Structure of the Thesis 2
support the use of pseudonymous credentials on digital citizen cards. Conceptual
issues related to the extended digital identity are explored.
Chapter 5 presents the architecture and the design for a prototypical
implementation. An identity management model is introduced and
schematized into an identity management framework. Further research areas in
identity management are explored.
Chapter 6 presents a regional project on the diffusion of digital citizenship through
the NSC Raffaello. We have analyzed the smart card issuance and distribution
phases.
Chapter 7 introduces the smart campus scenario. The role of the Smart Campus
is limited to providing an infrastructure at the user’s discretion. This chapter
analyzes some “Smart Services” for students, accessible with the
Raffaello card, that could be achieved at the University of Camerino,
especially in Computer Science.
Chapter 8 analyzes a practical case study at the Unicam Smart Campus, namely
the Smart Thesis procedure.
Chapter 9 provides the key findings and the final conclusions.
Chapter 2
European State of the Art
The migration of sociability, business, entertainment, and other activities from the
physical world to the virtual world of the Internet has dramatic implications on many
fronts. The societal mores, legal structures, and commonly accepted business
practices that govern everyday life in the physical world have evolved over
thousands of years, and that evolution continues every day. But now we're in the
process of translating those structures to the Internet, creating a new place where
people can interact. That “place” is radically different from the physical world, one
where networked applications combine with ubiquitous connectivity to free
transactions, communications, and other activities from physical constraints, thus,
creating an entirely new set of requirements.
When it comes to enabling a truly virtual world that can accommodate the breadth
and depth of human endeavour, nothing is more important than identity. On the
Internet, movement is instantaneous. People, applications, transactions, and data can
cross many types of borders via many different paths. At the same time, the security
issues associated with a very public and virtual space have become painfully clear as
spam, phishing attacks, fraud, and identity theft have become all too common.
Digital identity is the keystone that will ensure that the Internet infrastructure is
strong enough to meet basic expectations for not just service and functionality, but
security, privacy, and reliability. That fact is becoming more and more obvious to
more and more people every day. But as the Zen master once said, knowing the path
and walking the path are two very different things.
How we create, use, store, and verify identity in the Internet context is a complex
question, one that transcends both the public and private sectors, and every
conceivable business. It raises a large number of thorny issues for society and
individuals (not the least of which is privacy), corporations (including the regulation
of core operations), and governments (laws, regulations, international treaties). The
manner in which these issues are resolved will have a long-term impact on all
segments of society and will determine what forms of digital identity will first
augment, and then (at least potentially) replace the “official” and “trusted”
manifestations of identity on which the physical world relies today. That change will
take years, extending past the end of the current decade, involving societal, cultural,
business, and political efforts.
How much control individuals will be able to take, or will want to take, over their
digital identity is the subject of intense debate, for example. Pessimists predict that
the intersection of government and commerce will create a surveillance state, one
that will make privacy an artifact of the past. Optimists predict the liberation of the
individual from both corporate and government control through the use of identity
technologies that will put the individual in charge, inverting the traditional
relationship between “consumers” and “service providers”. That debate will continue
for the foreseeable future as unfolding events pull us in both directions.
Today, much of the activity around digital identity is business-focused. The pressure
to compete in a networked world while simultaneously reducing costs is driving
companies to integrate business processes and information technology on an
increasing scale. Many enterprises are creating inward- and outward-facing systems
that tie employees, customers, partners, suppliers, contractors, and other constituents
into their business processes, for example. Instead of thinking about individual
applications, enterprise IT architects must consider end-to-end business processes
that span many boundaries, and how they can integrate the components of IT to
support them. These trends are causing wholesale change in IT architectures, moving
them to what we at Burton Group call “the virtual enterprise”.
The move to the virtual enterprise brings with it new security risks. These risks,
along with the rapidly increasing number of regulations, both in North America and
the European Union, are driving the need for new security models. Simply put, the
traditional exclusionary security model (perimeter-based systems focused on keeping
bad people out of the network) is not sufficient to protect the virtual enterprise.
