Secure Identity Changes in a Changing World - PowerPoint PPT Presentation



SLIDE 1

ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies

Secure Identity Changes in a Changing World
WG 5 Identity Management & Privacy Technologies within SC 27 – IT Security Techniques

RSA Japan 2008-04-24, Tokyo, Japan

  • Prof. Dr. Kai Rannenberg

Convener WG 5
Goethe University Frankfurt, Germany
www.m-chair.net

SLIDE 2

WGs within ISO/IEC JTC 1/SC 27 – IT Security Techniques

  • WG 1 ISMS
  • WG 2 Cryptography & Security Mechanisms
  • WG 3 Security Evaluation
  • WG 4 Security Controls & Services
  • WG 5 Identity Management & Privacy Technologies

Diagram labels: Assessment, Guidelines, Techniques; Product, System, Process, Environment

SLIDE 3

WG 5 Identity Management & Privacy Technologies
History

October 2003

JTC 1 Plenary established JTC 1 Study Group on Privacy Technologies (SGPT) for a one-year period of time (until October 2004) to identify standardization needs

October 2004

JTC 1 Plenary resolved to

  • disband SGPT
  • assign to SC 27 further activities in the Privacy Technologies area such as
      • a further inventory
      • a report back to the November 2006 JTC 1 Plenary

SLIDE 4

WG 5 Identity Management & Privacy Technologies
History

SC 27 activities (in response to JTC 1's request from October 2004)

October 2004

  • Study Period on Identity Management established

May 2005

  • Study Period on Privacy established
  • New Work Item Proposal: A framework for identity management (ISO/IEC 24760)

May 2006

  • New Working Group 5 on Identity Management and Privacy Technologies established
  • Two new Work Item Proposals
      • A privacy framework (ISO/IEC 29100)
      • A privacy reference architecture (ISO/IEC 29101)

SLIDE 5

WG 5 Identity Management & Privacy Technologies
Scope

Development and maintenance of standards and guidelines addressing security aspects of

  • Identity management
  • Biometrics and
  • Privacy

SLIDE 6

Identity Management (IdM)
2 sides of a medal with enormous economic potential

People live their life

  • in different roles (professional, private, volunteer)
  • using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …

Differentiated identities help to

  • protect
      • privacy, especially anonymity
      • personal security/safety
  • enable reputation building at the same time

Identity management systems

  • support users using role based identities
  • help to present the “right” identity in the right context

Organisations aim to sort out

  • User Accounts in different IT systems
  • Authentication
  • Rights management
  • Access control

Unified identities help to

  • ease administration
  • manage customer relations

Identity management systems

  • ease single-sign-on by unifying accounts
  • solve the problems of multiple passwords

SLIDE 7

Identity Management (IdM)
2 sides of a medal with enormous economic potential

People live their life

  • in different roles (professional, private, volunteer)
  • using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …

Differentiated identities help to

  • protect
      • privacy, especially anonymity
      • personal security/safety
  • enable reputation building at the same time

Identity management systems

  • support users using role based identities
  • help to present the “right” identity in the right context

Organisations aim to sort out

  • User Accounts in different IT systems
  • Authentication
  • Rights management
  • Access control

Unified identities help to

  • ease administration
  • manage customer relations

Identity management systems

  • ease single-sign-on by unifying accounts
  • solve the problems of multiple passwords

SLIDE 8

WG 5 Identity Management & Privacy Technologies
Programme of Work

Frameworks & Architectures

  • A Framework for Identity Management (ISO/IEC 24760, WD)
  • A Privacy Framework (ISO/IEC 29100, WD)
  • A Privacy Reference Architecture (ISO/IEC 29101, WD)
  • A Framework for Access Management (ISO/IEC 29146, WD)

Protection Concepts

  • Biometric template protection (ISO/IEC 24745, WD)
  • Access Control Mechanisms (Study Period)

Guidance on Context and Assessment

  • Authentication Context for Biometrics (ISO/IEC 24761, FDIS)
  • Entity Authentication Assurance (ISO/IEC 29115, WD)
  • Privacy Capability Maturity Models (Study Period)

SLIDE 9

WG 5 Identity Management & Privacy Technologies
Roadmap

SLIDE 10

WG 5 Identity Management & Privacy Technologies
WD 24760

Title: A framework for identity management

Co-editors: Christophe Stenuit (Belgium), Rosa Garcia Ontoso (Spain)

Scope: This standard aims to provide a framework for the definition of identity and the secure, reliable, and private management of identity information. This framework should be applicable to individuals as well as organizations of all types and sizes, in any environment and regardless of the nature of the activities they are involved in.

