SlideShare a Scribd company logo

Security and interoperability

E-Government Center Moldova
E-Government Center Moldova
TechnologyBusiness
1 of 23
Download to read offline
Security and Interoperability Danny De Cock January 16th, 2012 Moldova E-mail: Danny.DeCock@esat.kuleuven.be Slides: godot.be/slides
Secrets of Successful eID Environments • 3 High-level actors Citizen/Customer • Different sectors – eGovernment Government Business • Collect and store data once, reuse where possible – eHealth • Make patient records available to health care service providers – eCommerce & eBusiness • Provide ability to correctly identify involved parties – Avoiding online fraud, preparing effective anti-spam measures
Secrets of Successful eID Environments • Success depends on joined forces of public and private sector – Private sector requires return on investment (ROI) • Number of contacts between a citizen and its eGovernment only does not justify huge investments – Public sector prefers eID enablers for use in public and private sector • Avoid reinventing the wheel – Need to exchange of experience with successes and *failures* – Risk of lacking focus to create interoperable solutions • Caveat: Systems focusing on any single sector are inherently incompatible with *similar* systems
Design Decisions – Basic Concepts • Federated architecture – Each sector operates autonomously – Interfaces with other sectors through bus system • Built around authoritative sources – Master copy of data is available at exactly one repository – Master copy = authoritative source • Maximal reuse of information – No data replication – Administrations cannot re-request data already available • Integrated system for user and access management – eID for all – Citizens & organizations – Autonomous management of access & use policies
Design Decisions – Benefits • Guaranteed interoperability enhances security! – Modularity respects each organization’s sovereignty • Prevents vender-lock-in – Exchanging information using standard and open protocols and data formats • Guaranteed flexibility – Modularity allows updating and following • Security standards • Good/best practices
Identification & Authentication • Unique identification of – Citizens – Professionals – Companies and other Service Providers (public and private sector) • eID for all: Authentication & Identification tokens – Federal token – eID card – Belgian citizens & foreigners – Other tokens – companies, organizations, individuals
eID Card Types Citizens Kids Aliens eID card Kids-ID Foreigners’ card
eID Card Content PKI Citizen Identity Data ID ADDRESS Authentication Signature RRN RRN Root CA SIGNATURE SIGNATURE CA 140x200 Pixels RRN 8 BPP 3.224 Bytes RRN = National Register
eID Card = 4 Functions • Non-electronic 1. Visible Identification of a person • Electronic Enabler of eServices 2. Digital identification • Data capture 3. Prove your identity • Authentication signature eFunctionality 4. Digitally sign information • Non-repudiation signature
Levels of Assurance (LoA) of Authentication • Federated identity management model – E.g., Shibboleth, Liberty Alliance, CardSpace… LoA 4+ Setting access policies (qualified plus biometric) LoA 4 Sensitive medical records (e.g. HIV), (qualified cert with smart card EAL4+) Consultant notes containing opinions. Ability to Break the Glass. Bank to bank transfers LoA 3 Patient confidential records (non- (2-factor authentication, non-qualified sensitive) cert, EAL4 smart card) LoA 2 Some Internet banking applications (one time password) System administration LoA 1 Retrieve degree certificate. Completing (uid/password, Verisign Class 1 cert) public service employment application LoA 0 Public data (no authentication)
