e-ID and identity management aspects in the Belgian social sector

Frank Robben
General Manager Crossroads Bank for Social Security
General Manager SmalS-MvM
Sint-Pieterssteenweg 375
B-1040 Brussels
CBSS website: www.ksz.fgov.be
Personal website: www.law.kuleuven.ac.be/icri/frobben


ADAPID project (ADvanced APplications for electronic IDentity cards) - Tuesday 26th September 2006

Structure of the presentation

• actual environment
• electronic user and access management
  – eID: functions and additional needs
  – policy enforcement model
• SIS card and eID
• transnational aspects
  – needs: some use cases
  – proposal of concrete objectives

Actual environment

• a network between all 2,000 social sector actors with a secure connection to the internet and other public (e.g. FedMAN) and private (e.g. Isabel) networks
• a unique identification key
  – for every citizen, electronically readable from an electronic social security card (SIS card) and an electronic identity card (eID)
  – for every company
• a task sharing between actors in the social sector and other sectors with regard to information management and information storage in authentic sources

Actual environment

• 185 electronic services for mutual information exchange amongst all actors in the social sector, defined after process optimization
  – nearly all direct or indirect (via citizens or companies) paper-based information exchange between actors in the social sector has been abolished
  – in 2005 half a billion electronic messages were exchanged amongst actors in the social sector, which saved as many paper exchanges
• an integrated portal site containing
  – electronic transactions for employers and citizens
  – information about the entire Belgian social security system
  – harmonized instructions and information model with regard to all electronic transactions
  – a personal page for each company

Actual environment

• 36 electronic services for employers, either based on the electronic exchange of structured messages between software applications of the employers and software applications of actors in the social sector, or via the integrated portal site
  – 50 social security declaration forms have been abolished
  – in the remaining 30 declaration forms the number of headings has on average been reduced to a third of the previous number
  – declarations are limited to 3 events
    • immediate declaration of recruitment and discharge (only electronically)
    • quarterly declaration of salary and working times (only electronically)
    • 21 types of declarations of social risks (electronically or on paper)
  – in 2005 15,7 million electronic declarations were made by all 220,000 employers, 98 % of which from application to application

Actual environment

• 4 electronic services for citizens via the integrated portal
  – 2 services to apply for social benefits
  – 2 services for consultation of social benefits
  – about 30 new services are foreseen
• an integrated multimodal contact centre supported by a customer relationship management tool
• an integrated e-workspace for professionals involved in the social sector with
  – e-teams
  – workflow throughout social sector actors (e.g. e-Leg)
• a datawarehouse with integrated information for research and policy support, and policy evaluation

Actual environment

• coordination by the Crossroads Bank for Social Security
  – definition of the vision and the strategy on E-government in the social sector and of the common principles related to information management
  – definition, implementation and management of an interoperability framework
  – secure messaging of several types of information (structured data, documents, images, metadata, …) with business logic and orchestration support
  – coordination of business process reengineering
  – stimulation of service oriented applications
  – management of a reference directory for
    • preventive control on the legitimacy of the information exchange
    • organisation of the routing of information
    • automatic communication of changes of information

Actual environment

• reference directory
  – directory of available services/information
    • which information/services are available at any institution depending on the capacity in which a person/company is registered at each institution
  – directory of authorisation policies
    • which users/applications are authorized to access which information/services depending on the capacity in which a person/company is registered at each institution
  – directory of data subjects
    • which persons/companies have personal files in which institutions for which periods of time, and in which capacity they are registered
  – subscription table
    • which users/applications want to automatically receive what services in which situations for which persons/companies in which capacity

Electronic user & access management

• eID
  – electronic identification and authentication of the identity of physical persons over the age of 12 who are registered in the Belgian population registers
  – electronic signature of these persons
• additional needs
  – electronic identification and authentication of the identity of physical persons under the age of 12 or who are not registered in the Belgian population registers
  – authentication of characteristics (e.g. a capacity, a function, a professional qualification)
  – authentication of mandates between a legal or physical person to whom an electronic transaction relates and the person carrying out that transaction
  – authorisation management
  – towards an eID based on biometrics?

Policy Enforcement Model

[Diagram: a User's action on an application passes through Policy Enforcement (PEP), which sends a decision request to Policy Decision (PDP) and receives a decision reply; the action on the application is then PERMITTED or DENIED. The PDP performs policy retrieval from Policy Administration (PAP), whose policy repository is maintained by a Manager (policy management), and exchanges information requests/replies with two Policy Information (PIP) components, each backed by an authentic source.]

Policy Enforcement Point (PEP)

• intercepts the request for authorisation with all available information about the user, the action being requested, the resources and the environment
• passes on the request for authorisation to the Policy Decision Point (PDP) and extracts a decision regarding authorisation
• grants access to the application and provides relevant credentials

[Diagram: the User's action on the application passes through the PEP, which exchanges decision request/reply with the PDP; the action on the application is PERMITTED or DENIED.]

Policy Decision Point (PDP)

• based on the request for authorisation received, retrieves the appropriate authorisation policy from the Policy Administration Point(s) (PAP)
• evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)
• takes the authorisation decision (permit/deny/not applicable) and sends it to the PEP

[Diagram: the PEP exchanges decision request/reply with the PDP; the PDP performs policy retrieval from the PAP and exchanges information requests/replies with two PIPs.]

Policy Administration Point (PAP)

• environment to store and manage authorisation policies by authorised person(s) appointed by the application managers

• puts authorisation policies at the disposal of the PDP

[Diagram: the PDP performs policy retrieval from the PAP; a Manager performs policy management on the PAP's policy repository.]

Policy Information Point (PIP)

• puts information at the disposal of the PDP in order to evaluate authorisation policies (authentic sources with characteristics, mandates, etc.)

[Diagram: the PDP exchanges information requests/replies with PIP 1 and PIP 2, each connected to an authentic source.]
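The four components described on the preceding slides, wired together as an added example (it is not part of the original presentation or of any CBSS system). The policy format, the rule that acting for another entity always requires a mandate, the fail-closed handling of "not applicable" in the PEP, and all names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"


@dataclass(frozen=True)
class Request:
    user: str                           # identity already authenticated (e.g. with the eID)
    action: str
    resource: str
    on_behalf_of: Optional[str] = None  # entity the transaction relates to, if not the user


class PAP:
    """Policy repository: (resource, action) -> characteristic the subject must hold."""
    def __init__(self, policies):
        self._policies = dict(policies)

    def retrieve(self, resource, action):
        return self._policies.get((resource, action))


class PIP:
    """Wraps one authentic source; answers membership questions for the PDP."""
    def __init__(self, facts):
        self._facts = set(facts)

    def confirms(self, *fact):
        return fact in self._facts


class PDP:
    def __init__(self, pap, characteristics_pip, mandates_pip):
        self.pap, self.characteristics, self.mandates = pap, characteristics_pip, mandates_pip

    def decide(self, req):
        required = self.pap.retrieve(req.resource, req.action)
        if required is None:
            return Decision.NOT_APPLICABLE      # no policy covers this request
        subject = req.on_behalf_of or req.user
        # A person acting for another entity needs a registered mandate.
        if subject != req.user and not self.mandates.confirms(req.user, subject):
            return Decision.DENY
        if not self.characteristics.confirms(subject, required):
            return Decision.DENY
        return Decision.PERMIT


class PEP:
    """Intercepts every request; only an explicit PERMIT reaches the application."""
    def __init__(self, pdp, application):
        self.pdp, self.application = pdp, application

    def handle(self, req):
        decision = self.pdp.decide(req)
        if decision is not Decision.PERMIT:     # DENY and NOT_APPLICABLE both fail closed
            return decision, None
        return decision, self.application(req)


def build_demo_pep():
    # Constructed sample data standing in for the authentic sources.
    pap = PAP({("posting-authorisation", "request"): "employer",
               ("insurability", "consult"): "health care provider"})
    characteristics = PIP({("company-A", "employer"), ("dr-peeters", "health care provider")})
    mandates = PIP({("alice", "company-A")})
    return PEP(PDP(pap, characteristics, mandates),
               application=lambda r: f"{r.action} on {r.resource} executed")
```

Keeping the mandate and characteristic lookups behind separate PIP objects mirrors the slide's point that each authentic source stays with the actor that manages it; the PDP only asks questions and never stores the answers.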

eID and social security portal

• all end-user applications are divided into categories based on the required level of security
  – all applications can be used with the eID as a means of electronic identification and authentication of identity
  – some applications can also be used (temporarily) on the basis of a user-id, password and, where appropriate, a citizen token or a public servant token
• electronic signatures can be placed with the eID
• the policy enforcement model is being implemented for the authentication of characteristics and mandates and for authorisation management

SIS card and eID

• gradual replacement of the functions of the SIS card once the following conditions have been fulfilled
  – function of electronic identification: overall availability of the eID
  – function of proof of the insurability in the health care sector
    • secure on line access by the health care providers to the insurability information available at the sickness funds
    • electronic identification and authentication of the identity, characteristics and mandates of the health care providers
    • preservation of the SIS card or a similar solution for persons who do not possess an eID (persons not residing in Belgium, children under the age of 12, etc.)
    • availability of readers that can read both the SIS-card and the eID

Transnational aspects

• need to be able to electronically
  – identify and authenticate the identity of all relevant entities (physical persons, companies, …)
  – authenticate the relevant characteristics of the entities
  – authenticate that an entity has been mandated by another entity to perform a legal action
• need to implement the objective and related actions from the interministerial statement about E-government in the EU issued on 24th November 2005

Interministerial statement

“By 2010 European citizens and business shall be able to benefit from secure means of electronic identification that maximise user convenience while respecting data protection regulations. Such means shall be made available under the responsibility of the Member States, but recognised across the EU.”

Interministerial statement: actions

• “Member States will, during 2006, agree a process and roadmap for achieving the electronic identity objectives and address the national and European legal barriers to the achievement of the electronic identity objectives; work in this area is essential for public administrations to deliver personalised electronic services with no ambiguity as to the user’s identity.”

• “Member States will, over the period 2006-2010, work towards the mutual recognition of national electronic identities by testing, piloting and implementing suitable technologies and methods.”

Some use cases

• individual residing in Member State A is temporarily employed (posted) in Member State B
  – the employer or his representative has to ask for authorization from the competent social security institution of Member State A
  – the competent social security institution of Member State A (electronically) sends an E101-form to the competent social security institution of Member State B

=> need for (interrelated) identification of the employer, his representative and the employee in both Member States, need for authentication of the characteristic "employer" and need for authentication of the mandate of the representative

Some use cases

• individual residing in Member State A works, studies or looks for work in Member State B => need for (interrelated) identification of the individual in both Member States
• individual residing in Member State A simultaneously works in various other Member States => need for (interrelated) identification of the individual in all Member States
• individual residing in Member State A needs health care in Member State B (form E111, (e)EHIC) => need for (interrelated) identification of the individual in both Member States

Some use cases

• individual residing in Member State A has to exchange (in an electronic way) data with public authorities in Member State B => need for (interrelated) identification of the individual in both Member States
• employer or his representative residing in Member State A has to exchange (in an electronic way) data about his employees with public authorities in Member State B => need for (interrelated) identification in both Member States of the employer, his representative and the employees, need for authentication of the characteristic of "employer" and need for authentication of the mandate of the representative

[Figure: timeline 2006-2010 leading from eIDM at national level to federated eID management and EU provisions on recognition of national eIDs. Labels: IST R&D for federated, multi-level, secure eIDM; Modinis study; testbeds/pilots (e.g. in CIP e-procurement, health info networks); eTEN and IDABC testbeds; specifications; CEN eIDM standardisation; link to ECC; IDABC business attestations study; IDABC e-sign studies; user awareness and acceptance; eID terminology and objectives; definition of eID; authentication model and levels; authentication levels overview (ENISA); personal data ownership model; eID role management; equal treatment of national eIDs; common eIDM framework (technical, semantic, organisational); country inputs; use cases (eProcurement, migrant workers); wide awareness campaign; explain role of e-sign Directive; CEC as 'lead user'; validation and key applications; European interoperability; legal certainty; common principles, minimal norms; network and IT security.]

Proposal of concrete objectives

• internationally, authentication levels are established in relation to identity, characteristics and mandates
• each country has registration procedures for establishing the identity of individuals residing in their own country, according to the internationally established authentication levels
• each country has registration procedures for establishing the identity of legal entities and actual associations that are established in their own country, according to the internationally established authentication levels

Proposal of concrete objectives

• each country makes available to each individual, each legal entity and each actual association for whom/which the identity is established in accordance with the registration procedures, the means by which the concerned entity can produce and prove its identity (whether or not in a particular context) locally or remotely, verbally, visually and electronically on the territory of the country in question, without that entity’s identity being confused with the identity of another individual person, legal entity or actual association in that country

Proposal of concrete objectives

• each country has registration procedures for establishing the type of characteristics indicated by an internationally accredited body, according to the internationally established authentication levels
• each country has registration procedures for establishing the mandate of an individual to represent a legal entity or actual association, and the other types of mandates that are indicated by an internationally accredited body, according to the internationally established authentication levels

Proposal of concrete objectives

• each country has the necessary systems to produce and prove the characteristics and mandates of individuals, legal entities and actual associations that have been established according to the registration procedures (whether or not in a particular context), locally or remotely, verbally, visually and electronically on the territory of the country in question, either with the permission of the concerned entity or in accordance with a statutory or legal provision

Proposal of concrete objectives

• under the coordination of the European Commission, the Member States of the EU develop EU standards and specifications to ensure the semantic and technical interoperability of resources for producing and proving electronically the identity, characteristics and mandates through or in relation to individuals, legal entities and actual associations on the territory of other Member States

More information

• social security portal: www.socialsecurity.be
• website Crossroads Bank for Social Security: www.ksz.fgov.be
• personal website of the speaker: www.law.kuleuven.ac.be/icri/frobben