Challenges for Identity Management and Trust in Data Privacy and Government-Private Sector Information Sharing Systems for Critical Infrastructure Protection
John T. Sabo, Director, Global Government Relations, CA, Inc.; Member, OASIS IDtrust Member Section Steering Committee; President, Information Technology-Information Sharing and Analysis Center
www.oasis-open.org
The Emerging Challenge
Identity management challenges emerging from two distinct, but converging areas:
the networked sharing of sensitive information for critical infrastructure protection
Information (or data) privacy
Information Sharing Mandate from Government
“The objective of the information sharing life cycle is to provide timely and relevant information that security partners can use to make decisions and take necessary actions to manage [critical infrastructure] risks.”
(U.S. National Infrastructure Protection Plan (NIPP), pages 59-60)
Cross-sector Information Sharing Environment (diagram): participants shown include transportation, big business, governments, banks/finance, small business ("Mom & Pop Candies"), people and homes, energy/power, and the securities markets (Wall Street/The City), linked by phone, satellite and fax connections.
What is Information Sharing?
Information (what): descriptions and definitions of information sharing products
Sharing Entities (who): entities and individuals who comprise the information sharing infrastructure and their responsibilities
Sharing Mechanisms (how): the business processes and technical communications mechanisms used by information sharing entities
Originator Control: operational information sharing policies and rules for cross-sector and sector-government sharing
Vetting and Trust: security and privacy policies, standards and controls needed to establish and maintain a trusted information sharing environment
The Information Sharing “community”
Information Sharing for Critical Infrastructure Protection
Involves many partners
Involves sensitive information
Crosses company, organization, sector and geo-political boundaries
Requires agreements about who, what, how, and attention to data protection components
Must add value to participants
Must be resilient
Must be available
Must be secure
Must be trusted
Problems and Issues Growing
Data privacy tensions exist in the use of personally identifiable information and sensitive business information for 'national security' purposes
Use in cross-domain programs and applications
Crossing government and business boundaries
Assurances of basic information privacy and business confidentiality principles
Concerns over access and use of sensitive information
The implementation of information sharing systems is exposing threats to privacy
Data protection commissioners
Advocacy organizations
Relationship to Personal Information
Society is increasingly driven by and dependent on personal information
Personal information is continuously collected, processed, used, and shared
Information about finances, health, communications, behaviors and transportation is increasingly integrated into virtual databases of varying data quality
Governments express interest in such information for national security purposes
The use of this data for government purposes increases concerns as the potential for harm to the individual increases
For example: denying access to a flight or entry to a country based on multiple information sources
Examples of Personal Information
Financial: Consumers leave a trail every time they use credit and debit cards for purchases.
Communications Services: The increase in the use of communications technology has created a vast amount of telecommunications traffic. Each call is logged, tracked, billed and stored, creating an unparalleled data set.
Location Data: Telecommunications can yield even more information, namely the individual's location.
Transactions: Information and services purchased are recorded and mapped to individuals, creating an electronic web of money, communications, locations, and goods and services.
Interagency Exchanges: Government agencies may acquire commercial data through a variety of processes, including their authority for taxing, licensing, or monitoring.
Example: the U.S. National Homeland Security Network (diagram). Nodes shown: State Emergency Operation Center, Homeland Security Operations, 56 FBI Field Offices, FBI Tips Program, Criminal Justice Information System, Terrorist Threat Integration Center, FBI National Joint Terrorism Task Force, FBI Counter Terrorism Watch, FEMA, DHS Private Sector, DHS Threat Analysis, DHS State & Local, State & Local Information (JRIES), Operations (LEO), Private Sector, and suspicious activity reported by the public or a member.
Complex and Imprecise Privacy Laws, Directives, Policies
US Privacy Act of 1974
The OECD Guidelines (Principles)
UN Guidelines Concerning Computerized Personal Data Files
EU Directive 95/46/EC
Information Privacy Principles
Canadian Standards Association Model Code
International Labour Organization (ILO) Code of Practice on the Protection of Workers' Personal Data
US-EU Safe Harbor Privacy Principles
Ontario Privacy Diagnostic Tool
Australian Privacy Act (National Privacy Principles)
The AICPA/CICA Privacy Framework
Japan Personal Information Protection Act
APEC Privacy Framework
. . . .
Privacy Context: Policies Are Trailing Technology and Practices (diagram). Forces acting on the evolving nature and concepts of privacy: industry, society, regulation, technology, standards, the information society, national security, the digital economy, and pervasive networked devices.
Privacy Principles/Practices (many with clear Identity Management linkages)
Accountability, Notice, Consent, Collection Limitation, Use Limitation, Disclosure, Access and Correction, Data Quality, Enforcement, Openness, Anonymity, Data Flow, Sensitivity, Security/Safeguards
Source: www.istpa.org, "Making Privacy Operational...."
Relative State of Privacy and Security Standards
Privacy standards are essentially at a very early state:
Issues of definitions and taxonomy
Focus on 'front-end' data collection and the Web (such as the Platform for Privacy Preferences (P3P))
Today, heavy focus on data minimization as a practice
Unclear policy and operational relationship between security and privacy
Privacy and security often conflated (e.g., data breach)
Security is much more developed: frameworks and standards (ITU, ISO, OASIS, IETF, W3C, etc.), mechanisms, products
ISTPA Privacy Framework potentially important: www.istpa.org
Convergence of Information Sharing and Privacy
Business and personal information protection may require similar security controls, despite different motivations
Separate policies and technologies: not integrated, no common understandings
No single "ownership" or infrastructure architecture
Convergence being forced in information sharing systems
Data privacy concerns heightening awareness
Starting Point: Identity and Trust Foundation
Trust is the core component of operational information sharing and data privacy
An identity and access management foundation is necessary
Need for interoperability across information sharing domains: federated or loosely-coupled, but trusted, and standards-based
Little attention to this in the information sharing community
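As an added illustration of this identity and trust foundation (example code written for this page, not code from the presentation, OASIS, or any product named here), the following Python stands in for a SAML 2.0 / XACML deployment: a trusted partner identity provider issues an attribute assertion about a requester, the sharing hub verifies it against its trust list, and the originator-control rules attached to the shared product (sector restriction, use limitation, PII minimization) decide what is released. It ties together the "Originator Control" and "Vetting and Trust" definitions and the use-limitation and security/safeguards principles listed earlier. All issuers, keys, hostnames and records are constructed for the example; the HMAC tag is an assumed stand-in for the XML signature a real assertion would carry.

```python
"""Federated identity check plus originator-control policy decision.

Illustrative code added for this page; every issuer, key, host and record is
constructed. The HMAC tag stands in for a SAML XML signature.
"""
import hashlib
import hmac
import json
import time

# Constructed trust list: partner domains whose assertions the hub accepts.
# A real deployment pins signing certificates; a shared HMAC key stands in here.
TRUSTED_ISSUERS = {
    "idp.energy-isac.example": {"sector": "energy", "key": b"energy-partner-key"},
    "idp.finance-isac.example": {"sector": "finance", "key": b"finance-partner-key"},
}
HUB_AUDIENCE = "hub.cip-share.example"


def issue_assertion(issuer, subject, attributes, ttl=300):
    """Partner IdP side: sign an attribute assertion about one of its users."""
    body = {"iss": issuer, "sub": subject, "aud": HUB_AUDIENCE,
            "exp": int(time.time()) + ttl, "attrs": attributes}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(TRUSTED_ISSUERS[issuer]["key"], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_assertion(assertion, now=None):
    """Hub side: accept only intact, unexpired assertions from trusted issuers addressed to us."""
    now = time.time() if now is None else now
    body = json.loads(assertion["payload"])
    issuer = TRUSTED_ISSUERS.get(body.get("iss"))
    if issuer is None:
        return None, "untrusted issuer"
    expected = hmac.new(issuer["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None, "bad signature"
    if body.get("aud") != HUB_AUDIENCE:
        return None, "wrong audience"
    if body.get("exp", 0) < now:
        return None, "expired"
    # The sector comes from the hub's trust list, never from a self-asserted attribute.
    body["attrs"]["sector"] = issuer["sector"]
    return body, "ok"


# Constructed shared product with the originator's handling rules attached.
SHARED_ITEM = {
    "id": "alert-0042",
    "originator": "energy-isac",
    "share_with_sectors": {"energy", "finance"},    # originator control
    "permitted_purposes": {"cip-risk-management"},  # use limitation
    "fields": {
        "indicator": "C2 domain observed in SCADA vendor VPN logs",
        "reporter_name": "Jane Doe",      # PII: released only to vetted analysts
        "reporter_phone": "+1-555-0100",  # PII
    },
    "pii_fields": {"reporter_name", "reporter_phone"},
}


def decide(item, subject_attrs, purpose):
    """XACML-style decision: Permit/Deny, the minimized view, and the reasons."""
    reasons = []
    if subject_attrs.get("sector") not in item["share_with_sectors"]:
        reasons.append("sector not in originator's sharing set")
    if purpose not in item["permitted_purposes"]:
        reasons.append("purpose not permitted by originator")
    if reasons:
        return {"decision": "Deny", "reasons": reasons, "released": {}}
    # Data minimization: PII travels only to vetted analysts; others get the indicator alone.
    release_pii = subject_attrs.get("vetted") is True and subject_attrs.get("role") == "analyst"
    released = {k: v for k, v in item["fields"].items()
                if release_pii or k not in item["pii_fields"]}
    return {"decision": "Permit", "reasons": ["all originator rules satisfied"],
            "released": released, "pii_released": release_pii}


def request_share(assertion, purpose, item=SHARED_ITEM):
    """End to end: verify the federated assertion, then apply the originator's policy."""
    subject, status = verify_assertion(assertion)
    if subject is None:
        return {"decision": "Deny", "reasons": ["identity: " + status], "released": {}}
    result = decide(item, subject["attrs"], purpose)
    # Accountability: every decision leaves an audit record naming subject, issuer and purpose.
    result["audit"] = {"sub": subject["sub"], "iss": subject["iss"], "item": item["id"],
                       "purpose": purpose, "decision": result["decision"]}
    return result


if __name__ == "__main__":
    a = issue_assertion("idp.finance-isac.example", "alice@bank.example",
                        {"role": "analyst", "vetted": True})
    print(json.dumps(request_share(a, "cip-risk-management"), indent=2))
    print(json.dumps(request_share(a, "marketing"), indent=2))
```

The point of the split between verify_assertion and decide is the one the slides make: identity (who is asking, vouched for by which partner) and privacy/originator policy (what may be used, for what purpose, with which fields minimized) are separate controls that only work when the same trusted attributes feed both.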
What Can Be Done?
Work must begin now: the information sharing infrastructures being implemented have serious security and privacy vulnerabilities
Need to take an overview of identity and trust standards in the context of loosely-connected systems and infrastructures
What is the relationship of OASIS and other standards to a solution: SAML 2.0, Liberty, WS-Security, WS-Federation, XACML, others?
Is there a need for a new framework or meta-standard?
Today's workshop speakers discuss potentially important work underway that might be usable for identity management issues emerging in information sharing and privacy systems
How can the OASIS IDtrust Member Section play a role: EKMI, PKIA, DSS-X or other initiatives?