Tag Archives: levels of assurance

Demande de commentaires et d’examen des droits de propriété intellectuelle : ébauche de recommandations pour le modèle de maturité de l’assurance du CCP V1.0

Cette période d’examen est officiellement close. Merci.

Déclaration d’intention : Le CCIAN collabore pour développer et publier un modèle de maturité de l’assurance du Cadre de confiance pancanadienMC (CCIAN) afin d’établir une base d’interopérabilité des services et solutions d’identité dans les secteurs public et privé.

Pour en savoir davantage sur la vision du Cadre de confiance pancanadien et les avantages qu’il procure à tous, veuillez consulter l’Aperçu du Cadre de confiance pancanadien.

État des documents : Ces documents à examiner ont été approuvés en tant qu’ébauches de recommandations V1.0 par le Comité d’experts du cadre de confiance (TFEC) du CCIAN, qui est régi par les politiques qui contrôlent le CCIAN.

Résumé : Il est essentiel que les participants à un écosystème numérique aient une façon d’évaluer la robustesse et la fiabilité des transactions à l’intérieur de cet écosystème. Pour ce faire, les participants doivent avoir un vocabulaire commun qui décrit le degré de confiance qu’ils peuvent associer à une entité ou transaction, ainsi qu’une façon commune de déterminer de degré de confiance.

Dans le Cadre de confiance pancanadienMC (CCP), un niveau d’assurance (LoA) représente le degré de confiance qu’une entité peut avoir dans les processus et autres critères de conformité définis dans une composante donnée du CCP. Les niveaux d’assurance sont fondamentaux pour créer des réseaux de confiance. Les modèles de niveaux d’assurance ne fonctionnent que si tous les participants à un écosystème sont capables de les interpréter d’une manière uniforme. Il est donc essentiel que tous les participants à un écosystème s’entendent sur un ensemble minimum de critères pour chaque niveau d’assurance. C’est alors seulement qu’une partie dépendante à cet écosystème sera capable d’évaluer convenablement les risques inhérents dans une relation ou une transaction, et le niveau d’assurance qui peut être accordé aux participants, aux justificatifs et à ces transactions. Les composantes du CCP décrivent les critères de conformité détaillés qui devraient être utilisés pour évaluer de tels niveaux d’assurance dans le contexte d’une composante donnée du CCP. Ce document donne des conseils sur la façon d’utiliser ces critères afin de classer convenablement les niveaux d’assurance.

Invitation : Toutes les parties intéressées sont invitées à faire des commentaires.

Période : Début : 27 juin 2021 à 23 h 59 HP | Fin : 28 juillet 2021 à 23 h 59 HP

Document : Modèle de maturité de l’assurance du CCP

Droits de propriété intellectuelle : Les commentaires doivent être reçus pendant la période de 30 jours indiquée ci-dessus. Tous les commentaires sont assujettis à l’entente de contributeur du CCIAN; en soumettant un commentaire, vous acceptez d’être lié par les conditions qu’elle renferme. Les membres du CCIAN sont également assujettis à la politique sur les droits de propriété intellectuelle. Tout avis d’intention de ne pas octroyer une licence en vertu de l’entente de contributeur et/ou de la politique sur les droits de propriété intellectuelle relativement aux documents à examiner ou à des commentaires doit être donné dès que le contributeur et/ou le membre en ont la possibilité, et en toute circonstance, pendant la période de commentaires de 30 jours. Les revendications au titre des droits de propriété intellectuelle peuvent être adressées à review@diacc.ca. Veuillez indiquer « Revendication en matière de propriété intellectuelle » dans l’objet.

Processus

  • Tous les commentaires sont assujettis à l’entente de contributeur du CCIAN.
  • Veuillez utiliser le formulaire prévu à cet effet pour soumettre vos commentaires au CCIAN.
  • Assurez-vous d’indiquer le numéro d’ébauche et de ligne correspondant à chaque commentaire soumis.
  • Le formulaire de soumission de commentaires au CCIAN doit être envoyé par courriel, dûment rempli, à review@diacc.ca.
  • Questions : review@diacc.ca.