eID – Level 3 + 4
Citizen’s Federal Token – Level 2
How to Choose a Security Level? • Responsibility of the service provider under supervision of the Privacy Commission • Based on risk assessment and depending on – Type of processing: communication, consultation, alteration,… – Scope of the service: does the processing only concern the user or also concern other persons ? – Degree of sensitivity of the data processed – Possible impact of the processing • In addition to right security level – Use of an electronic & time-stamped signature might be needed
Interoperable & Secure by Design • Mandates & authorization credentials based on open standards, e.g., – XACML – SAML • Revocation services setup by mandate manager and certification authority – OCSP – CRL • Certificates, Signatures and timestamps, e.g., – X.509 – XADES-* • Communication protocols – SSL/TLS
XAXML – Allow/Deny Service Requests… Joe Policy Enforcement Point Service Provider 6 1 Execute OK Service Y Execute Service Y Check Policy Compliance 2  5 Permit / Deny Service Request Authorization Domain 3 4 Retrieve Relevant Retrieve Policy Policies Validation Information Policy Decision Point Policy Information Policy Access Point Point
Generic Policy Enforcement Model XACML-based Action on application DENIED Policy Action on application User Enforcement PERMITTED (PEP) Application Action on application Decision Decision Request Reply Information Policy Request/Reply Retrieval Policy Decision (PDP) Information Request/Reply Policy Management Policy Administration Policy Information Policy Information (PAP) (PIP) (PIP) Manager Policy Repository Authentic Source Authentic Source Slide inspired by Frank Robben
Re-using Architecture Be-Health Social sector Non social FPS USER USER (CBSS) USER (FedICT) APPLICATIONS APPLICATIONS APPLICATIONS Authen - Authorization Authen - Authorization Authen - Authorization tication PEP WebApp tication PEP WebApp tication PEP WebApp Role Role Role Mapper XYZ Mapper XYZ Mapper XYZ Role Role Role Mapper Mapper Mapper DB DB DB PDP Role PDP Role PDP Role PAP PAP PAP Role Provider Role Provider ‘’Kephas’’ Role Provider ‘’Kephas’’ Provider DB ‘’Kephas’’ Provider DB Provider DB PIP PIP PIP PIP PIP PIP PIP PIP PIP Attribute Attribute Attribute Attribute Attribute Attribute Attribute Attribute Attribute Provider Provider Provider Provider Provider Provider Provider Provider Provider Management Management DB DB DB Management DB DB DB DB RIZIV UMAF Bailiffs XYZ XYZ Mandates XYZ VAS Mandates XYZ VAS VAS Slide inspired by Frank Robben
Conclusion • eGovernment Services are accessible – Via open standards – With strong authentication & access management • Federated system permits use of common basic services securely – Without losing any autonomy! • System allows permanent evolution – Continuously changing user & organization requirements
Food for Thought • Trust is Good – Control is Better!
Th@nk you! Danny De Cock Researcher Applied Cryptography Danny.DeCock@esat.kuleuven.be Slides: www.godot.be/slides © fedict 2011. All rights reserved
eID Card Issuing Procedure Card Personalizer (CP) Card Initializer (CI) (5) (4) (6) (10a”) (8) National Certification Register (RRN) (9) Authority (CA) (10a’) (3) (7) Municipality (2) (0) (10b) Citizen PIN & PUK (11) Face to face identification (1) Citizen (12) (13)
eID Certificates Hierarchy 2048-bit RSA 2048-bit RSA 1024-bit RSA Card Administration: Certificates for update address, key Government web servers, pair generation, store signing citizen files, public certificates,… information,…
Abstract eGovernment Ecosystem A F C Context 1 E D H G B Introducting Belgian eID Cards & eGovernment Slide 24 16 January 2012 Context 2 Context 3

