Towards an Economic Valuation of Telco-based Valuation of Telco - - PowerPoint PPT Presentation
Towards an Economic Valuation of Telco-based Valuation of Telco based Identity Management Enablers Enablers PrimeLife/IFIP Summer School 2010 Helsingborg, 2010-08-04 Kai Rannenberg, S ascha Koschinat, Andreas Albers, Gkhan
PrimeLife/IFIP Summer School 2010 Helsingborg, 2010-08-04
Kai Rannenberg, S ascha Koschinat, Andreas Albers, Gökhan Bal, Marvin Hegen, Christian Weber T-Mobile Chair of Mobile Business & Multilateral S ecurity
Institute of Business Informatics Goethe University Frankfurt www.m-chair.net
2
3
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
WG 1 WG 3
Assessment
WG 1 ISMS WG 4 WG 3 Security Evaluation WG 5 WG 4 Security Controls & Services
Guidelines
Identity Management & Privacy Technologies WG 2 Cryptography & Security Mechanisms
Techniques Product System Process Environment
4
WG 5 Identity Management & Privacy Technologies History
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
y
JTC 1 Plenary established
JTC 1 St d G P i T h l i (SGPT)
identify standardization needs
JTC 1 Pl l d t JTC 1 Plenary resolved to
Technologies area such as
5
WG 5 Identity Management & Privacy Technologies History
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
y
management (ISO/IEC 24760)
Privacy Technologies established T W k I P l
6
Identity Management (IdM) An early approach
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
„Fear not, for I have redeemed you; I have called you by name: you are mine.” [Isaiah 43:1]
σε εκαλεσα με το ονομα σου· εμου εισαι“ [Ησαιαν 43:1] [Ησαιαν 43:1]
t h ll d t b í tú “ te he llamado por tu nombre; mío eres tú.“ [Isaías 43 1 ]
ich habe dich bei deinem Namen gerufen; du bist mein!“ [Jesaja 43,1]
7
Identity Management (IdM) 2 sides of a medal with enormous economic potential
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
private, volunteer)
(pseudonyms): email accounts, SIM d B d
systems
SIM cards, eBay trade names, chat names, 2ndLife names, …)
g s a age e
help to
help to
p y y
same time
systems
identities
in the right context
systems
accounts
passwords
8
passwords
Identity Management (IdM) 2 sides of a medal with enormous economic potential
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
private, volunteer)
(pseudonyms): email SIM d B
systems
accounts, SIM cards, eBay trade names, chat names, 2ndLife names, …)
Diff ti t d id titi
g s a age e
help to
help to
p y p y y y
the same time
Identity management systems
identities
Identity management systems
accounts
9
identity in the right context
passwords
WG 5 Identity Management & Privacy Technologies Scope
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
p
10
WG 5 Identity Management & Privacy Technologies Programme of Work
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
Frameworks & Architectures
P i R f A hit t (ISO/IEC 29101 CD)
(ISO/IEC 29115 / ITU-T X.eaa, CD)
Protection Concepts
for authentication and authorization using group signatures (ISO/IEC 29191, WD)
Guidance on Context and Assessment
11
WG 5 Identity Management & Privacy Technologies Roadmap
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
12
13
Service Subscriber Service Provider
Network Operator Subscriber
partners
14
Administration
in a world of consortia
Service
… in a world of consortia
Subscriber Service Provider
Network Operator Subscriber Content
15
Content Provider
16
17
Service Subscriber Service Provider Network Operator Subscriber
18
Relying Customer Relying Party Telco Customer
19
20
Problem S tatement
Problem S tatement T i l bl i i b b i d
consumers, and governments and citizens:
Customer data is processed by various parties and in various ways.
f l i ffi i d i ff i
21
Motivation
Motivation A i l f bli dd d l li i dd i hi
situation by:
transaction partners (businesses and governments)
d l l li d l i under legal, compliance, and personal requirements
each transaction (IdM Enablers) to enable and enhance the respective IdM processes processes
transactions partners with adequate IdM Enablers
22
Obj ectives
Obj ectives Th IdM E bl C h d
some of these implications.
23
Internet S ervice Value Chain
Internet S ervice Value Chain
S ervice Request IdM Element S ervice Provision
q
24
S ervice Chain with IdM related S ervice Chain Element
Example - Age Verification
Example Age Verification
Service Providers’ problems:
End Customers’ problems:
Payment Enforcement
Convenience/ Usability
S ervice Request Age Verification S ervice Provision
„ Age >= 21? “
25
S ervice Chain with exemplary IdM related S ervice Chain Element Age Verification
Example - Age Verification
Example Age Verification
Customer Data Assets IdM Functional Capabilities
Verifi- cation Birth Date
IdM S ervice Provider „ Y es - Verified Age >= 21!“
S ervice Request Age Verification S ervice Provision
S ervice Chain with exemplary IdM related S ervice Chain Element Age Verification
26
27
Data Assets IdM Functional Capabilities Who could be in the role of providing IdM Enablers for business transactions between End
Data Asset
Customers and S ervice Providers?
