Post on 04-Jan-2016
Swiss High Security Identity Solutions
Towards Trusted Web Services:
Trust management framework using Public Key Infrastructure Technology
London – November 2006
• CertifyID BlackBox
• WISeKey
• Identity (r)Evolution
The Company
• Company Details
  – Founded in 1999
  – Headquarters in Geneva, Switzerland
• Competence & Activities
  – Global and Neutral Trust Model
    • Based on principles of neutrality and strategic global relationships
  – InfoSec Projects
    • Global PKI Deployments
    • World's First Internet e-Voting Project
    • Digital Video Broadcasting MHP Security Framework
    • Secure Video Processing Alliance
  – High Security Data Centres
  – Trust Centre Solution
    • Windows Certificate Services and technology stack
Getting There…
• Intelligent cities: Securing DestiNY USA, and Incheon, South Korea
• e-Voting: first ever binding Internet Vote
• Developing Countries: Deploying infrastructures with the ITU
• Digital TV: Securing the Digital Video Broadcasting Infrastructure & Secure Video Processor Alliance
• Object eIDs: Securing objects (luxury goods, construction materials)
• National ID Systems: ID cards, drivers permits, health cards, passports...
Problem Statement
• The Internet was built without a way to know who and what you are connecting to
  – Everyone offering an internet service has had to come up with a workaround
  – Patchwork of identity one-offs
  – Not fair blaming the user – no framework, no control
• We are "Missing the identity layer"
• Digital identity currently exists in a world without synergy because of identity silos
Identity 0.0
• Resides on a Trusted Third Party
  – E.g. Confédération suisse
• Asymmetric relationship
  – No direct link with the issuer upon its utilisation
• Usable on a massive scale
• Optimal in terms of respect of the sphere of privacy
• Controllable by its holder
Identity 1.0 – Service Driven Model
• Specific to each use case – One use – One identity
• Controlled by a Third Party
• Absence of sphere of privacy
• Reutilisation impossible / complex
• Limited confidence / trust
Identity Crisis
eID: Confusion, Complexity, Cost, Multiplication
Identity Theft
• Phishing
• Pharming
• 50 million identities estimated stolen during the first quarter of 2005
Identity 2.0 – User Centric Model
Example of a Digital ID
Jordi Aymerich
4159 6234 622
Member Level: Platinum
Member Since: 1997
Code: 625
Valid Through: 7/2006
travelux
X.509
Example of a Digital Identity
"Identity Management is not only about specifications and technologies…
It's also addressing national issues"
Diagram: identity management drivers (Source: Kerry Shackelford - www.KLSConsultingLLC.com)
• Reduce risks: Delegated Admin, Automate Processes, Centralize Helpdesk, Pre-audit checks
• Achieve "Compliance": SOX, BASEL II, HIPAA, PCI-DSS…
• Improve Service and productivity: Data Accuracy, Self Service, Federation, Single sign-on, Service Provisioning
• Improve Security: Protect Data, Secure Access, Strong Authn, Roles, Protect Systems
EU Data Protection Directive
European Union data protection directive
Sarbanes-Oxley
Section 404 of the Sarbanes-Oxley directive obliges companies to formalise all of the processes that could impact their finances
Drivers – proof points
Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
SOX, HIPAA, GLB, Basel II, Title 21 CFR Part 11, EU Data Protection…
$15.5 billion spend in 2005 on compliance (analyst estimate)
One half of all enterprises have SOA under development
Web services spending growing 45% CAGR (analyst estimate)
Increasing incidence of identity theft (E.g. Phishing scams)
Identity theft costs banks and credit card issuers $1.2 billion per year
On average employees need access to 16 apps and systems
Companies spend $20-30 per user per year for PW resets
Enterprise Networks
Diagram: enterprises and employees, suppliers, partners, distant employees, clients
Web Services = +vulnerable zones
• Identity management and authentication
  – How to establish trusted authorities for handling identities?
  – What form of identities to use?
  – UID/password or strong authentication?
  – Digital certificates?
  – How to validate identities?
  – How to federate across trusted authorities?
• Access Control
  – What services and methods can be consumed by the requesting application?
  – Shall dynamic data determine access rights?
  – Group based, role based, resource based, or a combination thereof?
+vulnerable zones = +security needs
• Data Privacy
  – What regulatory requirements apply, do I even know?
  – How is data privacy to be enforced?
  – What level of data encryption is necessary – internal storage at rest, over the internal network, over external networks, transfer to partner network?
• Network Security
  – Internal network must be protected, how?
  – Firewall policy implementation, enforcement points?
  – Examine packet content, data content?
Addressed by specifications
• SAML
• WS-*
• XML Encryption / XML Digital Signature
• SOAP
• SSL, TLS
• PKIX
• Liberty Alliance
• etc.
• Most conservative companies are hesitant to deploy widespread web services
• But for those that do deploy, the use of common standards such as the following is essential:
  – SSL, TLS
  – XML (Encryption, Digital Signature)
  – SOAP
  – WSDL
  – SAML
"It is not only about specifications and technologies…
It's also about addressing business and trust problems"
• PKI Deployment
• WISeKey
• Identity (r)Evolution
Core PKI Services
A public key infrastructure (PKI) is an arrangement that provides for a trusted third party vouching for user identities.
• Integrity: assurance to an entity that data has not been altered between "there" and "here" or between "then" and "now"
• Confidentiality: assurance to an entity that no one can read a particular piece of data except the intended receiver
• Authentication: assurance to one entity that another entity is who he, she, or it claims to be
One of the Best Foundations
Certificate usage
• Data Encryption
• Intranet/Extranet Access Management
• Mobile Data Encryption
• Digital Identity
• Digital Signature
• Email Encryption and Signature
• Access Control
• User management
… but not the only answer
• Certificates are commonly accepted and used as officially issued virtual IDs
• CardSpace and other systems extend this so that other identity providers can provide identity claims with privacy
  – RP (relying party) can be hidden from IP (identity provider)
  – User controls release of information
• Examples – Health, Travel etc.
Distributed trust
CertifyID Blackbox™ is an innovative way to reduce the cost of deploying and managing a CA in a trusted environment

"Traditional" classical model:
• High cost and complexity in managing certificates
• Little integration between professional CA and corporate database
• Diagram: "Professional" / Outsourced CA → Certificate holder / Business user

WISeKey model:
• Takes advantage of existing corporate "identity management" infrastructure
• Certificate lifecycle easier to manage
• Easy integration with corporate systems
• Diagram: Root CA (WISeKey / OISTE) → Corporate CA [MS Server-based] → Certificate holder / Business user
The CertifyID Trust Model
Diagram: Swiss Federal Government (Supervisory Authority); Independent Auditor (Annual audit); Policy Approval Authority; Operator; Country A, Country B, Country C, Country D; Governance; National Sovereignty
Blackbox™ offering
The CertifyID Blackbox™ offers a complete and affordable out-of-the-box solution for establishing a Trusted Identity Infrastructure dedicated to your organization.
• Trust Service: provides issued identities with global recognition & trust
• Guardian XM: database redundancy and high availability services for Certification Authorities (CAs) on the Microsoft platform
• CRL Manager: publish and monitor the Certificate Revocation List (CRL)
• Web Services API: enterprise applications integration
Blackbox™ benefits
• Low cost – solution is cheaper than traditional PKI solution
• Ease of use –
  – based on Microsoft's Certification Services
  – wizard-based installation – no PKI know-how necessary
  – simplified certificate management – transparent to users
  – data resiliency
• Integration –
  – tight integration with company's Active Directory
  – easy integration with corporate applications through web services API
  – totally standards based – PKIX, X.509, CRL, OCSP
• Extended Trust Model –
  – internally managed issuance of e-IDs (confidentiality)
  – inclusion in community of trust for inter-company recognition of e-IDs
WISeKey Trust Model
• Use existing Trusted Parties – digitizing their current processes – Analog to Digital Trust
• Technically achieved through the sharing of a root certificate by highly authenticated Certification Authorities
• Flexible and scalable development of distributed trust communities
• Neutral root certificate ownership, administered by a neutral forum providing global recognition and inter-operability
• Achieve high security via technical controls, security hardware modules, auditing mechanisms
• Affordable, Low cost, ease of use, portability
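The distributed trust model on these slides (one neutral root certificate shared by several corporate CAs, so that an e-ID issued by one company is recognised by another), as an added Go example that is not WISeKey or OISTE code: it builds a constructed root, two corporate CAs and one employee e-ID each with Go's standard crypto/x509, then checks which e-IDs a relying party that trusts only the root accepts. All names are constructed; key-usage extensions are left out to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with the parent CA, or self-signs it when parent is nil (a root).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real CA would use
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // a root CA vouches for itself
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// Trusts reports whether a relying party holding only root as its trust anchor accepts leaf via issuer.
func Trusts(root, issuer, leaf *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// main builds the constructed community of trust: a neutral root, two corporate CAs with one e-ID each, and an outsider root.
func main() {
	root, rootKey := issue("Neutral Root CA", true, nil, nil)
	caA, caAKey := issue("Corporate CA, Company A", true, root, rootKey)
	caB, caBKey := issue("Corporate CA, Company B", true, root, rootKey)
	eidA, _ := issue("employee@company-a.example", false, caA, caAKey)
	eidB, _ := issue("employee@company-b.example", false, caB, caBKey)
	other, _ := issue("Unrelated Root CA", true, nil, nil)
	fmt.Println("shared root recognises both companies' e-IDs:", Trusts(root, caA, eidA) && Trusts(root, caB, eidB),
		"| unrelated root accepts Company A's e-ID:", Trusts(other, caA, eidA))
}
```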
Conclusions
• eID is happening
  – Continues to drive more secure architectures on the Internet
  – Many countries are playing a leader role
• Scenarios include
  – Many eGovernment applications
    • National eID card & Social security & Health & Tax etc.
  – Many Corporate to Corporate applications
  – Essential for Protecting Web Services
  – Increasing use in Identity management and Privacy Protection
• Technology for driving affordable government and business Trusted eID management and web services is available today!
  – OISTE Trust Model + WISeKey CertifyID Products
WISeKey S.A
WISeKey S.A - World Trade Center II - 29, route de Pré-Bois CP 885 1215 Geneva, Switzerland
Tel: +41 22 594 30 00 - Fax: +41 22 594 30 01
e-mail: info@wisekey.com - www.wisekey.com
Questions