e-ID and identity management aspects in the Belgian social sector

1
e-ID and identity management aspects in the
Belgian social sector
  • Frank Robben
  • General Manager Crossroads Bank for Social
    Security
  • General Manager SmalS-MvM
  • Sint-Pieterssteenweg 375
  • B-1040 Brussels
  • E-mail: Frank.Robben_at_ksz.fgov.be
  • CBSS website: www.ksz.fgov.be
  • Personal website: www.law.kuleuven.ac.be/icri/frobben

2
Structure of the presentation
  • actual environment
  • electronic user and access management
  • eID functions and additional needs
  • policy enforcement model
  • SIS card and eID
  • transnational aspects
  • needs some use cases
  • proposal of concrete objectives

3
Actual environment
  • a network between all 2,000 social sector actors
    with a secure connection to the internet and
    other public (e.g. FedMAN) and private (e.g.
    Isabel) networks
  • a unique identification key
      • for every citizen, electronically readable from
        an electronic social security card (SIS card) and
        an electronic identity card (eID)
      • for every company
  • a task sharing between actors in the social
    sector and other sectors with regard to
    information management and information storage in
    authentic sources

4
Actual environment
  • 185 electronic services for mutual information
    exchange amongst all actors in the social sector,
    defined after process optimization
  • nearly all direct or indirect (via citizens or
    companies) paper-based information exchange
    between actors in the social sector has been
    abolished
  • in 2005 half a billion electronic messages were
    exchanged amongst actors in the social sector,
    which saved as many paper exchanges
  • an integrated portal site containing
      • electronic transactions for employers and
        citizens
      • information about the entire Belgian social
        security system
      • harmonized instructions and information model
        with regard to all electronic transactions
      • a personal page for each company

5
Actual environment
  • 36 electronic services for employers, either
    based on the electronic exchange of structured
    messages between software applications of the
    employers and software applications of actors in
    the social sector, or via the integrated portal
    site
  • 50 social security declaration forms have been
    abolished
  • in the remaining 30 declaration forms the number
    of headings has on average been reduced to a
    third of the previous number
  • declarations are limited to 3 events
      • immediate declaration of recruitment and
        discharge (only electronically)
      • quarterly declaration of salary and working times
        (only electronically)
      • 21 types of declarations of social risks
        (electronically or on paper)
  • in 2005 15,7 million electronic declarations were
    made by all 220,000 employers, 98% of which from
    application to application

6
Actual environment
  • 4 electronic services for citizens via the
    integrated portal
      • 2 services to apply for social benefits
      • 2 services for consultation of social benefits
  • about 30 new services are foreseen
  • an integrated multimodal contact centre supported
    by a customer relationship management tool
  • an integrated e-workspace for professionals
    involved in the social sector with
      • e-teams
      • workflow throughout social sector actors (e.g.
        e-Leg)
  • a datawarehouse with integrated information for
    research and policy support, and policy evaluation

7
Actual environment
  • coordination by the Crossroads Bank for Social
    Security
      • definition of the vision and the strategy on
        E-government in the social sector and of the
        common principles related to information
        management
      • definition, implementation and management of an
        interoperability framework
      • secure messaging of several types of information
        (structured data, documents, images, metadata, ...)
        with business logic and orchestration support
      • coordination of business process reengineering
      • stimulation of service oriented applications
      • management of a reference directory for
          • preventive control on the legitimacy of the
            information exchange
          • organisation of the routing of information
          • automatic communication of changes of information

8
Actual environment
  • reference directory
      • directory of available services/information
          • which information/services are available at any
            institution depending on the capacity in which a
            person/company is registered at each institution
      • directory of authorisation policies
          • which users/applications are authorized to access
            which information/services depending on the
            capacity in which a person/company is registered
            at each institution
      • directory of data subjects
          • which persons/companies have personal files in
            which institutions for which periods of time, and
            in which capacity they are registered
      • subscription table
          • which users/applications want to automatically
            receive what services in which situations for
            which persons/companies in which capacity

9
Electronic user access management
  • eID
      • electronic identification and authentication of
        the identity of physical persons over the age of
        12 who are registered in the Belgian population
        registers
      • electronic signature of these persons
  • additional needs
      • electronic identification and authentication of
        the identity of physical persons under the age of
        12 or who are not registered in the Belgian
        population registers
      • authentication of characteristics (e.g. a
        capacity, a function, a professional
        qualification)
      • authentication of mandates between a legal or
        physical person to whom an electronic transaction
        relates and the person carrying out that
        transaction
  • authorisation management
  • towards an eID based on biometrics?

10
Policy Enforcement Model
[Diagram: the User sends an "Action on application" to the Policy Enforcement Point (PEP), which either answers DENIED or passes the PERMITTED action on to the Application. The PEP exchanges a decision request and decision reply with the Policy Decision Point (PDP). The PDP performs policy retrieval from the Policy Administration Point (PAP), whose policy repository is maintained by a Manager (policy management), and exchanges information requests and replies with two Policy Information Points (PIP), each in front of an authentic source.]

11
Policy Enforcement Point (PEP)
  • intercepts the request for authorisation with all
    available information about the user, the action
    being requested, the resources and the
    environment
  • passes on the request for authorisation to the
    Policy Decision Point (PDP) and extracts a
    decision regarding authorisation
  • grants access to the application and provides
    relevant credentials

[Diagram: User, PEP, Application and PDP, showing the "Action on application" flow (PERMITTED / DENIED) and the decision request / decision reply between PEP and PDP.]

12
Policy Decision Point (PDP)
  • based on the request for authorisation received,
    retrieves the appropriate authorisation policy
    from the Policy Administration Point(s) (PAP)
  • evaluates the policy and, if necessary, retrieves
    the relevant information from the Policy
    Information Point(s) (PIP)
  • takes the authorisation decision (permit/deny/not
    applicable) and sends it to the PEP

[Diagram: the PDP with its decision request / decision reply link to the PEP, policy retrieval from the PAP, and information request / reply links to two PIPs.]

13
Policy Administration Point (PAP)
  • environment to store and manage authorisation
    policies by authorised person(s) appointed by the
    application managers
  • puts authorisation policies at the disposal of
    the PDP

[Diagram: the Manager performs policy management on the PAP and its policy repository; the PDP performs policy retrieval from the PAP.]

14
Policy Information Point (PIP)
  • puts information at the disposal of the PDP in
    order to evaluate authorisation policies
    (authentic sources with characteristics,
    mandates, etc.)

[Diagram: the PDP exchanges information requests and replies with PIP 1 and PIP 2, each in front of an authentic source.]

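The decision flow of slides 10 to 14, as an added Python example (not code from the presentation or from the Crossroads Bank). The policy format, the function names and all sample data are constructed for illustration; treating "not applicable" as a refusal at the PEP is an assumption of this example.

```python
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not applicable"

@dataclass(frozen=True)
class Request:
    user: str          # authenticated identity, e.g. obtained from the eID
    action: str
    resource: str
    on_behalf_of: str  # entity the electronic transaction relates to

# PIP 1 and PIP 2: constructed stand-ins for two authentic sources.
CHARACTERISTICS = {"company-A": {"employer"}}   # entity -> characteristics
MANDATES = {("alice", "company-A")}             # (mandate holder, mandator)

def pip_characteristics(entity):
    return CHARACTERISTICS.get(entity, set())

def pip_has_mandate(user, entity):
    return (user, entity) in MANDATES

# PAP: policy repository, keyed by (action, resource). Hypothetical format.
POLICIES = {
    ("submit", "quarterly-declaration"): {
        "required_characteristic": "employer",
        "mandate_required": True,
    },
}

def pap_retrieve(action, resource):
    return POLICIES.get((action, resource))

def pdp_decide(req):
    """Retrieve the policy from the PAP, query the PIPs, return a decision."""
    policy = pap_retrieve(req.action, req.resource)
    if policy is None:
        return NOT_APPLICABLE
    if policy["required_characteristic"] not in pip_characteristics(req.on_behalf_of):
        return DENY
    if policy["mandate_required"] and not pip_has_mandate(req.user, req.on_behalf_of):
        return DENY
    return PERMIT

def pep_enforce(req, application):
    """Intercept the request; only an explicit permit reaches the application."""
    decision = pdp_decide(req)
    if decision != PERMIT:  # fail closed on deny and on not applicable
        return ("DENIED", decision)
    return ("PERMITTED", application(req))

def declaration_app(req):
    return f"declaration accepted for {req.on_behalf_of}"
```
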
15
eID and social security portal
  • all end-user applications are divided into
    categories based on the required level of
    security
  • all applications can be used with the eID as a
    means of electronic identification and
    authentication of identity
  • some applications can also be used (temporarily)
    on the basis of a user-id, password and, where
    appropriate, a citizen token or a public servant
    token
  • electronic signatures can be put with the eID
  • the policy enforcement model is being implemented
    for the authentication of characteristics and
    mandates and for authorisation management

16
SIS card and eID
  • gradual replacement of the functions of the SIS
    card once the following conditions have been
    fulfilled
  • function of electronic identification: overall
    availability of the eID
  • function of proof of the insurability in the
    health care sector
  • secure on line access by the health care
    providers to the insurability information
    available at the sickness funds
  • electronic identification and authentication of
    the identity, characteristics and mandates of the
    health care providers
  • preservation of the SIS card or a similar
    solution for persons who do not possess an eID
    (persons not residing in Belgium, children under
    the age of 12, etc.)
  • availability of readers that can read both the
    SIS-card and the eID

17
Transnational aspects
  • need to be able to electronically
      • identify and authenticate the identity of all
        relevant entities (physical persons, companies,
        ...)
      • authenticate the relevant characteristics of the
        entities
      • authenticate that an entity has been mandated by
        another entity to perform a legal action
  • need to implement the objective and related
    actions from the interministerial statement about
    E-government in the EU issued on 24th November
    2005

18
Interministerial statement
  • By 2010 European citizens and business shall be
    able to benefit from secure means of electronic
    identification that maximise user convenience
    while respecting data protection regulations.
    Such means shall be made available under the
    responsibility of the Member States, but
    recognised across the EU.

19
Interministerial statement actions
  • Member States will, during 2006, agree a process
    and roadmap for achieving the electronic identity
    objectives and address the national and European
    legal barriers to the achievement of the
    electronic identity objectives; work in this area
    is essential for public administrations to
    deliver personalised electronic services with no
    ambiguity as to the user's identity.
  • Member States will, over the period 2006-2010,
    work towards the mutual recognition of national
    electronic identities by testing, piloting and
    implementing suitable technologies and methods.

20
Some use cases
  • individual residing in Member State A is
    temporarily employed (posted) in Member State B
      • the employer or his representative has to ask for
        authorization from the competent social security
        institution of Member State A
      • the competent social security institution of
        Member State A (electronically) sends an
        E101-form to the competent social security
        institution of Member State B
      • => need for (interrelated) identification of the
        employer, his representative and the employee in
        both Member States, need for authentication of
        the characteristic "employer" and need for
        authentication of the mandate of the
        representative

21
Some use cases
  • individual residing in Member State A works,
    studies or looks for work in Member State B =>
    need for (interrelated) identification of the
    individual in both Member States
  • individual residing in Member State A
    simultaneously works in various other Member
    States => need for (interrelated) identification
    of the individual in all Member States
  • individual residing in Member State A needs
    health care in Member State B (form E111,
    (e)EHIC) => need for (interrelated)
    identification of the individual in both Member
    States

22
Some use cases
  • individual residing in Member State A has to
    exchange (in an electronic way) data with public
    authorities in Member State B => need for
    (interrelated) identification of the individual
    in both Member States
  • employer or his representative residing in Member
    State A has to exchange (in an electronic way)
    data about his employees with public authorities
    in Member State B => need for (interrelated)
    identification in both Member States of the
    employer, his representative and the employees,
    need for authentication of the characteristic of
    "employer" and need for authentication of the
    mandate of the representative

23
[Diagram: roadmap chart on a time axis from 2006 to 2010, with country inputs. Labels on the chart: User awareness and acceptance; Identify user benefits, awareness, promotion; formulate vision; Wide awareness campaign; Use Cases (eProcurement, migrant workers); Validation and key applications; Testbeds / pilots, e.g. in CIP e-procurement, health info networks; CEC as lead user; eTEN, IDABC testbeds specifications; European inter-operability (Semantic, Organisational, Technical); IST RD for federated, multi-level, secure eIDM; Common eIDM Framework; Federated eID Management; CEN eIDM standardisation link to ECC; IDABC business attestations study; eID management at national level; IDABC e-sign studies; Explain role of e-sign Directive; Legal certainty; Authentication Model Levels; Equal Treatment of national eIDs; EU provisions Recognition of national eIDs; Modinis study; Common principles, minimal norms; eID Terminology Objectives; Definition of eID; Personal Data Ownership Model; eID Role Management; Network and IT security; Authentication levels overview (ENISA).]

24
Proposal of concrete objectives
  • internationally, authentication levels are
    established in relation to identity,
    characteristics and mandates
  • each country has registration procedures for
    establishing the identity of individuals residing
    in their own country, according to the
    internationally established authentication levels
  • each country has registration procedures for
    establishing the identity of legal entities and
    actual associations that are established in their
    own country, according to the internationally
    established authentication levels

25
Proposal of concrete objectives
  • each country makes available to each individual,
    each legal entity and each actual association for
    whom/which the identity is established in
    accordance with the registration procedures, the
    means by which the concerned entity can produce
    and prove its identity (whether or not in a
    particular context) locally or remotely,
    verbally, visually and electronically on the
    territory of the country in question, without
    that entity's identity being confused with the
    identity of another individual person, legal
    entity or actual association in that country

26
Proposal of concrete objectives
  • each country has registration procedures for
    establishing the type of characteristics
    indicated by an internationally accredited body,
    according to the internationally established
    authentication levels
  • each country has registration procedures for
    establishing the mandate of an individual to
    represent a legal entity or actual association,
    and the other types of mandates that are
    indicated by an internationally accredited body,
    according to the internationally established
    authentication levels

27
Proposal of concrete objectives
  • each country has the necessary systems to produce
    and prove the characteristics and mandates of
    individuals, legal entities and actual
    associations that have been established according
    to the registration procedures (whether or not in
    a particular context), locally or remotely,
    verbally, visually and electronically on the
    territory of the country in question, either with
    the permission of the concerned entity or in
    accordance with a statutory or legal provision

28
Proposal of concrete objectives
  • under the coordination of the European
    Commission, the Member States of the EU develop
    EU standards and specifications to ensure the
    semantic and technical interoperability of
    resources for producing and proving
    electronically the identity, characteristics and
    mandates through or in relation to individuals,
    legal entities and actual associations on the
    territory of other Member States

29
More information
  • social security portal
      • www.socialsecurity.be
  • website Crossroads Bank for Social Security
      • www.ksz.fgov.be
  • personal website of the speaker
      • www.law.kuleuven.ac.be/icri/frobben