1 / 19

www.oasis-open.org

www.oasis-open.org.

lucius
Download Presentation

www.oasis-open.org

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. www.oasis-open.org Challenges for Identity Management and Trust inData Privacy andGovernment-Private Sector Information Sharing Systems for Critical Infrastructure ProtectionJohn T. SaboDirector, Global Government RelationsCA, Inc.Member, OASIS IDtrust Member Section Steering CommitteePresident, Information Technology-Information Sharing and Analysis Center

  2. The Emerging Challenge • Identity management challenges emerging from two distinct, but converging areas: • the networked sharing of sensitive information for critical infrastructure protection • Information (or data) privacy

  3. Information SharingMandate from Government “The objective of the information sharing life cycle is to provide timely and relevant information that security partners can use to make decisions and take necessary actions to manage [critical infrastructure] risks.” (The U.S. National Infrastructure Protection Plan (NIPP) NIPP, pages 59-60)

  4. Satellite Homes Big Business Energy/Power Phone Fax People Governments Mom & Pop Candies Mom & Pop Candies Small Business Cross-sector Information Sharing Environment Securities. WALL ST. Transportation Wall Street/The City Banks/Finance

  5. What is Information Sharing? • Information - what • descriptions and definitions of information sharing products • Sharing Entities - who • entities and individuals who comprise the information sharing infrastructure and their responsibilities • Sharing Mechanisms - how • the business processes and technical communications mechanisms used by information sharing entities • Originator Control • operational information sharing policies and rules for cross- sector and sector-government sharing • Vetting and Trust • security and privacy policies, standards and controls needed to establish and maintain a trusted information sharing environment

  6. The Information Sharing “community”

  7. Information Sharing for Critical Infrastructure Protection • Involves many partners • Involves sensitive information • Crosses company, organization, sector and geo-political boundaries • Requires agreements about who, what, how, and attention to data protection components • Must add value to participants • Must be resilient • Must be available • Must be secure • Must be trusted

  8. Problems and Issues Growing • Data privacy tensions exist in the use of personally identifiable information and sensitive business information for ‘national security’ purposes • Use in cross-domain programs and applications • Crossing government and business boundaries • Assurances of basic information privacy and business confidentiality principles • Concerns over access and use of sensitive information • The implementation of information sharing systems is exposing threats to privacy • Data protection Commissioners • Advocacy organizations

  9. www.oasis-open.org Relationship to Personal Information • Society is increasingly driven by and dependent on personal information • personal information is continuously collected, processed, used, and shared • Information about finances, health, communications, behaviors and transportation -- increasingly integrated into virtual databases of varying data quality • Governments express interest in such information for national security purposes • The use of this data for government purposes increases concerns as the potential for harm to the individual increases • For example - deny access to flight or entry to a country based on multiple information sources

  10. Examples of Personal Information • Financial Consumers leave a trail every time they use credit and debit cards for purchases • Communications Services The increase in the use communications technology has created a vast amount of telecommunications traffic. Each call is logged, tracked, billed and stored, creating an unparalleled data set. • Location Data Telecommunications can yield even more information – the individual’s location. • Transactions Information and services purchased are recorded and mapped to individuals, creating an electronic web of money, communications, locations, and goods and services. • Interagency Exchanges Government agencies may acquire commercial data through a variety of processes, including their authority for taxing, licensing, or monitoring.

  11. Operations (LEO) FBI Tips Program Suspicious activity reported by public or member State Emergency Operation Center Information (JRIES) Terrorist Threat Integration Center Homeland Security Operations FBI National Joint Terrorism Task Force DHS Threat Analysis FBI Counter Terrorism Watch Criminal Justice Information System FEMA 56 FBI Field offices DHS Private Sector DHS State & Local Private Sector State & Local Example: the U.S. National Homeland Security Network”

  12. Complex and Imprecise Privacy Laws, Directives, Policies • US Privacy Act of 1974 • The OECD Guidelines – Principles • UN Guidelines Concerning Personalized Computer Files • EU Directive 95/46/EC Information Privacy Principles • Canadian Standards Association Model Code • International Labour Organization (ILO) Code of Practice on the Protection of Workers’ Personal Data • US-EU Safe Harbor Privacy Principles • Ontario Privacy Diagnostic Tool • Australian Privacy Act – National Privacy Principles • The AICPA/CICA Privacy Framework • Japan Personal Information Protection Act • APEC Privacy Framework • . . . .

  13. Privacy Context: Policies Are Trailing Technology and Practices Technology Evolving nature and concepts of Privacy Society Regulation National Security Standards Information Society Industry Digital Economy Pervasive Networked Devices Forces

  14. Accountability Notice Consent Collection Limitation Use Limitation Disclosure Access and Correction Data Quality Enforcement Openness Anonymity Data Flow Sensitivity Security/Safeguards Privacy Principles/Practices(many with clear Identity Management linkages) Source: www.istpa.org “Making Privacy Operational….”

  15. Relative State of Privacy and Security Standards • Privacy standards – essentially at very early state • Issues of definitions and taxonomy • Focus on ‘front-end’ data collection and Web (such as Platform for Privacy Preferences (P3P) • Today heavy focus on data minimization as a practice • Unclear policy and operational relationship between security and privacy • Privacy and security often conflated • data breach • Security – much more developed • frameworks, standards – ITU, ISO, OASIS, IETF, W3C, etc.) • mechanisms, products • ISTPA Privacy Framework potentially important – www.istpa.org

  16. Convergence of Information Sharing and Privacy • Business and personal information protection may require similar security controls • Despite different motivations • Separate policies and technologies • Not integrated, no common understandings • No single “ownership” or infrastructure architecture • Convergence being forced in information sharing systems • Data privacy concerns heightening awareness

  17. Starting Point: Identity and Trust Foundation • Trust is core component of operational information sharing and data privacy • Identity and access management foundation necessary • Need for interoperability across information sharing domains • federated or loosely-coupled, but trusted • Standards-based • Little attention to this in the information sharing community

  18. What Can Be Done? • Work must begin now - the information sharing infrastructures being implemented have serious security and privacy vulnerabilities • Need to take an overview of identity and trust standards in the context of loosely-connected systems and infrastructures • What is relationship of OASIS and other standards to a solution – SAML 2.0, Liberty, WS-Security, WS-Federation, XACML, others? • Is there a need for a new framework or meta standard? • Today’s workshop speakers discuss potentially important work underway that might be usable for identity management issues emerging in information sharing and privacy systems • How can the OASIS IDtrust Member Section play a role – EKMI, PKIA, DSS-X or other initiatives?

  19. Questions? john.t.sabo@ca.com

More Related