Identity and Access Mgmt and electronic Identities, Belgian Federal Government. Walter Van Assche, January 16th, 2012, Chisinau


Page 1: Identity and Access Mgmt and electronic Identities

Belgian Federal Government

Walter Van Assche

January 16th, 2012

Chisinau

Page 2: ELECTRONIC IDENTITY (CARD)

Page 3: Goal of the eID project

• To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures
• Proof of identity
• Signature tool

Page 4: eID partners

Page 5: The eID as an e-gov. building block

Page 6: Belgian eID Project Timeline

• 13 Dec 1999: European Directive 1999/93/EC on Electronic Signatures
• 22 Sept 2000: Council of Ministers approves eID card concept study
• 19 July 2001: Council of Ministers approves basic concepts (smart card, citizen certificates, no integration with the SIS card; the Ministry of Internal Affairs is responsible for the RRN's infrastructure, pilot municipalities, helpdesk, card production, legal framework, …; Fedict for certification services)
• 3 Jan 2002: Council of Ministers assigns the RRN's infrastructure to NV Steria
• 27 Sept 2002: Council of Ministers assigns card production to NV Zetes, certificate services to NV Belgacom
• 31 March 2003: first 4 eID cards issued to civil servants
• 9 May 2003: first pilot municipality starts issuing eID cards
• 25 July 2003: eleventh pilot municipality started
• 25 January 2004: start of pilot phase evaluation
• 27 September 2004: start of nation-wide roll-out
• September 2005: all newly issued ID cards are eID cards
• Start of 2009: all citizens have an eID card

Page 7: The eID “product family”

• eID
• Kids-ID
• Foreigner-ID

Page 8: The eID: results

• eID: more than 8.6 million cards issued (2nd wave)
• Kids-ID: potential of 1.3 million cards; more than 100,000 cards issued since March 2009
• Foreigner-ID: potential of 1.5 million cards; more than 150,000 cards issued since 2008

Page 9: How does it work?

(Figure: the user's browser on the Internet; the external portal's web server and application server; the Federal ePortal's web server, application server and LDAP directory, with the ePortal user; an external firewall in front of each site.)

1) Request (browser to the external portal web server)
2) Redirect to ePortal login page
3) Login in ePortal authentication page
4.1) / 4.2) Checking credentials (ePortal application server and LDAP directory)
5.1) Redirect with SAMLResponse (posting with JavaScript)
5.2) Redirect with SAMLResponse (to the external portal's application server)
6) Session creation

Page 10: Alternatives with different security levels

• Different security levels:
  – level 0: public access
  – level 1: user name + password
  – level 2: user name + password + token
  – level 3: electronic identity card
• Future evolutions (based on eID):
  – Mobile identity
  – One-time password generators?
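As an added example, not code from the slides or from Fedict, the following Python models both sides of the exchange drawn on page 9 (the ePortal issuing a SAMLResponse that the browser posts with JavaScript, and the relying party validating it before step 6, session creation) together with the security levels listed above: the application states the level it needs and the assertion carries the level the user actually authenticated at. All URLs, entity IDs, AuthnContext URNs and the NRN value are assumptions; the "signature" is an HMAC over the canonicalised Assertion, standing in for the XML-DSig a real IdP produces, so that the example runs on the standard library alone (Python 3.8+ for `ET.canonicalize`).

```python
"""Added example (not Fedict code): the SAML 2.0 HTTP-POST exchange of slide 9 and the
level check of slide 10. URLs, entity IDs, AuthnContext URNs, the HMAC "signature"
(standing in for XML-DSig) and the NRN values are assumptions."""
import base64, datetime as dt, hashlib, hmac, secrets
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("saml", NS["saml"])              # same prefix on both sides
IDP_ISSUER, SP_ENTITY_ID, ACS_URL = ("https://eportal.example.be/idp",        # assumed
                                     "https://portal.example.be/sp", "https://portal.example.be/saml/acs")
IDP_KEY = b"demo-hmac-key-in-place-of-the-idp-rsa-key"  # assumed; a real IdP signs with RSA (XML-DSig)
SIG_TAG = "{urn:example:hmac-sig}Signature"            # assumed element carrying that HMAC
LEVEL_OF = {f"urn:example:level:{n}": n for n in (1, 2, 3)}  # assumed URNs for slide 10's levels
SKEW = dt.timedelta(seconds=60)                        # tolerated clock drift between IdP and SP
_FMT = "%Y-%m-%dT%H:%M:%SZ"
_t = lambda s: dt.datetime.strptime(s, _FMT)

def _sign(assertion_xml):
    """HMAC over the canonical form, so the SP's re-serialisation still verifies."""
    canon = ET.canonicalize(xml_data=assertion_xml, strip_text=True)
    return hmac.new(IDP_KEY, canon.encode(), hashlib.sha256).hexdigest()

def idp_build_response(in_response_to, subject_nrn, authn_context, now):
    """ePortal side (steps 4-5): bind an assertion to the SP's request and return the
    base64 SAMLResponse that the JavaScript auto-submit form posts to ACS_URL."""
    ts, exp = now.strftime(_FMT), (now + dt.timedelta(minutes=5)).strftime(_FMT)
    assertion = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_{secrets.token_hex(16)}" IssueInstant="{ts}" '
        f'Version="2.0"><saml:Issuer>{IDP_ISSUER}</saml:Issuer><saml:Subject><saml:NameID>{subject_nrn}'
        f'</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{ACS_URL}" '
        f'NotOnOrAfter="{exp}"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions '
        f'NotBefore="{ts}" NotOnOrAfter="{exp}"><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}'
        f'</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement '
        f'AuthnInstant="{ts}"><saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}'
        f'</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')
    response = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_{secrets.token_hex(16)}" '
        f'InResponseTo="{in_response_to}" Destination="{ACS_URL}" IssueInstant="{ts}" Version="2.0">'
        f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
        f'</samlp:Status>{assertion}<Signature xmlns="urn:example:hmac-sig">{_sign(assertion)}'
        f'</Signature></samlp:Response>')
    return base64.b64encode(response.encode()).decode()

def sp_consume_response(saml_b64, pending_request_ids, seen_assertion_ids, required_level, now):
    """Relying-party side (step 6): checks before session creation; ValueError names the failure."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != ACS_URL:
        raise ValueError("not a Response addressed to our ACS URL")
    if not root.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success"):
        raise ValueError("IdP did not report Success")
    a = root.find("saml:Assertion", NS)
    if a is None or len(root.findall("saml:Assertion", NS)) != 1:   # refuse smuggled extra assertions
        raise ValueError("expected exactly one Assertion")
    a.tail = None
    if not hmac.compare_digest(root.findtext(SIG_TAG) or "", _sign(ET.tostring(a, encoding="unicode"))):
        raise ValueError("assertion signature invalid")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:   # fields are trustworthy only now
        raise ValueError("unexpected Issuer")
    req_id = root.get("InResponseTo")
    if req_id not in pending_request_ids:
        raise ValueError("unsolicited response or request ID already consumed")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("InResponseTo") != req_id or scd.get("Recipient") != ACS_URL:
        raise ValueError("SubjectConfirmationData does not match our request")
    if now - SKEW >= _t(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if not (_t(cond.get("NotBefore")) - SKEW <= now < _t(cond.get("NotOnOrAfter")) + SKEW):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion issued for another relying party")
    if a.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    level = LEVEL_OF.get(ctx, 0)                       # unknown context counts as level 0 (public)
    if level < required_level:
        raise ValueError(f"authenticated at level {level}, application needs {required_level}")
    pending_request_ids.discard(req_id)                # one response per request
    seen_assertion_ids.add(a.get("ID"))                # never accept this assertion again
    return {"nrn": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "level": level}

def demo():
    """One good level-3 login, then four responses the SP must reject.
    Returns (session, {case: reason}) so the outcome can be checked."""
    now, seen = dt.datetime(2012, 1, 16, 10, 0), set()
    good = idp_build_response("_req-1", "85010112345", "urn:example:level:3", now)  # constructed NRN
    session = sp_consume_response(good, {"_req-1"}, seen, 3, now)
    forged = base64.b64encode(base64.b64decode(good).replace(b"85010112345", b"99010112345")).decode()
    weak = idp_build_response("_req-2", "85010112345", "urn:example:level:1", now)
    cases = {"replay": (good, {"_req-1"}, seen, 3, now),
             "expired": (good, {"_req-1"}, set(), 3, now + dt.timedelta(minutes=10)),
             "tampered": (forged, {"_req-1"}, set(), 3, now),
             "weak level": (weak, {"_req-2"}, set(), 3, now)}
    reasons = {}
    for name, args in cases.items():
        try:
            sp_consume_response(*args)
        except ValueError as err:
            reasons[name] = str(err)
    return session, reasons
```

`demo()` runs one successful login and then the four responses a relying party must refuse: a replayed response, an expired one, one whose NameID was edited after signing, and one where the user only authenticated at level 1 while the application demands level 3. In production the HMAC line is replaced by XML-DSig verification through a SAML library (xmlsec, python3-saml); what carries over unchanged is the order of the checks: verify the signature before reading any field, accept exactly one assertion, bind the response to a request you issued, enforce audience, recipient and validity window, and remember consumed assertion IDs.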

Page 11: IDENTITY AND ACCESS MANAGEMENT IN EGOV

Page 12: What is IAM? A simple story…

(Figure: User → Application: getting access.)

© Fedict 2009. All rights reserved | p. 12

Page 13: What is IAM? A simple story…

(Figure: User → Application: identification & authentication, then getting access.)

Page 14: What is IAM? A simple story…

(Figure: User → Application: identification & authentication; attributes (name, company, …) taken from authentic sources: NRN, KBO (Crossroads Bank for Enterprises), Notarissen (notaries), …; getting access.)

Page 15: What is IAM? A simple story…

(Figure: User → Applications: identification & authentication; attributes (name, company, …) from the authentic sources NRN, KBO, Notarissen, …; roles and permissions decide getting access.)

Page 16: What is IAM? A simple story…

(Figure: the getting-access side as before: User → Application with identification & authentication, attributes (name, company, …) from NRN, KBO, Notarissen, …, roles and permissions. Added on the granting-access side: the Legal Representative (known from KBO) appoints the Chief Security Mgr, who appoints the Security Manager; roles and permissions are granted through a workflow.)

Page 17: IAM…. In a complex reality

Process overview (figure): Manage Identity; Manage Virtual Identity; Attestation; Reporting; Risk Definition; Relying Party Management; Auditing; Manage Organizational Membership; Manage Role Definition; Manage Permission; Mandate Management; Manage Domains; Manage Contexts; Request Permission; Authenticate.

Page 18: Relevance of IAM within eGovernment context

Page 19: Security management >> A historical agreement

• An agreement is being defined between Belgian government partners, providing a basis for integrated security management
• A joint security management platform will be offered as a managed service
• All partners can participate in the steering group of the joint platform
• …

Page 20: Federated context >> co-existence

Page 21: Federated context: Example >> Digiflow

(Figure: three co-existing contexts: the OCMW (public centres for social welfare), the Federal government and the local governments. User → Digiflow: identification & authentication; attributes (name, company, …) from NRN, KBO, Notarissen, …; permissions; getting access.)

Page 22: Federated context: Example >> Tax on Web for accountants

(Figure: getting access: User → Tax on Web with identification & authentication, attributes (name, company, …) from NRN, KBO, …, roles and permissions. Granting access: the legal representative (from KBO), the Head Security Mgr and the Security Mgr grant roles through a workflow. New building block: Mandate Mgt, so that an accountant can act on behalf of a client company.)
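The "simple story" of pages 15 and 16 and the Tax-on-Web example above describe the same delegation chain from two angles: an authentic source (KBO) says who legally represents a company, that person appoints a security manager, the security manager hands out application roles, and, for accountants, a mandate from the client company is needed on top of the accountant's own role. As an added example, not Fedict's Role Admin or Mandate Mgt code, the following Python models that chain with the authority check at each step and the final access decision; the ordering of the chain is read off the figure labels, and the enterprise numbers, NRNs, role and permission names are constructed.

```python
"""Added example (not Fedict's Role Admin or Mandate Mgt code): the access-granting chain of
slides 15, 16 and 22 (legal representative -> Chief Security Manager -> Security Manager ->
user roles) and the accountant mandate of slide 22. The ordering of the chain is read off the
figure labels; enterprise numbers, NRNs, role and permission names are constructed."""
import datetime as dt
from dataclasses import dataclass, field

# Authentic-source stand-in for KBO: enterprise number -> NRNs of its legal representatives.
KBO = {"0123456789": {"nrn-legal-accountants"},       # the accountancy firm (constructed)
       "0987654321": {"nrn-legal-client"}}            # its client company (constructed)
# Role definitions: "<application>.<role>" -> permissions (assumed names).
ROLES = {"taxonweb.filer": {"declaration.read", "declaration.submit"},
         "taxonweb.reader": {"declaration.read"}}

@dataclass
class Mandate:
    principal: str          # enterprise number of the company granting the mandate
    agent: str              # enterprise number of the firm receiving it
    application: str        # e.g. "taxonweb"
    valid_until: dt.date

@dataclass
class IamStore:
    chief_security_managers: dict = field(default_factory=dict)  # company -> {nrn}
    security_managers: dict = field(default_factory=dict)        # company -> {nrn}
    role_assignments: dict = field(default_factory=dict)         # (nrn, company) -> {role}
    mandates: list = field(default_factory=list)
    audit: list = field(default_factory=list)                    # every grant is traceable

def _require(condition, reason):
    if not condition:
        raise PermissionError(reason)

def appoint_chief_security_manager(store, by, company, who):
    """Only a legal representative known to the authentic source may appoint the CSM."""
    _require(by in KBO.get(company, ()), f"{by} is not a legal representative of {company}")
    store.chief_security_managers.setdefault(company, set()).add(who)
    store.audit.append(f"{by} appointed {who} as Chief Security Manager of {company}")

def appoint_security_manager(store, by, company, who):
    """The CSM delegates day-to-day role administration to Security Managers."""
    _require(by in store.chief_security_managers.get(company, ()), f"{by} is not CSM of {company}")
    store.security_managers.setdefault(company, set()).add(who)
    store.audit.append(f"{by} appointed {who} as Security Manager of {company}")

def assign_role(store, by, company, who, role):
    """Workflow step: a Security Manager grants an application role within the company context."""
    _require(by in store.security_managers.get(company, ()), f"{by} is not a Security Manager of {company}")
    _require(role in ROLES, f"unknown role {role}")
    store.role_assignments.setdefault((who, company), set()).add(role)
    store.audit.append(f"{by} gave {who} role {role} in {company}")

def grant_mandate(store, by, principal, agent, application, valid_until):
    """Mandate management: the client's legal representative lets another firm act for it."""
    _require(by in KBO.get(principal, ()), f"{by} cannot mandate on behalf of {principal}")
    store.mandates.append(Mandate(principal, agent, application, valid_until))
    store.audit.append(f"{by} mandated {agent} for {application} on behalf of {principal} until {valid_until}")

def revoke_mandate(store, by, principal, agent, application):
    _require(by in KBO.get(principal, ()), f"{by} cannot revoke mandates of {principal}")
    store.mandates = [m for m in store.mandates
                      if (m.principal, m.agent, m.application) != (principal, agent, application)]

def authorize(store, nrn, company, application, permission, on_behalf_of, today):
    """Access decision for a user of `company` doing `permission` in `application` on the
    dossier of `on_behalf_of`. Returns (allowed, reason)."""
    roles = store.role_assignments.get((nrn, company), set())
    granted = set().union(*(ROLES[r] for r in roles if r.startswith(application + ".")))
    if permission not in granted:
        return False, f"{nrn} has no role in {company} granting {application}:{permission}"
    if on_behalf_of == company:
        return True, "own dossier"
    for m in store.mandates:           # acting for someone else needs a live mandate too
        if (m.principal, m.agent, m.application) == (on_behalf_of, company, application):
            if today <= m.valid_until:
                return True, f"mandate from {on_behalf_of} valid until {m.valid_until}"
            return False, f"mandate from {on_behalf_of} expired on {m.valid_until}"
    return False, f"no {application} mandate from {on_behalf_of} to {company}"

def demo():
    """Walks the Tax-on-Web-for-accountants story; returns the access decisions for checking."""
    s, firm, client = IamStore(), "0123456789", "0987654321"
    appoint_chief_security_manager(s, "nrn-legal-accountants", firm, "nrn-csm")
    appoint_security_manager(s, "nrn-csm", firm, "nrn-sm")
    assign_role(s, "nrn-sm", firm, "nrn-accountant", "taxonweb.filer")
    grant_mandate(s, "nrn-legal-client", client, firm, "taxonweb", dt.date(2012, 12, 31))
    args = ("nrn-accountant", firm, "taxonweb", "declaration.submit")
    decisions = {"file for client": authorize(s, *args, client, dt.date(2012, 1, 16))[0],
                 "after expiry": authorize(s, *args, client, dt.date(2013, 1, 2))[0],
                 "other company": authorize(s, *args, "0555555555", dt.date(2012, 1, 16))[0]}
    try:                               # an ordinary employee cannot hand out roles
        assign_role(s, "nrn-accountant", firm, "nrn-friend", "taxonweb.filer")
        decisions["self-grant"] = True
    except PermissionError:
        decisions["self-grant"] = False
    revoke_mandate(s, "nrn-legal-client", client, firm, "taxonweb")
    decisions["after revocation"] = authorize(s, *args, client, dt.date(2012, 1, 16))[0]
    return decisions
```

The point of the split is that no single party can grant itself access: the role in the accountant's own firm comes from that firm's security manager, while the right to touch the client's dossier comes only from the client's legal representative, and both are checked at decision time rather than copied into the user's profile, so revoking or letting the mandate expire takes effect immediately.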

Page 23: Fedict IAM offering: Trusted Third Party

(Figure: authentic sources (RR, BIS, KBO, …) feed the Circle of Trust, in which Fedict operates FAS (the Federal Authentication Service) and Role Admin; relying parties Application A … Application X rely on them; actors: User, Relying Party Admin, ….)

Page 24: Fedict IAM evolution

Current building blocks (grouped under Role Mgt, Authentication and User Mgt): Role Admin, Citizen Admin, TUM Self Service, Magma, Magma WS, FAS1, FAS+, Attribute Service, CS Admin, VO Sync, Reporting.

Optimized building blocks (same three groups): Self Registration, Self Management, User Lifecycle Management, Risk Management, Role Definition Management, Role Assignment, Organization Assignment, Identification & Authentication, Attribute Publication, Relying Party Management, Reporting Management.

Page 25: EU pilots that work on cross-border interoperability

© fedict 2011. All rights reserved

Page 26: Overview of the LSPs' (Large Scale Pilots') collaborations

(Figure: building blocks shared between the pilots: eDelivery, eSafe, Company Dossier, Citizen ID, Company ID, eSignature, Privacy, Transport Infrastructure, eDoc Containers, eID for legal entities, Visible Digital Signatures, Syndication, eDirectories.)

Page 27: Thank you

Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse

Brussel 1000 Bruxelles

TEL. +32 2 212 96 00 | FAX +32 2 212 96 99

[email protected] | www.fedict.belgium.be