Digital Identity Risk in the Era of Information Explosion

www.emiratesid.ae © 2013 Emirates Identity Authority. All rights reserved

P a r t n e r s i n B u i l d i n g U A E ' s S e c u r i t y & E c o n o m y

Our Vision: Provide an integrated and advanced personal identity management system that contribute to the transformation of the government and the economy and promotes security and global competitiveness of the UAE.

Digital Identity Risk in the era of Information Explosion

I-SAFE 2013 Conference Organised by: Information Systems Audit & Control Association (ISACA) 30 – 31 October 2013 |Atlantis The Palm| Dubai | UAE.

Presented by Dr. Ali M. Al-Khouri


• Introduction

• Big Data and Privacy Concerns

• Modern Identity Management Infrastructure

• Concluding Remarks

Agenda


Agenda • Introduction





The BIG BANG era!

• Everything around us today seems to follow the BIG BANG approach.

• Pace of technological development & data explosion is faster than ever..

• Opportunities & Challenges

MIT Center for Digital Business,

data-driven practices,

and use big data to guide decision

making, will have output and

productivity that is 5 to 6 percent higher

than what would be expected given their

other investments and information

technology uses.

http://www.microsof-t.com/en

20us/news/features/-02/13/feb13

bigdata.aspx11

http://www.microsoft.com/en-us/news/features/2013/feb13/02-11bigdata.aspx














Content Generation - Every Minute?

Visualization of Twitter social connections. Image courtesy Marc Smith, via Flickr (CC:BY)

571 new websites

2 million search queries

100,000 tweets

200,000,000 email messages

48 hours of uploaded video


Digital Universe 2005 - 2020

Digital universe will about double every two years..


IDC Report 2007

IDC Report 2012

Information Chaos

• information burst is no less than being chaotic!

• gazillions of data, only 10% is structured.


Value Creation in Information Chaos Interesting Facts

1. 75% of data generated by individuals.

2. Persons create content 3 times more than what others do about him/her.


Value Creation in Information Chaos Interesting Facts

1. 75% of data generated by individuals.

2. Persons create content 3 times more than what others do about him/her.

Quantum of static data: 1 Gigabyte of data generates 10E7 (ten million)

Gigabyte; viewership information is transient in nature..

10E7 which means 10×10 to the power7


Opportunities …

• Data-driven practices and guided-decisions, have significant potential.. (MIT Centre for Digital Business)

• Hold the key to breakthroughs and a completely new world..

• Change the way governments, organizations, and academic institutions conduct business and make discoveries, and its likely to change how everyone lives their day-to-day lives!







Market is Eager to Exploit Big Data but what about individuals privacy rights?

Big Data is “[L]ike the explosive thrust blowing out of a rocket nozzle,” and “how to maximize its value remains a mystery to most of us.”

John Thielens

Article Source: http://www.forbes.com/sites/ciocentral/2012/02/23/big-data-wizardry-pay-attention-to-whats-behind-the-curtain/

In: Big Data Wizardry: Pay Attention To What’s Behind The Curtain

http://www.forbes.com/sites/ciocentral/2012/02/23/big-data-wizardry-pay-attention-to-whats-behind-the-curtain/




























The Real Challenge?

• among zillions of data, less than a third of this is protected or has some minimal protection

• Alarmingly, less than 50% of information that needs to be protected is protected!

Quantity of global digital data based on the International Data Corporation (IDC) Digital

Universe Study,, Dec 2012


Growing Connectivity


Connected Devices and Data Generated Risks? Sources? Do we know them?


Risk in the Digital Universe - IDC Study: classifies

unstructured information security into five categories

such as emails that might be discoverable in litigation or subject to retention rules.

information requiring the highest security, such as financial transactions, personnel files, medical records, military intelligence, etc.

“information the originator wants to protect, such

as trade secrets, customer lists,

confidential memos, etc”

account information, a breach of which

could lead to or aid in identity theft

such as an email address on a

YouTube upload

Privacy only — such as an email address on a YouTube upload

Compliance driven — such as emails that might be discoverable in litigation or subject

to retention rules Custodial — account information, a breach of

which could lead to or aid in identity theft Confidential — information the originator

wants to protect, such as trade secrets, customer lists, confidential memos, etc.

