Title: e-ID and identity management aspects in the Belgian social sector
1e-ID and identity management aspectsin the
Belgian social sector
- Frank Robben
- General Manager Crossroads Bank for Social
Security - General Manager SmalS-MvM
- Sint-Pieterssteenweg 375
- B-1040 Brussels
- E-mail Frank.Robben_at_ksz.fgov.be
- CBSS website www.ksz.fgov.be
- Personal website www.law.kuleuven.ac.be/icri/frob
ben
2Structure of the presentation
- actual environment
- electronic user and access management
- eID functions and additional needs
- policy enforcement model
- SIS card and eID
- transnational aspects
- needs some use cases
- proposal of concrete objectives
3Actual environment
- a network between all 2,000 social sector actors
with a secure connection to the internet and
other public (e.g. FedMAN) and private (e.g.
Isabel) networks - a unique identification key
- for every citizen, electronically readable from
an electronic social security card (SIS card) and
an electronic identity card (eID) - for every company
- a task sharing between actors in the social
sector and other sectors with regard to
information management and information storage in
authentic sources
4Actual environment
- 185 electronic services for mutual information
exchange amongst all actors in the social sector,
defined after process optimization - nearly all direct or indirect (via citizens or
companies) paper-based information exchange
between actors in the social sector has been
abolished - in 2005 half a billion electronic messages were
exchanged amongst actors in the social sector,
which saved as many paper exchanges - an integrated portal site containing
- electronic transactions for employers and
citizens - information about the entire Belgian social
security system - harmonized instructions and information model
with regard to all electronic transactions - a personal page for each company
5Actual environment
- 36 electronic services for employers, either
based on the electronic exchange of structured
messages between software applications of the
employers and software applications of actors in
the social sector, or via the integrated portal
site - 50 social security declaration forms have been
abolished - in the remaining 30 declaration forms the number
of headings has on average been reduced to a
third of the previous number - declarations are limited to 3 events
- immediate declaration of recruitment and
discharge (only electronically) - quarterly declaration of salary and working times
(only electronically) - 21 types of declarations of social risks
(electronically or on paper) - in 2005 15,7 million electronic declarations were
made by all 220,000 employers, 98 of which from
application to application
6Actual environment
- 4 electronic services for citizens via the
integrated portal - 2 services to apply for social benefits
- 2 services for consultation of social benefits
- about 30 new services are foreseen
- an integrated multimodal contact centre supported
by a customer relationship management tool - an integrated e-workspace for professionals
involved in the social sector with - e-teams
- workflow throughout social sector actors (e.g.
e-Leg) - a datawarehouse with integrated information for
research and policy support, and policy evaluation
7Actual environment
- coordination by the Crossroads Bank for Social
Security - definition of the vision and the strategy on
E-government in the social sector and of the
common principles related to information
management - definition, implementation and management of an
interoperability framework - secure messaging of several types of information
(structured data, documents, images, metadata, )
with business logic and orchestration support - coordination of business process reengineering
- stimulation of service oriented applications
- management of a reference directory for
- preventive control on the legitimacy of the
information exchange - organisation of the routing of information
- automatic communication of changes of information
8Actual environment
- reference directory
- directory of available services/information
- which information/services are available at any
institution depending on the capacity in which a
person/company is registered at each institution - directory of authorisation policies
- which users/applications are authorized to access
which information/services depending on the
capacity in which a person/company is registered
at each institution - directory of data subjects
- which persons/companies have personal files in
which institutions for which periods of time, and
in which capacity they are registered - subscription table
- which users/applications want to automatically
receive what services in which situations for
which persons/companies in which capacity
9Electronic user access management
- eID
- electronic identification and authentication of
the identity of physical persons over the age of
12 who are registered in the Belgian population
registers - electronic signature of these persons
- additional needs
- electronic identification and authentication of
the identity of physical persons under the age of
12 or who are not registered in the Belgian
population registers - authentication of characteristics (e.g. a
capacity, a function, a professional
qualification) - authentication of mandates between a legal or
physical person to whom an electronic transaction
relates and the person carrying out that
transaction - authorisation management
- towards an eID based on biometrics ?
