SlideShare a Scribd company logo

X-Road as a Platform to Exchange MyData

Petteri Kivimäki
Petteri Kivimäki

X-Road is an open source data exchange layer solution used by the national governments in Estonia and Finland. This presentation explains a concept how X-Road can be used as a technical platform to exchange MyData. In addition to the technology, also common principles and guidelines required by the concept are discussed.

Internet
1 of 15
Download to read offline
X-Road as a Platform to Exchange MyData PETTERI KIVIMÄKI, CTO 29TH AUGUST 2018
Table of Contents u MyData Roles u How Does X-Road Work? u X-Road as a Technical Platform for MyData u MyData via X-Road u What X-Road Does and Does Not Provide
MyData Roles Digital Identity MyData Operator Data Consent Consent Individual Consent • Individual – a person who authorizes data flows with consent. • MyData Operator – provides a MyData accounts that enable digital consent management. • Data Source – provides data about individuals. • Data Using Service – uses the data provided by data sources. Data Source Data Using Service Access Logs
How Does X-Road Work? Security Server Security Server Service Consumer Service Provider Signature and time-stamping of messages, logging Verify incoming messages, time-spamping, logging, access rights Central Services Registry of trusted parties (organizations, servers) Trust Services Validity of certificates (auth, sign) Time-stamping of messages X-Road Core Trust Services
X-Road as a Technical Platform for MyData Digital Identity MyData Operator Access Logs Consent Consent Individual Access Logs X-Road Security Server Data • Both consent and data are transferred via X-Road. • X-Road logs all the requests and the logs are used for providing a centralized view to access logs where the individual can see who has accessed his or her data. • X-Road provides • Organization level authentication • Machine to machine authentication • Standardized messaging model • Non-repudiation of messages • Access rights management • Address management and message routing • Transportation level encryption. Data Source Data Using Service
MyData via X-Road Security Server Security Server Data Source 3. Check access rights (global group) MyData Operator 1. Check consent (*) 4. Return response 2. Send request Access logs (*) Data Using Service 3.1 Check consent (*) (optional) Access logs (*) * Checking consents and transfering access logs is done via X-Road. All the registered data using services have access to all the registered data sources. Consents are used for managing authorizations to access the data of individuals.
MyData via X-Road u Consents are managed by the MyData Operator. u Every data source and data using service must implement the required MyData APIs and enable their services to be connected with MyData accounts. u X-Road client/service identifier must be stored by the MyData Operator. u Access rights to data sources are managed using X-Road global groups that are centrally managed by the X-Road operator. u Registered data using services are added as members of the global group by the X-Road operator. u Data sources grant the MyData global group access to their MyData services – all the members of the group then have access to the services.
MyData via X-Road u All the registered data using services have access to all the registered data sources. Consents are used for managing authorizations to access the data of individuals. u Data using service is responsible for checking the consent before sending a request. u No consent is found => no request is sent. u Consent is found => request is sent and the ID of the consent is included in the request (with other required parameters, e.g. user ID). u Data source trusts the data using service and does not re-check the validity of the consent. u Alternatively, data source may re-check the validity of the consent. Increases trust – and overhead.
MyData via X-Road u All the requests and responses are logged by X-Road. u Information related to MyData requests/responses (consent ID, data using service, data source, user ID identifying the individual, date/time etc.) is made accessible to the MyData Operator. u Individuals can view who has accessed their information through their MyData account. u Unauthorized use of individuals’ data can be automatically detected by analyzing the logs and is subject to penalties, e.g. exclusion from the service etc.
MyData via X-Road MyData Operator Data SourceData Using Service Central Server • Register data using service (subsystem): FI.COM.12345-6.Client • Add subsystem to MyData Clients global group • Publish data source: FI.COM.65432-1.Service.getData.v1 • Register data using service: FI.COM.12345-6.Client • Register data source: FI.COM.65432-1.Service.getData.v1 Certification Authority (CA) Security Server Security Server• Get auth and sign certificates. • Check validity. FI.COM.12345-6.Client FI.COM.65432-1.Service.getData.v1 MyData Clients (global group): FI.COM.12345-6.Client FI.GOV.XXXX.XXX FI.COM.XXXX.XXX . . Grant MyData Clients access to: FI.COM.65432-1.Service.getData.v1
MyData Account and Consents ID Individual Data Using Service Data Source User ID Validity Label Consent ID – random string Social security number X-Road client identifier of the data using service X-Road service identifier of the data source The ID identifying the individual in the data source, e.g. social security number, Facebook ID, Google ID etc. The period when the consent is valid. Example 619KOZDLS2 121275-123A FI.COM.12345-6.Client FI.COM.65432-1.Service.getData.v1 121275-123A 1.3.2018-31.12.2018 u Individuals manage consents through a MyData account. u X-Road identifiers are used for identifyind the data using service and data source (not visible to the user). u If social media user ID is used, the social media account must be confirmed and linked to the MyData account. In addition, the data source must define the ID that’s used for identifying the user. By default social security number is used.
X-Road Provides u Organization level authentication u Machine to machine authentication u Standardized messaging model u Non-repudiation of messages u Logging of messages u Access rights management u Address management and message routing u Transportation level encryption.
X-Road Does Not Provide u Semantic interoperability u Common business data models u Standardized business APIs u Implementation of the MyData Operator u Consent verification.
Questions?
WWW.NIIS.ORG petteri.kivimaki@niis.org +372 7130 802

