eema 22nd Annual Conference – European e-Identity Management Conference, 25-26 June 2009
I recently attended the above conference (http://www.revolutionevents.plus.com/eema/index.htm) at Microsoft’s impressive London offices in Victoria. Described as “Europe’s leading forum for this critical security application - tackling the key issues surrounding e-identity as a core enabler of today’s personal, business and government processes”, it was organised by eema (the European association for e-identity and security). Judging by the dominance of men in suits, the conference is aimed towards the business community where identity management is perceived to be an important issue. The following blog entry summarises some of the presentations from this event.
The morning session kicked off with some keynote presentations. One of these was from Kim Cameron (“eIdentity comes of age”), who believes we are at a tipping point where we have moved beyond the phase of initial adoption and now need to build on our initial successes. Identity management in the Cloud drew a lot of interest over the two days and Kim mentioned how cloud providers are adopting the same technologies (SAML, WS-Federation, WS-Trust) as a way of exchanging information. He believes that the real barriers are legal and governance, not technological. There are also a number of “self-evident fallacies” that need to be corrected:
- Privacy is not opposed to security; it’s a precondition of multilateral security.
- Identifying the masses is not likely to identify professional criminals
- We can prove we are not on a list without revealing who we are
- We can audit without creating a privacy and security vulnerability
Howard Schmidt’s keynote was an eID State of the Nation address. He looked at how eID is defined in different countries across Europe. Although some of these definitions might make uncomfortable reading to UK residents, as they involve a lot of government control over a citizen’s identity, he stated that in the UK who can argue with “an easy and secure way for legal UK residents to prove who they are?” I’m sure when put that simply people will tend to agree, but it’s more about how this information might be used and who controls it that is the issue. He talked about a “cradle to grave digital identity” but a digital identity will exist beyond a citizen’s life and needs to be preserved.
This was a truly European event with speakers from across Europe dealing with eID authentication, cross border eSignatures, the STORK project looking at providing online access to public services across EU borders, ID cards in the UK, etc. From further afield Bill Young from New Zealand gave an interesting presentation on the lessons they had learned implementing a shared government authentication service.
Day 2 started with a presentation on how IAM (Identity and Access Management) projects can be delivered on time and to budget despite a feeling that they are hard and complex. With the usual PowerPoint bullet-point summary, the speaker listed four reasons why IAM projects fail to deliver:
- projects are often too big and take too long to deliver
- business speed and flexibility are sacrificed whilst pursuing improved security
- products are acquired rather than solutions
- lack of consultation with line of business
A roadmap to success should follow these rules:
- select a solution not a product
- consult with the business at all stages
- prioritise activities based on your strategic needs
- deliver quickly and develop incrementally over time
These rules could equally be applied to any IT project and not just one focussed on Identity and Access Management.
The importance of using Privacy Impact Assessments (PIA) to manage risk and reputation was the theme of Aaron Martin’s (LSE) talk. He believes that this isn’t done enough in IAM projects, and that this causes privacy problems. The assessment needs to be done early on; it is well-timed, sound PIAs that result in privacy-friendly systems. The lessons learned from his research are that:
- Privacy by design is not something to fear
- PIAs when done properly can help manage risk and reputation
- Can be used to communicate the importance of privacy both internally and externally
- Build organisational trust
- There is a business case for privacy
- When in doubt, seek external advice to facilitate the process
Securing identity was the theme of the first session of the afternoon and the final presentation in this session was entitled “European Large Scale Action (ELSA) on future eID infrastructure – a new EU initiative”. When a presentation starts with the speaker telling us that ELSA will be dealing with things that are going to change the world we live in, it does grab your attention whether you believe it or not. The Commission is exploring ways to consider the demand and implementation of an eID infrastructure, which could be the basis for trustworthy services in e-government and e-commerce. It will take the digital identity beyond the STORK programme and address the needs of citizens, business and government. With digital identity at the focus of the EU Commission, ELSA will be a large programme (with an equally large budget) looking at a common trust policy and digital ID.
What struck me about the identity in the cloud session was that there is no unique definition or general consensus of Cloud Computing. It means different things to different people. What is clear though is that identity and identity management have a key role to play in the cloud.
The final session of the conference was the 2nd STORK Industry Group Meeting. “STORK is a large scale pilot in the ICT-PSP (ICT Policy Support Programme), under the CIP (Competitiveness and Innovation Programme), and co-funded by the EU. It aims at implementing an EU wide interoperable system for recognition of eID and authentication that will enable businesses, citizens and government employees to use their national electronic identities in any Member State. It will also pilot trans-border eGovernment identity services and learn from practice on how to roll out such services, and to experience what benefits and challenges an EU wide interoperability system for recognition of eID will bring.” - http://www.eid-stork.eu/ A lot of challenging questions were put to the presenters during this session. The minutes of this meeting will be available soon and will be worth reading for anyone interested in this programme.
July 1st, 2009 at 12:33 pm
European e-Identity Management 2009 conference, 25-26 June 2009 – keynotes…
[…]I previously summarised Kim Cameron’s keynote market overview given at the conference last week (hosted by EEMA and OASIS at Microsoft’s London office). Here’s more highlights from the keynotes[…]…