S ervice Providers
IdM Function Data Asset
IdM Function Asset
IdM S ervice Provider
becoming big players.
to enable win-win situations. T l h i i IdM Enabler
protect and respect their customers’ privacy than other players.
IdM Enabler
Enabler
Focus on Telcos!
28 28
Data Assets IdM Functional Capabilities Which Data Assets does a Telco possess?
d t
Data Asset
data.
pecifically they have even more and more valuable customer data concentrated in their databases than other businesses.
IdM Function Data Asset
IdM Function Asset
IdM S ervice Provider databases than other businesses.
(cf. H6.1.2) and Data Assets of
IdM Enabler IdM Enabler
Enabler
29 29
Basic Data
Identification Data
P d Communication Data
MS Detail R d Content Data
Context Data
Financial Data
W thi Device Data
Password
Record
Record
Worthiness
tatus
Data Assets
Data Asset
IdM S ervice Provider
30 30
Data Assets IdM Functional Capabilities 3. Which IdM Functions can a Telco already provide?
Data Asset
subset of IdM Functions.
requirements to provide their IdM Functions to a wide IdM
IdM Function Data Asset
IdM Function Asset
IdM S ervice Provider IdM Functions to a wide IdM ecosystem.
(cf. H6.1.2). IdM Enabler IdM Enabler
Enabler
31 31
Account Functions F d ti Attribute Functions V ifi ti Authentication Functions A th ti ti Authorization Functions A th i ti Policy Functions Editi
S O
ignedToken
IdM Functional Capabilities
IdM Function
IdM S ervice Provider
32
Data Assets IdM Functional Capabilities
Data Asset
IdM Function Data Asset
IdM Function Asset
IdM S ervice Provider 1. Which IdM Enablers can be provided by a Telco? IdM Enabler provided by a Telco? 2. How obvious is their economic relevance? 3. Which reasonable use cases exist for them? IdM Enabler
Enabler
for them? 4. How good is the chance to monetize these Enablers? 5. Which added values can be enabled?
33 33
6. How big is their economic potential?
34
1 D i i f f ibl IdM E bl S i O i 1. Description of feasible IdM Enabler S ervice Options 2. S takeholder identification and description (obj ectives etc.) 3 Identification and Analysis of the impacts of available IdM Enabler 3. Identification and Analysis of the impacts of available IdM Enabler S ervice Options on the stakeholders
4. Identification of Cause-Effect Chains between the stakeholders 5 Cost Benefit Overview from the perspective of the IdM S ervice 5. Cost Benefit Overview from the perspective of the IdM S ervice Provider 6. Cost Benefit Analysis for IdM S ervice Provider
35
36
37
Option 1 (CPI) - Customer provides age information
Option 1 (CPI) Customer provides age information
S ervice Request Age Verification S ervice Provision
S ervice Chain with exemplary IdM related S ervice Chain Element
Birth
Age Verification
Birth Date Request Bi th D t Birth Date Birth Date
38
Option 2 (TPC) - Telco provides verified age
information certificate to user
Birth Date Request Age >= 21
39
Verified Age >=21 - Token
Option 3 (TPI) - Telco provides verified age
information to S ervice Provider
Birth Date Request Verified Age >=21
40
Maximize performance and privacy (transaction speed, anonymity, ...)
to pay ) to pay, ...)
rate, ...)