Recommended

Mule Runtime: Performance Tuning
Mule Runtime: Performance Tuning Mule Runtime: Performance Tuning
Mule Runtime: Performance Tuning
MuleSoft
 
Comparison of MQTT and DDS as M2M Protocols for the Internet of Things
Comparison of MQTT and DDS as M2M Protocols for the Internet of ThingsComparison of MQTT and DDS as M2M Protocols for the Internet of Things
Comparison of MQTT and DDS as M2M Protocols for the Internet of Things
Real-Time Innovations (RTI)
 
Getting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsGetting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of Concepts
ThousandEyes
 
DDS Tutorial -- Part I
DDS Tutorial -- Part IDDS Tutorial -- Part I
DDS Tutorial -- Part I
Angelo Corsaro
 
Mulesoft with ELK (Elastic Search, Log stash, Kibana)
Mulesoft with ELK (Elastic Search, Log stash, Kibana)Mulesoft with ELK (Elastic Search, Log stash, Kibana)
Mulesoft with ELK (Elastic Search, Log stash, Kibana)
Gaurav Sethi
 
TriHUG October: Apache Ranger
TriHUG October: Apache RangerTriHUG October: Apache Ranger
TriHUG October: Apache Ranger
trihug
 
Open Cloud Consortium Overview (01-10-10 V6)
Open Cloud Consortium Overview (01-10-10 V6)Open Cloud Consortium Overview (01-10-10 V6)
Open Cloud Consortium Overview (01-10-10 V6)
Robert Grossman
 
Distributed Algorithms with DDS
Distributed Algorithms with DDSDistributed Algorithms with DDS
Distributed Algorithms with DDS
Angelo Corsaro
 

Recommended

Mule Runtime: Performance Tuning
Mule Runtime: Performance Tuning Mule Runtime: Performance Tuning
Mule Runtime: Performance Tuning
MuleSoft
 
Comparison of MQTT and DDS as M2M Protocols for the Internet of Things
Comparison of MQTT and DDS as M2M Protocols for the Internet of ThingsComparison of MQTT and DDS as M2M Protocols for the Internet of Things
Comparison of MQTT and DDS as M2M Protocols for the Internet of Things
Real-Time Innovations (RTI)
 
Getting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of ConceptsGetting Started with ThousandEyes Proof of Concepts
Getting Started with ThousandEyes Proof of Concepts
ThousandEyes
 
DDS Tutorial -- Part I
DDS Tutorial -- Part IDDS Tutorial -- Part I
DDS Tutorial -- Part I
Angelo Corsaro
 
Mulesoft with ELK (Elastic Search, Log stash, Kibana)
Mulesoft with ELK (Elastic Search, Log stash, Kibana)Mulesoft with ELK (Elastic Search, Log stash, Kibana)
Mulesoft with ELK (Elastic Search, Log stash, Kibana)
Gaurav Sethi
 
