Integrated Electronic User and Access Management in the Belgian Public, Social and Health Care Sector Frank Robben General manager Crossroads Bank for.

Presentation transcript:

Integrated Electronic User and Access Management in the Belgian Public, Social and Health Care Sector Frank Robben General manager Crossroads Bank for Social Security CEO Smals Sint-Pieterssteenweg 375 B-1040 Brussels Website CBSS: Personal website:

2 Frank Robben Structure of the presentation General overview of user and access management Basic concepts related to user and access management Choices made in Belgium –Identification –Overall Information Security and Privacy Protection Policy –Policy Enforcement Model –User Management for citizens, professionals and companies –Access Management –Principle of “Circles of Trust“ Transnational aspects –Needs –Proposal of a method –Proposal of concrete objectives Conclusion

3 Frank Robben General Overview 3 Target Groups –Citizens –Professionals –Companies and their service providers Different Aspects –User Management Registration of the identity Authentication of the identity Registration of characteristics and mandates Verification of characteristics and mandates –Access Management Registration of authorizations Verification of authorizations

4 Frank Robben User Management: Basic Concepts Identity –A number or a set of attributes of an entity that makes it possible to know precisely who or what the entity (physical person, company, …) is –An entity has only one identity, but this identity can be determined by several numbers or sets of attributes Characteristic –An attribute of an entity, other than the attributes determining its identity, such as a capacity, a function in an organisation, a professional qualification, ... –An entity can have several characteristics

5 Frank Robben User Management: Basic Concepts Mandate –A right granted by an identified entity to another identified entity to perform well-defined legal actions in its name and for its account –Is essentially a relationship between two entities –An entity can grant several mandates to several entities Registration –The process of determining the identity, a characteristic or a mandate of an entity with sufficient certainty, before making available the means by which the identity can be authenticated, or the characteristic or the mandate can be verified

6 Frank Robben User Management: Basic Concepts Authentication of the Identity –The process of checking whether the identity that an entity claims to have in order to use an electronic service corresponds to the real identity –The authentication of the identity can be done based on the verification of: knowledge (e.g. a password); possession (e.g. a certificate on an electronically readable card); biometric characteristics; a combination of those

7 Frank Robben User Management: Basic Concepts Verification of a characteristic or a mandate –The process of checking whether a characteristic or a mandate that an entity claims to have in order to use an electronic service corresponds to a real characteristic or mandate of that entity –The verification of a characteristic or a mandate can be done by the same kind of means as those used for the authentication of the identity or, after the authentication of the identity, by consulting a database (authentic source) that contains information about characteristics or mandates related to identified entities

8 Frank Robben Access Management: Basic Concepts Authorization –A permission to an entity to perform a defined action or to use a defined service Authorization Group –A group of authorizations Role –A group of authorizations or authorization groups related to a specific service Role Based Access –A method of assigning authorizations to entities by means of authorization groups and roles, in order to simplify the management of authorizations and their assignment to entities [Diagram: Entity, Role, Authorization (Group), Service]

9 Frank Robben Choices made in Belgium Identification Overall Information Security and Privacy Protection Policy Policy Enforcement Model User Management for –Citizens –Professionals –Companies Access Management Principle of “Circles of Trust“

10 Frank Robben Identification Identification number for every citizen and every company –Characteristics Unique –Every entity in principle only has one identification number –The same identification number is not assigned to several entities Exhaustive –Every entity to be identified has an identification number Stable over time –Identification number should not contain variable characteristics of the identified entity –Identification number should not contain references to the identification number or characteristics of other entities –Identification number should not change when a quality or characteristic of the identified entity changes

11 Frank Robben Identification Art. 8, 7 Directive 95/46/EC: "Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed" –Evolution towards meaningless identification numbers –Unique identification numbers of citizens can only be used by bodies authorized by a sectoral committee of the national privacy commission –In some sensitive sectors (e.g. justice, health, …), the identification number can be a specific number derived from the unique number of the citizen –Regulation on interconnection of personal data Registration of the identity of citizens by the municipalities Registration of the identity of companies by company counters

12 Frank Robben Overall Security and Privacy Protection Policy Overall policy on information security and privacy protection for eGovernment –Security, integrity and confidentiality of government information are ensured by integrating ICT measures with structural, organizational, physical, personnel screening and other security measures according to agreed policies –Every public institution has an information security and privacy protection department with an advising, documenting, stimulating and control mission –Personal information is only used for purposes compatible with the purposes of the collection of the information –Personal information is only accessible to authorized institutions and users according to business needs, legislative or policy requirements

13 Frank Robben Overall Security and Privacy Protection Policy Overall policy on information security and privacy protection for eGovernment –The communication of personal information by government bodies to third parties has to be authorized by the competent sectoral committee of the privacy commission, designated by Parliament, after having checked whether the communication conditions (e.g. purpose limitation, proportionality) are met –The authorizations to communicate personal information are public –Every actual electronic communication of personal information by a government body is preventively checked on compliance with the existing authorizations by an independent institution managing the interoperability framework used for the communication (clearing house function) –Every concrete electronic communication of personal information by a government body is logged by the clearing house, to be able to trace possible abuse afterwards

14 Frank Robben Overall Security and Privacy Protection Policy Overall policy on information security and privacy protection for eGovernment –Every time information is used to take a decision, the used information is communicated to the concerned person together with the decision –Every person has right to access and correct his own personal data

15 Frank Robben Policy Enforcement Model [Diagram. Components: User, Application, Policy Enforcement (PEP), Policy Decision (PDP), Policy Administration (PAP), Policy Information (PIP, shown twice), Authentic Source (shown twice), Policy Repository, Manager. Flows: Action on application (PERMITTED or DENIED), Decision Request, Decision Reply, Policy Retrieval, Policy Management, Information Request/Reply]

16 Frank Robben Policy Enforcement Point (PEP) –Intercepts the request for authorization with all available information about the user, the requested action, the resources and the environment –Passes on the request for authorization to the Policy Decision Point (PDP) and extracts a decision regarding authorization –Grants access to the application and provides relevant credentials

17 Frank Robben Policy Decision Point (PDP) –Based on the request for authorization received, retrieves the appropriate authorization policy from the Policy Administration Point(s) (PAP) –Evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP) –Takes the authorization decision (permit/deny/not applicable) and sends it to the PEP

18 Frank Robben Policy Administration Point (PAP) –Environment to store and manage authorization policies by authorised person(s) appointed by the application managers –Puts authorization policies at the disposal of the PDP

19 Frank Robben Policy Information Point (PIP) –Puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources with characteristics, mandates, etc.)
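
The PEP, PDP, PAP and PIP roles from the four slides above, wired together as an added example (not code from the presentation or from the Belgian systems it describes). All class and field names, identifiers, policies and dates are constructed; treating "not applicable" as a denial at the PEP, and keeping the decision log at the PEP, are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not applicable"

@dataclass(frozen=True)
class Request:
    user: str                  # identity, already authenticated (constructed id)
    auth_level: int            # level at which the identity was authenticated
    service: str
    action: str
    today: date                # environment information passed along by the PEP
    on_behalf_of: Optional[str] = None  # entity in whose name the user acts

@dataclass(frozen=True)
class Policy:                  # one authorization rule, as stored in the PAP
    service: str
    action: str
    min_auth_level: int
    characteristic: Optional[str]  # characteristic the user must have, if any
    valid_from: date
    valid_until: date

class PAP:
    """Stores authorization policies and puts them at the disposal of the PDP."""
    def __init__(self, policies):
        self.policies = {(p.service, p.action): p for p in policies}
    def retrieve(self, service, action):
        return self.policies.get((service, action))

class PIP:
    """Authentic sources: characteristics per user and registered mandates."""
    def __init__(self, characteristics, mandates):
        self.characteristics = characteristics  # user -> set of characteristics
        self.mandates = mandates                # {(grantor, mandatary, service)}
    def has_characteristic(self, user, name):
        return name in self.characteristics.get(user, set())
    def has_mandate(self, grantor, mandatary, service):
        return (grantor, mandatary, service) in self.mandates

class PDP:
    """Retrieves the policy, consults the PIP only when needed, and decides."""
    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip
    def decide(self, req):
        policy = self.pap.retrieve(req.service, req.action)
        if policy is None or not (policy.valid_from <= req.today <= policy.valid_until):
            return NOT_APPLICABLE           # no rule covers this request today
        if req.auth_level < policy.min_auth_level:
            return DENY                     # identity authenticated too weakly
        if policy.characteristic and not self.pip.has_characteristic(
                req.user, policy.characteristic):
            return DENY                     # characteristic not in authentic source
        if req.on_behalf_of and not self.pip.has_mandate(
                req.on_behalf_of, req.user, req.service):
            return DENY                     # acting in another's name, no mandate
        return PERMIT

class PEP:
    """Intercepts every request, asks the PDP, and only then calls the application."""
    def __init__(self, pdp):
        self.pdp, self.log = pdp, []
    def handle(self, req, application):
        decision = self.pdp.decide(req)
        # Assumption: each decision is logged so that use can be traced afterwards.
        self.log.append((req.today.isoformat(), req.user, req.on_behalf_of,
                         req.service, req.action, decision))
        if decision != PERMIT:              # fail closed, also on "not applicable"
            return "DENIED"
        return application(req)

def application(req):
    """Stand-in for the protected application."""
    return f"OK {req.action} {req.service}"

def build_pep():
    """Constructed policies and authentic-source contents for the demo."""
    start, end = date(2024, 1, 1), date(2024, 12, 31)
    pap = PAP([
        Policy("patient-record", "consult", 3, "medical doctor", start, end),
        Policy("social-declaration", "submit", 1, None, start, end),
    ])
    pip = PIP({"user-1001": {"medical doctor"}},
              {("company-9", "user-2002", "social-declaration")})
    return PEP(PDP(pap, pip))

if __name__ == "__main__":
    pep, day = build_pep(), date(2024, 6, 1)
    for req in (
        Request("user-1001", 3, "patient-record", "consult", day),
        Request("user-1001", 1, "patient-record", "consult", day),
        Request("user-2002", 1, "social-declaration", "submit", day, "company-7"),
        Request("user-1001", 3, "patient-record", "alter", day),
    ):
        print(req.user, req.service, req.action, "->", pep.handle(req, application))
    for entry in pep.log:
        print(entry)
```
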

20 Frank Robben Architecture [Diagram covering Be-Health, the social sector (CBSS) and the non social FPS (FedICT). Labels: USER; APPLICATIONS (WebApp XYZ); Authentication; Authorisation; PEP with Role Mapper and Role Mapper DB; PDP with Role Provider and Role Provider DB; PAP "Kephas"; PIP Attribute Providers; UMAF; Management VAS; DB XYZ; DB Gerechtsdeurwaarders; DB Mandaten]

21 Frank Robben Citizens
Columns: level; registration of the identity of citizens; authentication of the identity of citizens; services
–Level 0: None; public information/services
–Level 1: registration online by input of the national identification number, the number of the identity card and the number of the social security card; authentication by user number and password chosen by the user; lowly sensitive information/services
–Level 2: registration as for level 1, plus a URL for activation sent to an address mentioned by the citizen and a paper token sent to the residence of the citizen as registered in the national register; authentication as for level 1, plus input of an arbitrarily requested string mentioned on the paper token (which contains 24 strings); medium sensitive information/services
–Level 3: registration by physical visit at the municipality in order to get the eID; authentication by the authentication certificate of the eID + password per session; highly sensitive information/services
–Level 4: registration by physical visit at the municipality in order to get the eID; authentication by the authentication certificate of the eID + signature certificate on the eID + password per transaction; services requiring an electronic signature

22 Frank Robben eID

23 Frank Robben Citizen token

24 Frank Robben Citizens At the moment, a citizen only has access to –Public information and services –Non-public services regarding himself Thus, only need of –Registration of the identity –Authentication of the identity at a level adapted to the sensitivity degree of the service (For the time being) no need for –Verification of characteristics –Verification of mandates

25 Frank Robben Professionals Who? –Employees of public services and social security institutions –Specific professions: health care providers (medical doctors, pharmacists,…), notaries, bailiffs, accountants,… –... Registration and authentication of the identity –In principle same system as the citizens system –For employees of public services and social security institutions, the paper token at level 2 is sent to the information security officer of the public service or the social security institution that employs the employee and is delivered to the employee by this information security officer

26 Frank Robben Professionals Registration of characteristics and mandates –Designation by the government, for every (type of) characteristic(s) or mandate(s), of an appropriate body (called the registration authority) that has the responsibility to register the characteristic or the mandate with sufficient certainty –Storage of the characteristic or the mandate by the registration authority into an authentic source (PIP) accessible to all interested parties Verification of characteristics and mandates –Consultation of the relevant authentic sources (PIP) accessible to all interested parties –In case of use of the paper token, also arbitrarily requested string mentioned on the paper token

27 Frank Robben Companies
Columns: level; registration of the identity of mandataries of companies; authentication of the identity of mandataries of companies; services
–Level 0: None; public information/services
–Level 1: registration of the local administrator by a signed (electronic) form to the National Office for Social Security by the company for whom the person acts as a local administrator, and of other mandataries by the local administrator; authentication by user number and password chosen by the user; lowly or medium sensitive information/services
–Level 2: registration by physical visit at the municipality in order to get the eID; authentication by the authentication certificate on the eID + password per session; highly sensitive information/services
–Level 3: registration by physical visit at the municipality in order to get the eID; authentication by the authentication certificate on the eID + signature certificate on the eID + password per transaction; services requiring an electronic signature

28 Frank Robben Registration of Mandates for Companies Authentic source (PIP) at the National Office for Social Security accessible to all interested parties containing –For every company, the mandate of his local administrator to use certain information/services in the name of the company –For every company, any mandates of external service providers (social secretariats, accountants, …) to use certain information/services in the name of the company –For every service provider, the mandate of his local administrator to use certain information/services in the name of the service provider –Possibility for the local administrator to designate sub-local administrators for clusters of information/services –Possibility for the (sub-)local administrators of companies/service providers to grant mandates to other employees of the company/service provider to use certain information/services in the name of the company/service provider

29 Frank Robben Authorizations Registration –Storage in an authentic source of authorization rules (PAP) by the provider of the electronic service, specifying which types of processing may be executed related to the service under which conditions (e.g. characteristics, mandates, …) during which periods of time Verification –Consultation of the relevant authentic sources of authorizations (PAP) accessible to all interested parties

30 Frank Robben How to Choose a Security Level? Responsibility of the provider of an electronic service under supervision of the Privacy Commission. Based on a risk assessment and depending on, among other things: –The type of processing: communication, consultation, alteration, … –The scope of the service: does the processing only concern the user or also concern other persons? –The degree of sensitivity of the data processed –The possible impact of the processing. On top of the security level, the use of an electronic signature might be needed in order to protect the provider of the service against disputes. In the social sector and the federal government: decision of the Board of Directors of the Crossroads Bank for Social Security set down in a user regulation

31 Frank Robben Principle of “Circles of Trust" Aim –To avoid unnecessary centralization –To avoid unnecessary threats to the protection of the privacy –To avoid multiple similar controls and registration of loggings Method: division of tasks between the entities associated with the electronic service, including clear agreements on –Who is in charge of which authentications, verifications and controls by which means –How the results of the authentications, verifications and controls can be safely exchanged electronically between the entities concerned –Who keeps which log files –How to ensure that in case of an investigation, on one’s own initiative or in response to a complaint, a complete tracing can be realized in order to know which physical person has used which service or transaction concerning which citizen or company, when, through which channel and for which purposes

32 Frank Robben Transnational Aspects Huge need to be able to electronically –Identify and authenticate the identity of all relevant foreign entities (physical persons, companies, …) –Verify the relevant characteristics of the foreign entities –Verify that an entity has been mandated by another foreign entity to perform a legal action Need to implement the objective and related actions from the inter-ministerial statement about eGovernment in the EU issued on 24th November 2005

33 Frank Robben Inter-ministerial statement “By 2010 European citizens and business shall be able to benefit from secure means of electronic identification that maximise user convenience while respecting data protection regulations. Such means shall be made available under the responsibility of the Member States, but recognised across the EU.”

34 Frank Robben Inter-ministerial Statement: Actions “Member States will, during 2006, agree a process and roadmap for achieving the electronic identity objectives and address the national and European legal barriers to the achievement of the electronic identity objectives; work in this area is essential for public administrations to deliver personalised electronic services with no ambiguity as to the user’s identity.” “Member States will, over the period , work towards the mutual recognition of national electronic identities by testing, piloting and implementing suitable technologies and methods.”

35 Frank Robben Some Use Cases Individual residing in Member State A is temporarily employed (posted) in Member State B –The employer or his representative has to ask for authorization from the competent social security institution of Member State A –The competent social security institution of Member State A (electronically) sends an E101-form to the competent social security institution of Member State B => Need for (interrelated) identification of the employer, his representative and the employee in both Member States, need for authentication of the characteristic "employer" and need for authentication of the mandate of the representative

36 Frank Robben Some Use Cases Individual residing in Member State A works, studies or looks for work in Member State B => need for (interrelated) identification of the individual in both Member States Individual residing in Member State A simultaneously works in various other Member States => need for (interrelated) identification of the individual in all Member States Individual residing in Member State A needs health care in member State B (form E111, (e)EHIC) => need for (interrelated) identification of the individual in both Member States

37 Frank Robben Some Use Cases Individual residing in Member State A has to exchange (in an electronic way) data with public authorities in Member State B => need for (interrelated) identification of the individual in both Member States Employer or his representative residing in Member State A has to exchange (in an electronic way) data about his employees with public authorities in Member State B => need for (interrelated) identification in both Member States of the employer, his representative and the employees, need for authentication of the characteristic of "employer" and need for authentication of the mandate of the representative

38 Frank Robben Proposal of a Method Method of Open Coordination –The Member States and the European Commission define common objectives and a common timing to meet the objectives –Each Member State makes a national action plan in order to meet the objectives within the agreed time frame –Each Member State periodically reports to the European Commission about the national status questionis in meeting the objectives and about the execution of the national action plan –The European Commission makes a sound synthesis of the national reports –If needed, the European Commission proposes, based on the recommendations of the Member States, amendments to adjust the objectives –The European Commission organises the exchange of best practices between Member States

39 Frank Robben Proposal of Concrete Objectives Internationally, authentication levels are established in relation to identity, characteristics and mandates Each country has registration procedures for establishing the identity of individuals residing in their own country, according to the internationally established authentication levels Each country has registration procedures for establishing the identity of legal entities and actual associations that are established in their own country, according to the internationally established authentication levels

40 Frank Robben Proposal of Concrete Objectives Each country makes available to each individual, each legal entity and each actual association for whom/which the identity is established in accordance with the registration procedures, the means by which the concerned entity can produce and prove its identity (whether or not in a particular context) locally or remotely, verbally, visually and electronically on the territory of the country in question, without that entity’s identity being confused with the identity of another individual person, legal entity or actual association in that country

41 Frank Robben Proposal of Concrete Objectives Each country has registration procedures for establishing the type of characteristics indicated by an internationally accredited body, according to the internationally established authentication levels Each country has registration procedures for establishing the mandate of an individual to represent a legal entity or actual association, and the other types of mandates that are indicated by an internationally accredited body, according to the internationally established authentication levels

42 Frank Robben Proposal of Concrete Objectives Each country has the necessary systems to produce and prove the characteristics and mandates of individuals, legal entities and actual associations that have been established according to the registration procedures (whether or not in a particular context), locally or remotely, verbally, visually and electronically on the territory of the country in question, either with the permission of the concerned entity or in accordance with a statutory or legal provision

43 Frank Robben Proposal of Concrete Objectives Under the coordination of the European Commission, the Member States of the EU develop EU standards and specifications to ensure the semantic and technical interoperability of resources for producing and proving electronically the identity, characteristics and mandates through or in relation to individuals, legal entities and actual associations on the territory of other Member States

44 Frank Robben Conclusion An integrated system for user and access management for citizens, professionals and companies exists in Belgium Based on a well coordinated assignment of tasks to the most appropriate bodies Accessible via open standards The system permits the use of common basic services without loss of autonomy The system permanently evolves according to ever changing user requirements

45 Frank Robben More information Personal website Frank Robben – Website Crossroads Bank for Social Security – Website Smals – Website Federal Public Service for Information and Communication Technology (FedICT) – Electronic identity card –

Thank you! Any questions?