Application areas of Digital Identities: Digitally representing — and protecting — physical identities

With the current development of the European Regulation on Electronic Identification and Trust Services (eIDAS), a recognised and secure digital identity can come about throughout Europe. Digital identities have been commonplace for a long time — from email accounts to social media to digital official transactions: the use of digital services requires proof of identity. The necessary identification and authentication are linked to different levels of protection, depending on the service used. Companies that want to offer services for which digital identities are necessary — for employees, partners and customers — must know the requirements.

A digital identity is the digital representation of a physical identity. The latter can be a person, but also an institution, a machine or a server. In the health sector, practices, hospitals or pharmacies, for example, can receive a digital identity. In this context, it represents a collection of attributes in electronic form that characterise a natural or legal person — this can be name, address and date of birth, but also user name or email address. A digital ID must be unique, otherwise it cannot be assigned. The process of initial identification is carried over into the digital world: initial identification requires registration, and subsequent recognition is achieved through authentication. From a social perspective, there are three forms of identities: real, self-constructed and anonymous, with the latter playing a sometimes controversial role on social media, for example.

Possible uses of digital identities

Digital identities are necessary as a basis or digital representation for digital services and processes. They are used wherever digital services are offered and are personalised, which requires the collection, storage and processing of data. Digital services take various forms — from social media user accounts, to online accounts in e-commerce, to online banking or digital official procedures via eGovernment offerings. As with the identity card, the scope of application of a digital identity can go beyond mere identification; an age check, for example, can also be possible.

Increasing digitalisation is opening up further possible uses of a digital identity: the European eIDAS (Regulation on Electronic Identification and Trust Services) creates uniform framework conditions for the cross-border use of electronic means of identification and trust services. In 2020, the revision of eIDAS was launched; it is currently not yet complete. The goal is to offer a secure EU identity wallet throughout Europe. The eID is thus the virtual equivalent of an identity card. It is supposed to enable identification and authentication, verification of validity by third parties as well as secure storage and representation of identities. In addition, it should make it possible to generate qualified electronic signatures. This digital counterpart to the handwritten signature allows legally valid contracts to be concluded digitally.

The eIDAS also stipulates that EU member states must make the digital identity available to citizens; the envisaged acceptance obligation may also contribute to the elimination of other digital identities. Shopping abroad or picking up a rental car could thus be simplified, as the digital identity makes processes more efficient. This is because digital services are associated with a reduction in costs compared to analogue processes; the user benefits greatly from simpler and more convenient handling, for example, when administrative procedures can be completed from home.

Unlike digital identities via Google or Facebook, the authorities can ensure that data protection is complied with in accordance with the General Data Protection Regulation (GDPR, German: DSGVO). In the health sector, digital identities on the smartphone are to replace the electronic health card in the future — but this cannot yet be realised.

Security and protection of the user

One possible attack scenario that particularly affects digital identities is theft in the form of impersonation or identity theft. The potential for damage ranges from hate comments on social media to access to and misuse of personal data, such as banking transactions or confidential health data. While the photo on an analogue identity card limits misuse by thieves, the case is different online. The digital identity must therefore be specially protected. Protective measures include secure passwords and two-factor authentication, as already practised in online banking with a password on the one hand and additional TAN generation on an external device on the other. A certified hardware token, such as the chip in a smart card, represents the highest level of security.

Standardised trust levels

The level of security depends on the purpose of the digital identity and is regulated in the Implementing Regulation (EU) 2015/1502. For example, in online banking or in the health sector, there are particularly sensitive, personal data that require a high level of protection. The regulation defines three standardised trust levels: low, substantial and high. A low level of protection corresponds to a one-factor authentication, as is common in social networks or forums. Substantial protection is provided by the aforementioned two-factor authentication. However, a high level of protection, for example when health data is involved, must be even more strongly secured, for example with a passport including a photo and biometric features. Identification can then take place via video-identification or post-identification procedures, for example.

However, the higher the security level, the more complicated its technical implementation. High-priced smartphones, for example, come with certified security components, while lower-priced devices are equipped with inferior biometric sensors that can be easily manipulated or bypassed, and they also lack protected memory areas. Smart cards in health cards, on the other hand, can use and store cryptographic key material with their chip processors. In this way, the infrastructures behind them ensure authenticity.

The future potential of digital identities

Digitisation is on the rise, all of its services require a digital identity, and these are already widespread: on average, every citizen has 90 digital identities. The digital and analogue worlds can merge, for example when access controls in companies are digitalised and require proof of a digital identity, or when the health card is read in as an ID in doctors' surgeries. Here, media disruptions are perceived as an obstacle, for example when paper documents have to be submitted as scans to health insurance companies. Digital identities and the assignment they allow make the digitisation of such processes possible in the first place. In the area of eHealth, doctors can digitally sign and send invoices and prescriptions, for example.

Companies, in turn, can use digital identities widely for customers and employees, end customers or partners. This means, for example, that holiday applications can be made via a portal. Conceivable applications for customer loyalty should also not be neglected: after all, the digital services that customers use can yield information about their behaviour, which can be used to better tailor and optimise one's own offer. However, companies must be aware of the different levels of security. User-friendliness is important, but so is digital protection against identity and data theft. If this is not guaranteed, serious consequences can result. A consulting firm like SRC GmbH can help here to shed light on solutions — both paid and open source — to check certifications and to ensure conformity and thus legal certainty.

