
Page 1

Swiss High Security Identity Solutions

Towards Trusted Web Services: Trust management framework using Public Key Infrastructure Technology

London – November 2006

Page 2

• CertifyID BlackBox
• WISeKey
• Identity (r)Evolution

Page 3

The Company

• Company Details
  – Founded in 1999
  – Headquarters in Geneva, Switzerland
• Competence & Activities
  – Global and Neutral Trust Model
    • Based on principles of neutrality and strategic global relationships
  – InfoSec Projects
    • Global PKI Deployments
    • World’s First Internet e-Voting Project
    • Digital Video Broadcasting MHP Security Framework
    • Secure Video Processing Alliance
  – High Security Data Centres
  – Trust Centre Solution
    • Windows Certificate Services and technology stack

Page 4

• Intelligent cities: Securing DestiNY USA, and Incheon, South Korea
• e-Voting: first ever binding Internet Vote
• Developing Countries: Deploying infrastructures with the ITU
• Digital TV: Securing the Digital Video Broadcasting Infrastructure & Secure Video Processor Alliance
• Object eIDs: Securing objects (luxury goods, construction materials)
• National ID Systems: ID cards, drivers permits, health cards, passports...

Getting There…

Page 5

• CertifyID BlackBox
• WISeKey
• Identity (r)Evolution

Page 6

Problem Statement

• The Internet was built without a way to know who and what you are connecting to
  – Everyone offering an internet service has had to come up with a workaround
  – Patchwork of identity one-offs
  – Not fair blaming the user – no framework, no control
• We are “Missing the identity layer”
• Digital identity currently exists in a world without synergy because of identity silos

Page 7

identity 0.0

Page 8

Identity 0.0

Page 9

Identity 0.0

• Resides on a Trusted Third Party
  – E.g. Confédération suisse
• Asymmetric relationship
  – No direct link with the issuer upon its utilisation
• Usable on a massive scale
• Optimal in terms of respect of the sphere of privacy
• Controllable by its holder

Page 10

identity 0.0 / 1.0

Page 11

Service Driven Model

Page 12

Identity 1.0

• Specific to each use case – One use – One identity
• Controlled by a Third Party
• Absence of sphere of privacy
• Reutilisation impossible / complex
• Limited confidence / trust

Page 13

Identity Crisis

Page 14

eID

• Confusion
• Complexity
• Cost
• Multiplication

Page 15

Identity Theft

• Phishing
• Pharming

50 million identities estimated stolen during the first quarter of 2005

Page 16

identity 1.0 / 2.0

Page 17

User Centric Model

Page 18

Example of a Digital ID

Sample card shown on the slide (X.509 certificate rendered as a membership card):

Jordi Aymerich
4159 6234 622
Member Level: Platinum
Member Since: 1997
Code: 625
Valid Through: 7/2006
travelux

X.509

Page 19

Example of a Digital Identity

Page 20

“Identity Management is not only about specifications and technologies… It’s also addressing national issues”

Page 21

• Reduce risks
  – Delegated Admin
  – Automate Processes
  – Centralize Helpdesk
  – Pre-audit checks
• Achieve “Compliance”
  – SOX
  – BASEL II
  – HIPAA
  – PCI-DSS…
• Improve Service and productivity
  – Data Accuracy
  – Self Service
  – Federation
  – Single sign-on
  – Service Provisioning
• Improve Security
  – Protect Data
  – Secure Access
  – Strong Authn
  – Roles
  – Protect Systems

Page 22

EU Data Protection Directive

Source: Kerry Shackelford - www.KLSConsultingLLC.com

European Union data protection directive

Page 23

Sarbanes Oxley

Section 404 of the Sarbanes-Oxley directive obliges companies to formalise all of the processes that could impact their finances

Page 24

Drivers – proof points

Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice

• SOX, HIPAA, GLB, Basel II, Title 21 CFR Part 11, EU Data Protection…
• $15.5 billion spend in 2005 on compliance (analyst estimate)
• One half of all enterprises have SOA under development
• Web services spending growing 45% CAGR (analyst estimate)
• Increasing incidence of identity theft (e.g. phishing scams)
• Identity theft costs banks and credit card issuers $1.2 billion per year
• On average employees need access to 16 apps and systems
• Companies spend $20-30 per user per year for PW resets

Page 25

Enterprise Networks

• Enterprises and employees
• Suppliers
• Partners
• Distant Employees
• Clients

Page 26

Web Services = +vulnerable zones

• Identity management and authentication
  – How to establish trusted authorities for handling identities?
  – What form of identities to use?
  – UID/password or strong authentication?
  – Digital certificates?
  – How to validate identities?
  – How to federate across trusted authorities?
• Access Control
  – What services and methods can be consumed by the requesting application?
  – Shall dynamic data determine access rights?
  – Groups based, roles based, resource based, combination thereof?