Valeur pour les Canadiens : Les composantes « Évaluation » et « Infrastructure (technologie et opérations) » du Cadre de confiance pancanadien procureront de la valeur à l’ensemble des Canadiens, entreprises et gouvernements en établissant une base d’interopérabilité commerciale, juridique et technique. Le CCIAN a pour mandat de collaborer au développement et à la prestation de ressources visant à aider les Canadiens à faire des transactions numériques qui sont sécuritaires et commodes, et qui respectent leur vie privée. Le Cadre de confiance pancanadien est une de ces ressources. Il représente un ensemble de normes de l’industrie, de pratiques exemplaires et autres ressources qui aident à établir l’interopérabilité d’un écosystème de services et solutions en matière d’identité. Le CCIAN est une coalition sans but lucratif de membres des secteurs public et privé qui effectuent un investissement important et soutenu pour accélérer l’écosystème de l’identité du Canada.

Contexte : L’examen de ces ébauches de recommandations a pour but d’assurer la transparence de l’élaboration et de la diversité d’un apport véritablement pancanadien et international. Conformément à nos principes pour un écosystème de l’identité, la priorité est accordée aux processus visant à respecter et à renforcer la vie privée à chaque étape du processus de développement du Cadre de confiance pancanadien.

Le CCIAN s’attend à modifier et à améliorer ces ébauches de recommandations en fonction des commentaires du public. Les commentaires faits pendant l’examen seront pris en compte pour être intégrés dans les prochaines ébauches et le CCIAN va préparer un document expliquant d’une façon transparente comment chaque commentaire a été traité.

Nous vous remercions pour votre soutien et votre participation pendant cette période d’examen.

Help Define and Design the Future of Canada’s Levels of Assurance with DIACC

Online transactions, interactions, and service delivery are no longer aspirational end-states. In the wake of COVID-19, digital has become the default for many Canadians and industries. Making that default work long-term means earning and maintaining trust for people and platforms. Levels of assurance (LOAs) create a clear roadmap for developing that confidence, both for teams offering and people accessing services. Learn more about LOAs in our recent post to understand why they matter to Canadians, where we’re at and where we go from here.

“Making sure we have a common way to evaluate and measure the integrity of that data is central to a common bar of acceptance,” DIACC President Joni Brennan explained. To get a better understanding of how LOAs are a core factor in the future and success of digital platforms, we spoke with Joni and George Watt, Partner, Strategy and Lean Innovation Practice at Becker-Carroll. George has extensive experience leading and developing innovation and security with global enterprises.

Why are Levels of Assurance so important right now? 

George Watt: The pandemic accelerated the pace of digital transformation to breakneck speed. Governments have responded with impressive resolve to deliver new digital services safely. The private sector faced similar challenges with lockdowns and restrictions, new customer needs and opportunities to better serve their customers. For some, these transformations are imperative just to remain viable.

These organizations, both public and private, need to be able to safely transact digitally with their customers, and to interact with one- another. They need to be certain the entities they’re dealing with are who they claim to be with a level of confidence commensurate with risk inherent in each transaction. 

Levels of Assurance are about specific agreements between participants in an ecosystem that enable them to understand the level of confidence they can place in those transactions.

When it’s done well it becomes an unambiguous contract that makes it safe for people to transact digitally. 

Joni Brennan: The LOA conversation is important because it is a piece of the conversation that focuses on the verification of information that would be part of a transaction is authentic. The technical conversation is an important part of the puzzle… but making sure we have good data that can be relied upon and have assurance around that data is ultimately critical. 

For example, if I were a bank, I want to know data is good no matter where it came from. 

LOAs are an important piece of the puzzle for making transactions possible. 

What’s a use case where Canadians interact with LOAs? 

George Watt: When citizens interact with these LOA schemes they aren’t aware it’s happening – but they are aware of its impact. Signing into social media is a low risk example that many people do every day – but those service providers don’t truly know who their customers are. Any of the other services Canadians access with those social media digital credentials would also be considered low level of assurance because nothing is done to ensure the account holder is who they claim to be. 

Online banking is a high risk example. Compromise of that information could be devastating and could lead to bankruptcy or worse. That’s why the Canadian banking industry has a very high LOA standard that helps ensure customers are who they say they are, and helps customers protect themselves. 

The consumer doesn’t see these LOAs in explicit ways but sees their impact implicitly. For example, you don’t need to visit Facebook HQ to get an account – it has a low level of assurance – but you do need to visit your financial institution or go through a more rigorous process to prove who you are to get a bank account. They require a higher level of confidence that they know who you are. 