Lockdown — information requiring the highest security, such as financial

transactions, personnel files, medical records, military intelligence, etc.


Trust in Digital Universe

The frightening realization is that the amount of

information that needs to be secured is growing faster

than our ability to secure.. So ….?


Growth in Storage Capacity: Analog and Digital Data


Identity Management

Digital explosion that has brought in a paradigm shift to

Information and Knowledge is in a State of Paradox.

• only 5% of the zillions of bytes of data is considered useful constituting Information.

• expected to grow to a staggering 33% by 2020.

• 33% of 40,000 Exabytes as compared to 5% of the current mere 988 Exabytes.

• As more and more data gets converted to information, it is by default on account of the association with Identities.

• challenge that needs to be tackled and managed


Identity Management

• As more and more data gets converted to information, it is by default on account of the association with Identities.

• Challenge that needs to be tackled and managed.

of the zillions of bytes of data is considered

useful constituting Information

33% expected growth of useful data by 2020.

5% of current 988 Exabytes

data is considered useful

of the zillions of bytes of


Personal and Digital Behaviour

• Datasets in digital data left in transactions..

• Interactions sought to be analysed..

• Issues governing privacy..

patterns of digital interactions and individual

behavior constructed







UAE National Identity Management Infrastructure

• Role of Government Issued Personal Identity

• Secure ID encourage users to be engaged

• Reduce uncertainty


Security Management


Multi-factor Authentication Capabilities

Digital Identity Profile consisting

of Biometric Data- Fingerprints and ICAO compliant

photograph, and Digital Certificates

issued for Identification and Signatures issued as a Secure Smart

Card.

UAE National ID Card is designed to provide multi factor authentication.


Citizen on Cloud

Multi-factor credentials

Service Provider

Citizen Request for service

Authorization

E-government, e-Commerce, e-Business

Use of Zero-knowledge proofing for user authentication without disclosing its identifier.

Anonymous Identification

Validation Request

National Validation

Gateway

Validation & Authenticated


Trusted Digital Operations

The Emirates ID Authority provides the necessary

. Service Providers are accorded with

Verification and Authentication Services enabling secure remote transactions

Technical and Technology Solutions are employed to enforce

Authentication without

disclosing identifying information

(digital credentials

on web transactions).

Ability to securely use online

service while on an

untrusted host

Minimal disclosure

and minimized

risk of disclosure

during communication between

user and service provider

(Man in the Middle, Side Channel and Correlation

Attacks) (credential verification

on web, without

sharing data)

Service Seekers remain

anonymous on the web since only

Digital Certificates or Biometrics

would be used to establish

credential verification.

All data treated as personally identifiable

and subjected to regulatory framework to ensure identity

protection.


Digital Identity Profile Components Ability to verify users and further authenticated for access

OTP as per OATH Standards.

NFC enabled authentication methods

using the GSM mobile phones


Federated Identity Management







Government-owned Modern Identity Management systems: Significant Potentials

• Higher value services enabled by stronger authentication

• Enabling innovation and fostering new business and service models

• Cost reduction for public services

• Enhanced public participation & engagement

• Enhanced trust in Internet economy

Higher value services enabled by stronger authentication

Enabling innovation and fostering new business and service models

Cost reduction for public services

Enhanced public participation & engagement

Enhanced trust in Internet economy


Conclusion

Modern identity management infrastructures have a considerable potential to address the challenges of today’s digital world.


Identity Management and ISACA

• Identity Management seems to be addressed in an obscure manner- hidden among the different control layers of COBIT.

• Identity Management is addressed as a mere control objective – DS 5.3 in COBIT 5 !

• More holistic approach is needed.

DS5.3 - Identity

Management

COBIT Control

Objective DS5.3 –

Identity Management

is contained within

Process Ensure

Systems Security.


UAE Validation Gateway: Your opportunity to explore http://vg.emiratesid.ae


Thank you Dr. Ali M. Al-Khouri

Director General | Emirates Identity Authority | UAE www.emiratesid.ae | [email protected] |

Read our recent research from: http://www.emiratesid.gov.ae/ar/media-center/publications.aspx

@DrAliAlKhouri