Conclusion

Nothing works on the internet without digital identities — digital services require initial identification of the user and authentication for further use, for example via passwords with additional TAN generation within the framework of multifactor procedures. The security requirements depend on the type of service and the data used, which is ensured via three levels. Companies that want to use digital services must therefore know the requirements in order to use the application potential for customers, partners or suppliers.

___________________________________________________

Author: Nico Martens, Consultant SRC Security Research & Consulting GmbH

Further information: https://src-gmbh.de/

Press contact:

Patrick Schulze

WORDFINDER GmbH & CO. KG

Lornsenstrasse 128–130

22869 Schenefeld

Phone +49 (0) 40 840 55 92–18

ps@wordfinderpr.com

www.wordfinderpr.com

SRC goes GEAR (Global Executive Assessor Roundtable)!

PCI SSC and SRC

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that develops and promotes the use of information security standards for secure payments. It is responsible for 15 globally recognized and widely used standards for securing electronic payment processes — from payment card production and issuance, to payment at the point of interaction or in web and app, to the processing of payments in the background.

SRC has been assessing the use of those information security standards since PCI SSC was founded, by means of corresponding assessments and product evaluations. The PCI SSC attaches great importance to the exchange between different stakeholders and uses various committees and activities for this purpose. SRC has so far participated in Special Interest Groups and Task Forces as well as in Community Meetings and Request for Comment phases.

Global Executive Assessor Roundtable

The PCI SSC has been giving experienced assessor companies the opportunity to advise its senior management since 2018 through the Global Executive Assessor Roundtable (GEAR). We are excited that our company has been selected this year for this responsible membership, which forms an interface between the leadership of the PCI SSC itself and the leadership of the assessment companies. This will enable us to contribute our years of experience in a direct way. The nomination is valid for the next two years and gives us the opportunity to play an influential role in the further development of specifications for assessment procedures, new training programs and qualification requirements for future assessors. Other GEAR responsibilities include finding ways to promote assessors' engagement in emerging and new markets, and optimizing assessors' skills to add value for payments companies.

We are proud to be included in this circle and see it as a recognition of our past performance and relevance in the payments security market. At the same time, we are aware of our responsibility to act as a representative for a large community of assessment companies and take this as an additional incentive for the future.

Link to GEAR: https://www.pcisecuritystandards.org/about_us/global_executive_assessor_roundtable/

SRC TeleTrusT

SRC joins the German IT Security Association (TeleTrusT)

SRC joined the German IT Security Association (TeleTrusT) at the beginning of the year.

The Bundesverband IT-Sicherheit e.V. (TeleTrusT) is a competence network comprising domestic and foreign members from industry, administration, consulting and science as well as thematically related partner organisations.

Due to the permanently changing requirements in the field of IT security, it is important for SRC that its experts regularly inform themselves about and exchange information on new necessities, techniques, processes and regulations.

TeleTrusT offers particularly good conditions for this, since in addition to the exchange of experts from the business world, contact is also established with politics and science.

SRC will contribute its wide-ranging expertise to the various working groups of TeleTrusT and thus give further significance to the status of IT security in Germany and Europe.

SRC supports people with a handicap as part of hardware delivery

SRC has been cooperating with alsterarbeit in Hamburg for more than two months now. People with handicaps are working on orders for the individual assembly of computer hardware. As a result, they are able to participate in working life and experience personal professional realization.

The alsterarbeit gGmbH in Hamburg

In 2000, the employment agency alsterarbeit was formed from the merger of the Alsterdorf workshops and the daycare facilities. In 2005 the company was transformed into today's alsterarbeit gemeinnützige GmbH. Its aim: to offer people with disabilities employment in line with their wishes, abilities and skills. In this way, these fellow human beings can participate fully in professional life.

IT manufacturing at alsterarbeit-it

alsterkontec is the production site for packaging, assembly and technology of alsterarbeit in Hamburg. Besides a wide range of different services, alsterkontec also offers the area of IT manufacturing, the alsterarbeit-it.
It is a manufacturer of high-quality and reliable IT hardware. In addition to the production of PAOLA computers, which are certified according to DIN ISO 9001:2008, the IT teams also handle the finishing and individual configuration of notebooks from well-known manufacturers such as DELL and LENOVO.

SRC employee recommends alsterarbeit gGmbH

The cooperation with alsterarbeit gGmbH resulted from a private recommendation from the SRC staff. When the SRC management was made aware of the impeccable work of the people employed at alsterarbeit gGmbH, they decided without hesitation to order and receive notebooks via alsterarbeit-it in the future, in order to support the charitable work of the gGmbH and of course the people with handicaps working there.
There is no quality deviation from classic suppliers and dealers, whether in hardware or delivery processing — quite the contrary. The hardware supplied to SRC by alsterarbeit-it is characterized by reliability and high quality. This is because the IT teams of alsterarbeit-it not only have highly motivated and excellently supervised employees but also specialists for sales and project management, and they support their customers with know-how and flexibility in the planning and implementation of their projects. Should there be any problems with the hardware, the alsterarbeit-it tech center in Bad Oldesloe, 30 minutes by car from Hamburg, quickly provides professional help through its experienced service team.

For more information about the work of alsterarbeit gGmbH, please visit the website of alsterarbeit gGmbH and its IT manufacturing division.