10Policy Enforcement Model
Action
on
Action
application
Policy
on
DENIED
application
User
Enforcement
Application
PERMITTED
(
PEP
)
Action
on
application
Decision
Decision
request
reply
Information
request/
Policy Decision
Policy
reply
retrieval
(PDP)
Information
request/
reply
Policy
Policy Administration
Policy Information
Policy Information
management
(
PIP
)
(
PAP
)
(
PIP
)
Manager
Policy
repository
Authentic source
Authentic source
11Policy Enforcement Point (PEP)
- intercepts the request for authorisation with all
available information about the user, the action
being requested, the resources and the
environment - passes on the request for authorisation to the
Policy Decision Point (PDP) and extracts a
decision regarding authorisation - grants access to the application and provides
relevant credentials
Action
on
Action
application
Policy
on
DENIED
application
User
Enforcement
Application
PERMITTED
(
PEP
)
Action
on
application
Decision
Decision
request
reply
Policy Decision
(PDP)
12Policy Decision Point (PDP)
- based on the request for authorisation received,
retrieves the appropriate authorisation policy
from the Policy Administration Point(s) (PAP) - evaluates the policy and, if necessary, retrieves
the relevant information from the Policy
Information Point(s) (PIP) - takes the authorisation decision (permit/deny/not
applicable) and sends it to the PEP
Policy
Enforcement
(
PEP
)
Decision
Decision
request
reply
Information
request/
Policy
Policy Decision
reply
retrieval
(PDP)
Information
request/
reply
Policy Information
Policy Administration
Policy Information
(
PIP
)
(
PAP
)
(
PIP
)
13Policy Administration Point (PAP)
- environment to store and manage authorisation
policies by authorised person(s) appointed by the
application managers - puts authorisation policies at the disposal of
the PDP
Policy
Policy
management
retrieval
PDP
PAP
Manager
Policy
repository
14Policy Information Point (PIP)
- puts information at the disposal of the PDP in
order to evaluate authorisation policies
(authentic sources with characteristics,
mandates, etc.)
Information
request/
reply
PDP
Information
request/
reply
PIP
1
PIP
2
Authentic source
Authentic source
15eID and social security portal
- all end-user applications are divided into
categories based on the required level of
security - all applications can be used with the eID as a
means of electronic identification and
authentication of identity - some applications can also be used (temporarily)
on the basis of a user-id, password and, where
appropriate, a citizen token or a public servant
token - electronic signatures can be put with the eID
- the policy enforcement model is being implemented
for the authentication of characteristics and
mandates and for authorisation management
16SIS card and eID
- gradual replacement of the functions of the SIS
card once the following conditions have been
fulfilled - function of electronic identification overall
availability of the eID - function of proof of the insurability in the
health care sector - secure on line access by the health care
providers to the insurability information
available at the sickness funds - electronic identification and authentication of
the identity, characteristics and mandates of the
health care providers - preservation of the SIS card or a similar
solution for persons who do not possess an eID
(persons not residing in Belgium, children under
the age of 12, etc.) - availability of readers that can read both the
SIS-card and the eID
17Transnational aspects
- need to be able to electonically
- identify and authenticate the identity of all
relevant entities (physical persons, companies,
) - authenticate the relevant characteristics of the
entities - authenticate that an entity has been mandated by
another entity to perform a legal action - need to implement the objective and related
actions from the interministerial statement about
E-government in the EU issued on 24th November
2005
18Interministerial statement
- By 2010 European citizens and business shall be
able to benefit from secure means of electronic
identification that maximise user convenience
while respecting data protection regulations.
Such means shall be made available under the
responsibility of the Member States, but
recognised across the EU.
19Interministerial statement actions
- Member States will, during 2006, agree a process
and roadmap for achieving the electronic identity
objectives and address the national and European
legal barriers to the achievement of the
electronic identity objectives work in this area
is essential for public administrations to
deliver personalised electronic services with no
ambiguity as to the users identity. - Member States will, over the period 2006-2010,
work towards the mutual recognition of national
electronic identities by testing, piloting and
implementing suitable technologies and methods.
