Challenges for Identity Management and Trust in Data Privacy and Government-Private Sector Information Sharing Systems for Critical Infrastructure Protection John T. Sabo Director, Global Government Relations CA, Inc. Member, OASIS IDtrust Member

1
Challenges for Identity Management and Trust
in Data Privacy andGovernment-Private Sector
Information Sharing Systems for Critical
Infrastructure ProtectionJohn T.
SaboDirector, Global Government RelationsCA,
Inc.Member, OASIS IDtrust Member Section
Steering CommitteePresident, Information
Technology-Information Sharing and Analysis Center
www.oasis-open.org
2
The Emerging Challenge

• Identity management challenges emerging from two
  distinct, but converging areas
• the networked sharing of sensitive information
  for critical infrastructure protection
• Information (or data) privacy

3
Information Sharing Mandate from Government

• The objective of the information sharing life
  cycle is to provide timely and relevant
  information that security partners can use to
  make decisions and take necessary actions to
  manage critical infrastructure risks.
• (The U.S. National Infrastructure Protection
  Plan (NIPP) NIPP, pages 59-60)

4
Cross-sector Information Sharing Environment

Securities.
WALL ST.
Transportation
Wall Street/The City
Banks/Finance
5
What is Information Sharing?

• Information - what
• descriptions and definitions of information
  sharing products
• Sharing Entities - who
• entities and individuals who comprise the
  information sharing infrastructure and their
  responsibilities
• Sharing Mechanisms - how
• the business processes and technical
  communications mechanisms used by information
  sharing entities
• Originator Control
• operational information sharing policies and
  rules for cross- sector and sector-government
  sharing
• Vetting and Trust
• security and privacy policies, standards and
  controls needed to establish and maintain a
  trusted information sharing environment

6
The Information Sharing community
7
Information Sharing for Critical Infrastructure
Protection

• Involves many partners
• Involves sensitive information
• Crosses company, organization, sector and
  geo-political boundaries
• Requires agreements about who, what, how, and
  attention to data protection components
• Must add value to participants
• Must be resilient
• Must be available
• Must be secure
• Must be trusted

8
Problems and Issues Growing

• Data privacy tensions exist in the use of
  personally identifiable information and sensitive
  business information for national security
  purposes
• Use in cross-domain programs and applications
• Crossing government and business boundaries
• Assurances of basic information privacy and
  business confidentiality principles
• Concerns over access and use of sensitive
  information
• The implementation of information sharing systems
  is exposing threats to privacy
• Data protection Commissioners
• Advocacy organizations

9
Relationship to Personal Information
www.oasis-open.org

• Society is increasingly driven by and dependent
  on personal information
• personal information is continuously collected,
  processed, used, and shared
• Information about finances, health,
  communications, behaviors and transportation --
  increasingly integrated into virtual databases of
  varying data quality
• Governments express interest in such information
  for national security purposes
• The use of this data for government purposes
  increases concerns as the potential for harm to
  the individual increases
• For example - deny access to flight or entry to a
  country based on multiple information sources

10
Examples of Personal Information

• Financial
• Consumers leave a trail every time they use
  credit and debit cards for purchases
• Communications Services
• The increase in the use communications
  technology has created a vast amount of
  telecommunications traffic. Each call is logged,
  tracked, billed and stored, creating an
  unparalleled data set.
• Location Data
• Telecommunications can yield even more
  information the individuals location.
• Transactions
• Information and services purchased are recorded
  and mapped to individuals, creating an electronic
  web of money, communications, locations, and
  goods and services.
• Interagency Exchanges
• Government agencies may acquire commercial data
  through a variety of processes, including their
  authority for taxing, licensing, or monitoring.

11
Example the U.S. National Homeland Security
Network
12
Complex and Imprecise Privacy Laws, Directives,
Policies

• US Privacy Act of 1974
• The OECD Guidelines Principles
• UN Guidelines Concerning Personalized Computer
  Files
• EU Directive 95/46/EC Information Privacy
  Principles
• Canadian Standards Association Model Code
• International Labour Organization (ILO) Code of
  Practice on the Protection of Workers Personal
  Data
• US-EU Safe Harbor Privacy Principles
• Ontario Privacy Diagnostic Tool
• Australian Privacy Act National Privacy
  Principles
• The AICPA/CICA Privacy Framework
• Japan Personal Information Protection Act
• APEC Privacy Framework
• . . . .

13
Privacy Context Policies Are Trailing Technology
and Practices
Technology
Evolving nature and concepts of Privacy
Society
Regulation
National Security
Standards
Information Society
Industry
Digital Economy
Pervasive Networked Devices
Forces
14
Privacy Principles/Practices (many with clear
Identity Management linkages)

• Accountability
• Notice
• Consent
• Collection Limitation
• Use Limitation
• Disclosure
• Access and Correction

• Data Quality
• Enforcement
• Openness
• Anonymity
• Data Flow
• Sensitivity
• Security/Safeguards

Source www.istpa.org Making Privacy
Operational.
15
Relative State of Privacy and Security Standards

• Privacy standards essentially at very early
  state
• Issues of definitions and taxonomy
• Focus on front-end data collection and Web
  (such as Platform for Privacy Preferences (P3P)
• Today heavy focus on data minimization as a
  practice
• Unclear policy and operational relationship
  between security and privacy
• Privacy and security often conflated
• data breach
• Security much more developed
• frameworks, standards ITU, ISO, OASIS, IETF,
  W3C, etc.)
• mechanisms, products
• ISTPA Privacy Framework potentially important
  www.istpa.org

16
Convergence of Information Sharing and Privacy

• Business and personal information protection may
  require similar security controls
• Despite different motivations
• Separate policies and technologies
• Not integrated, no common understandings
• No single ownership or infrastructure
  architecture
• Convergence being forced in information sharing
  systems
• Data privacy concerns heightening awareness

17
Starting Point Identity and Trust Foundation

• Trust is core component of operational
  information sharing and data privacy
• Identity and access management foundation
  necessary
• Need for interoperability across information
  sharing domains
• federated or loosely-coupled, but trusted
• Standards-based
• Little attention to this in the information
  sharing community

18
What Can Be Done?

• Work must begin now - the information sharing
  infrastructures being implemented have serious
  security and privacy vulnerabilities
• Need to take an overview of identity and trust
  standards in the context of loosely-connected
  systems and infrastructures
• What is relationship of OASIS and other standards
  to a solution SAML 2.0, Liberty, WS-Security,
  WS-Federation, XACML, others?
• Is there a need for a new framework or meta
  standard?
• Todays workshop speakers discuss potentially
  important work underway that might be usable for
  identity management issues emerging in
  information sharing and privacy systems
• How can the OASIS IDtrust Member Section play a
  role EKMI, PKIA, DSS-X or other initiatives?

19
Questions? john.t.sabo_at_ca.com