Secure identity and electronic signatures – essential for digital trust

Betalingsformidlingskonferansen, November 16th 2017

Eirik Dalen, Signicat ([email protected])


Signicat's vision is to be the preferred provider of identity services to regulated industries across the world

Established: 2007

Customers: >340

Revenue: 135 MNOK (prognosis 2017)

Employees: 82

SLA: up to 99.9%

Y2Y growth: 39%

Transactions: >100M/year

Certification: ISO 27001

Presence:

– Norway - 2006

– Sweden - 2008

– Denmark - 2011

– Finland - 2013

– The Netherlands - 2015

– Portugal - 2015

– UK - 2016

– Germany - 2017 - Planned

Signicat’s reputation

• Winner of Innovation Award in Smart Security Week – 2017 – France

• Nominated for the European Fintech Award – 2017 – The Netherlands

• Winner of the Norwegian Fintech Achievement Award – 2017 – Norway

• Nominated for European Fintech Award – 2016 – The Netherlands

• Winner of the Future Payments 2013 and Cards & Payments Europe “Best innovation” award – 2013 – UK

• Winner of the International Identity Deployment of the Year Awards – 2009 – Las Vegas

• Winner of the Security Award, IT-sikkerhetsprisen – 2009 – Norway

Some background


Internet is growing FASTER!!

Approximately 4 billion users

Internet of Things, eHealth, Smart homes, Emerging markets, Self-driving cars

Increasing exponentially

“Only” 51% of world population coverage

Some curiosities…

• If Facebook were a country, it would be the third largest in population after China and India

• Twitter is currently seeing about 50 million tweets per day (or about 600 tweets per second)

• Years to reach a market audience of 50 million:

– Radio, 38

– TV, 13

– Internet, 4

– Apple iPod, 3

– Facebook, 2

– …..

Why is (digital) trust so important?

• Well, isn’t trust in general important to all of us?

– Whether it’s a computer, human or business relation

• The direct physical human-to-human trust aspect is “watered down”

– We rarely go into a bank branch anymore

– We rarely go into a public office anymore

– We do our shopping online with computers

• Digital or not; we need trust to do our errands with other parties

– Secure channels

– Knowledge of identity is essential. Person, organization or business.

– Knowledge of confidentiality for the information we share


A (simple) visualization of trusting a computer on behalf of a trusted company

Another example


Some technological elements to establish digital trust

• Certificates issued by trusted third parties known as CAs

– You can’t issue your own driver license

– Dedicated SSL/TLS certificates to establish trust between parties

• Security enabled communication protocols (encrypted)

– HTTPS, SSL/TLS, IPsec, etc.

• Security enabled communication lines

– VPN, dedicated lines

Digital identity (eID) and signature (eSignature)

• Why?

– Attractive services

– Compliance

– Identify and authenticate

– Security

– User experience

• Who?

– Everyone operating in the digitalized world

• What?

– Various strengths and formats of eIDs and eSignatures

“Identity will be the most valuable commodity for citizens in the future, and it will exist primarily online.”

Eric Schmidt, Executive Chairman, Google. CRASSH 2013, University of Cambridge

At the eIDAS stakeholder event, Signicat was invited to present eID from the Nordic perspective, and explain how we help international companies work cross-border

That corresponds to just under one third of the Oil Fund!

It’s getting expensive not to comply with regulations

• £72M fine for a large UK-based bank

– Total fines since 2009 estimated at £500M in the UK

• £500M fine for a large Germany-based bank

• €3.3M fine for an Ireland-based bank

• £5.6M fine for a Scotland-based bank group

• Many other examples…

• New EU GDPR (General Data Protection Regulation) sets fine «limits» at €20M or 4% of global turnover

– May 2018

In a digitalized world, user-friendly and secure eIDs are essential for online regulated businesses.

So – what is an eID, and do you have one?

Recognise these virtual eIDs?

[email protected] [email protected]

Virtual eIDs are useful – don’t need another username and password

“I suppose it is tempting, if the only tool you have is a hammer ... to treat everything as if it were a nail.” - Abraham Maslow, 1966

Recognize these?


Digital identity is online identification!

Essential:

• Regulations and directives – national and global:

– GDPR

– PSD2

– AML4

• Processes and quality assurance

• Infrastructure

• Required and user-friendly services

• Compliant with industry standards

– ETSI

– W3C

– ISO

[Diagram: Signicat Digital Identity Service Provider (DISP)]

Service providers: Bank, Insurance, Government, etc.

Services: Identity assurance, Authentication, Electronic signatures/seals, Docs & IDs, Timestamping

Cross border value-added services, Consumer identities

Compliance: PSD2, AMLD4, eIDAS, GDPR

Cloud, 99.9% availability, Hosted in Europe

MobileID, PSD2/SCA, Fingerprint

eID providers

Lookup services: Public registers (address), Procuration, Credit, PEP, Sanctions

Consumers

Why electronic signatures?

• Advantages

– Reduce the turn-around time for a contract

• Avoid manual steps and paper

• Simpler for the user

• Simpler for the organization

– Reduce cost

– More business faster

– Better security


A signature should

• Intent: Indicate signers’ approval

• Evidence: Do so in a reliable way

• Identification: Identify the signer(s)

Digital Signature – level one

• Any means of replacing a handwritten signature with a digital one

– Email reply

– SMS reply

– Sign on paper, scan and email

– «Scribble» on screen

Example: «I accept the offer»

Digital signature – level two

• Uses cryptography

• User is identified

• Guarantees

– Authentication

– Integrity

– Non-repudiation


Digital seal

• Digital signature added by an organization

• No human interaction

• Guarantees

– Authentication

– Integrity

– Non-repudiation


Forgeries detected by Adobe Acrobat

[Screenshot labels: Invalid originator; Modified document; Organization identifier]
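The two forgery classes named on this slide, as an added Go example that is not part of the original slides: a verifier separates a changed document from a signature made with a key it has no reason to trust. The names `SignedDoc`, `NewKey`, `Sign` and `Check` are hypothetical, Ed25519 is an assumed algorithm, and a bare list of trusted public keys stands in for a CA-issued certificate chain.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDoc is a constructed stand-in for a signed or sealed document.
type SignedDoc struct {
	Content   []byte
	Signature []byte
	SignerKey ed25519.PublicKey // key the originator claims to hold
}

// NewKey generates a fresh Ed25519 private key (hypothetical helper).
func NewKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Sign signs content and attaches the signer's public key.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDoc {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedDoc{content, ed25519.Sign(priv, content), pub}
}

// Check classifies doc against the verifier's own trusted keys, which stand
// in for a CA-backed certificate chain (assumption of this example).
func Check(doc SignedDoc, trusted ...ed25519.PublicKey) string {
	known := false
	for _, k := range trusted {
		known = known || bytes.Equal(k, doc.SignerKey)
	}
	if !known {
		return "invalid originator" // a self-issued key proves nothing
	}
	if !ed25519.Verify(doc.SignerKey, doc.Content, doc.Signature) {
		return "modified document" // content or signature changed after signing
	}
	return "valid"
}

func main() {
	org, stranger := NewKey(), NewKey()
	anchor := org.Public().(ed25519.PublicKey)
	good := Sign(org, []byte("I accept the offer")) // constructed sample text
	tampered := good
	tampered.Content = []byte("I accept the offer at twice the price")
	fmt.Println(Check(good, anchor))
	fmt.Println(Check(tampered, anchor))
	fmt.Println(Check(Sign(stranger, good.Content), anchor))
}
```

The third case carries a mathematically valid signature and is still rejected, because the key is not on the verifier's trust list.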


The long term validation challenge

The need to verify the signature in 5, 50 or 500 years


Regulations and directives

AMLD4, PSD2, eIDAS, GDPR


What is AMLD4?

EU directive 2015/849: 4th Anti-Money Laundering Directive

Entered into force: 2015-06-26

Applicable as of: 2017-06-26

AMLD4 Customer Due Diligence (CDD)

• Identification and verification

• Reliable sources

– Documents, Data, Information

• Purpose and nature of business

• Periodically

• No specifics given

Getting the balance right

Cost, Regulatory compliance, Abandonment rates

What is PSD2?

EU directive 2015/2366: Payment services in the internal market

Entered into force: 2016-01-12

Applicable as of: 2018-01-13

What does this mean for identity?

Strong Customer Authentication (SCA)

• Based on two factors

– Something you: know, have, are

• Applies to any payment transaction with both legs in the EU/EEA

• Increased requirements for strong authentication

• And remember SMS is «broken»... (Finextra 2017-05-05)

PSD2 and identity data?

• Will the AIS and PIS expose identity data?

• A couple of indications from PSD2

Don’t expose personal data if not needed

PSD2: Item 94

“When developing regulatory technical standards on authentication and communication, EBA should systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimise threats to data protection.”

GDPR: Regulation (EU) 2016/679

PSD Article 67e:

“not request sensitive payment data linked to the payment accounts”

What is eIDAS? (electronic IDentification, Authentication and trust Services)

• Part of the «Digital Agenda» program by the European Commission

To boost TRUST and CONVENIENCE in secure and seamless cross-border electronic transactions by promoting the widespread use and uptake of electronic identification and trust services (eIDAS services).

https://ec.europa.eu/digital-agenda/en/trust-services-and-eid

eIDAS is a regulation, which means that it is mandatory for the member states

eID and eTS

Key enablers for secure cross-border electronic transactions and central building blocks of the Digital Single Market

• eID: Electronic Identification

• eTS: Electronic Trust Services

GDPR (General Data Protection Regulation)

• Strengthen and unify data protection for all individuals in the EU (EEA)

• Explicit consent from users to share information (a “click” is not sufficient)

• Strict requirements to keep evidence that the user has consented

• More than heavy fines for breaches (€20M or 4% of global turnover)

• Strict routines for reporting

• Applicable May 1st 2018.


Thank you so much for your time!

And questions are most welcome