Page 27

+vulnerable zones = +security needs

• Data Privacy
  – What regulatory requirements apply, do I even know?
  – How is data privacy to be enforced?
  – What level of data encryption is necessary – internal storage at rest, over the internal network, over external networks, transfer to partner network?
• Network Security
  – Internal network must be protected, how?
  – Firewall policy implementation, enforcement points?
  – Examine packet content, data content?

Page 28

Addressed by specifications

• SAML
• WS-*
• XML Encryption / XML Digital Signature
• SOAP
• SSL, TLS
• PKIX
• Liberty Alliance
• etc.

• Most conservative companies are hesitant to deploy widespread web services
• But for those that do deploy, the use of common standards such as the following is essential:
  – SSL, TLS
  – XML (Encryption, Digital Signature)
  – SOAP
  – WSDL
  – SAML

Page 29

“It is not only about specifications and technologies… It’s also about addressing business and trust problems”

Page 30

• PKI Deployment
• WISeKey
• Identity (r)Evolution

Page 31

Core PKI Services

A public key infrastructure (PKI) is an arrangement that provides for a trusted third party vouching for user identities.

• Integrity: assurance to an entity that data has not been altered between “there” and “here” or between “then” and “now”
• Confidentiality: assurance to an entity that no one can read a particular piece of data except the intended receiver
• Authentication: assurance to one entity that another entity is who he, she, or it claims to be

Page 32

One of the Best Foundations

Page 33

Certificate usage

• Data Encryption
• Intranet/Extranet Access Management
• Mobile Data Encryption
• Digital Identity
• Digital Signature
• Email Encryption and Signature
• Access Control
• User Management

Page 34

… but not the only answer

• Certificates are commonly accepted and used as officially issued virtual IDs
• CardSpace and other systems extend this so that other identity providers can provide identity claims with privacy
  – RP (relying party) can be hidden from IP (identity provider)
  – User controls release of information
• Examples – Health, Travel etc.

Page 35

Distributed trust

CertifyID Blackbox™ is an innovative way to reduce the cost of deploying and managing a CA in a trusted environment

“Traditional” classical model
• High cost and complexity in managing certificates
• Little integration between professional CA and corporate database
Diagram: “Professional” / Outsourced CA → Certificate holder / Business user

WISeKey model
• Takes advantage of existing corporate “identity management” infrastructure
• Certificate lifecycle easier to manage
• Easy integration with corporate systems
Diagram: Root (WISeKey / OISTE) CA → Corporate [MS Server-based] CA → Certificate holder / Business user

Page 36

The CertifyID Trust Model

Diagram:
• Swiss Federal Government: Supervisory Authority
• Independent Auditor: Annual audit
• Policy Approval Authority
• Operator: Country A, Country B, Country C, Country D
• Governance / National Sovereignty

Page 37

Blackbox™ offering

The CertifyID Blackbox™ offers a complete and affordable out-of-the-box solution for establishing a Trusted Identity Infrastructure dedicated to your organization.

Components (diagram):
• Guardian XM – database redundancy and high availability services for Certification Authorities (CAs) on the Microsoft platform
• Trust Service – provides issued identities with global recognition & trust
• Web Services API – enterprise applications integration
• CRL Manager – publishes and monitors the Certificate Revocation List (CRL)

Page 38

Blackbox™ benefits

• Low cost – solution is cheaper than traditional PKI solution
• Ease of use –
  – based on Microsoft’s Certification Services
  – wizard-based installation – no PKI know-how necessary
  – simplified certificate management – transparent to users
  – data resiliency
• Integration –
  – tight integration with company’s Active Directory
  – easy integration with corporate applications through web services API
  – totally standards based – PKIX, X.509, CRL, OCSP
• Extended Trust Model –
  – internally managed issuance of e-IDs (confidentiality)
  – inclusion in community of trust for inter-company recognition of e-IDs

Page 39

WISeKey Trust Model

• Use existing Trust Parties – digitizing their current processes – Analog to Digital Trust
• Technically achieved through the sharing of a root certificate by highly authenticated Certification Authorities
• Flexible and scalable development of distributed trust communities
• Neutral root certificate ownership, administered by a neutral forum providing global recognition and inter-operability
• Achieve high security via technical controls, security hardware modules, auditing mechanisms
• Affordable, Low cost, ease of use, portability

Page 40

Conclusions

• eID is happening
  – Continues to drive more secure architectures on the Internet.
  – Many countries are playing a leader role
• Scenarios include
  – Many eGovernment applications
    • National eID card & Social security & Health & Tax etc.
  – Many Corporate to Corporate applications
  – Essential for Protecting Web Services
  – Increasing use in Identity management and Privacy Protection
• Technology for driving affordable government and business Trusted eID management and web services is available today!
  – OISTE Trust Model + WISeKey CertifyID Products

Page 41

WISeKey S.A
WISeKey S.A - World Trade Center II - 29, route de Pré-Bois CP 885 1215 Geneva, Switzerland
Tel: +41 22 594 30 00 - Fax: +41 22 594 30 01
e-mail: [email protected] - www.wisekey.com

Questions
