Week 2
Dr Peter White
Digital Identity
Privacy and Identity
© P White 2017 2
What is a Digital Identity?
Sullivan defines it as
“Digital identity is all the information digitally
recorded about an individual. i.e. a natural person
that is accessible under the particular scheme”
Digital identity is now emerging as an important
concept for government
◦ Services for citizens are being moved online to provide:
Better transactional efficiency
Reduction in operating costs
24x7 access to a range of different services
But, the move online has created challenges
◦ Legislative issues & requirements
◦ Identity assurance issues
People have more than one identity
◦ Fraud issues, including identity theft
Government identity systems require uniqueness
& exclusivity:
◦ one person = one identity
Sullivan sees a digital identity as having two
components:
1. A set of defined, static information that is
presented for a transaction, such as name,
address, DoB, and other identifying
information, such as numerical identifier,
signature, etc.
◦ What other information do you think should be
included here to ensure proper identification?
For a private use digital identity?
For a government use digital identity?
◦ Should it include biometric information?
Sullivan, C. (2015). Protecting digital identity in the cloud. In Ko, R., & Choo, K.(Eds.). (2015).
The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues. Waltham, MA:
Syngress.
2. Transactional data.
◦ This is a larger collection of “other” information that
is tied to the transaction identity.
Note her use of terminology here – transaction
identity.
What do you think this means?
◦ Transactional data is dynamic & augmented on an
ongoing basis
◦ This data is generally considered personal
information & not available in the public domain
◦ This data is often protected by privacy laws and
regulations
Digital identification has two phases:
1. Authentication of identity
2. Verification of identity
Authentication
◦ An identity claim is authenticated by the claimant
providing identifying information, such as:
User name and password,
Identity number and password
Biometrics and password
◦ Identifying information is regarded as being
associated inseparably with the individual
Verification
◦ The authenticated digital identity can now be used
to verify transactions, such as renew licences, claim
Medicare rebates, complete tax returns, etc.
Note that a human is not absolutely essential
to the identification process.
Identification can be on a computer to
computer basis using previously stored, and
verified identity claims
◦ Think about Medicare rebates – the Doctor’s
surgery handles the complete claim for you,
including identifying the patient to Medicare
Identity Management has been defined as “the administration of
an entity’s digital identity so as to provide secure and controlled
access to the resources that the entity is entitled to use” (White,
2009, p. 5)
◦ The ‘administration of an entity’s digital identity’ implies that all aspects
of that administration, including identification of the entity and the issuing
of credentials, are part of the identity management process.
◦ It also implies the continued maintenance of the identity and its
credentials throughout their life-cycles.
◦ The need to provide ‘secure and controlled access’ entails not only the use
of a system of authentication to ensure that only the correct identities are
allowed access, but it also includes access control of the enterprises
resources. This ensures that the authenticated identity only has access to
those resources that it is entitled to use.
◦ The use of the phrase ‘entitled to use’ further implies that there must be a
system of provisioning to ensure that an identity is granted access only to
the resources that it is entitled to access.
◦ This leads to the implication that a system of governance must be in place
to monitor the entire process of identity management.
• The process of authentication
takes a user to an
authentication module
• There the user’s credentials are
compared with the stored set
• If the credentials match,
authentication then occurs
• The user is then passed to an
authorisation module
• Authorisation is the process of
granting the user access to
resources that they are entitled
to access
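The identity-management definition above (identification, credential issue, lifecycle maintenance, authentication, access control, provisioning, governance) and the authentication-then-authorisation flow can be shown end to end in a small program. This is an added example, not code from the lecture; the identity store, user names, passwords and resource names are constructed, and PBKDF2 with a per-identity salt stands in for whatever credential store a real system would use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: one identity store holding salted password hashes (never
# plaintext) plus the resources each identity has been provisioned to use.
# Every access decision is appended to an audit trail for governance.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Identity:
    salt: bytes
    pw_hash: bytes
    entitlements: frozenset   # resources this identity may use (provisioning)
    active: bool = True       # False once de-provisioned (lifecycle)

def enrol(store: dict, user: str, password: str, entitlements) -> None:
    """Identification and credential issue: creates the identity record."""
    salt = secrets.token_bytes(16)
    store[user] = Identity(salt, _hash_password(password, salt), frozenset(entitlements))

def deprovision(store: dict, user: str) -> None:
    """Lifecycle maintenance: the record stays, but it can no longer authenticate."""
    store[user].active = False

def authenticate(store: dict, user: str, password: str) -> bool:
    """Authentication module: compare the presented credential with the stored set."""
    ident = store.get(user)
    if ident is None or not ident.active:
        _hash_password(password, bytes(16))   # same work for unknown users (timing)
        return False
    return hmac.compare_digest(_hash_password(password, ident.salt), ident.pw_hash)

def authorise(store: dict, user: str, resource: str) -> bool:
    """Authorisation module: grant access only to provisioned resources."""
    return resource in store[user].entitlements

def request_access(store: dict, audit: list, user: str, password: str, resource: str) -> bool:
    """Full path: authenticate, then authorise; log every decision for audit."""
    granted = authenticate(store, user, password) and authorise(store, user, resource)
    audit.append({"user": user, "resource": resource, "granted": granted})
    return granted

def build_demo_store() -> dict:
    """Constructed sample identities and entitlements (hypothetical values)."""
    store = {}
    enrol(store, "alice", "correct horse battery", {"renew_licence", "tax_return"})
    enrol(store, "bob", "hunter2hunter2", {"renew_licence"})
    return store
```

Note that a valid credential alone is not enough: bob authenticates but is refused `tax_return` because it was never provisioned to him, and both outcomes are visible in the audit list.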
Question:
◦ Is having less data about an individual equal to better
privacy?
Answer:
◦ It depends.
A single fingerprint stored may be more invasive than a full
credit history
A small amount of identity information that is shared with
numerous parties may be more invasive
A small amount of identity information that is not secured
may be catastrophic for the individual
A small amount of identity information may be used to
profile an individual that can have consequences ranging
from reputational damage to criminal charges
Privacy guidelines
◦ Openness.
The existence of systems containing personal data should be publicly known, along with
a description of the system's main purposes and uses of the personal data in the system.
◦ Individual participation.
Individuals should have a right to view all information that's collected about them. They
should also be able to correct or remove data that isn't timely, accurate, relevant, or
complete.
◦ Collection limitation.
Limits to the collection of personal data should exist. Personal data should be collected
by lawful and fair means and, where appropriate, with the individual's knowledge or
consent.
◦ Data quality.
Personal data should be relevant to the purposes for which it's collected and used. It
should be accurate, complete, and timely.
◦ Finality.
The use and disclosure of personal data should be limited. Personal data should be used
only for the purposes specified at the time of collection and shouldn't be otherwise
disclosed without the consent of the individual or other legal authority.
◦ Security.
Personal data should be protected by reasonable security safeguards against such risks
as loss, unauthorized access, destruction, use, modification, and disclosure.
◦ Accountability.
The keepers of personal data should be accountable for complying with fair information
practices.
Additional principles:
Diversity and decentralization.
◦ Enrolment and authentication options should let
individuals choose the appropriate key for a specific
need. Designers should resist centralising identity
information or using a single credential for multiple
purposes.
Proportionality.
◦ The amount, type, and sensitivity of identity information
collected and stored should be consistent with and
proportional to the system's purpose.
Privacy by design.
◦ Privacy considerations should be incorporated into the
identity management system from the outset of the
design process. Considerations include safeguards for
the physical system components as well as policies and
procedures that guide the system's implementation.
Privacy considerations:
◦ Lack of user control
◦ Unauthorised secondary use
◦ Data proliferation and cross border data flows
◦ Dynamic provisioning
Security considerations:
◦ Access – legal right to access data held
◦ Control over the data lifecycle
◦ Availability & backup
◦ Lack of interoperability standards
◦ Multi-Tenancy
◦ Audit
Trust issues:
◦ Trust boundaries
◦ Shared responsibility boundaries
◦ Non-transitive trust issues with use of
subcontractors or other cloud providers
◦ Customer trust issues – usually from lack of
visibility or control
◦ Legal issues between jurisdictions
Data handling mechanisms
◦ Classifying data
◦ Data location policies
Data security mitigation
◦ Encryption?
◦ Data classifications
Privacy design
Standardisation
Accountability
◦ Auditing & reviews
Increase trust
◦ Governance frameworks, privacy rules, etc.
Read:
◦ Sullivan, C. (2015). Protecting digital identity in the cloud. In Ko, R., &
Choo, K.(Eds.). (2015). The Cloud Security Ecosystem: Technical, Legal,
Business and Management Issues. Waltham, MA: Syngress
◦ Hansen, M., Schwartz, A., & Cooper, A. (2008). Privacy and Identity
Management. IEEE Security & Privacy, (2), 38-45.
http://ieeexplore.ieee.org.ezproxy.csu.edu.au/document/4489848/