( , y , )
41
Option 2 (TPC) vs. Option 1 (CPI)
Customer Perspective
Benefits Costs Additional Data Minimisation (more Privacy) Additional efforts for Hardware and/or Software L i k f d t i b S i P id Additi l ff t f T l gi t ti Lower risk of data misuse by S ervice Providers Additional efforts for Telco registration Higher trust in S ervice Providers (as they demonstrate privacy-friendliness) Additional registration fees and/or charges for service usage Additional guaranteed compliance with regulation Higher duration of transactions (possibly one Additional guaranteed compliance with regulation Higher duration of transactions (possibly one- time for S ervice Provider registration) Higher convenience for being compliant with regulation Additional trust relationship to Telco required / risk of data misuse by Telco Additional risk of missing availability of a service due to failure of Customer or Telco infrastructure
42
Option 2 (TPC) vs. Option 1 (CPI)
S ervice Provider Perspective
Benefits Costs Benefits Costs Higher trust/lower risk by Customers higher customer loyalty more new customers more revenues Fewer possibilities for commercialization of customer data Additional compliance with regulation assured by Telco Less information about customers less potential for advertising, personalisation, profiling, targeting etc. Lower risk of payment losses through minors Additional risk of missing availability of a service Lower risk of payment losses through minors Additional risk of missing availability of a service due to failure of Customer or Telco infrastructure Fewer efforts for infrastructure implementation Higher duration of transactions (possibly one- and operation time for S ervice Provider registration) Fewer efforts for Customer support
43
Option 2 (TPC) vs. Option 1 (CPI)
Telco Perspective
Benefits Costs Additional Value Added S ervice for Customers Higher Customer loyalty More new Customers
More revenues
Additional efforts for development and
Customers Higher market entry barriers for possible business Additional efforts for development and Higher market entry barriers for possible business rivals Additional efforts for development and
ervice Infrastructure (data bases, etc.) Additional efforts for development and p
Billing, critical mass of Customers and S ervice Providers etc.) Additional efforts for correction of incorrect age Additional efforts for correction of incorrect age verifications (liability guarantee for Customers and S ervice Providers) Additional efforts for Customer S upport
44
A i l k h ld ’ d b fi h ff h
y g g p interdependencies need to be considered
between the stakeholders’ costs and benefits between the stakeholders costs and benefits
costs and benefits of Option 2 (TPC) vs. Option 1 (CPI) will be presented in order to reflect their effect on the other stakeholders’ costs and benefits
elected Customers’ costs and benefits: S elected Customers costs and benefits:
by Telco)
by Telco)
45
Option 2 (TPC) vs. Option 1 (CPI)
Customer Service Provider Telco Costs Benefits Costs Benefits Costs Benefits
Lower risk of data misuse by Service Providers More new customers More revenues More new customers Higher customer l lt Higher level of Data Minimisation / higher trust in Service Providers Higher customer loyalty Additional guaranteed compliance with l ti loyalty More revenues regulation Fewer penalties for non-compliance with regulation Fewer possibilities for commercialisation of user data Less information about customers Less potentials for advertising, personalisation, profiling, targeting etc. Fewer revenues Fewer Service Providers Less Service Provider Fewer revenues Additional trust relationship to Telco required / risk of data misuse by Telco loyalty Fewer new customers Lower customer loyalty Measures to generate trust/ incentives Higher costs
46
Maximize performance and privacy (transaction speed, anonymity, ...)
to pay ) to pay, ...)
rate, ...)
( , y , )
47
Option 2 (TPC) vs Option 1 (CPI)
Option 2 (TPC) vs. Option 1 (CPI)
Customer:
ervice Providers (trust, data misuse)
More Privacy friendly transactions (data minimisation, privacy)
S ervice Provider:
Lower risks with respect to Customer and regulations (compliance, payment losses)
Telco:
ervice Provider incentives, i f t t )
infrastructure)
48
Option 3 (TPI) vs. Option 1 (CPI)
Customer Perspective
Benefits Costs
Addi i l D Mi i i i ( P i ) L P i b f dditi l k l d Additional Data Minimisation (more Privacy) Less Privacy, because of additional knowledge
and additional knowledge of Service Providers about Customers` Telco Lower risk of data misuse by S ervice Providers Additional efforts for Telco registration Higher trust in S ervice Providers Higher duration of transactions (possibly one- time for S ervice Provider registration) Additional guaranteed compliance with regulation Additional trust relationship to Telco required / Additional risk of data misuse by Telco Higher convenience for being compliant with regulation Additional risk of missing availability of a service due to failrure of Telco infrastructure regulation due to failrure of Telco infrastructure Less control about personal data provision / Bigger knowledge about business relationships by Service Provider and Telco (less Privacy)
49
Option 3 (TPI) vs. Option 1 (CPI)
S ervice Provider Perspective
Benefits Costs