Today, businesses must augment exclusionary security with an inclusive security
model, one capable of explicitly determining, through policy, who can access the
applications and data that support core business processes.
Such inclusive models are unattainable without identity management. Identity must
become persistent through the continuum of any given business process, spanning
not just multiple applications, but also multiple organizations. Only then can identity
provide the predicates for corporate governance, security, regulatory compliance,
risk and liability management, and other core business functions.
For most enterprises, identity management is not easy. In fact, most enterprises'
identity management processes are poor, a fact that internal and external audits make
painfully clear. Historically, enterprises have treated the symptoms of the identity
management problem with point solutions. But Internet-scale identity management
requires an integrated set of infrastructure services that enable a holistic approach to
defining and managing identity. This sophisticated array of tools includes directory
services, rules-based user provisioning, delegated administration, and self-service
administration for passwords or other attributes. General-purpose, strong
authentication systems, along with good credential management, are also core
components of better identity management. Beyond authentication, enterprises must
link applications to access management systems across a variety of operating
systems, applications, and web-based single sign-on (SSO) products, making policy
management yet another important part of the system.
Effective identity management also requires a new approach to systems integration
and interoperability. Previous efforts to solve the identity problem (such as X.509-based
public-key infrastructure) attempted to achieve interoperability through
symmetry and homogeneity. But federation has recently emerged as a new and more
effective approach to enabling interoperability between security domains. Emerging
federation standards rely heavily on the loosely coupled web services architecture,
which in turn relies heavily on the eXtensible Markup Language (XML). Both the
web services framework and interoperable identity are evolving along similar
architectural lines for obvious reasons. While the web services framework enables
the virtual enterprise, identity management secures it. So it's quite necessary for them
to share architectural underpinnings.
The web services framework has, in essence, begun to create a standard software
“communications bus” in support of service-oriented architecture. Applications and
services can “plug in” to the bus and begin communicating using standard tools. The
emergence of this “bus” has profound implications for identity exchange. Just as
application and transactional data will flow across that bus, identity data will flow
over that bus. And within service-oriented architectures, identity will become a core
service.
The combination of web services and federated identity management has enormous
potential; however, we have only just begun a long but inevitable transition to such a
full-scale identity management infrastructure. And technology alone will not enable
it. Regulations, laws, policies, and other mechanisms must evolve both nationally
and internationally to create the context and boundaries for the acceptable use and
management of identity. Likewise, business models for federating identity (including
liability, risk management, and workable governance models) must evolve.
The evolution will be painful at times, occurring in fits and starts. Today, we're
several years and many breakthroughs away from the combination of standards,
technologies, legal frameworks, and business models necessary to create a fully
interoperable identity framework. While we’re in the early days, however, it's clear
that the era of digital identity management has arrived, and tools and techniques are
emerging that will help companies address the issue. There are clear and strong links
between identity management and enterprise business objectives in many industries.
The market forces that will drive us inexorably forward to resolve these complex
problems are active, causing real and significant movement.
Given these realities, today’s IT managers must start creating an identity
management infrastructure that meets their business objectives. And that makes
books such as this one all the more important.
As an increasing number of enterprises take that path, digital identity management
will emerge as a pervasive infrastructure, within, between, and across organizational
structures. The technologies and standards, as well as the law and policy that evolve
to regulate corporate use of identity information will both influence and be
influenced by the larger personal identity infrastructure to come. Enterprise identity
management and the larger societal moves toward digital identity for customer,
governmental, and other activities will inevitably intersect, changing the way we live
and work in the process.
2.1 The vision of a Smart World
In September 1991, Mark Weiser, a researcher at XEROX’s Palo Alto Research
Center (PARC), published an article titled “The Computer for the 21st Century”. His
paper attracted a lot of attention and paved the way for various research projects in
the field of ubiquitous computing. It was Weiser’s vision that in the future,
computers would serve ubiquitously. He questioned the traditional personal
computer as a general information technology tool. According to him, such systems
are far too complex and difficult to understand. Unfortunately, they require the user
to deal with much more than just the task at hand.
