420 likes | 561 Views
Towards Trusted Web Services: Trust management framework using Public Key Infrastructure Technology. London – November 2006. WISeKey. CertifyID BlackBox. Identity (r)Evolution. The Company. Company Details Founded in 1999 Headquarters in Geneva, Switzerland Competence & Activites
E N D
Towards Trusted Web Services:Trust management framework using Public Key Infrastructure Technology London – November 2006
WISeKey • CertifyID BlackBox • Identity (r)Evolution
The Company • Company Details • Founded in 1999 • Headquarters in Geneva, Switzerland • Competence & Activites • Global and Neutral Trust Model • Based on principles of neutrality and strategic global relationships • InfoSec Projects • Global PKI Deployments • World’s First Internet e-Voting Project • Digital Video Broadcasting MHP Security Framework • Secure Video Processing Alliance • High Security Data Centres • Trust Centre Solution • Windows Certificate Services and technology stack
Getting There… e-Voting first ever binding Internet Vote Developing Countries Deploying infrastructures with the ITU Digital TV Securing the Digital Video Broadcasting Infrastructure & Secure Video Processor Alliance Object eIDs Securing object (luxury goods, construction materials) Intelligent cities Securing DestiNY USA, and Incheon, South Korea National ID SystemsID cards, drivers permits, health cards, passports...
WISeKey • CertifyID BlackBox • Identity (r)Evolution
Problem Statement • The Internet was built without a way to know who and what you are connecting to • Everyone offering an internet service has had to come up with a workaround • Patchwork of identity one-offs • Not fair blaming the user – no framework, no control • We are “Missing the identity layer” • Digital identity currently exists in a world without synergy because of identity silos
Identity 0.0 • Resides on a Trusted Third Party • E.g. Confédération suisse • Asymetric relationship • No direct link with the issuer upon its utilisation • Usable on a massive scale • Optimal in terms of respect of the sphere of privacy • Controlable by its holder
identity 0.0 1.0 /
Identity 1.0 • Specific to each use case • One use – One identity • Controlled by a Third Party • Absence of sphere of privacy • Reutilisation impossible / complex • Limited confidence / trust
Multiplication eID Cost Complexity Confusion
Identity Theft • Phishing • Pharming 50 millions identities estimated stolen during the first quarter 2005
identity 1.0 2.0 /
Example of a Digital ID Jordi Aymerich X.509 travelux 4159 6234 622 Member Level: Platinum Member Since: 1997Code: 625 Valid Through: 7/2006
“Identity Management is not only about specifications and technologies… Its also addressing national issues”
DataAccuracy DelegatedAdmin SelfService AutomateProcesses Reduce risks Improve Service and productivity Federation Centralize Singlesign-on Helpdesk ServiceProvisioning Pre-auditchecks ProtectSystems SOX Achieve“Compliance” Improve Security Roles BASEL II StrongAuthn HIPPA SecureAccess PCI-DSS ….. ProtectData
EU Data Protection Directive European Union data protection directive Source : Kerry Shackelford -www.KLSConsultingLLC.com
Sarbanes Oxley Section 404 of the Sarbanes-Oxley directive obliges companies to formalise all of the processes that could impact their finances
Drivers – proof points Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department. of Justice
Suppliers Clients Distant Employees Partners Enterprise Networks Entreprises et employees
Web Services = +vulnerable zones • Identity management and authentication • How to establish trusted authorities for handling identities? • What form of identities to use? • UID/password or strong authentication? • Digital certificates? • How to validate identities? • How to federate across trusted authorities? • Access Control • What services and methods can be consumed by requesting application? • Shall dynamic data determine access rights? • Groups based, roles based, resource based, combination thereof?
+vulnerable zones = +security needs • Data Privacy • What regulatory requirements apply, do I even know? • How is data privacy to be enforced? • What level of data encryption is necessary – internal storage at rest, over the internal network, over external networks, transfer to partner network? • Network Security • Internal network must be protected, how? • Firewall policy implementation, enforcement points? • Examine packet content, data content?
