Belgian Federal Government - W. Van Assche

Identity and Access Mgmt and electronic Identities
Belgian Federal Government
Walter Van Assche
January 16th, 2012
Chisinau
ELECTRONIC IDENTITY (CARD)
Goal eID project
• To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures
– Proof of identity
– Signature tool
eID partners
The eID as an e-gov. building block
Belgian eID Project Time line
13 Dec 1999: European Directive 1999/93/EC on Electronic Signatures
22 Sept 2000: Council of Ministers approves eID card concept study
19 July 2001: Council of Ministers approves basic concepts (smart card, citizen certificates, no integration with SIS card, Ministry of Internal Affairs is responsible for RRN’s infrastructure, pilot municipalities, helpdesk, card production, legal framework,… Fedict for certification services)
3 Jan 2002: Council of Ministers assigns RRN’s infrastructure to NV Steria
27 Sept 2002: Council of Ministers assigns card production to NV Zetes, certificate services to NV Belgacom
31 March 2003: first 4 eID cards issued to civil servants
9 May 2003: first pilot municipality starts issuing eID cards
25 July 2003: eleventh pilot municipality started
25 January 2004: start of pilot phase evaluation
27 September 2004: start of nation-wide roll-out
September 2005: all newly issued ID cards are eID cards
Start of 2009: all citizens have an eID card
The eID “product family”: Kids-ID, eID, Foreigner-ID
The eID: results
• eID:
– More than 8.6 Million cards issued (2nd wave)
• Kids-ID:
– Potential: 1,3 Million cards
– More than 100.000 cards issued since March 2009
• Foreigner-ID:
– Potential: 1,5 Million cards
– More than 150.000 cards issued since 2008
How does it work?
Components shown in the diagram:
– User, on the Internet
– External Portal: External Firewall, Web Server, Application Server
– Federal ePortal: External Firewall, Web Server, Application Server, LDAP
Flow:
1) Request (user to External Portal)
2) Redirect to ePortal login page
3) Login in ePortal authentication page
4.1) Checking credentials (ePortal web server to application server)
4.2) Checking credentials (application server against LDAP)
5.1) Redirect with SAML Response (posting with JavaScript)
5.2) Redirect with SAML Response (received by the External Portal)
6) Session creation on the External Portal
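The hand-off from step 5.1/5.2 to step 6 is where the External Portal must validate the SAML Response before it creates a session. The following Python sketch is an added example and not Fedict's code: it models the ePortal issuing a signed response and the self-submitting form of step 5.1, and the relying party checking signature, request binding, audience and validity window before creating a session. The signing key, entity id and ACS URL are constructed, and an HMAC over a minimal XML body stands in for the real XML digital signature.

```python
import base64, hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

# Constructed demo values: the shared key stands in for the ePortal's XML-signature
# key, and the entity id of the external portal is hypothetical.
EPORTAL_KEY = b"constructed-demo-signing-key"
PORTAL_ENTITY_ID = "https://external-portal.example/sp"

def eportal_issue_response(request_id, user, now=None):
    """Step 5.1: after steps 3-4 succeed, the ePortal builds a signed response."""
    now = now or int(time.time())
    root = ET.Element("Response", InResponseTo=request_id,
                      Audience=PORTAL_ENTITY_ID, NotOnOrAfter=str(now + 300))
    ET.SubElement(root, "Subject").text = user
    body = ET.tostring(root)
    sig = hmac.new(EPORTAL_KEY, body, hashlib.sha256).hexdigest()
    return body, sig

def render_post_form(body, sig, acs_url):
    """Step 5.1: the self-submitting form the browser posts to the portal's ACS URL."""
    b64 = base64.b64encode(body).decode()
    return (f'<form id="f" method="POST" action="{acs_url}">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}">'
            f'<input type="hidden" name="Signature" value="{sig}"></form>'
            '<script>document.getElementById("f").submit();</script>')

def portal_consume_response(body, sig, pending_requests, now=None):
    """Steps 5.2-6: validate the response; create a session only if every check passes."""
    now = now or int(time.time())
    expected = hmac.new(EPORTAL_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"          # tampered or forged response
    root = ET.fromstring(body)
    req_id = root.get("InResponseTo")
    if req_id not in pending_requests:
        return None, "unsolicited or replayed response"
    if root.get("Audience") != PORTAL_ENTITY_ID:
        return None, "wrong audience"         # issued for another relying party
    if now >= int(root.get("NotOnOrAfter", "0")):
        return None, "expired"
    pending_requests.discard(req_id)          # each request id is accepted once
    return {"id": secrets.token_hex(16), "user": root.findtext("Subject")}, "ok"
```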
Alternatives with different security levels
• Different security levels:
– level 0: Public access
– level 1: User name + Password
– level 2: User name + Password + Token
– level 3: Electronic identity card
• Future evolutions (based on eID):
– Mobile Identity
– One Time Password Generators?
IDENTITY AND ACCESS MANAGEMENT IN EGOV
What is IAM?
A simple story… (the diagram is built up over several slides)
Getting access:
– A User wants access to an Application
– Identification & authentication of the User
– Attributes (Name, Company,…) are taken from authentic sources: NRN, Notarissen, KBO, …
– Permissions and Roles determine what the User may do in the Applications
Granting access:
– Workflow: Security Manager, Chief Security Mgr, Legal Representative, KBO
– Roles
© Fedict 2009. All rights reserved | p. 12
IAM …. in a complex reality
Process overview:
– Mandate Management
– Attestation
– Manage Identity
– Reporting
– Manage Virtual Identity
– Risk Definition
– Request Permission
– Authenticate
– Relying Party Management
– Manage Organizational Membership
– Manage Role Definition
– Auditing
– Manage Permission
– Manage Contexts
– Manage Domains
Relevance of IAM within eGovernment context
Transparency:
• Granting of transparent access to different applications and information sources of the Belgian government
Security:
• Avoid unauthorized access to information sources and applications of the federal government
Autonomy:
• Ensure the “uniqueness” of each of the partners
Trust and trustworthiness:
• Decent service provider
Governance structure:
• The rules and agreements within an IAM context
Security management
>> An historical agreement
– An agreement is being defined between Belgian government partners, providing a basis for an integrated security management
– A joint security management platform will be offered as a managed service
– All partners can participate in the steering group of the joint platform
Federated context
>> co-existence
Federated context: Example
>> Digiflow
Context: Federal government, local governments, OCMW
Getting access:
– User
– Identification & authentication
– Attributes (Name, Company,…) from NRN, Notarissen, KBO, …
– Permissions
– Application: Digiflow
Federated context: Example
>> Tax on Web for accountants
Getting access:
– User
– Identification & authentication
– Attributes (Name, Company,…) from NRN, KBO, …
– Mandate Mgt
– Permissions
– Application: Tax on web
Granting access:
– Workflow: Security Mgr, Head Security Mgr, Legal representative, KBO
– Roles
Fedict IAM offering
Circle of Trust:
– User
– Relying Party: Application A, Application X, …
– FAS
– Trusted Third Party
– Authentic sources: RR, BIS, KBO
– Role Admin, Admin
Fedict IAM evolution
Current building blocks and optimized building blocks (labels as shown on the slide): Self Registration, CSAdmin, Role Definition Management, Citizen Admin, Role Admin, User Mgt, TUM Self Service, Role Mgt, Self Management, VOSync, Reporting, Reporting Management, User Lifecycle Management, Authentication, MagmaWS, FAS+, FAS1, Organization Assignment, Risk Management, Magma Attribute Service, Role Assignment, Relying Party Management, Identification & Authentication, Attribute Publication
EU pilots that work on cross-border interoperability
© fedict 2011. All rights reserved
Overview of LSP’s Collaborations (diagram): Transport Infrastructure, Citizen ID, Company ID, Company Dossier, Privacy
Thank you
Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 99
info@fedict.belgium.be | www.fedict.belgium.be