TRANSCRIPT
ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies
Standards contributing to the protection of citizen’s privacy and personal data
Work in ISO/IEC JTC 1/SC 27
ETSI Security week
Security Workshop
2015-06-23
Sophia-Antipolis, France
Prof. Dr. Kai Rannenberg
Convenor ISO/IEC JTC 1/SC 27/WG 5
Telekom Chair of Mobile Business & Multilateral Security
Goethe University Frankfurt
Agenda
SC 27 and WG 5 within ISO/IEC JTC 1
Privacy Standardisation
A typical obstacle
WG 5 projects (against the obstacles)
Privacy-friendly Identity Management
Privacy Framework
…
Next SC 27 and WG 5 meetings
SC 27 within ISO/IEC JTC 1
Joint Technical Committee 1 “Information Technology”
Subcommittee 27 „IT Security Techniques“
SC 27 Facts & Figures
Members
  P-members: 51
  O-members: 20
Projects
  Total no of projects: 230
  No of active projects: 84
  Current number of published standards: 146
Standing Documents
  SD6 Glossary of IT Security terminology (http://www.jtc1sc27.din.de/sbe/SD6)
  SD7 Catalogue of SC 27 Projects and Standards (http://www.jtc1sc27.din.de/sbe/SD7)
  SD11 Overview of SC 27 (http://www.jtc1sc27.din.de/sbe/SD11)
WGs within ISO/IEC JTC 1/SC 27 – IT Security Techniques
  WG 1 ISMS
  WG 2 Cryptography & Security Mechanisms
  WG 3 Security Evaluation
  WG 4 Security Controls & Services
  WG 5 Identity Management & Privacy Technologies
[Diagram labels: Product, System, Process, Environment; Techniques, Guidelines, Assessment]
SC27 Working Groups
SC27
  Chair: Walter Fumy (DE)
  Vice-chair: Marijke De Soete (BE)
  Secretariat: Krystyna Passia (DIN)
WG1 (Information security management systems)
  Convenor: Edward Humphreys (UK)
  Vice-convenor: Dale Johnstone (AU)
WG2 (Cryptography and security mechanisms)
  Convenor: Takeshi Chikazawa (JP)
  Vice-convenor: Toshio Tatsuta (JP)
WG3 (Security Evaluation, Testing and Specification)
  Convenor: Miguel Bañón (ES)
  Vice-convenor: Naruki Kai (JP)
WG4 (Security controls and services)
  Convenor: Johann Amsenga (ZA)
  Vice-convenor: François Lorek (FR)
WG5 (Identity management and privacy technologies)
  Convenor: Kai Rannenberg (DE)
  Vice-convenor: Jan Schallaböck (DE)
SWG-M (Management)
  Convenor: Faud Khan (CA)
  Vice-convenor: Anders Carlstedt (SE)
SWG-T (Transversal Items)
  Convenor: Andreas Fuchsberger (UK)
  Vice-convenor: Laura Lindsay (US)
© copyright ISO/IEC JTC 1/SC 27, 2015. This is an SC27 public document and is distributed as is for the sole purpose of awareness and promotion of SC 27 standards and so the text is not to be used for commercial purposes, gain or as a source of profit. Any changes to the slides or incorporation in other documents / presentations requires prior permission of the ISO/IEC JTC 1 SC27 Secretariat.
A legacy Information Management Paradigm …
“Collect as much information as possible – and check about a use for it later”
… which is NOT Best Practice …
… and not consumer friendly
WG 5 Identity Management & Privacy Technologies
Project Overview
Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, DIS)
  Privacy framework (ISO/IEC 29100, IS:2011)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
  Entity authentication assurance framework (ISO/IEC 29115, IS:2013)
  A framework for access management (ISO/IEC 29146, DIS)
  Telebiometric authentication framework using biometric hardware security module (ITU-T X.1085 | ISO/IEC 17922, CD) (formerly X.bhsm)
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
Guidance on Context and Assessment
  Authentication context for biometrics (ISO/IEC 24761, IS:2009/Cor 1:2013)
  Privacy capability assessment model (ISO/IEC 29190, FDIS)
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Identity proofing (ISO/IEC 29003, CD)
  Privacy impact assessment – methodology (ISO/IEC 29134, CD)
  Code of practice for PII protection (ITU-T X.gpim | ISO/IEC 29151, CD)
WG 5 Identity Management & Privacy Technologies
Selected Projects
Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760 (Parts 1-3), IS:2011, IS:2015, DIS)
  Privacy framework (ISO/IEC 29100, IS:2011)
Protection Concepts
  Biometric information protection (ISO/IEC 24745, IS:2011)
  Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, IS:2012)
Guidance on Context and Assessment
  Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018, IS:2014)
  Privacy impact assessment – methodology (ISO/IEC 29134, CD)
  Privacy capability assessment model (ISO/IEC 29190, FDIS)
  Code of practice for PII protection (ITU-T X.gpim | ISO/IEC 29151, CD)
WG 5 Identity Management & Privacy Technologies
Programme of Work
Frameworks & Architectures
  A framework for identity management (ISO/IEC 24760)
    Part 1: Terminology and concepts (IS:2011, freely available)
    Part 2: Reference framework and requirements (IS:2015)
    Part 3: Practice (DIS)
  Privacy framework (ISO/IEC 29100, IS:2011, freely available)
  Privacy architecture framework (ISO/IEC 29101, IS:2013)
Identity Management (IdM)
2 sides of a medal with enormous economic potential
People live their life
  in different roles (professional, private, volunteer)
  using different identities (pseudonyms): email accounts, SIM cards, eBay trade names, chat names, Facebook names, …
Differentiated identities help to
  protect
    privacy, especially anonymity
    personal security/safety
  enable reputation building at the same time
Identity management systems
  support users using role based identities
  help to present the “right” identity in the right context
Organisations aim to sort out
  User Accounts in different IT systems
  Authentication
  Rights management
  Access control
Unified identities help to
  ease administration
  manage customer relations
Identity management systems
  ease single-sign-on by unifying accounts
  solve the problems of multiple passwords
Partial Identities in ISO/IEC 24760
Based on [Clauß, Köhntopp 2001]
ISO/IEC 29100:2011
Privacy framework
For the protection of personally identifiable information within ICT systems:
  Specifies a common privacy terminology;
  Defines the actors and their roles in processing personally identifiable information;
  Describes privacy safeguarding considerations;
  Provides references to known privacy principles for ICT.