More trust by Customers higher customer loyalty more new customers more revenues Fewer possibilities for commercialization of customer data Additional compliance with regulation assured by Telco Less information about customers Less potentials for advertising, personalisation, Telco potentials for advertising, personalisation, profiling, targeting etc. Lower risk of payment losses through minors Higher duration of transactions (possibly one- time for S ervice Provider registration) Fewer efforts for infrastructure implementation and operation Additional costs for implementation and
Fewer efforts for Customer support Additional registration fees and/or charges for service usage service usage Additional business relationship to Telco additional possibility for new Marketing & Sales- channel customer base of Telco Additional risk of missing availability of a service due to failure of Telco infrastructure Additional efforts to provide incentives for customers
50
Option 3 (TPI) vs. Option 1 (CPI) 1
Telco Perspective
Benefits Costs Additional Value Added S ervice for Customers and S ervice Providers Higher customer loyalty More new customers More revenues Additional efforts for development and operation
ervice Infrastructure (data bases, S ervice Provider Interface etc.) Additional business relationships to Service Additional efforts for development and operation Additional business relationships to Service Providers additional possibility for new Marketing & Sales-channels customer base of Service Providers Additional efforts for development and operation
mass of Customers and S ervice Providers etc.) Hi h k t t b i f ibl b i Additi l ff t f ti f i t Higher market entry barriers for possible business rivals Additional efforts for correction of incorrect age verifications (liability guarantee for Users and S ervice Providers) Additional efforts for Customer S upport
51
I h f ll i h C Eff Ch i f O i 3 (TPI)
Option 1 (CPI) will be presented
elected Customers’ costs and benefits:
by Telco)
52
Option 3 (TPI) vs. Option 1 (CPI)
Customer Service Provider Telco Costs Benefits Costs Benefits Costs Benefits
Lower risk of data misuse by Service Providers More new customers More revenues More new customers Higher cutomer l lit Higher level of Data Minimisation / higher trust in Service Providers Higher customer loyality Additional guaranteed compliance with l ti loyality More revenues regulation Less penalties for non-compliance with regulation Fewer possibilities for commercialisation of user data Less information about customers Less potential for advertising, personalisation, profiling, targeting etc. Fewer revenues Fewer Service Providers Less Service Provider Fewer revenues Additional trust relationship to Telco required / risk of data misuse by Telco loyality Fewer new customers Lower customer loyality Measures to generate trust/ Incentives Higher costs
53
Maximize performance and privacy (transaction speed, anonymity, ...)
to pay ) to pay, ...)
rate, ...)
( , y , )
54
Option 3 (TPI) vs Option 1 (CPI)
Option 3 (TPI) vs. Option 1 (CPI)
Customer:
ervice Providers (trust)
S ervice Provider: S ervice Provider:
( p , p y )
Telco:
ervice Provider customer base, customer loyalty, new customers) Addi i l ff (i f S i P id S i P id i i
ervice Provider, S ervice Provider incentives, infrastructure)
55
Option 3 (TPI) vs Option 2 (TPC)
Option 3 (TPI) vs. Option 2 (TPC) I i O i 1 (CPI) O i 2 (TPC) d O i 3 (TPI)
lead to approximately the same costs and benefits.
, g p advantageousness of each option.
O ti 2 (TPC): Th T l d t ff d th d l t i l t ti
and operation of the service infrastructure that the Customer requires (hardware, software).
Option 3 (TPI) : The Telco needs to afford the development, implementation, and operation of the service infrastructure that the Service Provider requires (online interface).
56
Option 3 (TPI) vs Option 2 (TPC)
Option 3 (TPI) vs. Option 2 (TPC) Al th C Eff t Ch i f th l t d t d b fit f
Option 2 (TPC) and Option 3 (TPI) lead to approximately the same results Diff l b i l f h d
benefits.
misuse by the Telco seems to be lower, because of additional possibilities to control the personal data flow.
sophisticated evaluation methods and more concrete option scenarios. Al th f th d b d lit ti l ti th d
(e.g. quantitative ones) needs to be considered because of the
57
58
C B fi A l i d C Eff Ch i i i i l
evaluation approach.
same analysis framework.
59
common identity framework: A User-Centric Identit y Metasystem y y y
: Future of Identity in the Information S
Deliverable 3.6: S tudy on ID Documents; 2006; www.fidis.net
O/ IEC JTC 1/ S C 27/ WG 5: Identity Management and Privacy Technologies; www j tc1sc27 din de Technologies; www.j tc1sc27.din.de
: Privacy and Identity Management for Community S ervices; www.picos-proj ect.eu
j t proj ect.eu
www.primelife.eu
ecurity – A concept and examples Kai Rannenberg: Multilateral S ecurity A concept and examples for balanced security; Pp. 151-162 in: Proceedings of the 9th ACM New S ecurity Paradigms Workshop 2000, S eptember 19-21, 2000 Cork, Ireland; ACM Press; IS BN 1-58113-260-3
Kai Rannenberg: Identity management in mobile cellular networks and related applications; Information S ecurity Technical Report;
S N 1363-4127
ecurity @ Goethe University Frankfurt; www m-chair-net
60
Goethe University Frankfurt; www.m chair net