COVER STORY

Who do you think you are?

The anonymity of the internet raises many information security concerns. Cath Everett takes a look at PKI and identity tokens as ways of authenticating identity online.

Cath Everett

“The current problem is that if you have 100 issuers of electronic identity, you need 100 controls and interfaces for those issuers to check their validity, which makes the process very complex” – Tom Losnedahl

Many organisations have introduced, or are in the process of introducing, some form of internal identity and access management system to secure in-house applications. The problem of how to establish, validate and authenticate an individual’s identity over the public internet, however, is far from solved.

Tom Losnedahl, vice president of business development at managed e-identity service provider BBS, comments on validating identity online, “It’s a difficult situation as it’s somewhat chaotic. Different players in the identity space have different solutions and there’s no uniform set of answers.”

“The complexity of managing multiple user identities will increase exponentially when organisations start using hosted services from 30-40 different providers”, he adds.

Key issues in this context relate to governance and defining and managing policies. Such policies include access entitlements based on role, which are currently rarely granular enough to work effectively in a cloud-based world. To make matters worse, external service providers all tend to have different ways of defining roles, which means that it becomes necessary to map internal definitions to multiple external ones.

Felix Gaehtgens, a senior analyst at Kuppinger Cole, says, “Many organisations are not doing in-house access control very well now, but the issues become more extreme when you’re dealing with the cloud. If you’re dealing with simple federated identity internally, you can wing it to a certain extent, but as you move more valuable parts of infrastructure and processes outside, it gets very hairy.”

How can organisations identify individuals without compromising privacy?

Identity and access management has become more than just a question of username and password

NOVEMBER/DECEMBER 2009

Another challenge relates to finding a suitable balance between privacy and anonymity. Patrick Curry, who heads up the emerging British Business Federation Authority, believes that using the internet “for the common good” is being “significantly frustrated by anonymity”, which breeds lack of trust for both service providers and users.

Need to know basis

There are political questions about how much sensitive personal information should be disclosed to third party providers – whether commercial or governmental – in order to use their services. As BBS’ Losnedahl points out, “If my electronic ID says that I’m Tom, I live in Norway, I’m a certain age and this is my medical history, would I be happy for my Software-as-a-Service provider to read that? You have to think about how much identity information is really required and for what purposes.”

As a pragmatic means of dealing with the issue of identity today, some enterprises are introducing technology such as one-time password devices, digital signature and/or digital certificate-based software. Although the latter tend to be more widespread, PKI-based systems are currently costly and unable to interoperate with each other. This means that organisations can end up in the expensive situation of having to support a range of offerings from multiple suppliers, of which there are about 100 in Europe alone.

To try and solve this problem, the European Commission (EC) is in the process of setting up a register of authorised PKI providers that offer interoperable services. The register is expected to go live by the end of 2009.

Roger Dean, executive director of the European Association for e-Identity and Security (eema) and a member of the British Computer Society’s Security Forum, says, “It’s like the early days of the internet – once everyone could access everything, it exploded, and there’ll be the same effect here. Once one supplier’s system recognises the security of another’s, there’ll be more trust, which should aid e-procurement. But it’ll take a while.”

A complex process

BBS, meanwhile, is attempting to exploit the current situation by providing a global validation service for PKI users across Europe, although its initial focus is on the public sector. “The current problem is that if you have 100 issuers of electronic identity, you need 100 controls and interfaces for those issuers to check their validity, which makes the process very complex”, explains Losnedahl.

BBS has already signed a managed services contract with the Norwegian government. It is currently waiting on the EC’s Pan-European Electronic Procurement OnLine (PEPPOL) initiative to define and specify four new security ratings relating to digital identity. Four is expected to represent the highest level of security and one the lowest, with each rating enabling access to a different set of services.

PEPPOL is intended to provide a common means of enabling public and private sector organisations to electronically order, invoice and digitally sign for products and services sold online. Its e-Identity foundation, however, is expected to be supplied by another EC project dubbed the Secure idenTity acrOss boRders linKed (Stork).

Stork, which comes under the auspices of the EC’s Competitive Innovation Programme, a subset of its ICT Policy Support Programme, is a three-year initiative that began last June. Its aim is to provide a means of authenticating the identity of effectively anonymous citizens and staff within third party organisations to enable them to transact securely online with any public authority within the European Union. The project is currently being run by a consortium of 13 Western European member states such as the UK and Germany, although six more Eastern European nations are expected to join next year.

The key deliverable to date is a technical specification based on the concept of pan-European proxy servers, which will act as a gateway from each country to the outside world. The servers will form a mesh network and manage traffic moving from one Performance Enhancing Proxy (PEP) to another. Therefore, if a Belgian student decides to study at Oxford University in the UK and wants to access the University’s services online after registration, they will use an agreed identifier – such as their national identity card details – to do so.

Computer says yes

Frank Leyman, manager of international relations at the Federal Ministry for ICT in Belgium and Stork member, explains how the project will work. “The information will be rerouted through the UK PEP to the Belgian one to link to the Belgian certification authority. A message will then go back through the Belgian and UK PEP to the Oxford University site to say that the guy is or is not who he says he is. The idea is to make the process as simple and controllable as possible.”

The technology is based on a common, transparent communications protocol, which is embedded in middleware and acts like a mains adaptor. As a result, it translates requests from different countries into a common language that can be understood by member states’ systems no matter what their design or architecture. This function is considered crucial as it enables members to use the system without needing to change either infrastructure components or policies in order to support Stork.

The responsibility for initially verifying citizens’ identities will rest with member states, but a central tenet of Stork’s security methodology relates to minimum information disclosure. As a result, no more information will ever be requested than is required to complete a transaction. For example, if a citizen is asked to prove that they are 18 years old, the system will answer ‘yes’, but will not supply birth dates.

Stork’s technical architecture specifications were completed at the end of July and submitted to the industry for review. Work on building a proof-of-concept, which started in September, is due to be completed by the start of next year and from Easter 2010, member states will roll out five year-long cross-border pilot projects.
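The cross-border flow and the minimum-disclosure rule described above, as an added illustration that is not Stork’s or PEPPOL’s own code: a service asks a hypothetical gateway chain whether a citizen is over 18 and gets back only a yes/no (or a refusal), with a PEPPOL-style assurance rating gating the answer. The gateway names, routing by identifier prefix and the sample CA records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records for a home-country certification authority (CA),
# keyed by the agreed national identifier. Made-up test data, not real citizens.
BE_CA_RECORDS = {
    "BE-123456": {"name": "Alice Example", "birth_date": date(1990, 5, 1), "assurance": 4},
    "BE-654321": {"name": "Bob Example", "birth_date": date(2005, 9, 30), "assurance": 2},
}

@dataclass(frozen=True)
class AttributeQuery:
    identifier: str          # agreed identifier, e.g. national ID card details
    predicate: str           # what the service needs to know; only "age_over" here
    threshold: int           # e.g. 18
    required_assurance: int  # 1 (lowest) to 4 (highest), modelled on the PEPPOL ratings

def age_on(born: date, today: date) -> int:
    """Whole years between two dates, correct across the birthday boundary."""
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def home_pep(query: AttributeQuery, records: dict, today: date):
    """Hypothetical home-country gateway: consults the CA, returns only a derived yes/no.
    Every failure path returns None (refusal) rather than leaking raw attributes."""
    record = records.get(query.identifier)
    if record is None or record["assurance"] < query.required_assurance:
        return None
    if query.predicate == "age_over":
        return age_on(record["birth_date"], today) >= query.threshold
    return None  # unsupported predicate: no fallback to releasing the attribute itself

def foreign_pep(query: AttributeQuery, routes: dict, today: date):
    """Hypothetical gateway in the service provider's country: forwards to the home
    PEP chosen by the identifier's country prefix; it never sees the CA record."""
    home = routes.get(query.identifier.split("-", 1)[0])
    return home(query, today) if home else None

# Mesh routing table: country code -> callable reaching that country's PEP (assumed).
ROUTES = {"BE": lambda q, t: home_pep(q, BE_CA_RECORDS, t)}

def oxford_age_check(identifier: str, today: date = date(2009, 11, 1)):
    """What the relying party (the university site) receives: True/False/None, no birth date."""
    query = AttributeQuery(identifier, "age_over", 18, required_assurance=2)
    return foreign_pep(query, ROUTES, today)

if __name__ == "__main__":
    print(oxford_age_check("BE-123456"))  # True: over 18, nothing else disclosed
    print(oxford_age_check("BE-654321"))  # False
    print(oxford_age_check("FR-000001"))  # None: no route to a home PEP
```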

“Mobile phones will be the key to solving the identity issue. Touch-screen phones could include fingerprint biometric capabilities and digital certificates for authentication” – Roger Dean, eema

These initiatives will include enabling both citizens and businesses to securely send, access and sign online documents such as contracts across national boundaries. Although it is not currently clear how any implementation phase will be conducted, or whether joining the scheme will be mandatory, the ultimate aim is to roll Stork into the European Large Scale Action (ELSA) initiative. ELSA is currently under development and its goal is to devise a long-term vision for a digital Europe.

In every pocket

Another UK-based initiative currently under discussion is that of a ‘strong authenticator in every pocket’. It has not yet been decided whether the government will develop some kind of framework of its own, or set up a third party organisation similar in nature to PayPal, to provide and manage identifiers as well as process transactions. Such identifiers could take the form of mobile phone-based tokens or cards such as London’s Oyster travel pass, and users would specifically sign up to use them in order to access government services and undertake commerce both physically and online.

Matt Came, a senior consultant at PricewaterhouseCoopers’ technology practice, says, “It’s all at the discussion phase at the moment, but the issue is that identities are fragmented across different devices at the moment, whether that’s passports, Oyster cards or government documentation. So if you could bring everything together into a single identity token or whatever, it would simplify the situation.”

Dean, however, is convinced that mobile phones will become the identity vehicle of choice, given their widespread usage. “I think mobile phones will be the key to solving the identity issue. Touch-screen phones could include fingerprint biometric capabilities and digital certificates for authentication and would work well as a contactless device so people could just swipe past something and be recognised”, he says.

To the BBFA’s Curry, however, such initiatives – including the UK government’s proposed national identity card scheme – do not go far enough, particularly for highly regulated sectors such as aerospace and defence, pharmaceuticals, telecoms and financial services that require high levels of assurance. “The government has not declared plans for the use of the national identity scheme by industry. It’s up to individual companies to decide how to do things, but if you have an extended supply chain and are dealing with lots of customers, you only want one way. There can’t be different flavours or it becomes unmanageable”, he says.

As a result, the BBFA was set up in August to establish a governance framework for federated identity management in order to make it possible for employers in one industry to accept the online and physical credentials of workers from another without opening themselves up to undue risk. Such activity will entail moving beyond “authentication into permission, which is based around authorisation”, Curry says.

At the very least, the move is expected to cut the cost of background checks on new staff and enable staff to switch employers more seamlessly. The ultimate aim, however, is to enable highly regulated industries to implement and operate (and develop where appropriate) relevant policies, procedures and mechanisms in order to create an environment of ‘federated trust’.

The goal is not to reinvent the wheel, but rather to use existing technical and non-technical standards as well as best practice to create a “cook-book of what you have to do internally for people to work with you securely and in an interoperable fashion”, Curry says. The ‘cook-book’ can then either be used to develop infrastructure and policies in-house or as a basis for procuring services from third party providers.

To this end, the plan is to set up a steering group comprising major enterprises from the key target sectors by the end of this year and to produce the first deliverables, including the governance framework and policies, by March 2010.

“It all comes down to the risks associated with what you’re trying to do. But it’s clear that there’s a growing requirement for trustworthiness, which is becoming as valuable as credit-worthiness”, Curry says. “While a lot of people don’t think about it until it’s taken away from them via identity theft, there’s a growing proportion of society that understands its value and wants to be able to use that trustworthiness electronically.”