ISO/IEC 29100:2011 Privacy framework
11 Privacy principles
  (1) Consent and choice
  (2) Purpose legitimacy and specification
  (3) Collection limitation
  (4) Data minimization
  (5) Use, retention and disclosure limitation
  (6) Accuracy and quality
  (7) Openness, transparency and notice
  (8) Individual participation and access
  (9) Accountability
  (10) Information security
  (11) Privacy compliance
WG 5 Identity Management & Privacy Technologies
Privacy/PII standards in SC 27/WG 5 and elsewhere
WG 5 Identity Management & Privacy Technologies
Programme of Work
Study Periods
  User friendly online privacy notices and consent
  Anonymous attribute assurance
  Privacy engineering framework
  A privacy-respecting identity management scheme using attribute-based credentials (together with WG 2)
  On the adoption and usage of ISO/IEC 29115 and its interaction with ISO/IEC 29003
WG 5 Identity Management & Privacy Technologies
SP User friendly online privacy notices and consent
From the terms of reference
  How could a project in this area contribute to
    User friendliness and
    User experience?
  When are notices sufficient?
  When is an explicit consent required?
  Rather a guideline or use of normative languages?
WG 5 Identity Management & Privacy Technologies
Programme of Work
New Work Item Proposal
  Privacy enhancing data de-identification techniques
WG 5 Identity Management & Privacy Technologies
Liaisons and collaboration
With organizations and committees dealing with specific requirements and guidelines for services and applications, e.g.:
  ISO/IEC JTC 1
  ISO
  CEN
  ETSI
  ITU-T
  Further organisations with specific application needs and/or expertise
WG 5 Identity Management & Privacy Technologies
Example Liaisons and collaboration – within ISO and IEC
  JTC 1/SC 17/WG 4: Integrated circuit card with contacts
  JTC 1/SC 37: Biometrics
  JTC 1/SC 38: Distributed application platforms and services (DAPS)
  ISO TC 215/WG 4: Health Informatics Security
WG 5 Identity Management & Privacy Technologies
Liaisons and collaboration – with ITU-T
  ITU-T SG 13: Future networks including mobile and NGN
  ITU-T SG 17: Security
WG 5 Identity Management & Privacy Technologies
Example Liaisons and collaboration
  (ISC)² - International Information Systems Security Certification Consortium
  ABC4Trust
  Article 29 Working Party of Data Protection Authorities in the European Union
  CSA (Cloud Security Alliance)
  ENISA (European Network and Information Security Agency)
  FIDIS (Future of Identity in the Information Society)
  ISF (Information Security Forum)
  Kantara Initiative (succeeding Liberty Alliance)
  OpenID Foundation
  PRACTICE
  PRIPARE
  The International Conference of Data Protection and Privacy Commissioners
Next meetings
2015-10-26 – 2013-10-30 Jaipur (India): WG 5 Meeting
2016-04-11 – 2016-04-15 Tampa, Florida (USA): WG 5 Meeting
2016-04-18 – 2016-04-19 Tampa, Florida (USA): SC 27 Plenary
WG 5 Identity Management & Privacy Technologies
Further Reading
www.jtc1sc27.din.de/en
  SD6 Glossary of IT Security Terminology
  SD7 Catalogue of SC 27 Standards & Projects
  WG 5/SD2 Privacy Documents References List
  WG 5/SD4 Standard Privacy Assessment (SPA)
www.iso.org/obp/ui
  ISO Online Browsing Platform (OBP)
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  Freely available standards, e.g. ISO/IEC 24760-1:2011 “A framework for identity management -- Part 1: Terminology and concepts”
Thank you very much for your attention and interest
WG 5 Identity Management & Privacy Technologies
JTC 1/SC 27 Mission
SC 27 is an internationally recognised centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Their work covers the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
  Information Security Management Systems (ISMS), requirements, controls and conformance assessment, accreditation and auditing requirements in the area of information security;
  Cryptographic mechanisms;
  Security evaluation criteria and methodology;
  Security services;
  Security aspects of identity management, biometrics and privacy.