
Integrated Electronic User and Access Management in the Belgian Public, Social and Health Care Sector

Frank Robben
General manager Crossroads Bank for Social Security
CEO Smals
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: [email protected]
Website CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.ac.be/icri/frobben

Slide 2: Structure of the presentation

• General overview of user and access management
• Basic concepts related to user and access management
• Choices made in Belgium
  – Identification
  – Overall Information Security and Privacy Protection Policy
  – Policy Enforcement Model
  – User Management for citizens, professionals and companies
  – Access Management
  – Principle of "Circles of Trust"
• Transnational aspects
  – Needs
  – Proposal of a method
  – Proposal of concrete objectives
• Conclusion

Slide 3: General Overview

• 3 Target Groups
  – Citizens
  – Professionals
  – Companies and their service providers
• Different Aspects
  – User Management
    • Registration of the identity
    • Authentication of the identity
    • Registration of characteristics and mandates
    • Verification of characteristics and mandates
  – Access Management
    • Registration of authorizations
    • Verification of authorizations

Slide 4: User Management: Basic Concepts

• Identity
  – A number or a set of attributes of an entity that allows one to know precisely who or what the entity (physical person, company, …) is
  – An entity has only one identity, but this identity can be determined by several numbers or sets of attributes
• Characteristic
  – An attribute of an entity, other than the attributes determining its identity, such as a capacity, a function in an organisation, a professional qualification, …
  – An entity can have several characteristics

Slide 5: User Management: Basic Concepts

• Mandate
  – A right granted by an identified entity to another identified entity to perform well-defined legal actions in its name and for its account
  – Is essentially a relationship between two entities
  – An entity can grant several mandates to several entities
• Registration
  – The process of determining the identity, a characteristic or a mandate of an entity with sufficient certainty, before putting at its disposal the means by which the identity can be authenticated, or the characteristic or the mandate can be verified

Slide 6: User Management: Basic Concepts

• Authentication of the Identity
  – The process of checking whether the identity that an entity claims to have in order to use an electronic service corresponds to its real identity
  – The authentication of the identity can be done based on the verification of
    • Knowledge (e.g. a password)
    • Possession (e.g. a certificate on an electronically readable card)
    • Biometric characteristics
    • A combination of those

Slide 7: User Management: Basic Concepts

• Verification of a characteristic or a mandate
  – The process of checking whether a characteristic or a mandate that an entity claims to have in order to use an electronic service corresponds to a real characteristic or mandate of that entity
  – The verification of a characteristic or a mandate can be done by
    • The same kind of means as those used for the authentication of the identity
    • Or, after the authentication of the identity, by consulting a database (authentic source) that contains information about characteristics or mandates related to identified entities

Slide 8: Access Management: Basic Concepts

• Authorization
  – A permission for an entity to perform a defined action or to use a defined service
• Authorization Group
  – A group of authorizations
• Role
  – A group of authorizations or authorization groups related to a specific service
• Role Based Access
  – A method of assigning authorizations to entities by means of authorization groups and roles, in order to simplify the management of authorizations and their assignment to entities

[Diagram: the relations between Entity, Role, Authorization (Group) and Service]

Slide 9: Choices made in Belgium

• Identification
• Overall Information Security and Privacy Protection Policy
• Policy Enforcement Model
• User Management for
  – Citizens
  – Professionals
  – Companies
• Access Management
• Principle of "Circles of Trust"

Slide 10: Identification

• Identification number for every citizen and every company
  – Characteristics
    • Unique
      – Every entity in principle has only one identification number
      – The same identification number is not assigned to several entities
    • Exhaustive
      – Every entity to be identified has an identification number
    • Stable over time
      – The identification number should not contain variable characteristics of the identified entity
      – The identification number should not contain references to the identification number or characteristics of other entities
      – The identification number should not change when a quality or characteristic of the identified entity changes

Slide 11: Identification

• Art. 8(7) Directive 95/46/EC: "Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed"
  – Evolution towards meaningless identification numbers
  – Unique identification numbers of citizens can only be used by instances authorized by a sectoral committee of the national privacy commission
  – In some sensitive sectors (e.g. justice, health, …), the identification number can be a specific number derived from the unique number of the citizen
  – Regulation on interconnection of personal data
• Registration of the identity of citizens by the municipalities
• Registration of the identity of companies by company counters
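As an added illustration of the "specific number derived from the unique number of the citizen" mentioned on this slide, the Python below derives a sector-specific identifier with a per-sector keyed hash. This is example code written for this transcript, not the derivation procedure actually used by the CBSS, FedICT or the health sector (the slides do not describe its construction). The sector names, the 11-digit format check, the placeholder keys and the national number used for testing are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: one secret key per sensitive sector. In a real deployment
# the key would be held only by the body that is allowed to derive the sector
# number (for instance in an HSM); the random values here are placeholders.
SECTOR_KEYS = {
    "health": secrets.token_bytes(32),
    "justice": secrets.token_bytes(32),
}


def validate_national_number(national_number: str) -> None:
    # Assumption for this example: the national number is written as 11 digits.
    if not (national_number.isdigit() and len(national_number) == 11):
        raise ValueError("national number must consist of 11 digits")


def sector_identifier(national_number: str, sector: str) -> str:
    """Derive a meaningless, sector-specific identifier from the unique number.

    A keyed hash (HMAC-SHA256) keeps the properties slide 10 asks for:
    - unique: different national numbers give different identifiers
    - exhaustive: every national number maps to an identifier
    - stable over time: the result depends only on the number and the sector key
    - meaningless: it carries no characteristic of the person and cannot be
      reversed to the national number without the sector key
    Because the key differs per sector, the health identifier and the justice
    identifier of the same citizen cannot be linked to each other either.
    """
    validate_national_number(national_number)
    try:
        key = SECTOR_KEYS[sector]
    except KeyError:
        raise ValueError(f"no derivation key registered for sector {sector!r}") from None
    mac = hmac.new(key, national_number.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{sector}-{mac[:32]}"


def same_person(sector: str, candidate_number: str, identifier: str) -> bool:
    """Only the key holder can check whether a sector identifier belongs to a
    given national number: it recomputes the derivation and compares in constant
    time. An 11-digit input space is small, so whoever holds the key could
    enumerate it; the key therefore has to stay with the deriving authority."""
    return hmac.compare_digest(sector_identifier(candidate_number, sector), identifier)
```

The sector identifier can be handed to the sector's own information systems as their primary key, while only the deriving authority, holding the key, can relate it back to the national number when a sectoral committee authorizes that linkage.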

Slide 12: Overall Security and Privacy Protection Policy

• Overall policy on information security and privacy protection for eGovernment
  – Security, integrity and confidentiality of government information are ensured by integrating ICT measures with structural, organizational, physical, personnel screening and other security measures according to agreed policies
  – Every public institution has an information security and privacy protection department with an advising, documenting, stimulating and control mission
  – Personal information is only used for purposes compatible with the purposes for which the information was collected
  – Personal information is only accessible to authorized institutions and users according to business needs and legislative or policy requirements

Slide 13: Overall Security and Privacy Protection Policy

• Overall policy on information security and privacy protection for eGovernment
  – The communication of personal information by government bodies to third parties has to be authorized by the competent sectoral committee of the privacy commission, designated by Parliament, after it has checked whether the communication conditions (e.g. purpose limitation, proportionality) are met
  – The authorizations to communicate personal information are public
  – Every actual electronic communication of personal information by a government body is preventively checked for compliance with the existing authorizations by an independent institution managing the interoperability framework used for the communication (clearing house function)
  – Every concrete electronic communication of personal information by a government body is logged by the clearing house, so that possible abuse can be traced afterwards

Slide 14: Overall Security and Privacy Protection Policy

• Overall policy on information security and privacy protection for eGovernment
  – Every time information is used to take a decision, the information used is communicated to the person concerned together with the decision
  – Every person has the right to access and correct his own personal data

Slide 15: Policy Enforcement Model

[Diagram: the user acts on an application; the Policy Enforcement Point (PEP) sends a decision request to the Policy Decision Point (PDP) and receives a decision reply, after which the action on the application is PERMITTED or DENIED. The PDP retrieves policies from the Policy Administration Point (PAP), whose policy repository is maintained by a manager through policy management, and exchanges information requests/replies with Policy Information Points (PIP), each backed by an authentic source.]

Slide 16: Policy Enforcement Point (PEP)

• Intercepts the request for authorization with all available information about the user, the requested action, the resources and the environment
• Passes on the request for authorization to the Policy Decision Point (PDP) and obtains a decision regarding authorization
• Grants access to the application and provides relevant credentials

[Diagram: User, Application and PEP; decision request/reply between PEP and PDP; action on application PERMITTED or DENIED]

Slide 17: Policy Decision Point (PDP)

• Based on the request for authorization received, retrieves the appropriate authorization policy from the Policy Administration Point(s) (PAP)
• Evaluates the policy and, if necessary, retrieves the relevant information from the Policy Information Point(s) (PIP)
• Takes the authorization decision (permit/deny/not applicable) and sends it to the PEP

[Diagram: decision request/reply between PEP and PDP; policy retrieval between PDP and PAP; information request/reply between PDP and the PIPs]

Slide 18: Policy Administration Point (PAP)

• Environment in which authorization policies are stored and managed by authorised person(s) appointed by the application managers
• Puts authorization policies at the disposal of the PDP

[Diagram: a manager maintains the policy repository of the PAP through authorization management; the PDP retrieves policies from it]

Slide 19: Policy Information Point (PIP)

• Puts information at the disposal of the PDP in order to evaluate authorization policies (authentic sources with characteristics, mandates, etc.)

[Diagram: information request/reply between the PDP and the PIPs; each PIP is backed by an authentic source]
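The four components of slides 16 to 19, together with the roles and authorization groups of slide 8, as an added worked example in Python. It was written for this transcript and is not the Kephas, UMAF or CBSS software, nor does it model any of their interfaces. The service name, identification numbers, the "social_inspector" characteristic and the company mandate are constructed sample data; the permit/deny/not applicable outcome, the retrieval of policy from the PAP, the lookup of characteristics and mandates at the PIP, and the validity period of a policy follow the slides.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not applicable"


@dataclass(frozen=True)
class Request:               # what the PEP collects: user, resource, action, environment
    user: str                            # identification number of the authenticated user
    service: str                         # the electronic service (resource)
    action: str                          # type of processing: consult, alter, ...
    on_behalf_of: Optional[str] = None   # company the user claims to act for
    when: date = date(2006, 6, 1)        # environment attribute (constructed)


# PIP: authentic sources of characteristics and mandates (constructed data)
CHARACTERISTICS = {"85010100123": {"social_inspector"}, "90020200234": {"accountant"}}
MANDATES = {("BE0123456789", "90020200234"): {"dmfa_declaration"}}   # (company, person) -> services


class PIP:
    def characteristics(self, user: str) -> set:
        return CHARACTERISTICS.get(user, set())

    def has_mandate(self, company: str, user: str, service: str) -> bool:
        return service in MANDATES.get((company, user), set())


@dataclass(frozen=True)
class Role:                  # PAP content: a role bundles an authorization group
    name: str
    authorizations: frozenset                      # authorization group: the actions allowed
    requires_characteristic: Optional[str] = None  # condition verified at the PIP
    requires_mandate: bool = False                 # held only via a mandate of on_behalf_of


@dataclass(frozen=True)
class Policy:
    service: str
    roles: tuple
    valid_from: date
    valid_until: date


class PAP:                   # registered per service by its provider
    def __init__(self) -> None:
        self._policies: dict = {}

    def register(self, policy: Policy) -> None:
        self._policies[policy.service] = policy

    def policy_for(self, service: str) -> Optional[Policy]:
        return self._policies.get(service)


@dataclass
class PDP:                   # retrieves the policy, pulls attributes from the PIP, decides
    pap: PAP
    pip: PIP

    def decide(self, req: Request):
        policy = self.pap.policy_for(req.service)
        if policy is None:                        # no policy covers this service
            return Decision.NOT_APPLICABLE, []
        if not (policy.valid_from <= req.when <= policy.valid_until):
            return Decision.DENY, []              # outside the registered period
        held = []
        for role in policy.roles:
            if role.requires_characteristic and \
                    role.requires_characteristic not in self.pip.characteristics(req.user):
                continue
            if role.requires_mandate and not (
                    req.on_behalf_of and self.pip.has_mandate(req.on_behalf_of, req.user, req.service)):
                continue
            held.append(role)
        names = [r.name for r in held]
        verdict = Decision.PERMIT if any(req.action in r.authorizations for r in held) else Decision.DENY
        return verdict, names


@dataclass
class PEP:                   # intercepts the action on the application, enforces the decision
    pdp: PDP

    def intercept(self, req: Request) -> dict:
        decision, roles = self.pdp.decide(req)
        if decision is Decision.PERMIT:           # credential handed on: the roles held
            return {"status": "PERMITTED", "roles": roles}
        return {"status": "DENIED", "reason": decision.value}


def build_demo() -> PEP:
    """Wire the four components with one constructed policy for one service."""
    pap = PAP()
    pap.register(Policy(
        service="dmfa_declaration",
        roles=(Role("mandatary", frozenset({"consult", "alter"}), requires_mandate=True),
               Role("inspector", frozenset({"consult"}), requires_characteristic="social_inspector")),
        valid_from=date(2006, 1, 1), valid_until=date(2010, 12, 31)))
    return PEP(PDP(pap, PIP()))
```

The PEP never evaluates policy itself: it only carries the request to the PDP and passes the roles it was handed on to the application, which is what keeps the authorization rules in one place (the PAP) and the attributes in their authentic sources (the PIPs).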

Slide 20: Architecture

[Diagram, three variants of the same architecture: for the social sector (CBSS), for the non-social federal public services (FedICT) and for Be-Health. In each variant the USER authenticates and the PEP, with its Role Mapper, guards the APPLICATIONS (e.g. WebApp XYZ); the PAP ("Kephas") holds the Role Mapper DB; the PDP consults a Role Provider (Role Provider DB) and PIP Attribute Providers backed by authentic sources such as UMAF, DB XYZ, Management VAS, DB Mandaten, DB Gerechtsdeurwaarders (bailiffs) and RIZIV.]

Slide 21: Citizens

Authentication levels for citizens (registration of the identity, authentication of the identity, services):

Level 0
  Registration: none
  Authentication: none
  Services: public information/services

Level 1
  Registration: online, by input of the national identification number, the number of the identity card and the number of the social security card
  Authentication: user number and password chosen by the user
  Services: low-sensitivity information/services

Level 2
  Registration: level 1 + e-mail with an activation URL sent to an e-mail address given by the citizen, and a paper token sent to the residence of the citizen as registered in the national register
  Authentication: level 1 + input of an arbitrarily requested string printed on the paper token (the token contains 24 strings)
  Services: medium-sensitivity information/services

Level 3
  Registration: physical visit to the municipality in order to get the eID
  Authentication: authentication certificate on the eID + password per session
  Services: highly sensitive information/services

Level 4
  Registration: physical visit to the municipality in order to get the eID
  Authentication: authentication certificate on the eID + signature certificate on the eID + password per transaction
  Services: services requiring an electronic signature

Slide 22: eID (the slide contains only an illustration)

Slide 23: Citizen token (the slide contains only an illustration)

Slide 24: Citizens

• At the moment, a citizen only has access to
  – Public information and services
  – Non-public services regarding himself
• Thus, there is only a need for
  – Registration of the identity
  – Authentication of the identity at a level adapted to the degree of sensitivity of the service
• (For the time being) no need for
  – Verification of characteristics
  – Verification of mandates
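The citizen levels of slide 21 and the requirement just stated, authentication at a level adapted to the sensitivity of the service, as an added Python example written for this transcript (it is not the code of the citizen token or of the federal portal). It assumes a 24-string paper token with 6-character strings, a server that stores the strings salted and hashed, a challenge for one arbitrarily chosen position, and a mapping from the means verified in a session to a level; the sensitivity class names are this example's own.

```python
import hashlib
import hmac
import secrets
import string

# Minimum citizen authentication level per sensitivity class of a service
# (the levels of slide 21; the class names are this example's own)
REQUIRED_LEVEL = {"public": 0, "low": 1, "medium": 2, "high": 3, "signature": 4}

ALPHABET = string.ascii_uppercase + string.digits
PBKDF2_ROUNDS = 20_000


def issue_paper_token(n_strings: int = 24, length: int = 6) -> list:
    """The 24 strings printed on a citizen's paper token (constructed format:
    6 characters each, drawn with a cryptographic random source)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n_strings)]


def store_token(strings: list) -> dict:
    """Server-side record of the token: each string is salted and hashed, never
    kept in clear, so a copy of the database does not reveal the token."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hashes": [hashlib.pbkdf2_hmac("sha256", s.encode(), salt, PBKDF2_ROUNDS)
                       for s in strings]}


def challenge(stored: dict) -> int:
    """Pick the position (0-based) of the string the citizen must type."""
    return secrets.randbelow(len(stored["hashes"]))


def verify_token_response(stored: dict, position: int, response: str) -> bool:
    """Hash the answer the same way and compare in constant time."""
    got = hashlib.pbkdf2_hmac("sha256", response.strip().upper().encode(),
                              stored["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(stored["hashes"][position], got)


def authenticated_level(password_ok: bool, token_ok: bool = False,
                        eid_cert_ok: bool = False, eid_signature_ok: bool = False) -> int:
    """Map the means verified in this session to the level of slide 21."""
    if password_ok and eid_cert_ok and eid_signature_ok:
        return 4
    if password_ok and eid_cert_ok:
        return 3
    if password_ok and token_ok:
        return 2
    if password_ok:
        return 1
    return 0


def may_access(service_sensitivity: str, session_level: int) -> bool:
    """Access is granted only if the session reached the level the service requires."""
    return session_level >= REQUIRED_LEVEL[service_sensitivity]
```

A session that only proved a password stays at level 1 and is refused medium-sensitivity services; a correct answer to the token challenge raises it to level 2, which is the check the portal must make before releasing the service rather than a property of the user account.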

Slide 25: Professionals

• Who?
  – Employees of public services and social security institutions
  – Specific professions: health care providers (medical doctors, pharmacists, …), notaries, bailiffs, accountants, …
  – …
• Registration and authentication of the identity
  – In principle the same system as for citizens
  – For employees of public services and social security institutions, the paper token at level 2 is sent to the information security officer of the public service or social security institution that employs the employee, and is delivered to the employee by this information security officer

Slide 26: Professionals

• Registration of characteristics and mandates
  – Designation by the government, for every (type of) characteristic(s) or mandate(s), of an appropriate body (called the registration authority) that has the responsibility to register the characteristic or the mandate with sufficient certainty
  – Storage of the characteristic or the mandate by the registration authority in an authentic source (PIP) accessible to all interested parties
• Verification of characteristics and mandates
  – Consultation of the relevant authentic sources (PIP) accessible to all interested parties
  – When the paper token is used, also input of an arbitrarily requested string printed on the paper token

Slide 27: Companies

Authentication levels for mandataries of companies (registration of the identity, authentication of the identity, services):

Level 0
  Registration: none
  Authentication: none
  Services: public information/services

Level 1
  Registration: local administrator: signed (electronic) form sent to the National Office for Social Security by the company for which the person acts as local administrator; other mandataries: registration by the local administrator
  Authentication: user number and password chosen by the user
  Services: low- or medium-sensitivity information/services

Level 2
  Registration: physical visit to the municipality in order to get the eID
  Authentication: authentication certificate on the eID + password per session
  Services: highly sensitive information/services

Level 3
  Registration: physical visit to the municipality in order to get the eID
  Authentication: authentication certificate on the eID + signature certificate on the eID + password per transaction
  Services: services requiring an electronic signature

Slide 28: Registration of Mandates for Companies

• Authentic source (PIP) at the National Office for Social Security, accessible to all interested parties, containing
  – For every company, the mandate of its local administrator to use certain information/services in the name of the company
  – For every company, any mandates of external service providers (social secretariats, accountants, …) to use certain information/services in the name of the company
  – For every service provider, the mandate of its local administrator to use certain information/services in the name of the service provider
  – The possibility for the local administrator to designate sub-local administrators for clusters of information/services
  – The possibility for the (sub-)local administrators of companies/service providers to grant mandates to other employees of the company/service provider to use certain information/services in the name of the company/service provider
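A constructed model of the mandate source described on this slide, written as an added Python example for this transcript; it is not the register of the National Office for Social Security and assumes nothing about its data model. It registers local administrators, mandates to service providers, sub-local administrators for service clusters and employee mandates, enforces who may grant what, and answers the verification question of slide 26: may this person use this service in the name of this organisation? Organisation identifiers, person names and service names are sample values.

```python
from dataclasses import dataclass, field


class MandateError(PermissionError):
    """Raised when someone tries to register a mandate they are not allowed to grant."""


@dataclass
class MandateRegistry:
    """Constructed model of the authentic source of mandates of slide 28."""
    local_admins: dict = field(default_factory=dict)       # organisation -> person
    sub_local_admins: dict = field(default_factory=dict)   # (organisation, person) -> cluster of services
    provider_mandates: dict = field(default_factory=dict)  # (company, provider) -> services
    employee_mandates: dict = field(default_factory=dict)  # (organisation, person) -> services

    def register_local_admin(self, organisation: str, person: str) -> None:
        # Slide 27: the company files a signed form with the National Office for
        # Social Security; the handling of that form is outside this example.
        self.local_admins[organisation] = person

    def _administers(self, organisation: str, person: str, services: set) -> bool:
        # local administrator: everything; sub-local administrator: only its cluster
        if self.local_admins.get(organisation) == person:
            return True
        return services <= self.sub_local_admins.get((organisation, person), set())

    def designate_sub_local_admin(self, granter, organisation, person, cluster) -> None:
        if self.local_admins.get(organisation) != granter:
            raise MandateError("only the local administrator designates sub-local administrators")
        self.sub_local_admins.setdefault((organisation, person), set()).update(cluster)

    def mandate_provider(self, granter, company, provider, services) -> None:
        if self.local_admins.get(company) != granter:
            raise MandateError("only the local administrator mandates a service provider")
        self.provider_mandates.setdefault((company, provider), set()).update(services)

    def grant_employee_mandate(self, granter, organisation, employee, services) -> None:
        services = set(services)
        if not self._administers(organisation, granter, services):
            raise MandateError("granter does not administer all of these services")
        self.employee_mandates.setdefault((organisation, employee), set()).update(services)

    def can_act_for(self, person: str, organisation: str, service: str,
                    _via_provider: bool = False) -> bool:
        """Verification: may this person use the service in the name of the
        organisation? Direct mandates are checked first; then the mandates the
        organisation gave to a service provider are followed into that provider's
        own mandates. The provider hop is taken at most once, so a provider cannot
        re-delegate a company's mandate to yet another provider."""
        if self.local_admins.get(organisation) == person:
            return True
        if service in self.employee_mandates.get((organisation, person), set()):
            return True
        if _via_provider:
            return False
        for (company, provider), services in self.provider_mandates.items():
            if company == organisation and service in services \
                    and self.can_act_for(person, provider, service, _via_provider=True):
                return True
        return False
```

Because every grant is checked against the granter's own standing in the register, the authentic source stays consistent with slide 28's rule that only (sub-)local administrators extend mandates, and an employee of a social secretariat only reaches a client company's services that the company itself mandated to the secretariat.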

Slide 29: Authorizations

• Registration
  – Storage, in an authentic source of authorization rules (PAP), by the provider of the electronic service, of rules specifying which types of processing may be executed in relation to the service, under which conditions (e.g. characteristics, mandates, …) and during which periods of time
• Verification
  – Consultation of the relevant authentic sources of authorizations (PAP) accessible to all interested parties

Slide 30: How to Choose a Security Level?

• Responsibility of the provider of an electronic service, under supervision of the Privacy Commission
• Based on a risk assessment and dependent on, among other things,
  – The type of processing: communication, consultation, alteration, …
  – The scope of the service: does the processing only concern the user, or also other persons?
  – The degree of sensitivity of the data processed
  – The possible impact of the processing
• On top of the security level, the use of an electronic signature might be needed in order to protect the provider of the service against disputes
• In the social sector and the federal government: decision of the Board of Directors of the Crossroads Bank for Social Security, set down in a user regulation

Slide 31: Principle of "Circles of Trust"

• Aim
  – To avoid unnecessary centralization
  – To avoid unnecessary threats to the protection of privacy
  – To avoid multiple similar controls and registration of loggings
• Method: division of tasks between the entities associated with the electronic service, including clear agreements on
  – Who is in charge of which authentications, verifications and controls, and by which means
  – How the results of the authentications, verifications and controls can be safely exchanged electronically between the entities concerned
  – Who keeps which log files
  – How to ensure that in case of an investigation, on one's own initiative or in response to a complaint, a complete tracing can be realized in order to know which physical person has used which service or transaction concerning which citizen or company, when, through which channel and for which purposes
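The clearing-house function of slide 13 (preventive check of every communication against the public authorizations, then logging) together with the tracing requirement of this slide, as an added Python example written for this transcript; it is not the code of the interoperability framework the slides refer to. It assumes authorizations keyed on sender, receiver, data type and purpose, logs only a reference to the citizen or company concerned, and chains the log entries with hashes so that later editing or deletion of an entry is detectable. Institution names, purpose labels, users and the log contents are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Authorization:
    """A public authorization of the sectoral committee (slide 13): sender may
    communicate this type of data to receiver for this purpose. Constructed model."""
    sender: str
    receiver: str
    data_type: str
    purpose: str


class ClearingHouse:
    """Preventive check of every communication against the registered
    authorizations, plus a hash-chained log that supports the tracing of slide 31."""

    def __init__(self, authorizations) -> None:
        self.authorizations = set(authorizations)
        self.log: list = []          # each entry carries the hash of the previous one

    def route(self, *, sender, receiver, data_type, purpose,
              subject, user, channel, when: datetime) -> bool:
        """Return True and forward if an authorization covers the communication;
        the attempt is logged either way, so blocked attempts are traceable too."""
        allowed = Authorization(sender, receiver, data_type, purpose) in self.authorizations
        entry = {
            "when": when.isoformat(), "user": user, "sender": sender, "receiver": receiver,
            "data_type": data_type, "purpose": purpose, "channel": channel,
            # only a reference to the citizen or company concerned is logged,
            # never the communicated personal data itself
            "subject": subject,
            "outcome": "forwarded" if allowed else "blocked",
            "prev": self.log[-1]["hash"] if self.log else "",
        }
        entry["hash"] = self._digest(entry)
        self.log.append(entry)
        return allowed

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_chain(self) -> bool:
        """Detect edited or removed entries: every hash must match its entry and
        every entry must point at its predecessor's hash."""
        prev = ""
        for entry in self.log:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True

    def trace(self, subject: str) -> list:
        """Investigation question of slide 31: which person used which service
        about this citizen or company, when, through which channel and for which
        purpose."""
        return [(e["when"], e["user"], e["sender"], e["receiver"], e["data_type"],
                 e["channel"], e["purpose"], e["outcome"])
                for e in self.log if e["subject"] == subject]
```

Which entity keeps this log, and how its integrity is protected, is exactly the kind of agreement the circle of trust has to record; the hash chain here is one cheap way of making the agreed keeper accountable for the log's completeness.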

Slide 32: Transnational Aspects

• Huge need to be able to electronically
  – Identify and authenticate the identity of all relevant foreign entities (physical persons, companies, …)
  – Verify the relevant characteristics of the foreign entities
  – Verify that an entity has been mandated by another foreign entity to perform a legal action
• Need to implement the objective and related actions from the inter-ministerial statement about eGovernment in the EU issued on 24 November 2005

Slide 33: Inter-ministerial statement

"By 2010 European citizens and business shall be able to benefit from secure means of electronic identification that maximise user convenience while respecting data protection regulations. Such means shall be made available under the responsibility of the Member States, but recognised across the EU."

Slide 34: Inter-ministerial Statement: Actions

• "Member States will, during 2006, agree a process and roadmap for achieving the electronic identity objectives and address the national and European legal barriers to the achievement of the electronic identity objectives; work in this area is essential for public administrations to deliver personalised electronic services with no ambiguity as to the user's identity."
• "Member States will, over the period 2006-2010, work towards the mutual recognition of national electronic identities by testing, piloting and implementing suitable technologies and methods."

Slide 35: Some Use Cases

• Individual residing in Member State A is temporarily employed (posted) in Member State B
  – The employer or his representative has to ask for authorization from the competent social security institution of Member State A
  – The competent social security institution of Member State A (electronically) sends an E101 form to the competent social security institution of Member State B
  => Need for (interrelated) identification of the employer, his representative and the employee in both Member States, need for authentication of the characteristic "employer" and need for authentication of the mandate of the representative

Slide 36: Some Use Cases

• Individual residing in Member State A works, studies or looks for work in Member State B => need for (interrelated) identification of the individual in both Member States
• Individual residing in Member State A simultaneously works in various other Member States => need for (interrelated) identification of the individual in all Member States
• Individual residing in Member State A needs health care in Member State B (form E111, (e)EHIC) => need for (interrelated) identification of the individual in both Member States

Slide 37: Some Use Cases

• Individual residing in Member State A has to exchange (in an electronic way) data with public authorities in Member State B => need for (interrelated) identification of the individual in both Member States
• Employer or his representative residing in Member State A has to exchange (in an electronic way) data about his employees with public authorities in Member State B => need for (interrelated) identification in both Member States of the employer, his representative and the employees, need for authentication of the characteristic of "employer" and need for authentication of the mandate of the representative

Slide 38: Proposal of a Method

• Method of Open Coordination
  – The Member States and the European Commission define common objectives and a common timing to meet the objectives
  – Each Member State makes a national action plan in order to meet the objectives within the agreed time frame
  – Each Member State periodically reports to the European Commission about the national status quaestionis in meeting the objectives and about the execution of the national action plan
  – The European Commission makes a sound synthesis of the national reports
  – If needed, the European Commission proposes, based on the recommendations of the Member States, amendments to adjust the objectives
  – The European Commission organises the exchange of best practices between Member States

Slide 39: Proposal of Concrete Objectives

• Internationally, authentication levels are established in relation to identity, characteristics and mandates
• Each country has registration procedures for establishing the identity of individuals residing in its own country, according to the internationally established authentication levels
• Each country has registration procedures for establishing the identity of legal entities and actual associations that are established in its own country, according to the internationally established authentication levels

Slide 40: Proposal of Concrete Objectives

• Each country makes available to each individual, each legal entity and each actual association for whom/which the identity is established in accordance with the registration procedures, the means by which the concerned entity can produce and prove its identity (whether or not in a particular context) locally or remotely, verbally, visually and electronically on the territory of the country in question, without that entity's identity being confused with the identity of another individual person, legal entity or actual association in that country

Slide 41: Proposal of Concrete Objectives

• Each country has registration procedures for establishing the type of characteristics indicated by an internationally accredited body, according to the internationally established authentication levels
• Each country has registration procedures for establishing the mandate of an individual to represent a legal entity or actual association, and the other types of mandates that are indicated by an internationally accredited body, according to the internationally established authentication levels

Slide 42: Proposal of Concrete Objectives

• Each country has the necessary systems to produce and prove the characteristics and mandates of individuals, legal entities and actual associations that have been established according to the registration procedures (whether or not in a particular context), locally or remotely, verbally, visually and electronically on the territory of the country in question, either with the permission of the concerned entity or in accordance with a statutory or legal provision

Slide 43: Proposal of Concrete Objectives

• Under the coordination of the European Commission, the Member States of the EU develop EU standards and specifications to ensure the semantic and technical interoperability of resources for producing and proving electronically the identity, characteristics and mandates through or in relation to individuals, legal entities and actual associations on the territory of other Member States

Slide 44: Conclusion

• An integrated system for user and access management for citizens, professionals and companies exists in Belgium
• Based on a well-coordinated assignment of tasks to the most appropriate bodies
• Accessible via open standards
• The system permits the use of common basic services without loss of autonomy
• The system permanently evolves according to ever-changing user requirements

Slide 45: More information

• Personal website Frank Robben
  – http://www.law.kuleuven.ac.be/icri/frobben
• Website Crossroads Bank for Social Security
  – http://www.ksz.fgov.be
• Website Smals
  – http://smals.be
• Website Federal Public Service for Information and Communication Technology (FedICT)
  – http://www.fedict.be
• Electronic identity card
  – http://eid.belgium.be/nl/navigation/12000/index.html

Slide 46: Th@nk you!

Any questions?