TriHUG October: Apache Ranger
TriHUG October: Apache RangerTriHUG October: Apache Ranger
TriHUG October: Apache Ranger
trihug
 
Open Cloud Consortium Overview (01-10-10 V6)
Open Cloud Consortium Overview (01-10-10 V6)Open Cloud Consortium Overview (01-10-10 V6)
Open Cloud Consortium Overview (01-10-10 V6)
Robert Grossman
 
Distributed Algorithms with DDS
Distributed Algorithms with DDSDistributed Algorithms with DDS
Distributed Algorithms with DDS
Angelo Corsaro
 
A Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign OnA Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign On
Gabriella Davis
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution Service
Angelo Corsaro
 
Azure data factory
Azure data factoryAzure data factory
Azure data factory
BizTalk360
 
Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
Eric D. Schabell
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
Torsten Lodderstedt
 
Big Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWAREBig Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWARE
Fernando Lopez Aguilar
 
DW2020 Data Models - FIWARE Platform
DW2020 Data Models - FIWARE PlatformDW2020 Data Models - FIWARE Platform
DW2020 Data Models - FIWARE Platform
Fernando Lopez Aguilar
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
Load balancer in mule
Load balancer in muleLoad balancer in mule
Load balancer in mule
Ramakrishna kapa
 
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
Amazon Web Services
 
DDS In Action Part II
DDS In Action Part IIDDS In Action Part II
DDS In Action Part II
Angelo Corsaro
 
The Journey to Data Mesh with Confluent
The Journey to Data Mesh with ConfluentThe Journey to Data Mesh with Confluent
The Journey to Data Mesh with Confluent
confluent
 
Introduction to Streaming Analytics
Introduction to Streaming AnalyticsIntroduction to Streaming Analytics
Introduction to Streaming Analytics
Guido Schmutz
 
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
Royston Lobo
 
Building Reliable Data Lakes at Scale with Delta Lake
Building Reliable Data Lakes at Scale with Delta LakeBuilding Reliable Data Lakes at Scale with Delta Lake
Building Reliable Data Lakes at Scale with Delta Lake
Databricks
 
On prem to cloud hub migration (updated)
On prem to cloud hub migration (updated)On prem to cloud hub migration (updated)
On prem to cloud hub migration (updated)
Sandeep Deshmukh
 
DDS QoS Unleashed
DDS QoS UnleashedDDS QoS Unleashed
DDS QoS Unleashed
Angelo Corsaro
 
Using ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments finalUsing ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments final
Leif Davidsen
 
Cloud adoption and rudiments
Cloud adoption and rudimentsCloud adoption and rudiments
Cloud adoption and rudiments
gaurav jain
 
Zenoh: The Genesis
Zenoh: The GenesisZenoh: The Genesis
Zenoh: The Genesis
Angelo Corsaro
 
180926 ihan webinar 2
180926 ihan webinar 2180926 ihan webinar 2
180926 ihan webinar 2
Sitra the Finnish Innovation Fund
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
SergeyWalsh
 

More Related Content

What's hot

Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
Eric D. Schabell
 
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
Amazon Web Services
 
DDS In Action Part II
DDS In Action Part IIDDS In Action Part II
DDS In Action Part II
Angelo Corsaro
 
Introduction to Streaming Analytics
Introduction to Streaming AnalyticsIntroduction to Streaming Analytics
Introduction to Streaming Analytics
Guido Schmutz
 
Building Reliable Data Lakes at Scale with Delta Lake
Building Reliable Data Lakes at Scale with Delta LakeBuilding Reliable Data Lakes at Scale with Delta Lake
Building Reliable Data Lakes at Scale with Delta Lake
Databricks
 
DDS QoS Unleashed
DDS QoS UnleashedDDS QoS Unleashed
DDS QoS Unleashed
Angelo Corsaro
 

What's hot (20)

A Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign OnA Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign On
 
The Data Distribution Service
The Data Distribution ServiceThe Data Distribution Service
The Data Distribution Service
 
Azure data factory
Azure data factoryAzure data factory
Azure data factory
 
Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
 
OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36OpenID for Verifiable Credentials @ IIW 36
OpenID for Verifiable Credentials @ IIW 36
 
Big Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWAREBig Data and Machine Learning with FIWARE
Big Data and Machine Learning with FIWARE
 