Recommended

Privacy audittalkfinal
Privacy audittalkfinalPrivacy audittalkfinal
Privacy audittalkfinalAlan Hartman
 
Identity Insights: Social, Local and Mobile Identity
Identity Insights: Social, Local and Mobile IdentityIdentity Insights: Social, Local and Mobile Identity
Identity Insights: Social, Local and Mobile IdentityJon Bultmeyer
 
Jim o donoghue hull wsdan 30 june 2011
Jim o donoghue hull wsdan 30 june 2011Jim o donoghue hull wsdan 30 june 2011
Jim o donoghue hull wsdan 30 june 20113GDR
 
TSB_IoT_Presentations_27June2012
TSB_IoT_Presentations_27June2012TSB_IoT_Presentations_27June2012
TSB_IoT_Presentations_27June2012100%Open
 
ESEconf2011 - Buzzi Andreas: "Schrittweise Modernisierung von komplexen Mainf...
ESEconf2011 - Buzzi Andreas: "Schrittweise Modernisierung von komplexen Mainf...ESEconf2011 - Buzzi Andreas: "Schrittweise Modernisierung von komplexen Mainf...
ESEconf2011 - Buzzi Andreas: "Schrittweise Modernisierung von komplexen Mainf...Aberla
 
Enterprise Security Architecture: From Access to Audit
Enterprise Security Architecture: From Access to AuditEnterprise Security Architecture: From Access to Audit
Enterprise Security Architecture: From Access to AuditBob Rhubart
 
Smart Micro Credit Business Suite
Smart Micro Credit Business SuiteSmart Micro Credit Business Suite
Smart Micro Credit Business SuiteFahad Iftikhar
 
Interoperability versus Cyber Security/Information Assurance?
Interoperability versus Cyber Security/Information Assurance? Interoperability versus Cyber Security/Information Assurance?
Interoperability versus Cyber Security/Information Assurance? GovCloud Network
 

Recommended

Privacy audittalkfinal
Privacy audittalkfinalPrivacy audittalkfinal
Privacy audittalkfinalAlan Hartman
 
Identity Insights: Social, Local and Mobile Identity
Identity Insights: Social, Local and Mobile IdentityIdentity Insights: Social, Local and Mobile Identity
Identity Insights: Social, Local and Mobile IdentityJon Bultmeyer
 
Jim o donoghue hull wsdan 30 june 2011
Jim o donoghue hull wsdan 30 june 2011Jim o donoghue hull wsdan 30 june 2011
Jim o donoghue hull wsdan 30 june 20113GDR
 
TSB_IoT_Presentations_27June2012
TSB_IoT_Presentations_27June2012TSB_IoT_Presentations_27June2012
TSB_IoT_Presentations_27June2012100%Open
 
ESEconf2011 - Buzzi Andreas: "Schrittweise Modernisierung von komplexen Mainf...
ESEconf2011 - Buzzi Andreas: "Schrittweise Modernisierung von komplexen Mainf...ESEconf2011 - Buzzi Andreas: "Schrittweise Modernisierung von komplexen Mainf...
ESEconf2011 - Buzzi Andreas: "Schrittweise Modernisierung von komplexen Mainf...Aberla
 
Enterprise Security Architecture: From Access to Audit
Enterprise Security Architecture: From Access to AuditEnterprise Security Architecture: From Access to Audit
Enterprise Security Architecture: From Access to AuditBob Rhubart
 
Smart Micro Credit Business Suite
Smart Micro Credit Business SuiteSmart Micro Credit Business Suite
Smart Micro Credit Business SuiteFahad Iftikhar
 
Interoperability versus Cyber Security/Information Assurance?
Interoperability versus Cyber Security/Information Assurance? Interoperability versus Cyber Security/Information Assurance?
Interoperability versus Cyber Security/Information Assurance? GovCloud Network
 
Secure outsourced attribute based signatures
Secure outsourced attribute based signatures Secure outsourced attribute based signatures
Secure outsourced attribute based signatures Adz91 Digital Ads Pvt Ltd
 
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...E-Government Center Moldova
 
Mona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloudMona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloudKrushna Panda
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Controlidingolay
 
Mona secure multi owner data sharing for dynamic groups in the cloud-ppt
Mona secure multi owner data sharing for dynamic groups in the cloud-pptMona secure multi owner data sharing for dynamic groups in the cloud-ppt
Mona secure multi owner data sharing for dynamic groups in the cloud-pptKrushna Panda
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Ali Raw
 
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due DiligenceResilient Systems
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud AuditingJonathan Sinclair
 
MISMO / eMortgage Update
MISMO / eMortgage UpdateMISMO / eMortgage Update
MISMO / eMortgage UpdateElectronic Signature & Records Association
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...apidays
 
Co p
Co pCo p
Co pAllyn McGillicuddy
 
Co p
Co pCo p
Co pAllyn McGillicuddy
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...David Kearney
 
Conducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceConducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceFintan Swanton
 
California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)Happiest Minds Technologies
 
Michael Josephs
Michael JosephsMichael Josephs
Michael JosephsdaveGBE
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...Information Security Awareness Group
 
Standards of dental informatics, security issues
Standards of dental informatics, security issuesStandards of dental informatics, security issues
Standards of dental informatics, security issuesEbtissam Al-Madi
 
