Page 1

Establishing Trust Across International Communities

Proprietary - British Business Federation Authority – [email protected]

6 Feb 2013

www.federatedbusiness.org


Page 2

Strategic Drivers - Industry

1. Business is becoming more collaborative and international

2. Increasing legal, regulatory and commercial requirements for accountability and information protection in regulated industries

3. Information protection requires access control

4. Access control requires identity, authentication and authorisation, which are the basis of trust

5. Trust across multiple organisations requires federation

– Organisations have to be considered trustworthy to trust each other

– Organisations need a common language of business to understand each other

6. Federation requires collaborative governance and agreed Common Policy

7. US and European federation bodies are pressing ahead and setting federation standards, leveraging national ID activities

8. UK needs a governance body for federated trust for UK industry

Page 3

[Diagram: two stacked five-layer models (Process, Information, Application, Data, Infrastructure) for Organisation A and Organisation B in the Business World, mirrored by the same five layers for Node A and Node B in the Cyber World; each pair is labelled with both Competition and Collaboration. Caption: Cyber world collaborates to support normal Business use of cyberspace.]

Page 4

Strategic Drivers - International

• ID fraud = a top EU crime enabler

• McAfee: $1 trillion/year cybercrime (rising to $2 trillion)

• UK fraud > £73bn; EU fraud > €500bn

• If we are not winning, we must be losing

Page 5

To collaborate and share information, each organisation must be Trustworthy. Each organisation’s ID management must be internally homogeneous & externally interoperable. If compliant, they can then federate, based on common policies, procedures and mechanisms

[Diagram: the identity lifecycle Identity Proofing & Verification (Vetting) → Credentialing → Authentication → Authorization, with Audit spanning every stage, shown once for Business and once for Industry & Governments (IT, HR); the inputs are Citizenship ID & Right to Work documents from different nations (UK, FR, DE).]

• Authentication: Are you who you say you are?

• Authorization: Are you authorized to access my information? Can your organization prove this to me?

Note:

• Authentication gives Reliability of Identity

• Authorisation gives Assurance of Trustworthiness

Page 6

4 Contexts of Identity: Citizen, Consumer, Employee - Industry, Employee - Gov

Plus:

• Device ID

• Organisation ID

• Software Authentication

• Data Authentication

Page 7

Citizen e-ID

1. The European Digital Agenda requires all citizens to have a citizen e-ID for public purposes in all member states.

– A few states have successful and valued e-ID, e.g. Estonia, Belgium.

– More have e-ID for (infrequent) state use, with limited value and adoption/activity, e.g. Austria, Sweden.

– Most have plans.

– One has no plans: the UK.

2. STORK began as a technical interoperability pilot for government-issued credentials, based on Mutual Recognition. It has no meaningful Common Policy and no liability model.

3. The new draft EU regulation requires nations to accept credentials from Notified Schemes of other nations, pay, and then pass liability back to the issuing state.

4. The real issue is foreigners.

Page 8

Basics…

We need to identify ourselves to others, and vice versa, in a wide range of situations and particularly for electronic activities.

We require different Levels of Assurance:

1. LoA 4. Extra measures. 3-factor authentication (with a second biometric). Strong hardware token. Optional federated Physical Access Control. Used in highly secure situations.

2. LoA 3. High confidence in identity. Legally robust non-repudiation. 2-factor authentication. E.g. employee authentication, digital signature, ID-based encryption, secure email.

3. LoA 2. Some confidence of identity. Expect some failures. Financial liability model. E.g. credit cards, Know Your Customer.

4. LoA 1. Self assertion. E.g. [email protected].

Page 9

[Diagram: the four identity contexts (Citizen, Consumer, Employee - Gov, Employee - Industry) plotted against LoA 1 to 4. Employee - Gov: 9/11 → HSPD 12 → FIPS 201 (PIV) → FIPS 201 PIV-Interoperable; ITU-T/ISO 24760/29115; sectors Borders, Police, NATO, SESAR, Legal. Employee - Industry: supply chain collaboration; CertiPath/SAFE-BioPharma; Kantara Initiative Identity Assurance Framework; sectors Energy, Pharma, Aerospace (LoA 3 and 4). Consumer: OIX, Google, Facebook (LoA 1); credit cards (LoA 2); HACC? NFC?? (LoA 2 and 3). Citizen: NSTIC? Annotations: "Hardly used = weak business case?" and "Good Federation".]

Page 10

Level 3+ Identity Federations (PKI) - a UK perspective

[Diagram: the UK PKI Bridge (an emerging bridge) at the centre. Early adopters and cross-certified orgs: MOD, NHS, NPIA/Police, DWP+. LoA 2+ brokers. Potential Gov & Ind CSPs: EADS/Cassidian, Citi, Entrust, SAFE/BioPharma, Symantec, Trustis. Potential UK CSPs: Citi, EADS, Entrust, Symantec, Verizon Business+. Cross-certified bridges: CertiPath (Aero/Def) and SAFE-BioPharma. Other potential national bridges or CAs: USA, Australia, Canada, NZ, NL, BE, FR, DE, IT+, NO, SWE, ESP; Interpol, EU, NATO.]

Any nation could put itself at the centre…

Page 11

BBFA – Big Picture…

[Diagram. Legend: two-way trust, one-way trust. Level 3+: a Root CA (??); the UK PKI Bridge (emerging bridge) cross-certified with CertiPath Aero/Def and SAFE-BioPharma; early adopters and cross-certified orgs: MOD; NHS; Police; UKBA+; potential Gov shared service providers; other potential national bridges or CAs; national & international allies & industry partners. Level 3: Dept A with PSN trust to Depts B, C, D. Level 2: G-Digital Hub (DWP, HMRC, other central Gov, other local Gov) with Dept – Dept trust (PSIIF), a Root Authentication Broker, brokers and IdPs; Financial Sector; corporate credentials? (companies paying tax); consumer credentials & attributes?; citizen access to Gov services; credential re-use – 15M taxpayers?]
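What the two-way and one-way trust arrows on Pages 10 and 11 mean in practice is decided by cross-certificates and the policy mappings they carry: a relying party only accepts a credential from another organisation if a certificate path from its own trust anchor, possibly through one or more bridges, carries its required assurance policy all the way to the end-entity certificate. The following is an added example and not BBFA material: a small Python model of RFC 5280-style policy mapping over a constructed federation. Every organisation, bridge, user and policy OID in it is hypothetical (the OIDs sit under the 2.999 example arc), and it leaves out signature, validity, revocation, name-constraint and policy-constraint checks so that the path-discovery and policy-mapping logic is the only thing on show.

```python
"""Path discovery across PKI bridge CAs with RFC 5280-style policy mapping.

Added illustration, not BBFA material: the organisations, bridges, users and
policy OIDs below are invented (OIDs under the 2.999 example arc) and the
validation is reduced to policy processing. A real relying party also checks
signatures, validity periods, basic and name constraints, revocation and the
policyConstraints / inhibitAnyPolicy extensions.
"""
from collections import deque


class CrossCert:
    """One certificate in the federation: `issuer` certifies `subject`.

    policies: OIDs asserted in certificatePolicies (issuer-domain OIDs).
    mappings: policyMappings, issuerDomainPolicy -> subjectDomainPolicy.
    """

    def __init__(self, issuer, subject, policies, mappings=None):
        self.issuer = issuer
        self.subject = subject
        self.policies = frozenset(policies)
        self.mappings = dict(mappings or {})


# Hypothetical policy OIDs, one arc per organisation (2.999 is the example arc).
ORG_A_L3, ORG_A_L2 = "2.999.10.3", "2.999.10.2"  # Org A Level 3 / Level 2
UK_L3, UK_L2 = "2.999.20.3", "2.999.20.2"        # UK bridge Level 3 / Level 2
AERO_L3 = "2.999.30.3"                            # aerospace/defence bridge, Level 3
ORG_B_L3 = "2.999.40.3"                           # Org B Level 3
ORG_C_L3 = "2.999.50.3"                           # Org C Level 3, behind the aero bridge

# Constructed federation: two-way trust between Org A and the UK bridge,
# one-way trust from Org B into the bridge (the bridge has NOT certified
# Org B), and a bridge-to-bridge cross-certificate at Level 3 only.
FEDERATION = [
    CrossCert("UKBridge", "OrgA-Root", {UK_L3, UK_L2}, {UK_L3: ORG_A_L3, UK_L2: ORG_A_L2}),
    CrossCert("OrgA-Root", "UKBridge", {ORG_A_L3, ORG_A_L2}, {ORG_A_L3: UK_L3, ORG_A_L2: UK_L2}),
    CrossCert("OrgB-Root", "UKBridge", {ORG_B_L3}, {ORG_B_L3: UK_L3}),
    CrossCert("UKBridge", "AeroBridge", {UK_L3}, {UK_L3: AERO_L3}),
    CrossCert("AeroBridge", "OrgC-Root", {AERO_L3}, {AERO_L3: ORG_C_L3}),
    # End-entity certificates (no mappings): the credentials being relied upon.
    CrossCert("OrgA-Root", "alice@orgA", {ORG_A_L3}),
    CrossCert("OrgA-Root", "bob@orgA", {ORG_A_L2}),
    CrossCert("OrgB-Root", "dave@orgB", {ORG_B_L3}),
    CrossCert("OrgC-Root", "carol@orgC", {ORG_C_L3}),
]


def find_path(certs, trust_anchor, initial_policies, target):
    """Breadth-first path discovery from the relying party's trust anchor.

    `expected` is the set of policy OIDs, expressed in the current issuer's
    domain, that still satisfy the relying party's initial policy. Each
    certificate keeps only the expected policies it asserts, then translates
    the survivors into the subject's domain via policyMappings; a policy that
    is not mapped keeps its OID. A path is acceptable only if the end-entity
    certificate still asserts at least one surviving policy.

    Returns the list of names along the path, or None if no acceptable path
    exists (including the case where the only candidate is at a lower level).
    """
    by_issuer = {}
    for cert in certs:
        by_issuer.setdefault(cert.issuer, []).append(cert)

    start = (trust_anchor, frozenset(initial_policies))
    queue = deque([(start, [trust_anchor])])
    seen = {start}
    while queue:
        (issuer, expected), path = queue.popleft()
        for cert in by_issuer.get(issuer, []):
            accepted = expected & cert.policies
            if not accepted:
                continue  # required policy not asserted at this hop: dead end
            if cert.subject == target:
                return path + [target]
            mapped = frozenset(cert.mappings.get(p, p) for p in accepted)
            state = (cert.subject, mapped)
            if state not in seen:  # (CA, policy set) pairs bound the search
                seen.add(state)
                queue.append((state, path + [cert.subject]))
    return None


if __name__ == "__main__":
    for anchor, policy, target in [
        ("OrgB-Root", ORG_B_L3, "alice@orgA"),   # Level 3 via the UK bridge
        ("OrgB-Root", ORG_B_L3, "bob@orgA"),     # Level 2 credential: rejected
        ("OrgB-Root", ORG_B_L3, "carol@orgC"),   # bridge-to-bridge path
        ("OrgA-Root", ORG_A_L3, "dave@orgB"),    # one-way trust: no path back
    ]:
        print(f"{anchor} accepting {policy} -> {target}: "
              f"{find_path(FEDERATION, anchor, {policy}, target)}")
```

Running it shows the three properties the diagrams assert: a Level 3 credential from Org A is acceptable to a Level 3 relying party in Org B through the bridge; a Level 2 credential issued by the very same CA is not, because the policy set is emptied at the last hop rather than at the cross-certificate; and since Org B's trust in the bridge is one-way, there is no path from Org A's anchor to an Org B credential at all. Adding the reverse cross-certificate (bridge certifying Org B) is what "two way trust" in the legend means.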

Page 12

ISO/IEC JTC1 SC27 WG5 – Identity Management & Privacy Technologies

ISO 29100 – Privacy framework

ISO 29101 – Privacy reference architecture

ISO 29115 – Entity authentication assurance framework (contains ID definitions)

ISO 29146 – A framework for access management

ISO 29191 – Proposal on requirements on relative anonymity with identity escrow model for authentication and authorization using group signatures

ISO 24760 - A framework for identity management -- Part 1: Terminology and concepts

ISO 24760 - A Framework for Identity Management -- Part 2: Reference architecture and requirements

ISO 24760 - A Framework for Identity Management – Part 3: Practice

ISO 24761 - Authentication context for biometrics

ISO 29003 - Identity Proofing of Persons, Organisations, Devices and Software

Plus TCG Trusted Platform Module 1.2 and 2.0

Page 14

Collaborative Cyber Situational Awareness (CCSA)

1 – High Assurance Federated Trust

2 – Critical Controls (Normality)

3 – Incident Operations Taxonomy

3.2 – Information Sharing Framework (ISF)

4 – Cyber SA Triage process

5 – Prioritised communications

Supporting references: ISO & ITU(T) standards; IETF standard <> ENISA; NATO ID Strategy, NATO Cyber Strategy, EU Cybersecurity Strategy; US CERT & NCCIC; police, aerospace & defence, health implementations ….

Page 15

[Diagram: repeats the Business World / Cyber World layered model from Page 3 (Process, Information, Application, Data, Infrastructure for Organisation A and B, mirrored by Node A and B; Competition and Collaboration). Caption: Cyber world collaborates to support normal Business use of cyberspace.]

Page 16

Nine Challenges from Europe’s Piecemeal Approach

1. The European Commission needs to coordinate internally and externally focused views.

2. The European Commission could be doing more to reflect the global context. Technology, business and consumers do. So do criminals.

3. The European Commission needs to work more collaboratively with nations. They can only afford to do things one way.

4. The European Commission should focus on all aspects of Person Identity, not just citizen.

5. The European Commission must address Organisational ID.

6. The European Commission must consider federation for global business. Mutual Recognition is not enough.

7. The European Commission must take account of international standards. The UN agrees.

8. The draft EC Regulation treats the digital signature as separate from identity, which creates a major fraud attack vector, particularly at high assurance. Digital signatures are an attribute of an identity.

9. The EU Cyber Security Strategy and national strategies must mention Trust, identity and authentication, so that gov-gov, gov-business, business-business and supply chains can work. The Single Market depends on this.