DW2020 Data Models - FIWARE Platform
DW2020 Data Models - FIWARE PlatformDW2020 Data Models - FIWARE Platform
DW2020 Data Models - FIWARE Platform
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Load balancer in mule
Load balancer in muleLoad balancer in mule
Load balancer in mule
 
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
NEW LAUNCH! Introducing Amazon Kinesis Video Streams - ABD216 - re:Invent 2017
 
DDS In Action Part II
DDS In Action Part IIDDS In Action Part II
DDS In Action Part II
 
The Journey to Data Mesh with Confluent
The Journey to Data Mesh with ConfluentThe Journey to Data Mesh with Confluent
The Journey to Data Mesh with Confluent
 
Introduction to Streaming Analytics
Introduction to Streaming AnalyticsIntroduction to Streaming Analytics
Introduction to Streaming Analytics
 
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
MuleSoft Online meetup - An expert's guide to Runtime fabric - August 2020
 
Building Reliable Data Lakes at Scale with Delta Lake
Building Reliable Data Lakes at Scale with Delta LakeBuilding Reliable Data Lakes at Scale with Delta Lake
Building Reliable Data Lakes at Scale with Delta Lake
 
On prem to cloud hub migration (updated)
On prem to cloud hub migration (updated)On prem to cloud hub migration (updated)
On prem to cloud hub migration (updated)
 
DDS QoS Unleashed
DDS QoS UnleashedDDS QoS Unleashed
DDS QoS Unleashed
 
Using ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments finalUsing ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments final
 
Cloud adoption and rudiments
Cloud adoption and rudimentsCloud adoption and rudiments
Cloud adoption and rudiments
 
Zenoh: The Genesis
Zenoh: The GenesisZenoh: The Genesis
Zenoh: The Genesis
 

Similar to X-Road as a Platform to Exchange MyData

Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
SergeyWalsh
 
Practical Federated Identity
Practical Federated Identity Practical Federated Identity
Practical Federated Identity
WSO2
 
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
gueste4e93e3
 
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Amazon Web Services
 
Iiw east openidentityforopengovfinal
Iiw east openidentityforopengovfinalIiw east openidentityforopengovfinal
Iiw east openidentityforopengovfinal
MaryIIW
 

Similar to X-Road as a Platform to Exchange MyData (20)

180926 ihan webinar 2
180926 ihan webinar 2180926 ihan webinar 2
180926 ihan webinar 2
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
 
Product Identification Service
Product Identification ServiceProduct Identification Service
Product Identification Service
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.
 
Practical Federated Identity
Practical Federated Identity Practical Federated Identity
Practical Federated Identity
 
Hadoop and Financial Services
Hadoop and Financial ServicesHadoop and Financial Services
Hadoop and Financial Services
 
Managing Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldManaging Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices World
 
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
 
IDM in telecom industry
IDM in telecom industryIDM in telecom industry
IDM in telecom industry
 
Truzzt whitepaper a4_einzel_20200311
Truzzt whitepaper a4_einzel_20200311Truzzt whitepaper a4_einzel_20200311
Truzzt whitepaper a4_einzel_20200311
 
Trust Your Supplier - trust your product in the supply chain
Trust Your Supplier - trust your product in the supply chain Trust Your Supplier - trust your product in the supply chain
Trust Your Supplier - trust your product in the supply chain
 
Resilient Network Systems - Trust Network Overview Slides - July 2014
Resilient Network Systems - Trust Network Overview Slides - July 2014Resilient Network Systems - Trust Network Overview Slides - July 2014
Resilient Network Systems - Trust Network Overview Slides - July 2014
 
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
 
Final Poster C4 G
Final Poster C4 GFinal Poster C4 G
Final Poster C4 G
 
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
 
Iiw east openidentityforopengovfinal
Iiw east openidentityforopengovfinalIiw east openidentityforopengovfinal
Iiw east openidentityforopengovfinal
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Cyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access managementCyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access management
 
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
 
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
 

More from Petteri Kivimäki

2016-09-16-NationalArchitectureForDigitalServices
2016-09-16-NationalArchitectureForDigitalServices2016-09-16-NationalArchitectureForDigitalServices
2016-09-16-NationalArchitectureForDigitalServices
Petteri Kivimäki
 