O365 security and privacy de_novo_event_july2014
O365 security and privacy de_novo_event_july2014O365 security and privacy de_novo_event_july2014
O365 security and privacy de_novo_event_july2014Alexey Vlasenko
 
Operando @ Cyber camp 2015
Operando @ Cyber camp 2015Operando @ Cyber camp 2015
Operando @ Cyber camp 2015Operando Consortium
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and ComplianceBankingdotcom
 

More Related Content

Viewers also liked

Secure outsourced attribute based signatures
Secure outsourced attribute based signatures Secure outsourced attribute based signatures
Secure outsourced attribute based signatures Adz91 Digital Ads Pvt Ltd
 
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...E-Government Center Moldova
 
Mona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloudMona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloudKrushna Panda
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Controlidingolay
 
Mona secure multi owner data sharing for dynamic groups in the cloud-ppt
Mona secure multi owner data sharing for dynamic groups in the cloud-pptMona secure multi owner data sharing for dynamic groups in the cloud-ppt
Mona secure multi owner data sharing for dynamic groups in the cloud-pptKrushna Panda
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Ali Raw
 

Viewers also liked (6)

Secure outsourced attribute based signatures
Secure outsourced attribute based signatures Secure outsourced attribute based signatures
Secure outsourced attribute based signatures
 
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...
EXCHANGE OF EXPERIENCES AND KNOW-HOW ON E-GOVERNMENT AS A TOOL FOR REGIONAL C...
 
Mona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloudMona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloud
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Control
 
Mona secure multi owner data sharing for dynamic groups in the cloud-ppt
Mona secure multi owner data sharing for dynamic groups in the cloud-pptMona secure multi owner data sharing for dynamic groups in the cloud-ppt
Mona secure multi owner data sharing for dynamic groups in the cloud-ppt
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
 

Similar to Security and interoperability

3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due DiligenceResilient Systems
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...apidays
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...David Kearney
 
Conducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceConducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceFintan Swanton
 
Michael Josephs
Michael JosephsMichael Josephs
Michael JosephsdaveGBE
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...Information Security Awareness Group
 
Standards of dental informatics, security issues
Standards of dental informatics, security issuesStandards of dental informatics, security issues
Standards of dental informatics, security issuesEbtissam Al-Madi
 
O365 security and privacy de_novo_event_july2014
O365 security and privacy de_novo_event_july2014O365 security and privacy de_novo_event_july2014
O365 security and privacy de_novo_event_july2014Alexey Vlasenko
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and ComplianceBankingdotcom
 
Information governance process & technology
Information governance process & technologyInformation governance process & technology
Information governance process & technologyGNetadmin
 
Mobile marketing meltdown
Mobile marketing meltdownMobile marketing meltdown
Mobile marketing meltdownMobile March
 
GDPR Compliance Made Easy with Data Virtualization
GDPR Compliance Made Easy with Data VirtualizationGDPR Compliance Made Easy with Data Virtualization
GDPR Compliance Made Easy with Data VirtualizationDenodo
 
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data TeamsEthyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data TeamsCillian Kieran
 

Similar to Security and interoperability (20)

3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
 
MISMO / eMortgage Update
MISMO / eMortgage UpdateMISMO / eMortgage Update
MISMO / eMortgage Update
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
 
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...
apidays LIVE New York 2021 - Security Design Patterns that Protect Sensitive ...
 
Co p
Co pCo p
Co p
 
Co p
Co pCo p
Co p
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
 
Conducting a self-audit of data protection compliance
Conducting a self-audit of data protection complianceConducting a self-audit of data protection compliance
Conducting a self-audit of data protection compliance
 
California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 
Standards of dental informatics, security issues
Standards of dental informatics, security issuesStandards of dental informatics, security issues
Standards of dental informatics, security issues
 
O365 security and privacy de_novo_event_july2014
O365 security and privacy de_novo_event_july2014O365 security and privacy de_novo_event_july2014
O365 security and privacy de_novo_event_july2014
 
Operando @ Cyber camp 2015
Operando @ Cyber camp 2015Operando @ Cyber camp 2015
Operando @ Cyber camp 2015
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and Compliance
 
Information governance process & technology
Information governance process & technologyInformation governance process & technology
Information governance process & technology
 
