards, trust frameworks, etc. but are we there yet? Where is there still work to be done and mindsets to be changed?
Conceptually – It seems simple
Web SSO Model
1 4
5
6
3
IdentityProvider
“Circle of Trust”ServiceProvider Authentication Authority
Attribute Authority7
2
Federation Building Blocks
Business &Operating Rules
Operational Infrastructure
Service Providers/
Identity Providers
PolicyTechnical Standards
Aud
iting
/
Acc
redi
tatio
n
Factor Token
Very High
High
Medium
Low
Employee Screening for a High Risk Job
Obtaining Govt. Benefits
Applying for a Loan
Online
Access to Protected
Website
PIN/User ID-
Knowledge
Strong Password
-Based
PKI/ Digital Signature
Multi-
Incre
ase
d $
Cost
Increased Need for Identity Assurance
Authentication Assurance Levels
Areas that determine the Level of Assurance
• Tokens (typically a cryptographic key or password) for proving identity,
• Identity proofing, registration and the delivery of credentials which bind an identity to a token,
• Remote authentication mechanisms, that is the combination of credentials,tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be,
• Assertion mechanisms used to communicate the results of a remote authentication to other parties.
EU eGov Benchmark 2010 Fundamental IT enablersKey Horizontal Enablers
Have we crossed the chasm for eID?
Do we have full adoption?
Credit to: Simon Wardley
Do we have the right assumptions?
IntendedStrategy
RealisedStrategy
Fix This! Fixed!
DeliberateStrategy
IDM dev
The world is not standing still
IntendedStrategy Realised
Strategy
DeliberateStrategy
Unrealised Strategy
EmergentStrategy
Fixed! ???
No organisation is an Island anymore
But the approach to Identity and Access management is still rooted in industrial age thinking
Architecture and mindsets are locked into the identification-oriented paradigm
Areas with requirements determining Assurance level
• Tokens (typically a cryptographic key or password) for proving identity,
• Identity proofing, registration and the delivery of credentials which bind an identity to a token,
• Remote authentication mechanisms, that is the combination of credentials,tokens and authentication protocols used to establish that a claimant is in fact the subscriber he or she claims to be,
• Assertion mechanisms used to communicate the results of a remote authentication to other parties.
Architecture and mindsets
• Are locked into the identification-oriented paradigm
• To grow adoption beyond what can be accomplished using current approaches an architecture that supports both the identification- and validation-oriented paradigms is needed
Validation-oriented paradigm
(i.e. the user can prove that he represents a pseudonym via a secret key).
Bruger(fysisk person)
Serviceudbydere
Virtuelleidentiteter
Instead of all applications identifying the users and coupling local data to the identity (e.g. SSN), data is coupled to virtual identities (pseudonyms), which are subject to validation
Credit to: Simon Wardley
Credit to: Simon Wardley
Credit to: Simon Wardley
identification- and validation-oriented paradigms
identification- oriented paradigm
Credit to: Simon Wardley
Digital Trust Infrastructure
Are We There Yet?
• There is still a long way to go before we reach maturity
• On the short run– We need to re-think our architecture to support a
validation-orientated paradigm as well as an identification-oriented paradigm
• On the long run– We need to be conscious that the world is not
standing still while working on the Next Big IDM Thing
Contact
• Søren Peter Nielsen• Twitter.com/sorenp• [email protected]