Joni Brennan: The ability to access city plans and interface on a decision like [changing traffic flow to create active streets] would be a lower risk interaction. Learning that there will be some barriers set up for bicycles would be low risk for other citizens or the municipal government. 
Accessing your pension or tax refund would be an example with higher risk. Something that we haven’t solved yet (but relates to digital ID) is access to digital medical records. Ideally, it will be in a way that the patient can access their own records and make those records transferable or portable between doctors, between patients and across different devices. Access to health records in a ubiquitous way is high risk. It’s something we don’t have today that identity and LOA would help with.

What’s the biggest advantage of a strong LOA scheme? 

Joni Brennan: Part of the ‘why’ behind why we’re talking about this is because we have different LOA schemes in Canada today. Those different schemes have created room for challenges and adoption delays, across different regions and different stakeholders. Different parties might be using the same assurance number – but the way they’re calculating it isn’t consistent, leading to variable outcomes. 

A level of consistency and transparency in terms of assurance – that relates to individual capability in a transaction – makes acceptance and confidence in an interaction clearer and helps the economy as a whole. It’s important for banks, governments, telecommunications providers, and users. Strength in a common acceptance and transparency would help and that’s what we’re missing right now in Canada. 

George Watt: It’s important that we develop a common understanding of these risks and establish a shared vocabulary that ensures we all evaluate risks the same way. Strong LOA schemes will enable positive economic and social impact through more robust delivery of services across domains. 
If we don’t understand those risks collectively, we either won’t deliver the services necessary to live up to our potential — or we will deliver them without understanding the risks, which could be even worse and potentially set us back. Trust is speed. A strong scheme means faster delivery of more robust and trustworthy services. Participation in these digital ecosystems will drive better seamless services for all Canadians.

Why is DIACC advocating for stronger and consistent LOAs?

Joni Brennan: We need commonality in terms of how information is verified. For that measure of assurance of information, we need a common scheme that works across the different schemes that exist in Canada today. It will create visibility and a common approach so that no matter the industry, teams can work from the same starting point for validation and verification of information. That is so important, whether it’s health or AI or smart cities. 

The current scheme and current state of the art doesn’t provide the level of dynamism required in a hyperconnected ecosystem. The current ‘1 through 4’ scheme applied on top of a complicated transaction involving many partners with different capabilities – that singular number is actually insufficient. It’s much better to have transparency, visibility, and a ‘score card’, if you will, that measures assurance that is verified. That’s the kind of dynamism and transparency we need in a hyperconnected ecosystem, that provides scalability in an LOA scheme. 
George Watt: What we had was good – but it needs to evolve to keep up with what we’re dealing with now. We need to solve tomorrow’s challenges today, not yesterday’s problems. A more modern approach to LOAs is necessary to make that happen.

What will be the biggest factor for success? 

George Watt: Bringing the public and private sector together and bridging the many international standards groups… I think the defining factor for success will be collaboration. There are lots of smart people who’ve been thinking about this. More importantly this assurance scheme will work best when private and public sector, NGO and standards orgs work together to create a more trustworthy, more robust ecosystem that allows Canada to live up to its potential. Collaboration will be key. 

Joni Brennan: Collaboration will also represent a diversity of stakeholder needs and values – which is important to ensure the way forward is as inclusive as it can be. Success requires communication and education around the why – why we’re doing this work, the value, as well as how this work will be adopted. 

As George said, for people participating in a transaction these LOAs are meant to be invisible. They’re not always the most exciting or technical part of the work – but they provide that layer of integrity underneath the technology and user experience. To succeed, we’ll need education and communication.

George Watt: Diversity is the rocket fuel of innovation. Working with DIACC, I’ve always been impressed by the diversity of membership and those who participate. It’s a diverse group of smart people who are willing to come together to work on important and complex problems.

Bring your voice to the DIACC and share your perspective on how we can solve these pressing, complex challenges. Together, through our Five Year Strategy, we’re aiming to identify key policy and regulatory enablers and barriers to digital identity growth, including creating a unified approach to LOAs. Join us and subscribe for more on LOAs in Canada.