Mobile marketing meltdown
Mobile marketing meltdownMobile marketing meltdown
Mobile marketing meltdown
 
GDPR Compliance Made Easy with Data Virtualization
GDPR Compliance Made Easy with Data VirtualizationGDPR Compliance Made Easy with Data Virtualization
GDPR Compliance Made Easy with Data Virtualization
 
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data TeamsEthyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
 

More from E-Government Center Moldova

The nexus of Social, Mobile, Cloud and Big Data Analytics
The nexus of Social, Mobile, Cloud and Big Data AnalyticsThe nexus of Social, Mobile, Cloud and Big Data Analytics
The nexus of Social, Mobile, Cloud and Big Data AnalyticsE-Government Center Moldova
 
Prezentare compartiment securitatea 05 03 2013 p sincariuc
Prezentare compartiment securitatea 05 03 2013 p sincariucPrezentare compartiment securitatea 05 03 2013 p sincariuc
Prezentare compartiment securitatea 05 03 2013 p sincariucE-Government Center Moldova
 
Can e government work in the cloud reichstaedter
Can e government work in the cloud reichstaedterCan e government work in the cloud reichstaedter
Can e government work in the cloud reichstaedterE-Government Center Moldova
 
Driving government efficiency and innovation through cloud computing k...
Driving government efficiency and innovation through cloud computing k...Driving government efficiency and innovation through cloud computing k...
Driving government efficiency and innovation through cloud computing k...E-Government Center Moldova
 
Unleashing the potential of cloud computing in europe francisco garcia moran
Unleashing the potential of cloud computing in europe francisco garcia moranUnleashing the potential of cloud computing in europe francisco garcia moran
Unleashing the potential of cloud computing in europe francisco garcia moranE-Government Center Moldova
 
Government innovation through cloud computing arthur riel
Government innovation through cloud computing arthur rielGovernment innovation through cloud computing arthur riel
Government innovation through cloud computing arthur rielE-Government Center Moldova
 

More from E-Government Center Moldova (20)

The new era of smart
The new era of smart The new era of smart
The new era of smart
 
The nexus of Social, Mobile, Cloud and Big Data Analytics
The nexus of Social, Mobile, Cloud and Big Data AnalyticsThe nexus of Social, Mobile, Cloud and Big Data Analytics
The nexus of Social, Mobile, Cloud and Big Data Analytics
 
Digital Transformation by Richard Baird
Digital Transformation by Richard BairdDigital Transformation by Richard Baird
Digital Transformation by Richard Baird
 
Mpay&Mcloud
Mpay&McloudMpay&Mcloud
Mpay&Mcloud
 
Presentation cert gov-md 05.03.2013
Presentation cert gov-md 05.03.2013Presentation cert gov-md 05.03.2013
Presentation cert gov-md 05.03.2013
 
Hannes astok data protection agency
Hannes astok data protection agencyHannes astok data protection agency
Hannes astok data protection agency
 
Prezentare compartiment securitatea 05 03 2013 p sincariuc
Prezentare compartiment securitatea 05 03 2013 p sincariucPrezentare compartiment securitatea 05 03 2013 p sincariuc
Prezentare compartiment securitatea 05 03 2013 p sincariuc
 
Hannes astok policy development
Hannes astok policy developmentHannes astok policy development
Hannes astok policy development
 
Digital security hannes astok
Digital security hannes astokDigital security hannes astok
Digital security hannes astok
 
Assessing cybersecurity_Anto Veldre
Assessing cybersecurity_Anto VeldreAssessing cybersecurity_Anto Veldre
Assessing cybersecurity_Anto Veldre
 
MCloud operational framework
MCloud operational frameworkMCloud operational framework
MCloud operational framework
 
Arhitectura de securitate_MCloud
Arhitectura de securitate_MCloudArhitectura de securitate_MCloud
Arhitectura de securitate_MCloud
 
Ibm smart cloud solutions m-cloud
Ibm smart cloud solutions m-cloudIbm smart cloud solutions m-cloud
Ibm smart cloud solutions m-cloud
 
Ibm security virtual server protection
Ibm security virtual server protectionIbm security virtual server protection
Ibm security virtual server protection
 
Can e government work in the cloud reichstaedter
Can e government work in the cloud reichstaedterCan e government work in the cloud reichstaedter
Can e government work in the cloud reichstaedter
 
Driving government efficiency and innovation through cloud computing k...
Driving government efficiency and innovation through cloud computing k...Driving government efficiency and innovation through cloud computing k...
Driving government efficiency and innovation through cloud computing k...
 
