Integrated Electronic User and Access Management in the Belgian Public,
Social and Health Care Sector
Frank Robben
General manager Crossroads Bank for Social Security
CEO Smals
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: [email protected]
CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.ac.be/icri/frobben
2Frank Robben
Structure of the presentation
• General overview of user and access management
• Basic concepts related to user and access management
• Choices made in Belgium
  – Identification
  – Overall Information Security and Privacy Protection Policy
  – Policy Enforcement Model
  – User Management for citizens, professionals and companies
  – Access Management
  – Principle of “Circles of Trust”
• Transnational aspects
  – Needs
  – Proposal of a method
  – Proposal of concrete objectives
• Conclusion
General Overview
• 3 Target Groups
  – Citizens
  – Professionals
  – Companies and their service providers
• Different Aspects
  – User Management
    • Registration of the identity
    • Authentication of the identity
    • Registration of characteristics and mandates
    • Verification of characteristics and mandates
  – Access Management
    • Registration of authorizations
    • Verification of authorizations
User Management: Basic Concepts
• Identity
  – A number or a set of attributes of an entity that allows one to know precisely who or what the entity (physical person, company, …) is
  – An entity has only one identity, but this identity can be determined by several numbers or sets of attributes
• Characteristic
  – An attribute of an entity, other than the attributes determining its identity, such as a capacity, a function in an organisation, a professional qualification, ...
  – An entity can have several characteristics
User Management: Basic Concepts
• Mandate
  – A right granted by an identified entity to another identified entity to perform well-defined legal actions in its name and for its account
  – Is essentially a relationship between two entities
  – An entity can grant several mandates to several entities
• Registration
  – The process of determining the identity, a characteristic of an entity or a mandate of an entity with sufficient certainty, before making available the means by which the identity can be authenticated, or the characteristic or the mandate can be verified
User Management: Basic Concepts
• Authentication of the Identity
  – The process of checking whether the identity that an entity pretends to have in order to use an electronic service corresponds to the real identity
  – The authentication of the identity can be done based on the verification of
    • Knowledge (e.g. a password)
    • Possession (e.g. a certificate on an electronically readable card)
    • Biometric characteristics
    • A combination of those
User Management: Basic Concepts
• Verification of a characteristic or a mandate
  – The process of checking whether a characteristic or a mandate that an entity pretends to have in order to use an electronic service corresponds to a real characteristic or mandate of that entity
  – The verification of a characteristic or a mandate can be done by
    • The same kind of means as those used for the authentication of the identity
    • Or, after the authentication of the identity, by consulting a database (authentic source) that contains information about characteristics or mandates related to identified entities
Access Management: Basic Concepts
• Authorization
  – A permission to an entity to perform a defined action or to use a defined service
• Authorization Group
  – A group of authorizations
• Role
  – A group of authorizations or authorization groups related to a specific service
• Role Based Access
  – A method of assigning authorizations to entities by means of authorization groups and roles, in order to simplify the management of authorizations and their assignment to entities
[Diagram: Entity → Role → Authorization (Group) → Service]
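A worked illustration of these four concepts, added here and not part of the presentation or of the Belgian system's software: authorizations are grouped into authorization groups, roles bundle groups for one specific service, and an entity's role assignments are resolved transitively to its effective authorizations. All entity, group and role names are constructed sample values.

```python
# Constructed sample data (not the Belgian system's own registrations).
# An authorization is a permission to perform a defined action on a defined service.
AUTHORIZATIONS = {
    "read-social-file":  ("read", "social-file"),
    "write-social-file": ("write", "social-file"),
    "read-wages":        ("read", "wage-declaration"),
}
# An authorization group is a group of authorizations; groups may contain other groups.
GROUPS = {
    "social-file-consult": {"read-social-file"},
    "social-file-edit":    {"social-file-consult", "write-social-file"},
}
# A role is a group of authorizations or authorization groups related to one specific service.
ROLES = {
    "case-worker":    {"service": "social-file",      "members": {"social-file-edit"}},
    "wage-inspector": {"service": "wage-declaration", "members": {"read-wages"}},
}
# Role based access: entities are assigned roles, never individual authorizations.
ASSIGNMENTS = {
    "person-001": {"case-worker"},
    "person-002": {"case-worker", "wage-inspector"},
}

def expand(member, seen=None):
    """Transitively resolve a group or authorization name to leaf (action, service) pairs."""
    seen = set() if seen is None else seen
    if member in seen:
        return set()  # guard against cyclic group definitions
    seen.add(member)
    if member in AUTHORIZATIONS:
        return {AUTHORIZATIONS[member]}
    leaves = set()
    for child in GROUPS.get(member, ()):
        leaves |= expand(child, seen)
    return leaves

def effective_authorizations(entity):
    """All (action, service) pairs an entity holds through its assigned roles."""
    perms = set()
    for role in ASSIGNMENTS.get(entity, ()):
        service = ROLES[role]["service"]
        for member in ROLES[role]["members"]:
            # a role only grants authorizations on the service it relates to
            perms |= {p for p in expand(member) if p[1] == service}
    return perms

def is_permitted(entity, action, service):
    return (action, service) in effective_authorizations(entity)
```

Changing the membership of one authorization group (for instance removing "write-social-file" from "social-file-edit") changes the effective authorizations of every entity holding a role that includes it, which is the management simplification the slide refers to.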
Choices made in Belgium
• Identification
• Overall Information Security and Privacy Protection Policy
• Policy Enforcement Model
• User Management for
  – Citizens
  – Professionals
  – Companies
• Access Management
• Principle of “Circles of Trust”
Identification
• Identification number for every citizen and every company
  – Characteristics
    • Unique
      – Every entity in principle only has one identification number
      – The same identification number is not assigned to several entities
    • Exhaustive
      – Every entity to be identified has an identification number
    • Stable over time
      – Identification number should not contain variable characteristics of the identified entity
      – Identification number should not contain references to the identification number or characteristics of other entities
      – Identification number should not change when a quality or characteristic of the identified entity changes
Identification
• Art. 8, 7 Directive 95/46/EC: "Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed"
  – Evolution towards meaningless identification numbers
  – Unique identification numbers of citizens can only be used by instances authorized by a sectoral committee of the national privacy commission
  – In some sensitive sectors (e.g. justice, health, …), the identification number can be a specific number derived from the unique number of the citizen
  – Regulation on interconnection of personal data
• Registration of the identity of citizens by the municipalities
• Registration of the identity of companies by company counters
Overall Security and Privacy Protection Policy
• Overall policy on information security and privacy protection for eGovernment
  – Security, integrity and confidentiality of government information are ensured by integrating ICT measures with structural, organizational, physical, personnel screening and other security measures according to agreed policies
  – Every public institution has an information security and privacy protection department with an advising, documenting, stimulating and control mission
  – Personal information is only used for purposes compatible with the purposes of the collection of the information
  – Personal information is only accessible to authorized institutions and users according to business needs, legislative or policy requirements
Overall Security and Privacy Protection Policy
• Overall policy on information security and privacy protection for eGovernment
  – The communication of personal information by government bodies to third parties has to be authorized by the competent sectoral committee of the privacy commission, designated by Parliament, after having checked whether the communication conditions (e.g. purpose limitation, proportionality) are met
  – The authorizations to communicate personal information are public
  – Every actual electronic communication of personal information by a government body is preventively checked on compliance with the existing authorizations by an independent institution managing the interoperability framework used for the communication (clearing house function)
  – Every concrete electronic communication of personal information by a government body is logged by the clearing house, to be able to trace possible abuse afterwards
Overall Security and Privacy Protection Policy
• Overall policy on information security and privacy protection for eGovernment
  – Every time information is used to take a decision, the used information is communicated to the concerned person together with the decision
  – Every person has the right to access and correct his own personal data
Policy Enforcement Model
[Diagram: the User acts on an Application; the Policy Enforcement Point (PEP) sends a Decision Request to the Policy Decision Point (PDP) and receives a Decision Reply; the PDP performs Policy Retrieval from the Policy Administration Point (PAP), whose Policy Repository is maintained by a Manager through Policy Management, and exchanges Information Request/Reply messages with Policy Information Points (PIP) backed by Authentic Sources; the action on the application is then PERMITTED or DENIED]
Policy Enforcement Point (PEP)
• Intercepts the request for authorization with all available information about the user, the requested action, the resources and the environment
• Passes on the request for authorization to the Policy Decision Point (PDP) and extracts a decision regarding authorization
• Grants access to the application and provides relevant credentials
Policy Decision Point (PDP)
• Based on the request for authorization received, retrieves the appropriate authorization policy from the Policy Administration Point(s) (PAP)
• Evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)
• Takes the authorization decision (permit/deny/not applicable) and sends it to the PEP
Policy Administration Point (PAP)
• Environment to store and manage authorization policies by authorised person(s) appointed by the application managers
• Puts authorization policies at the disposal of the PDP
Policy Information Point (PIP)
• Puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources with characteristics, mandates, etc.)
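The decision flow of the four points described above, as an added example that is not part of the presentation or of the Belgian system's software: a small Python model in which the PAP holds authorization rules (service, action, minimum authentication level, required characteristic or mandate, validity period, as on the "Authorizations" slide), the PIP answers from constructed authentic sources of characteristics and mandates, the PDP returns permit/deny/not applicable, and the PEP enforces the decision and logs who used which service concerning whom, when, via which channel and for which purpose. All identities, services and rules are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# PIP side: authentic sources. Constructed sample records, not real data.
CHARACTERISTICS = {"person-001": {"medical doctor"}, "person-002": {"accountant"}}
MANDATES = {("company-A", "person-002"): {"declare-wages"}}  # (principal, mandatary) -> services

def pip_characteristics(identity):  # information request/reply to the characteristics source
    return CHARACTERISTICS.get(identity, set())

def pip_has_mandate(principal, mandatary, service):  # information request/reply to the mandates source
    return service in MANDATES.get((principal, mandatary), set())

# PAP side: authorization rules registered by the provider of the service.
@dataclass
class Rule:
    service: str
    action: str
    min_level: int                        # authentication level the user must have reached
    characteristic: Optional[str] = None  # characteristic the user must hold, if any
    mandate_required: bool = False        # user must act under a mandate of the principal
    valid_from: date = date.min           # period during which the rule applies
    valid_to: date = date.max

POLICIES = [
    Rule("consult-patient-file", "read", min_level=3, characteristic="medical doctor"),
    Rule("declare-wages", "submit", min_level=2, mandate_required=True,
         valid_from=date(2006, 1, 1), valid_to=date(2006, 12, 31)),
]

def pap_policies(service, action):  # policy retrieval
    return [r for r in POLICIES if r.service == service and r.action == action]

# PDP: evaluates the retrieved rules against the request and the PIP data.
@dataclass
class Request:
    user: str
    auth_level: int
    service: str
    action: str
    on_behalf_of: Optional[str] = None  # principal (company) in whose name the user acts
    today: str = "2006-06-01"           # environment attribute, ISO date (constructed)

def pdp_decide(req):
    rules = pap_policies(req.service, req.action)
    if not rules:
        return "NOT_APPLICABLE"  # no registered policy covers this service/action
    when = date.fromisoformat(req.today)
    for r in rules:
        if not (r.valid_from <= when <= r.valid_to) or req.auth_level < r.min_level:
            continue
        if r.characteristic and r.characteristic not in pip_characteristics(req.user):
            continue
        if r.mandate_required and not (
            req.on_behalf_of and pip_has_mandate(req.on_behalf_of, req.user, req.service)
        ):
            continue
        return "PERMIT"  # every condition of a registered rule is met
    return "DENY"

# PEP: intercepts the request, obtains the decision, enforces and logs it.
LOG = []  # who used which service concerning whom, when, via which channel, for which purpose

def pep_enforce(req, channel="web", purpose="unspecified"):
    decision = pdp_decide(req)
    LOG.append({"user": req.user, "service": req.service, "action": req.action,
                "concerning": req.on_behalf_of, "when": req.today, "channel": channel,
                "purpose": purpose, "decision": decision})
    return decision == "PERMIT"
```

The log record written by the PEP carries exactly the fields the "Circles of Trust" slide requires for a later complete tracing.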
Architecture
[Diagram: three deployments of the same policy enforcement architecture, for the social sector (CBSS), the non-social federal public services (FedICT) and Be-Health. In each deployment the USER reaches the APPLICATIONS (WebApp XYZ) through Authentication and an Authorisation PEP with a Role Mapper; a PAP "Kephas" with its Role Mapper DB and a PDP with a Role Provider and Role Provider DB take the decisions; PIP Attribute Providers draw on authentic sources such as UMAF, Management VAS, RIZIV, DB XYZ, DB Mandaten (mandates) and DB Gerechtsdeurwaarders (bailiffs)]
Citizens
• Level 0
  – Registration of the identity of citizens: None
  – Authentication of the identity of citizens: None
  – Services: Public information/services
• Level 1
  – Registration: Online by input of the national identification number, the number of the identity card and the number of the social security card
  – Authentication: User number and password chosen by the user
  – Services: Lowly sensitive information/services
• Level 2
  – Registration: Level 1 + e-mail with URL for activation sent to an e-mail address mentioned by the citizen and paper token sent to the residence of the citizen as registered in the national register
  – Authentication: Level 1 + input of an arbitrarily asked string mentioned on the paper token (contains 24 strings)
  – Services: Medium sensitive information/services
• Level 3
  – Registration: Physical visit at the municipality in order to get the eID
  – Authentication: Authentication certificate of the eID + password per session
  – Services: Highly sensitive information/services
• Level 4
  – Registration: Physical visit at the municipality in order to get the eID
  – Authentication: Authentication certificate of the eID + signature certificate on the eID + password per transaction
  – Services: Services requiring an electronic signature
Citizens
• At the moment, a citizen only has access to
  – Public information and services
  – Non-public services regarding himself
• Thus, only need of
  – Registration of the identity
  – Authentication of the identity at a level adapted to the sensitivity degree of the service
• (For the time being) no need for
  – Verification of characteristics
  – Verification of mandates
Professionals
• Who?
  – Employees of public services and social security institutions
  – Specific professions: health care providers (medical doctors, pharmacists, …), notaries, bailiffs, accountants, …
  – ...
• Registration and authentication of the identity
  – In principle same system as the citizens system
  – For employees of public services and social security institutions, the paper token at level 2 is sent to the information security officer of the public service or the social security institution that employs the employee and is delivered to the employee by this information security officer
Professionals
• Registration of characteristics and mandates
  – Designation by the government, for every (type of) characteristic(s) or mandate(s), of an appropriate body (called the registration authority) that has the responsibility to register the characteristic or the mandate with sufficient certainty
  – Storage of the characteristic or the mandate by the registration authority into an authentic source (PIP) accessible to all interested parties
• Verification of characteristics and mandates
  – Consultation of the relevant authentic sources (PIP) accessible to all interested parties
  – In case of use of the paper token, also the arbitrarily requested string mentioned on the paper token
Companies
• Level 0
  – Identity registration of mandataries of companies: None
  – Identity authentication of mandataries of companies: None
  – Services: Public information/services
• Level 1
  – Registration: Local administrator: signed (electronic) form to the National Office for Social Security by the company for whom the person acts as a local administrator; other mandataries: registration by the local administrator
  – Authentication: User number and password chosen by the user
  – Services: Lowly or medium sensitive information/services
• Level 2
  – Registration: Physical visit at the municipality in order to get the eID
  – Authentication: Authentication certificate on the eID + password per session
  – Services: Highly sensitive information/services
• Level 3
  – Registration: Physical visit at the municipality in order to get the eID
  – Authentication: Authentication certificate on the eID + signature certificate on the eID + password per transaction
  – Services: Services requiring an electronic signature
Registration of Mandates for Companies
• Authentic source (PIP) at the National Office for Social Security accessible to all interested parties containing
  – For every company, the mandate of its local administrator to use certain information/services in the name of the company
  – For every company, any mandates of external service providers (social secretariats, accountants, …) to use certain information/services in the name of the company
  – For every service provider, the mandate of its local administrator to use certain information/services in the name of the service provider
  – Possibility for the local administrator to designate sub-local administrators for clusters of information/services
  – Possibility for the (sub-)local administrators of companies/service providers to grant mandates to other employees of the company/service provider to use certain information/services in the name of the company/service provider
Authorizations
• Registration
  – Storage in an authentic source of authorization rules (PAP) by the provider of the electronic service, specifying which types of processing may be executed related to the service, under which conditions (e.g. characteristics, mandates, …) and during which periods of time
• Verification
  – Consultation of the relevant authentic sources of authorizations (PAP) accessible to all interested parties
How to Choose a Security Level?
• Responsibility of the provider of an electronic service under supervision of the Privacy Commission
• Based on a risk assessment and depending on, among other things,
  – The type of processing: communication, consultation, alteration, …
  – The scope of the service: does the processing only concern the user or also other persons?
  – The degree of sensitivity of the data processed
  – The possible impact of the processing
• On top of the security level, the use of an electronic signature might be needed in order to protect the provider of the service against disputes
• In the social sector and the federal government: decision of the Board of Directors of the Crossroads Bank for Social Security set down in a user regulation
Principle of “Circles of Trust”
• Aim
  – To avoid unnecessary centralization
  – To avoid unnecessary threats to the protection of privacy
  – To avoid multiple similar controls and registration of loggings
• Method: division of tasks between the entities associated with the electronic service, including clear agreements on
  – Who is in charge of which authentications, verifications and controls by which means
  – How the results of the authentications, verifications and controls can be safely exchanged electronically between the entities concerned
  – Who keeps which log files
  – How to ensure that in case of an investigation, on one’s own initiative or in response to a complaint, a complete tracing can be realized in order to know which physical person has used which service or transaction concerning which citizen or company, when, through which channel and for which purposes
Transnational Aspects
• Huge need to be able to electronically
  – Identify and authenticate the identity of all relevant foreign entities (physical persons, companies, …)
  – Verify the relevant characteristics of the foreign entities
  – Verify that an entity has been mandated by another foreign entity to perform a legal action
• Need to implement the objective and related actions from the inter-ministerial statement about eGovernment in the EU issued on 24th November 2005
Inter-ministerial statement
“By 2010 European citizens and business shall be able to benefit from secure means of electronic identification that maximise user convenience while respecting data protection regulations. Such means shall be made available under the responsibility of the Member States, but recognised across the EU.”
Inter-ministerial Statement: Actions
• “Member States will, during 2006, agree a process and roadmap for achieving the electronic identity objectives and address the national and European legal barriers to the achievement of the electronic identity objectives; work in this area is essential for public administrations to deliver personalised electronic services with no ambiguity as to the user’s identity.”
• “Member States will, over the period 2006-2010, work towards the mutual recognition of national electronic identities by testing, piloting and implementing suitable technologies and methods.”
Some Use Cases
• Individual residing in Member State A is temporarily employed (posted) in Member State B
  – The employer or his representative has to ask for authorization from the competent social security institution of Member State A
  – The competent social security institution of Member State A (electronically) sends an E101 form to the competent social security institution of Member State B
  => Need for (interrelated) identification of the employer, his representative and the employee in both Member States, need for authentication of the characteristic "employer" and need for authentication of the mandate of the representative
Some Use Cases
• Individual residing in Member State A works, studies or looks for work in Member State B => need for (interrelated) identification of the individual in both Member States
• Individual residing in Member State A simultaneously works in various other Member States => need for (interrelated) identification of the individual in all Member States
• Individual residing in Member State A needs health care in Member State B (form E111, (e)EHIC) => need for (interrelated) identification of the individual in both Member States
Some Use Cases
• Individual residing in Member State A has to exchange (in an electronic way) data with public authorities in Member State B => need for (interrelated) identification of the individual in both Member States
• Employer or his representative residing in Member State A has to exchange (in an electronic way) data about his employees with public authorities in Member State B => need for (interrelated) identification in both Member States of the employer, his representative and the employees, need for authentication of the characteristic "employer" and need for authentication of the mandate of the representative
Proposal of a Method
• Method of Open Coordination
  – The Member States and the European Commission define common objectives and a common timing to meet the objectives
  – Each Member State makes a national action plan in order to meet the objectives within the agreed time frame
  – Each Member State periodically reports to the European Commission about the national status quaestionis in meeting the objectives and about the execution of the national action plan
  – The European Commission makes a sound synthesis of the national reports
  – If needed, the European Commission proposes, based on the recommendations of the Member States, amendments to adjust the objectives
  – The European Commission organises the exchange of best practices between Member States
Proposal of Concrete Objectives
• Internationally, authentication levels are established in relation to identity, characteristics and mandates
• Each country has registration procedures for establishing the identity of individuals residing in its own country, according to the internationally established authentication levels
• Each country has registration procedures for establishing the identity of legal entities and actual associations that are established in its own country, according to the internationally established authentication levels
Proposal of Concrete Objectives
• Each country makes available to each individual, each legal entity and each actual association for whom/which the identity is established in accordance with the registration procedures, the means by which the concerned entity can produce and prove its identity (whether or not in a particular context) locally or remotely, verbally, visually and electronically on the territory of the country in question, without that entity’s identity being confused with the identity of another individual person, legal entity or actual association in that country
Proposal of Concrete Objectives
• Each country has registration procedures for establishing the types of characteristics indicated by an internationally accredited body, according to the internationally established authentication levels
• Each country has registration procedures for establishing the mandate of an individual to represent a legal entity or actual association, and the other types of mandates that are indicated by an internationally accredited body, according to the internationally established authentication levels
Proposal of Concrete Objectives
• Each country has the necessary systems to produce and prove the characteristics and mandates of individuals, legal entities and actual associations that have been established according to the registration procedures (whether or not in a particular context), locally or remotely, verbally, visually and electronically on the territory of the country in question, either with the permission of the concerned entity or in accordance with a statutory or legal provision
Proposal of Concrete Objectives
• Under the coordination of the European Commission, the Member States of the EU develop EU standards and specifications to ensure the semantic and technical interoperability of resources for producing and proving electronically the identity, characteristics and mandates through or in relation to individuals, legal entities and actual associations on the territory of other Member States
Conclusion
• An integrated system for user and access management for citizens, professionals and companies exists in Belgium
• Based on a well coordinated assignment of tasks to the most appropriate bodies
• Accessible via open standards
• The system permits the use of common basic services without loss of autonomy
• The system permanently evolves according to ever changing user requirements
More information
• Personal website Frank Robben
  – http://www.law.kuleuven.ac.be/icri/frobben
• Website Crossroads Bank for Social Security
  – http://www.ksz.fgov.be
• Website Smals
  – http://smals.be
• Website Federal Public Service for Information and Communication Technology (FedICT)
  – http://www.fedict.be
• Electronic identity card
  – http://eid.belgium.be/nl/navigation/12000/index.html