2016-09-23-KaPA ja avoin lähdekoodi
2016-09-23-KaPA ja avoin lähdekoodi2016-09-23-KaPA ja avoin lähdekoodi
2016-09-23-KaPA ja avoin lähdekoodi
Petteri Kivimäki
 
2015-11-20-Avoimet lisenssit ja parhaat käytännöt julkisen hallinnon ICTssä -...
2015-11-20-Avoimet lisenssit ja parhaat käytännöt julkisen hallinnon ICTssä -...2015-11-20-Avoimet lisenssit ja parhaat käytännöt julkisen hallinnon ICTssä -...
2015-11-20-Avoimet lisenssit ja parhaat käytännöt julkisen hallinnon ICTssä -...
Petteri Kivimäki
 
2014-12-01-Kansallinen palveluväylä
2014-12-01-Kansallinen palveluväylä2014-12-01-Kansallinen palveluväylä
2014-12-01-Kansallinen palveluväylä
Petteri Kivimäki
 
Evaluating Open Source Software - New Library Sytem for Finnish Libraries in ...
Evaluating Open Source Software - New Library Sytem for Finnish Libraries in ...Evaluating Open Source Software - New Library Sytem for Finnish Libraries in ...
Evaluating Open Source Software - New Library Sytem for Finnish Libraries in ...
Petteri Kivimäki
 

More from Petteri Kivimäki (6)

2016-09-16-NationalArchitectureForDigitalServices
2016-09-16-NationalArchitectureForDigitalServices2016-09-16-NationalArchitectureForDigitalServices
2016-09-16-NationalArchitectureForDigitalServices
 
2016-09-23-KaPA ja avoin lähdekoodi
2016-09-23-KaPA ja avoin lähdekoodi2016-09-23-KaPA ja avoin lähdekoodi
2016-09-23-KaPA ja avoin lähdekoodi
 
2015-11-20-Avoimet lisenssit ja parhaat käytännöt julkisen hallinnon ICTssä -...
2015-11-20-Avoimet lisenssit ja parhaat käytännöt julkisen hallinnon ICTssä -...2015-11-20-Avoimet lisenssit ja parhaat käytännöt julkisen hallinnon ICTssä -...
2015-11-20-Avoimet lisenssit ja parhaat käytännöt julkisen hallinnon ICTssä -...
 
X-Road in Finland & REST Gateway
X-Road in Finland & REST GatewayX-Road in Finland & REST Gateway
X-Road in Finland & REST Gateway
 
2014-12-01-Kansallinen palveluväylä
2014-12-01-Kansallinen palveluväylä2014-12-01-Kansallinen palveluväylä
2014-12-01-Kansallinen palveluväylä
 
Evaluating Open Source Software - New Library Sytem for Finnish Libraries in ...
Evaluating Open Source Software - New Library Sytem for Finnish Libraries in ...Evaluating Open Source Software - New Library Sytem for Finnish Libraries in ...
Evaluating Open Source Software - New Library Sytem for Finnish Libraries in ...
 

Recently uploaded

Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
aagad
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 

Recently uploaded (12)

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
Stay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design TrendsStay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design Trends
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 