Because of these deficiencies, he suggested augmenting simple everyday objects with
information processing capabilities. Tiny electronic devices could be built into all
kinds of things such as pens, clothing, furniture, or even paper. They would operate
invisibly and silently in the background, supporting people in carrying out their work
and removing the burden of repetitive tasks. Everyday objects equipped with such
technology could sense parameters about their environment (such as temperature,
brightness, position etc.), communicate among themselves, and assist their owners by
taking appropriate action.
Unlike with today’s desktop computers, a major advantage would be that users could
benefit from information processing technology without actually being aware of
using a computer. Services would be offered by simple everyday objects familiar to
people. This would make technology accessible in a much more natural and intuitive
way. Another improvement would be that these devices could be easily embedded in
our everyday life. A smart pen could be carried in the pocket of a shirt. Other things
such as a smart watch or smart clothing could even be worn.
Because these smart objects would be so closely tied to people’s lives, they could
sense environmental parameters and offer context sensitive services. The things
surrounding us would thus appear to be smart without actually being intelligent.
2.2 The European policies and strategies
Before analyzing the problem of digital identity management from a
technical point of view, it is useful to look at European Union (EU) privacy and
identity policies.
The e-Europe 2005 Action Plan [EU05] stressed that e-Government identity
management in the EU should be advanced by addressing interoperability issues as
well as future needs, without ignoring differences in legal and cultural practices and
the EU framework for data protection. Public services can be offered only within an
environment where trust and confidence flourish. Such an environment should always
guarantee secure interaction and access for citizens and businesses.
Protection of personal data, authentication, and identity management are primary
issues where no public service should ever fail. Public institutions should always
ensure that digital transactions and communications are secure and that personal data
will remain protected.
Citizens should always be able to control access to their personal data, and how these
data have been stored, used, and accessed. Failure to ensure this may, in addition to
breaching the law, entail significant social and economic costs. Only data that are
necessary for the fulfilment of the respective purpose may be collected [EU95]. To
this end, the use of privacy enhancing technologies should be favoured.
Privacy enhancing technologies in e-Government should be promoted through the
relevant EU programmes.
Data protection, network and information security, the fight against cyber crime and
dependability are prerequisites for a properly-functioning information society, and
consequently core policy issues within the EU. The Commission together with the
Member States has launched a comprehensive strategy for these issues.
A range of R&D projects, supported by the EU Fifth Framework Information Society
Technologies (IST) programme and the Sixth Framework programme address these
issues.
For network and information security the rapid adoption of the European Network
and Information Security Agency, now on the table of Council and European
Parliament, will be an important step forward.
The e-Europe 2005 Action Plan also calls for the development of a “culture of
security”. This is as relevant for the public sector as it is for the private sector. This
will also include the availability of a secure communications environment for the
exchange of classified information between the Commission and Member States, a
task being carried out by IDABC [IDABC06]. e-Government strategies at all levels
should advance trust and confidence in public services and online democratic
participation. Significant developments in electronic identity and authentication
systems have taken place over the past few years. Access to citizen data must be in
full compliance with the European and national data protection legislation, where the
choice of technology should empower citizens as much as possible to retain control
of their personal data. However, realising efficient and personalised services based
on citizen data is often hampered by rigid administrative practices, competency
considerations and competing systems. In most countries their take-up and
deployment are still in a relatively early stage and experience is being built up. This
is therefore the right time to enhance cooperation in this area and prepare jointly for
the future, given also the scope and scale of the challenge.
Identity management in the EU should be advanced by addressing interoperability
issues as well as future needs while taking into account differences in legal and
cultural practices and the EU framework for data protection. EU programmes for
research & development, deployment and implementation should contribute
coherently (i.e. FP7/IST [FP07], eTEN [ETEN06], and IDABC [IDABC06]). Council
conclusions on e-Government invite the Commission and the Member States to
comply with the following action guideline: “By 2010 there will be seamless online
access to major public services for citizens and business across Europe with the help