e-ID and identity management aspects in the Belgian social sector

Frank Robben
General Manager, Crossroads Bank for Social Security
General Manager, SmalS-MvM
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: [email protected]
Website: www.ksz.fgov.be
Personal website: www.law.kuleuven.ac.be/icri/frobben

ADAPID project (ADvanced APplications for electronic IDentity cards) - Tuesday 26th September 2006
Structure of the presentation
• current environment
• electronic user and access management
– eID: functions and additional needs
– policy enforcement model
• SIS card and eID
• transnational aspects
– needs: some use cases
– proposal of concrete objectives
Current environment
• a network between all 2,000 social sector actors, with a secure connection to the internet and to other public (e.g. FedMAN) and private (e.g. Isabel) networks
• a unique identification key
– for every citizen, electronically readable from an electronic social security card (SIS card) and from an electronic identity card (eID)
– for every company
• task sharing between actors in the social sector and in other sectors with regard to information management and the storage of information in authentic sources
Current environment
• 185 electronic services for mutual information exchange amongst all actors in the social sector, defined after process optimisation
– nearly all direct or indirect (via citizens or companies) paper-based information exchange between actors in the social sector has been abolished
– in 2005 half a billion electronic messages were exchanged amongst actors in the social sector, saving as many paper exchanges
• an integrated portal site containing
– electronic transactions for employers and citizens
– information about the entire Belgian social security system
– harmonised instructions and an information model for all electronic transactions
– a personal page for each company
Current environment
• 36 electronic services for employers, either based on the electronic exchange of structured messages between the employers' software applications and those of actors in the social sector, or via the integrated portal site
– 50 social security declaration forms have been abolished
– in the remaining 30 declaration forms the number of headings has on average been reduced to a third of the previous number
– declarations are limited to 3 events:
• immediate declaration of recruitment and discharge (electronically only)
• quarterly declaration of salary and working time (electronically only)
• 21 types of declarations of social risks (electronically or on paper)
– in 2005, 15.7 million electronic declarations were made by all 220,000 employers, 98 % of them from application to application
Current environment
• 4 electronic services for citizens via the integrated portal
– 2 services to apply for social benefits
– 2 services for consultation of social benefits
– about 30 new services are foreseen
• an integrated multimodal contact centre supported by a customer relationship management tool
• an integrated e-workspace for professionals involved in the social sector, with
– e-teams
– workflow across social sector actors (e.g. e-Leg)
• a data warehouse with integrated information for research, policy support and policy evaluation
Current environment
• coordination by the Crossroads Bank for Social Security
– definition of the vision and strategy on e-government in the social sector and of the common principles of information management
– definition, implementation and management of an interoperability framework
– secure messaging of several types of information (structured data, documents, images, metadata, …) with business logic and orchestration support
– coordination of business process reengineering
– stimulation of service-oriented applications
– management of a reference directory for
• preventive control of the legitimacy of each information exchange
• organisation of the routing of information
• automatic communication of changes of information
Current environment
• reference directory
– directory of available services/information
• which information/services are available at which institution, depending on the capacity in which a person/company is registered at each institution
– directory of authorisation policies
• which users/applications are authorised to access which information/services, depending on the capacity in which a person/company is registered at each institution
– directory of data subjects
• which persons/companies have personal files in which institutions, for which periods of time, and in which capacity they are registered
– subscription table
• which users/applications want to automatically receive which services in which situations for which persons/companies in which capacity
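The reference directory above, as an added worked example in Python (this is illustrative code written for this page, not software of the Crossroads Bank). It models the four directories as data and shows the three uses the previous slide lists: preventive control of the legitimacy of an exchange, routing of a request to the institutions that hold a file on the subject, and automatic communication of a change to subscribers. The institution names INST_A/INST_B/INST_C, the identification key SSIN-1, the capacities and the service name are constructed assumptions.

```python
"""Toy model of a reference directory: services, authorisation policies, data
subjects and subscriptions. Added example, not CBSS code; every institution
name, identification key, capacity and service below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Registration:
    """A personal file: a subject registered at an institution in a capacity, for a period."""
    subject: str                 # identification key of a person or company (constructed)
    institution: str
    capacity: str                # e.g. "employee", "unemployed"
    start: date
    end: Optional[date] = None   # None: the registration is still open

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


class ReferenceDirectory:
    def __init__(self) -> None:
        self.services = {}          # (institution, capacity) -> set of services it offers
        self.policies = set()       # (requester, service, capacity) that are authorised
        self.subjects = []          # Registration records (directory of data subjects)
        self.subscriptions = set()  # (subscriber, service, capacity) wanting change notices

    # --- directory maintenance ------------------------------------------------
    def offer(self, institution: str, capacity: str, service: str) -> None:
        self.services.setdefault((institution, capacity), set()).add(service)

    def authorise(self, requester: str, service: str, capacity: str) -> None:
        self.policies.add((requester, service, capacity))

    def register(self, reg: Registration) -> None:
        self.subjects.append(reg)

    def subscribe(self, subscriber: str, service: str, capacity: str) -> None:
        self.subscriptions.add((subscriber, service, capacity))

    # --- use of the directory -------------------------------------------------
    def registered_at(self, subject: str, institution: str, capacity: str, day: date) -> bool:
        return any(r.subject == subject and r.institution == institution
                   and r.capacity == capacity and r.active_on(day)
                   for r in self.subjects)

    def check_legitimacy(self, requester: str, service: str, subject: str,
                         capacity: str, day: date):
        """Preventive control: the exchange is legitimate only if an authorisation
        policy covers it AND the requester actually holds a file on the subject in
        that capacity on that day. Both are checked before anything is routed."""
        if (requester, service, capacity) not in self.policies:
            return False, "no authorisation policy for requester/service/capacity"
        if not self.registered_at(subject, requester, capacity, day):
            return False, "subject not registered at requester in that capacity"
        return True, "legitimate"

    def route(self, service: str, subject: str, capacity: str, day: date):
        """Institutions that offer the service for that capacity and hold a file
        on the subject in that capacity on that day."""
        return sorted(inst for (inst, cap), svcs in self.services.items()
                      if cap == capacity and service in svcs
                      and self.registered_at(subject, inst, capacity, day))

    def change_recipients(self, service: str, subject: str, capacity: str, day: date):
        """Subscribers to notify of a change; each is re-checked for legitimacy,
        so a subscription alone never creates an information flow."""
        return sorted(sub for (sub, svc, cap) in self.subscriptions
                      if svc == service and cap == capacity
                      and self.check_legitimacy(sub, service, subject, capacity, day)[0])


# Constructed sample dates: before and after SSIN-1 moves from "employee" at
# INST_A to "unemployed" at INST_B.
DAY_BEFORE = date(2006, 1, 15)
DAY_AFTER = date(2006, 6, 1)


def build_demo_directory() -> ReferenceDirectory:
    """Constructed sample data, not real institutions or identification keys."""
    d = ReferenceDirectory()
    d.offer("INST_A", "employee", "salary_data")
    d.authorise("INST_B", "salary_data", "unemployed")
    d.register(Registration("SSIN-1", "INST_A", "employee", date(2004, 1, 1), date(2006, 2, 28)))
    d.register(Registration("SSIN-1", "INST_B", "unemployed", date(2006, 3, 1)))
    d.subscribe("INST_B", "salary_data", "unemployed")
    d.subscribe("INST_C", "salary_data", "unemployed")  # subscribed but never authorised
    return d
```

In this model a subscription or a routing hit is never sufficient on its own: `change_recipients` drops INST_C because no authorisation policy exists for it, and `check_legitimacy` refuses INST_B's request on DAY_BEFORE because the subject was not yet registered there in the capacity "unemployed".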
Electronic user & access management
• eID
– electronic identification and authentication of the identity of natural persons over the age of 12 who are registered in the Belgian population registers
– electronic signature by these persons
• additional needs
– electronic identification and authentication of the identity of natural persons under the age of 12 or not registered in the Belgian population registers
– authentication of characteristics (e.g. a capacity, a function, a professional qualification)
– authentication of mandates between a legal or natural person to whom an electronic transaction relates and the person carrying out that transaction
– authorisation management
– towards an eID based on biometrics?
Policy Enforcement Model

[Figure: policy enforcement model. The user requests an action on an application; the Policy Enforcement Point (PEP) sends a decision request to the Policy Decision Point (PDP) and receives a decision reply, after which the action on the application is PERMITTED or DENIED. The PDP retrieves policies from the Policy Administration Point (PAP), whose policy repository is maintained by a manager (policy management), and exchanges information requests and replies with one or more Policy Information Points (PIP), each backed by an authentic source.]
Policy Enforcement Point (PEP)
• intercepts the request for authorisation, together with all available information about the user, the action being requested, the resources and the environment
• passes the request for authorisation on to the Policy Decision Point (PDP) and obtains a decision regarding authorisation
• grants access to the application and provides the relevant credentials

[Figure: the PEP in the model: the user's action on the application is intercepted by the PEP, which exchanges a decision request and decision reply with the PDP; the action on the application is then PERMITTED or DENIED.]
Policy Decision Point (PDP)
• based on the request for authorisation received, retrieves the appropriate authorisation policy from the Policy Administration Point(s) (PAP)
• evaluates the policy and, where necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)
• takes the authorisation decision (permit/deny/not applicable) and sends it to the PEP

[Figure: the PDP in the model: decision request and reply with the PEP; policy retrieval from the PAP; information request and reply with one or more PIPs.]
Policy Administration Point (PAP)
• environment in which authorisation policies are stored and managed by authorised person(s) appointed by the application managers
• makes the authorisation policies available to the PDP

[Figure: the PAP in the model: a manager performs policy management on the policy repository; the PDP retrieves policies from the PAP.]
Policy Information Point (PIP)
• makes information available to the PDP for evaluating authorisation policies (authentic sources holding characteristics, mandates, etc.)

[Figure: the PIPs in the model: the PDP sends information requests to PIP 1 and PIP 2, each backed by an authentic source, and receives replies.]
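The four components described on the preceding slides, as an added worked example in Python (written for this page, not CBSS code; it follows the XACML-style request/decision pattern the slides describe). The PEP builds a request from the authenticated user, the action, the resource and the environment; the PDP retrieves the policy from the PAP, asks the PIPs (two authentic sources, one for characteristics and one for mandates) for the facts the rules need, and returns Permit, Deny or NotApplicable. The authentication-level scale (1 = user-id/password, 2 = password plus token, 3 = eID), the resource name quarterly_declaration, the rule names, the user and enterprise identifiers and the contents of the two authentic sources are all constructed assumptions.

```python
"""Added worked example of the policy enforcement model (PEP, PDP, PAP, PIP).
Not CBSS code: resource names, authentication levels, rules and the
authentic-source data are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    """What the PEP collects: user, action, resource and environment."""
    user: str        # identity already authenticated upstream (e.g. with the eID)
    auth_level: int  # assumed scale: 1 user-id/password, 2 password + token, 3 eID
    action: str
    resource: str
    company: str     # legal entity the transaction relates to


class PIP:
    """One authentic source, exposing facts as tuples such as
    ("characteristic", person, "employer", company) or ("mandate", person, company, scope)."""
    def __init__(self, facts: Iterable[tuple]) -> None:
        self.facts = set(facts)

    def knows(self, *fact) -> bool:
        return tuple(fact) in self.facts


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                      # PERMIT or DENY
    applies: Callable[[Request, Callable[..., bool]], bool]  # may query the PIPs


@dataclass(frozen=True)
class Policy:
    resource: str
    rules: tuple                     # evaluated in order: the first applicable rule decides
    min_auth_level: int = 0          # environment condition checked before any rule


class PAP:
    """Policy repository, maintained by a manager appointed by the application owner."""
    def __init__(self) -> None:
        self.repository: dict = {}

    def manage(self, policy: Policy) -> None:
        self.repository[policy.resource] = policy

    def retrieve(self, resource: str):
        return self.repository.get(resource)


class PDP:
    def __init__(self, pap: PAP, pips: Iterable[PIP]) -> None:
        self.pap, self.pips = pap, list(pips)

    def lookup(self, *fact) -> bool:
        """Information request to every PIP; any authentic source may answer."""
        return any(p.knows(*fact) for p in self.pips)

    def decide(self, req: Request) -> str:
        policy = self.pap.retrieve(req.resource)
        if policy is None:
            return NOT_APPLICABLE          # no policy covers this resource
        if req.auth_level < policy.min_auth_level:
            return DENY                    # authentication means too weak for this resource
        for rule in policy.rules:
            if rule.applies(req, self.lookup):
                return rule.effect
        return NOT_APPLICABLE              # no rule matched


class PEP:
    def __init__(self, pdp: PDP, application: Callable[[Request], str]) -> None:
        self.pdp, self.application = pdp, application

    def handle(self, req: Request) -> str:
        decision = self.pdp.decide(req)
        if decision == PERMIT:             # fail closed: only an explicit Permit grants access
            return "PERMITTED: " + self.application(req)
        return "DENIED: " + decision


def build_demo_pep() -> PEP:
    """Constructed sample set-up; all names are hypothetical."""
    enterprise_register = PIP([("characteristic", "user-alice", "employer", "ENT-100")])
    mandate_register = PIP([("mandate", "user-bob", "ENT-100", "social_security_declarations")])
    pap = PAP()
    pap.manage(Policy(
        resource="quarterly_declaration",
        min_auth_level=2,
        rules=(
            Rule("employer-self", PERMIT,
                 lambda req, lookup: lookup("characteristic", req.user, "employer", req.company)),
            Rule("mandated-representative", PERMIT,
                 lambda req, lookup: lookup("mandate", req.user, req.company,
                                            "social_security_declarations")),
        ),
    ))
    pdp = PDP(pap, [enterprise_register, mandate_register])
    return PEP(pdp, lambda req: f"{req.action} {req.resource} for {req.company} by {req.user}")
```

Two design points worth keeping when implementing the model for real: the PEP treats Deny and NotApplicable alike (a missing policy or an unmatched rule never grants access), and the minimum authentication level is evaluated as an environment attribute before any characteristic or mandate is consulted, so a password-only session cannot reach a rule that would otherwise permit the action.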
eID and social security portal
• all end-user applications are divided into categories based on the required level of security
– all applications can be used with the eID as the means of electronic identification and authentication of identity
– some applications can also be used (temporarily) on the basis of a user-id, a password and, where appropriate, a citizen token or a public servant token
• electronic signatures can be created with the eID
• the policy enforcement model is being implemented for the authentication of characteristics and mandates and for authorisation management
SIS card and eID
• gradual replacement of the functions of the SIS card once the following conditions have been fulfilled
– function of electronic identification: general availability of the eID
– function of proof of insurability in the health care sector:
• secure online access by health care providers to the insurability information held by the sickness funds
• electronic identification and authentication of the identity, characteristics and mandates of the health care providers
• preservation of the SIS card or a similar solution for persons who do not possess an eID (persons not residing in Belgium, children under the age of 12, etc.)
• availability of readers that can read both the SIS card and the eID
Transnational aspects
• need to be able to electronically
– identify and authenticate the identity of all relevant entities (natural persons, companies, …)
– authenticate the relevant characteristics of the entities
– authenticate that an entity has been mandated by another entity to perform a legal action
• need to implement the objective and related actions of the interministerial statement on e-government in the EU issued on 24th November 2005
Interministerial statement
“By 2010 European citizens and business shall be able to benefit from secure means of electronic identification that maximise user convenience while respecting data protection regulations. Such means shall be made available under the responsibility of the Member States, but recognised across the EU.”
Interministerial statement: actions
• “Member States will, during 2006, agree a process and roadmap for achieving the electronic identity objectives and address the national and European legal barriers to the achievement of the electronic identity objectives; work in this area is essential for public administrations to deliver personalised electronic services with no ambiguity as to the user’s identity.”
• “Member States will, over the period 2006-2010, work towards the mutual recognition of national electronic identities by testing, piloting and implementing suitable technologies and methods.”
Some use cases
• an individual residing in Member State A is temporarily employed (posted) in Member State B
– the employer or his representative has to ask for authorisation from the competent social security institution of Member State A
– the competent social security institution of Member State A (electronically) sends an E101 form to the competent social security institution of Member State B
=> need for (interrelated) identification of the employer, his representative and the employee in both Member States, need for authentication of the characteristic "employer" and need for authentication of the mandate of the representative
Some use cases
• an individual residing in Member State A works, studies or looks for work in Member State B => need for (interrelated) identification of the individual in both Member States
• an individual residing in Member State A simultaneously works in several other Member States => need for (interrelated) identification of the individual in all Member States
• an individual residing in Member State A needs health care in Member State B (form E111, (e)EHIC) => need for (interrelated) identification of the individual in both Member States
Some use cases
• an individual residing in Member State A has to exchange data electronically with public authorities in Member State B => need for (interrelated) identification of the individual in both Member States
• an employer or his representative residing in Member State A has to exchange data electronically about his employees with public authorities in Member State B => need for (interrelated) identification in both Member States of the employer, his representative and the employees, need for authentication of the characteristic "employer" and need for authentication of the mandate of the representative
[Figure: roadmap for electronic identity management (eIDM) in the EU, 2006 to 2010, summarised here in text. Strands shown: eIDM at national level; user awareness and acceptance (identify user benefits, awareness, promotion; wide awareness campaign; explain the role of the e-sign Directive); the Modinis study (formulate vision; eID terminology and objectives; definition of eID; authentication model and levels; personal data ownership model; eID role management; equal treatment of national eIDs; common eIDM framework; federated eID management; EU provisions on the recognition of national eIDs), fed by country inputs, an authentication levels overview (ENISA) and use cases (eProcurement, migrant workers); IST R&D for federated, multi-level, secure eIDM; specifications and CEN eIDM standardisation, with a link to ECC; IDABC business attestations study and IDABC e-sign studies; testbeds and pilots (eTEN, IDABC; e.g. in CIP: e-procurement, health information networks), with the CEC as 'lead user'; validation and key applications; European interoperability (technical, semantic, organisational); eID management at national level; legal certainty; common principles and minimal norms; network and IT security.]
Proposal of concrete objectives
• internationally, authentication levels are established in relation to identity, characteristics and mandates
• each country has registration procedures for establishing the identity of individuals residing on its own territory, according to the internationally established authentication levels
• each country has registration procedures for establishing the identity of legal entities and de facto associations established on its own territory, according to the internationally established authentication levels
Proposal of concrete objectives
• each country makes available to each individual, each legal entity and each de facto association whose identity has been established in accordance with the registration procedures, the means by which the entity concerned can produce and prove its identity (whether or not in a particular context) locally or remotely, verbally, visually and electronically on the territory of the country in question, without that entity's identity being confused with the identity of another individual, legal entity or de facto association in that country
Proposal of concrete objectives
• each country has registration procedures for establishing the types of characteristics designated by an internationally accredited body, according to the internationally established authentication levels
• each country has registration procedures for establishing the mandate of an individual to represent a legal entity or de facto association, and the other types of mandates designated by an internationally accredited body, according to the internationally established authentication levels
Proposal of concrete objectives
• each country has the necessary systems to produce and prove the characteristics and mandates of individuals, legal entities and de facto associations that have been established according to the registration procedures (whether or not in a particular context), locally or remotely, verbally, visually and electronically on the territory of the country in question, either with the permission of the entity concerned or in accordance with a statutory or legal provision
Proposal of concrete objectives
• under the coordination of the European Commission, the Member States of the EU develop EU standards and specifications to ensure the semantic and technical interoperability of the means for producing and proving electronically the identity, characteristics and mandates of, or in relation to, individuals, legal entities and de facto associations on the territory of other Member States
More information
• social security portal: www.socialsecurity.be
• website of the Crossroads Bank for Social Security: www.ksz.fgov.be
• personal website of the speaker: www.law.kuleuven.ac.be/icri/frobben