Star storage m cloud week
Star storage m cloud weekStar storage m cloud week
Star storage m cloud week
 
Unleashing the potential of cloud computing in europe francisco garcia moran
Unleashing the potential of cloud computing in europe francisco garcia moranUnleashing the potential of cloud computing in europe francisco garcia moran
Unleashing the potential of cloud computing in europe francisco garcia moran
 
Government innovation through cloud computing arthur riel
Government innovation through cloud computing arthur rielGovernment innovation through cloud computing arthur riel
Government innovation through cloud computing arthur riel
 
4 francisco garcia_moran_moldova_2013
4 francisco garcia_moran_moldova_20134 francisco garcia_moran_moldova_2013
4 francisco garcia_moran_moldova_2013
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

Security and interoperability

  • 1. Security and Interoperability Danny De Cock January 16th, 2012 Moldova E-mail: Danny.DeCock@esat.kuleuven.be Slides: godot.be/slides
  • 2. Secrets of Successful eID Environments • 3 High-level actors Citizen/Customer • Different sectors – eGovernment Government Business • Collect and store data once, reuse where possible – eHealth • Make patient records available to health care service providers – eCommerce & eBusiness • Provide ability to correctly identify involved parties – Avoiding online fraud, preparing effective anti-spam measures
  • 3. Secrets of Successful eID Environments • Success depends on joined forces of public and private sector – Private sector requires return on investment (ROI) • Number of contacts between a citizen and its eGovernment only does not justify huge investments – Public sector prefers eID enablers for use in public and private sector • Avoid reinventing the wheel – Need to exchange of experience with successes and *failures* – Risk of lacking focus to create interoperable solutions • Caveat: Systems focusing on any single sector are inherently incompatible with *similar* systems
  • 4. Design Decisions – Basic Concepts • Federated architecture – Each sector operates autonomously – Interfaces with other sectors through bus system • Built around authoritative sources – Master copy of data is available at exactly one repository – Master copy = authoritative source • Maximal reuse of information – No data replication – Administrations cannot re-request data already available • Integrated system for user and access management – eID for all – Citizens & organizations – Autonomous management of access & use policies
  • 5. Design Decisions – Benefits • Guaranteed interoperability enhances security! – Modularity respects each organization’s sovereignty • Prevents vender-lock-in – Exchanging information using standard and open protocols and data formats • Guaranteed flexibility – Modularity allows updating and following • Security standards • Good/best practices
  • 6. Identification & Authentication • Unique identification of – Citizens – Professionals – Companies and other Service Providers (public and private sector) • eID for all: Authentication & Identification tokens – Federal token – eID card – Belgian citizens & foreigners – Other tokens – companies, organizations, individuals
  • 7. eID Card Types Citizens Kids Aliens eID card Kids-ID Foreigners’ card
  • 8. eID Card Content PKI Citizen Identity Data ID ADDRESS Authentication Signature RRN RRN Root CA SIGNATURE SIGNATURE CA 140x200 Pixels RRN 8 BPP 3.224 Bytes RRN = National Register
  • 9. eID Card = 4 Functions • Non-electronic 1. Visible Identification of a person • Electronic Enabler of eServices 2. Digital identification • Data capture 3. Prove your identity • Authentication signature eFunctionality 4. Digitally sign information • Non-repudiation signature