20Some use cases
- individual residing in Member State A is
temporarily employed (posted) in Member State B - the employer or his representative has to ask for
authorization from the competent social security
institution of Member State A - the competent social security institution of
Member State A (electronically) sends an
E101-form to the competent social security
institution of Member State B - gt need for (interrelated) identification of the
employer, his representative and the employee in
both Member States, need for authentication of
the characteristic "employer" and need for
authentication of the mandate of the
representative
21Some use cases
- individual residing in Member State A works,
studies or looks for work in Member State B gt
need for (interrelated) identification of the
individual in both Member States - individual residing in Member State A
simultaneously works in various other Member
States gt need for (interrelated) identification
of the individual in all Member States - individual residing in Member State A needs
health care in member State B (form E111,
(e)EHIC) gt need for (interrelated)
identification of the individual in both Member
States
22Some use cases
- individual residing in Member State A has to
exchange (in an electronic way) data with public
authorities in Member State B gt need for
(interrelated) identification of the individual
in both Member States - employer or his representative residing in Member
State A has to exchange (in an electronic way)
data about his employees with public authorities
in Member State B gt need for (interrelated)
identification in both Member States of the
employer, his representative and the employees,
need for authentication of the characteristic of
"employer" and need for authentication of the
mandate of the representative
23User awareness and acceptance
Identify user benefits, awareness,
promotion formulate vision
Wide awareness campaign
Use Cases (eProcurement,, migrant workers)
Validation and key applications
Testbeds / pilots, e.g. in CIP e-procurement,
health info networks
CEC as lead user
eTEN, IDABC testbeds specifications
European inter-operability
Semantic
IST RD for federated, multi-level, secure eIDM
Common eIDM Framework
Federated eID Management
Organisational
CEN eIDM standardisation link to ECC
Technical
IDABC business attestations study
eID management at national level
IDABC e-sign studies
eIDM at national level
Explain role of e-sign Directive
Legal certainty
Authentication Model Levels
Equal Treatment of national eIDs
EU provisions Recognition of national eIDs
Modinis study
Common principles, minimal norms
eID Terminology Objectives
Definition of eID
Personal Data Ownership Model
eID Role Management
2006
2007
2008
2009
2010
country inputs
Network and IT security
Authentication levels overview (ENISA)
24Proposal of concrete objectives
- internationally, authentication levels are
established in relation to identity,
characteristics and mandates - each country has registration procedures for
establishing the identity of individuals residing
in their own country, according to the
internationally established authentication levels - each country has registration procedures for
establishing the identity of legal entities and
actual associations that are established in their
own country, according to the internationally
established authentication levels
25Proposal of concrete objectives
- each country makes available to each individual,
each legal entity and each actual association for
whom/which the identity is established in
accordance with the registration procedures, the
means by which the concerned entity can produce
and prove its identity (whether or not in a
particular context) locally or remotely,
verbally, visually and electronically on the
territory of the country in question, without
that entitys identity being confused with the
identity of another individual person, legal
entity or actual association in that country
26Proposal of concrete objectives
- each country has registration procedures for
establishing the type of characteristics
indicated by an internationally accredited body,
according to the internationally established
authentication levels - each country has registration procedures for
establishing the mandate of an individual to
represent a legal entity or actual association,
and the other types of mandates that are
indicated by an internationally accredited body,
according to the internationally established
authentication levels
27Proposal of concrete objectives
- each country has the necessary systems to produce
and prove the characteristics and mandates of
individuals, legal entities and actual
associations that have been established according
to the registration procedures (whether or not in
a particular context), locally or remotely,
verbally, visually and electronically on the
territory of the country in question, either with
the permission of the concerned entity or in
accordance with a statutory or legal provision
28Proposal of concrete objectives
- under the coordination of the European
Commission, the Member States of the EU develop
EU standards and specifications to ensure the
semantic and technical interoperability of
resources for producing and proving
electronically the identity, characteristics and
mandates through or in relation to individuals,
legal entities and actual associations on the
territory of other Member States
29More information
- social security portal
- www.socialsecurity.be
- website Crossroads Bank for Social Security
- www.ksz.fgov.be
- personal website of the speaker
- www.law.kuleuven.ac.be/icri/frobben