SLIDE 11

WG 5 Identity Management & Privacy Technologies
ISO/IEC 24760 A Framework for Identity Management

Identity concepts

  • Identity (Unification vs. Differentiation)
  • Identity References
  • Identifiers

Identity management

  • Identity Lifecycle
  • Provisioning vs. Choice of Identities

Identity management and information security

  • Related IT security concepts

SLIDE 12

WG 5 Identity Management & Privacy Technologies
FDIS 24761

Title: Authentication context of biometrics

Editor: Asahiko Yamada (Japan)

Scope: This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), by which the service provider (verifier) can judge whether the biometric verification result is acceptable or not. The structure and the data elements are defined.

SLIDE 13

WG 5 Identity Management & Privacy Technologies
ISO/IEC 24761 Authentication context of biometrics

The structure and the data elements are being defined based on e.g. the following assumptions:

  • The targeted biometric verification process shall be executed by one or more BPUs (Biometric Process Units).
  • Each BPU shall assure a uniform security level within that BPU.
  • A secure communication channel among all the interconnected subjects, such as BPUs, the service requester (claimant), and the service provider (verifier), shall not be assumed.

SLIDE 14

WG 5 Identity Management & Privacy Technologies
WD 29100

Title: A privacy framework

Editor: Stefan Weiss (Germany)

Scope: Aims at providing a framework for defining privacy safeguarding requirements as they relate to PII (personally identifiable information) processed by any information and communication system in any jurisdiction. To be applicable on an international level and addresses system specific issues on a high level. Puts organizational, technical, procedural and regulatory aspects in perspective.

SLIDE 15

WG 5 Identity Management & Privacy Technologies
ISO/IEC 29100 A Privacy Framework

PII = Personally Identifiable Information

Privacy Preferences

Privacy Requirements

Privacy Principles

  • Consent and Choice
  • Openness, Transparency and Notice
  • Accountability
  • Purpose Specification
  • Collection Limitation
  • Use, Retention and Disclosure Limitation
  • Data Minimisation
  • Accuracy and Quality
  • Individual Participation and Access
  • Security Safeguards
  • Compliance

Privacy Aspects within the Data Processing Lifecycles

  • Collect, Transfer, Use, Store, Archive, Dispose

Relating Privacy to IT Security

SLIDE 16

WG 5 Identity Management & Privacy Technologies
ISO/IEC 29100 A Privacy Framework

Privacy Principles

  • Consent and Choice
  • Openness, Transparency and Notice
  • Accountability
  • Purpose Specification
  • Collection Limitation
  • Use, Retention and Disclosure Limitation
  • Data Minimisation
  • Accuracy and Quality
  • Individual Participation and Access
  • Security Safeguards
  • Compliance

SLIDE 17

WG 5 Identity Management & Privacy Technologies
ISO/IEC 29100 A Privacy Framework

Privacy Aspects within the Data Processing Lifecycles

  • Collect
  • Transfer
  • Use
  • Store
  • Archive
  • Dispose

SLIDE 18

WG 5 Identity Management & Privacy Technologies
Topics

  • Privacy technologies
  • A Privacy Framework
  • A Privacy Reference Architecture
  • Privacy infrastructures
  • Anonymity and credentials
  • Specific Privacy Enhancing Technologies (PETs)
  • Privacy Engineering
  • Biometrics
  • Protection of biometric data
  • Authentication techniques

SLIDE 19

WG 5 Identity Management & Privacy Technologies
Liaisons and collaboration

Liaison with organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.:

  • JTC 1/SC 17/WG 4 Integrated circuit card with contacts
  • JTC 1/SC 17/WG 11 Application of biometrics to cards and personal identification
  • JTC 1/SC 37 Biometrics
  • ISO TC 68/SC 2 Financial Services Security
  • ITU-T SG 13 Next generation networks
  • ITU-T SG 17 Security, languages and telecommunication software
  • ITU-T JCA Identity Management
  • FIDIS (Future of Identity in the Information Society)
  • PrimeLife
  • PICOS (Privacy in Community Services)
  • Liberty Alliance
  • The International Conference of Data Protection and Privacy Commissioners
  • The Open Group (IdM Forum and Jericho Forum)

SLIDE 20

WG 5 Identity Management & Privacy Technologies

Thank you very much for your interest

Further reading

  • www.jtc1sc27.din.de/en
  • SD6 Glossary of IT Security Terminology
  • SD7 Catalogue of SC 27 Standards & Projects

Kai.Rannenberg@m-chair.net