Addressed by specifications • SAML • WS-* • XML- XML Encryption / Digital Signature • SOAP • SSL, TLS • PKIX • Liberty Alliance • etc • Most conservative companies are hesitant to deploy widespread web services • But for those that do deploy, the use of common standards such as the following are essential: • SSL, TLS • XML (Encryption, Digital Signature) • SOAP • WSDL • SAML
“It is not only about specifications and technologies… Its also about addressing business and trust problems”
WISeKey • PKI Deployment • Identity (r)Evolution
Core PKI Services a public key infrastructure (PKI) is an arrangement that provides for trusted third party vouching for user identities Authentication assurance to one entity that another entity is who he, she, or it claims to be Integrity assurance to an entity that data has not been altered between “there” and “here” or between “then” and “now” Confidentiality assurance to an entity that no one can read a particular piece of data except the intended receiver
Email Encryption And signature Access Control User management Mobile Data Encryption Digital Signature Data Encryption Digital Identity Intranet/Extranet Access Management Certificate usage
… but not the only answer • Certificates are commonly accepted and used as official issued virtual IDs • CardSpace and other systems extends this so that other identity providers can provide identity claims with Privacy • RP can be hidden from IP • User controls release of information • Examples – Health, Travel etc.
Distributed trust CertifyID Blackbox™ is an innovative way to reduce the cost of deployingand managing a CA in a trusted environment “Traditional” classical model WISeKey model • Takes advantage of existing corporate “identity management” infrastructure • Certificate lifecycle easier to manage • Easy integration with corporate systems Root WISeKey / OISTE CA • High cost and complexity in managing certificates • Little integration between professional CA and corporate database “Professional” / Outsourced CA Corporate [MS Server-based] CA Certificate holder/ Business user Certificate holder/ Business user
The CertifyID Trust Model Swiss Federal Government: Supervisory Authority Independent Auditor: Annual audit Policy Approval Authority Governance Operator: National Sovereignty Country D Country A Country B Country C
Guardian XM database redundancy and high availability services for Certification Authorities (CAs) on the Microsoft platform Web Services API Enterprise applications integration Trust Service CRL Manager provides issued identities with global recognition & trust publish and monitor the Certificate Revocation List (CRL). Blackbox™ offering The CertifyID Blackbox™ offers a complete and affordable out-of-the-box solution for establishing a Trusted Identity Infrastructure dedicated to your organization.
Blackbox™ benefits • Low cost – solution is cheaper than traditional PKI solution • Ease of use – • based on Microsoft’s Certification Services • wizard-based installation – no PKI know-how necessary • simplified certificate management – transparent to users • data resiliency • Integration – • tight integration with company’s Active Directory • easy integration with corporate applications through web services API • Totally standards based – PKIX, X.509, CRL, OCSP • Extended Trust Model – • internally managed issuance of e-IDs (confidentiality) • inclusion in community of trust for inter-company recognition of e-IDs
WISeKey Trust Model • Use existing Trust Parties - digitizing their current processes – Analog to Digital Trust • Technically achieved through the sharing of a root certificate by high authenticate Certification Authorities • Flexible and scalable development of distributed trust communities • Neutral root certificate ownership, administered by a neutral forum providing global recognition and inter-operability • Achieve high security via technical controls, security hardware modules, auditing mechanisms • Affordable, Low cost, ease of use, portability
Conclusions • eID is happening • Continues to drive more secure architectures on the Internet. • Many countries are playing a leader role • Scenarios include • Many eGovernment applications • National eID card & Social security & Health & Tax etc. • Many Corporate to Corporate applications • Essential for Protecting Web Services • Increasing use in Identity management and Privacy Protection • Technology for driving affordable government and business Trusted eID management and web services is available today! • OISTE Trust Model + WISeKey CertifyID Products
Questions WISeKey S.A WISeKey S.A - World Trade Center II - 29, route de Pré-Bois CP 885 1215 Geneva, Switzerland Tel: +41 22 594 30 00 - Fax: +41 22 594 30 01 e-mail: info@wisekey.com - www.wisekey.com