The Next Evolution of Levels of Assurance in Canada

Levels of Assurance (LOA) play a foundational role in the world of standards, digital identity, and digital transactions. Put simply, LOA is the degree of confidence in the validity of a claim, process, or authentication. In the sphere of digital identity, it is a necessary model to verify that the person or entity claiming an identity is the entity to which that identity was assigned. 

Most Canadians don’t think too deeply about LOAs, and yet most Canadians interact with these models, unknowingly, at some point in their lives. For example, Canadian experience LOAs when opening a bank account, demonstrating qualifications for a government service or benefit, making an insurance claim, or wiring money to a client or family member. 

Organizations that use LOAs to inform their policies and processes often have dedicated strategies and teams, working out contingencies and approaches to maximize security in Canada and internationally. These teams often face challenges interacting with other service providers, meeting different standards across jurisdictions, and minimizing friction for clients accessing their services.

How the Current LOA Model Works

Imagine two people, Samir and Aiya, are trying to apply for a small business loan. Both women have very strong credentials, a passport, driver’s license and the requisite business records. Samir and her credentials are linked through a knowledge-based authentication (KBA), and are accepted after answering a security question she previously populated about her father’s middle name. Aiko and her credential are linked with an in-person ceremony, as she went to her local bank branch with two pieces of identification and her business records to complete the loan application. Aiya’s scenario offers a stronger LOA and Samir’s a weaker LOA. Despite these differences, Canada’s federal LOAs currently dictate that Samir and Aiya both have the same assurance. 

In Canada and many places around the world, it is common for LOA structures to combine a number of factors into a single score. The result is an obscured view of the risk factors and authentication. This lack of granularity into the LOAs of specific capabilities is a challenge present in the construct of LOA models around the world. The deciding factor regarding acceptance of an identity comes down to Relying Parties (parties who rely on the validity of identities) who determine their own risk profiles. 

In this case, the relying party is the bank. The banker helping Samir and Aiya also benefits from a stronger LOA as they sign off on the business loan. In addition to building a stronger relationship with the client, they are able to manage their portfolio with confidence.

There is widespread agreement the current LOA model in Canada is inadequate. While LOAs serve a purpose, they are not transparent and dynamic enough to address the myriad digital solutions and scenarios of today. Internationally, single LOA schemes are no longer state of the art and today’s requirements necessitate separate evaluation for specific capabilities. In the DIACC community, there is consensus that there must be separate schemes for credentials and identity, at a minimum, in order to be useful in the widest possible range of scenarios and contexts. An improved assurance model should be capable of asserting identity and credentials at different levels.

Envisioning a New Risk-based Model for Assurance

A risk-based model offers a more enduring, user- and industry-friendly path forward that enables existing LOA schemes to participate while building for a more dynamic and scalable digital ecosystem. The notion of leveraging a risk-based model is highly applicable as the application of LOAs  today are best determined by performing a threat or risk analysis. The risk-based model must address the likelihood and impact of something happening, and the appropriate mitigation approach. 

LOA is essential in determining liability and risk; offering a clear understanding how a Subject (customer or citizen) and a Relying Party (company or government service) can validate that they are who they say they are. It is a central component in being able to determine whether a transaction should proceed. 

The risk-based starts by assessing risk first and then the approach drives more value for organizations, as they confront the baseline of their current systems and assess risk realistically. It also helps adopters improve their systems through motivation to  reduce or remove risks through various types of mitigation.

DIACC is on a mission to rapidly deliver a modern, risk-based LOA model that is…

  • Risk-based
  • Directive and illustrative
  • Non-prescriptive in execution
  • Evergreen
  • Deterministic in implementation and assessment
  • Congruent with existing state of the art and best practices
  • Inclusive in support of both the private and public sector
  • Supportive of evolving needs on credentials and bindings

The impact of this evolution is far-reaching, and will ensure that the  Pan-Canadian Trust FrameworkTM is strong and resilient over time. This evolution takes a framework-wide approach to address interdependencies, independencies, and support communication across platforms. This new approach ensures scalability over time as technologies and their uses evolve.


DIACC has engaged a small, representative team to rapidly deliver a new model to support the PCTF, which launched September 15, 2020. The model will benefit from the DIACC’s well-documented peer and public review process. Members can contact info@diacc.ca to contribute. Non-members can get in touch to learn more.