X-Road as a Platform to Exchange MyData

  • 1. X-Road as a Platform to Exchange MyData PETTERI KIVIMÄKI, CTO 29TH AUGUST 2018
  • 2. Table of Contents u MyData Roles u How Does X-Road Work? u X-Road as a Technical Platform for MyData u MyData via X-Road u What X-Road Does and Does Not Provide
  • 3. MyData Roles Digital Identity MyData Operator Data Consent Consent Individual Consent • Individual – a person who authorizes data flows with consent. • MyData Operator – provides a MyData accounts that enable digital consent management. • Data Source – provides data about individuals. • Data Using Service – uses the data provided by data sources. Data Source Data Using Service Access Logs
  • 4. How Does X-Road Work? Security Server Security Server Service Consumer Service Provider Signature and time-stamping of messages, logging Verify incoming messages, time-spamping, logging, access rights Central Services Registry of trusted parties (organizations, servers) Trust Services Validity of certificates (auth, sign) Time-stamping of messages X-Road Core Trust Services
  • 5. X-Road as a Technical Platform for MyData Digital Identity MyData Operator Access Logs Consent Consent Individual Access Logs X-Road Security Server Data • Both consent and data are transferred via X-Road. • X-Road logs all the requests and the logs are used for providing a centralized view to access logs where the individual can see who has accessed his or her data. • X-Road provides • Organization level authentication • Machine to machine authentication • Standardized messaging model • Non-repudiation of messages • Access rights management • Address management and message routing • Transportation level encryption. Data Source Data Using Service
  • 6. MyData via X-Road Security Server Security Server Data Source 3. Check access rights (global group) MyData Operator 1. Check consent (*) 4. Return response 2. Send request Access logs (*) Data Using Service 3.1 Check consent (*) (optional) Access logs (*) * Checking consents and transfering access logs is done via X-Road. All the registered data using services have access to all the registered data sources. Consents are used for managing authorizations to access the data of individuals.
  • 7. MyData via X-Road u Consents are managed by the MyData Operator. u Every data source and data using service must implement the required MyData APIs and enable their services to be connected with MyData accounts. u X-Road client/service identifier must be stored by the MyData Operator. u Access rights to data sources are managed using X-Road global groups that are centrally managed by the X-Road operator. u Registered data using services are added as members of the global group by the X-Road operator. u Data sources grant the MyData global group access to their MyData services – all the members of the group then have access to the services.
  • 8. MyData via X-Road u All the registered data using services have access to all the registered data sources. Consents are used for managing authorizations to access the data of individuals. u Data using service is responsible for checking the consent before sending a request. u No consent is found => no request is sent. u Consent is found => request is sent and the ID of the consent is included in the request (with other required parameters, e.g. user ID). u Data source trusts the data using service and does not re-check the validity of the consent. u Alternatively, data source may re-check the validity of the consent. Increases trust – and overhead.
  • 9. MyData via X-Road u All the requests and responses are logged by X-Road. u Information related to MyData requests/responses (consent ID, data using service, data source, user ID identifying the individual, date/time etc.) is made accessible to the MyData Operator. u Individuals can view who has accessed their information through their MyData account. u Unauthorized use of individuals’ data can be automatically detected by analyzing the logs and is subject to penalties, e.g. exclusion from the service etc.
  • 10. MyData via X-Road MyData Operator Data SourceData Using Service Central Server • Register data using service (subsystem): FI.COM.12345-6.Client • Add subsystem to MyData Clients global group • Publish data source: FI.COM.65432-1.Service.getData.v1 • Register data using service: FI.COM.12345-6.Client • Register data source: FI.COM.65432-1.Service.getData.v1 Certification Authority (CA) Security Server Security Server• Get auth and sign certificates. • Check validity. FI.COM.12345-6.Client FI.COM.65432-1.Service.getData.v1 MyData Clients (global group): FI.COM.12345-6.Client FI.GOV.XXXX.XXX FI.COM.XXXX.XXX . . Grant MyData Clients access to: FI.COM.65432-1.Service.getData.v1
  • 11. MyData Account and Consents ID Individual Data Using Service Data Source User ID Validity Label Consent ID – random string Social security number X-Road client identifier of the data using service X-Road service identifier of the data source The ID identifying the individual in the data source, e.g. social security number, Facebook ID, Google ID etc. The period when the consent is valid. Example 619KOZDLS2 121275-123A FI.COM.12345-6.Client FI.COM.65432-1.Service.getData.v1 121275-123A 1.3.2018-31.12.2018 u Individuals manage consents through a MyData account. u X-Road identifiers are used for identifyind the data using service and data source (not visible to the user). u If social media user ID is used, the social media account must be confirmed and linked to the MyData account. In addition, the data source must define the ID that’s used for identifying the user. By default social security number is used.
  • 12. X-Road Provides u Organization level authentication u Machine to machine authentication u Standardized messaging model u Non-repudiation of messages u Logging of messages u Access rights management u Address management and message routing u Transportation level encryption.
  • 13. X-Road Does Not Provide u Semantic interoperability u Common business data models u Standardized business APIs u Implementation of the MyData Operator u Consent verification.