  • 10. Levels of Assurance (LoA) of Authentication • Federated identity management model – E.g., Shibboleth, Liberty Alliance, CardSpace… LoA 4+ Setting access policies (qualified plus biometric) LoA 4 Sensitive medical records (e.g. HIV), (qualified cert with smart card EAL4+) Consultant notes containing opinions. Ability to Break the Glass. Bank to bank transfers LoA 3 Patient confidential records (non- (2-factor authentication, non-qualified sensitive) cert, EAL4 smart card) LoA 2 Some Internet banking applications (one time password) System administration LoA 1 Retrieve degree certificate. Completing (uid/password, Verisign Class 1 cert) public service employment application LoA 0 Public data (no authentication)
  • 11. eID – Level 3 + 4
  • 13. How to Choose a Security Level? • Responsibility of the service provider under supervision of the Privacy Commission • Based on risk assessment and depending on – Type of processing: communication, consultation, alteration,… – Scope of the service: does the processing only concern the user or also concern other persons ? – Degree of sensitivity of the data processed – Possible impact of the processing • In addition to right security level – Use of an electronic & time-stamped signature might be needed
  • 14. Interoperable & Secure by Design • Mandates & authorization credentials based on open standards, e.g., – XACML – SAML • Revocation services setup by mandate manager and certification authority – OCSP – CRL • Certificates, Signatures and timestamps, e.g., – X.509 – XADES-* • Communication protocols – SSL/TLS
  • 15. XAXML – Allow/Deny Service Requests… Joe Policy Enforcement Point Service Provider 6 1 Execute OK Service Y Execute Service Y Check Policy Compliance 2  5 Permit / Deny Service Request Authorization Domain 3 4 Retrieve Relevant Retrieve Policy Policies Validation Information Policy Decision Point Policy Information Policy Access Point Point
  • 16. Generic Policy Enforcement Model XACML-based Action on application DENIED Policy Action on application User Enforcement PERMITTED (PEP) Application Action on application Decision Decision Request Reply Information Policy Request/Reply Retrieval Policy Decision (PDP) Information Request/Reply Policy Management Policy Administration Policy Information Policy Information (PAP) (PIP) (PIP) Manager Policy Repository Authentic Source Authentic Source Slide inspired by Frank Robben
  • 17. Re-using Architecture Be-Health Social sector Non social FPS USER USER (CBSS) USER (FedICT) APPLICATIONS APPLICATIONS APPLICATIONS Authen - Authorization Authen - Authorization Authen - Authorization tication PEP WebApp tication PEP WebApp tication PEP WebApp Role Role Role Mapper XYZ Mapper XYZ Mapper XYZ Role Role Role Mapper Mapper Mapper DB DB DB PDP Role PDP Role PDP Role PAP PAP PAP Role Provider Role Provider ‘’Kephas’’ Role Provider ‘’Kephas’’ Provider DB ‘’Kephas’’ Provider DB Provider DB PIP PIP PIP PIP PIP PIP PIP PIP PIP Attribute Attribute Attribute Attribute Attribute Attribute Attribute Attribute Attribute Provider Provider Provider Provider Provider Provider Provider Provider Provider Management Management DB DB DB Management DB DB DB DB RIZIV UMAF Bailiffs XYZ XYZ Mandates XYZ VAS Mandates XYZ VAS VAS Slide inspired by Frank Robben
  • 18. Conclusion • eGovernment Services are accessible – Via open standards – With strong authentication & access management • Federated system permits use of common basic services securely – Without losing any autonomy! • System allows permanent evolution – Continuously changing user & organization requirements
  • 19. Food for Thought • Trust is Good – Control is Better!
  • 20. Th@nk you! Danny De Cock Researcher Applied Cryptography Danny.DeCock@esat.kuleuven.be Slides: www.godot.be/slides © fedict 2011. All rights reserved
  • 21. eID Card Issuing Procedure Card Personalizer (CP) Card Initializer (CI) (5) (4) (6) (10a”) (8) National Certification Register (RRN) (9) Authority (CA) (10a’) (3) (7) Municipality (2) (0) (10b) Citizen PIN & PUK (11) Face to face identification (1) Citizen (12) (13)
  • 22. eID Certificates Hierarchy 2048-bit RSA 2048-bit RSA 1024-bit RSA Card Administration: Certificates for update address, key Government web servers, pair generation, store signing citizen files, public certificates,… information,…
  • 23. Abstract eGovernment Ecosystem A F C Context 1 E D H G B Introducting Belgian eID Cards & eGovernment Slide 24 16 January 2012 Context 2 Context 3