-
Technical guideline for Incident Reporting
-
This document describes a framework for security incident reporting based on the requirements set by article 19 of the eIDAS regulation. It is being developed on a consensus basis between the experts of the working group formed by ENISA and it is reviewed by various relevant stakeholders from both the private and the public sector. The final report includes the consensual contributions and modifications of all stakeholders involved in its development and as such it is not a binding guideline.
Located in
Publications
-
Managing multiple identities
-
Nowadays each person has the opportunity of living multiple lives in parallel, in the real as well as in the virtual world. A trend observed over the last years, first in the research community, but now also in commercial offerings is the increase of interactions between these two worlds, making real-world information accessible to services on the Internet.
An area of particular interest is the management of multiple identities, where “identity” is being considered in a broad sense. Issues related with this area include anonymity, pseudonymity, unlinkability and unobservability. The
increasingly digital nature of relationships between people is central to dealing with those issues. It is not a question simply of hardware or software, but more importantly of enabling people to enjoy and benefit from their online experiences, while dealing with potential issues. The problems might include a lack of knowledge or training, difficult personal circumstances or simply irritation at the diversity and unpredictability of online privacy and identity mechanisms. It is therefore vital that we should have strong, reliable mechanisms, which can be easily understood and
relied upon across the course of a lifetime.
This paper introduces the key concepts of electronic identity and presents available methods of managing multiple identities.
Located in
Publications
-
Mapping security services to authentication levels
-
This report reviews the authentication levels and their mapping to public electronic services in the eGovernment programme framework, which require an authentication of the user (security services). It gives a general overview of European efforts and particularly the activities of STORK (Secure idenTity acrOss boRders linKed) in relation to the levels and the mapping. Essential concepts in IT security are explained and the mappings are illustrated by everyday life examples.
Located in
Publications
-
Auditing Framework for TSPs
-
This report provides an overview of the dedicated means of auditing for TSPs. It discusses specifically the following areas: standards applicable to TSPs and Conformity Assessment Bodies (auditors), methodology of auditing TSPs (off- and on-site), TSPs documentation (plans, policies and procedures) and implementation of TSPs services. This set of good practices can be used as reference for both, Trust Service Providers (preparing for audits), and Conformity Assessment Bodies (performing audits), in the field of external audits (internal assessments are part of company’s risk management procedures, therefore this topic is not covered here). It focuses on measures that can be taken at organizational level, drawing to norms and standards for technical details.
Located in
Publications
-
Analysis of standards related to Trust Service Providers - Mapping of requirements of eIDAS to existing standards
-
This report on one hand analyses the eIDAS requirements with regard to the standards, on the other analyses currently available standards and compares the results of both analyses. Such a mapping is oriented at the requirements specified in the various eIDAS articles. Pursuant to this mapping it can be concluded that usually the analysed standards usually cover some requirements in part or whole. Existing standards can be endorsed for being used within the frames of eIDAS Regulation, to the extent as presented in the previous sections. The analysis presented in this report led, however, to a shortlist of gaps, where specific eIDAS requirements have yet to be addressed in EU standards (ETSI/CEN/CENELEC) or international ones.
Located in
Publications
-
Privacy Features of European eID Card Specifications
-
A national eID card is a gateway to personal information. Any unwanted disclosure of personal information constitutes a violation of the citizen’s privacy rights. Apart from considerations of fundamental rights, this is also a serious obstacle to the adoption of eID card schemes and to their cross-border interoperability. The aim of this paper is to allow easy comparison between privacy features offered by European eID card specifications and thereby to facilitate identification of best practice.
Located in
Publications
-
Security Issues in the Context of Authentication Using Mobile Devices (Mobile eID)
-
Mobile devices, like smart phones and PDAs, will play an increasingly important role in the digital environment. However, the pervasive use of mobile devices also brings new security and privacy risks. Persons who make extensive use of mobile devices continuously leave traces of their identities and transactions, sometimes even by just carrying the devices around in their pockets. Throughout this paper we will look at different use-cases for electronic authentication using mobile devices. We will identify the security risks which need to be overcome, give an opinion about their relevance, and present mechanisms that help mitigate these risks.
Located in
Publications
-
Privacy and Security Risks when Authenticating on the Internet with European eID Cards
-
Whenever we use internet services, the first steps we take are usually identification (we input our names) and authentication (we prove that it is us). How we actually identify and authenticate ourselves depends on the security level of the application. The means used can vary from a simple combination of username and password, through a secret PIN, to a PIN generated by some external device or a smart card using cryptography.
Smart cards are being used increasingly for authentication purposes. Many European identity cards now contain a smart-card chip, equipped with functionalities for online authentication. They are usually called 'electronic identity cards' (eID cards). This report focuses on authentication using smart cards and compares this approach with other common means of authentication.
Located in
Publications
-
Security Issues in Cross-border Electronic Authentication
-
Improving the interoperability of electronic identification and authentication systems is a European task and a task for all Member States. Considerable efforts have been made in several projects to face the challenges of pan-European interoperability of electronic authentication and to assess the feasibility of differing approaches.
ENISA analysed the current situation and assessed the security risks of electronic authentication in cross-border solutions. To visualize these risks, two different projects offering cross-border authentication have been exemplarily examined and evaluated, NETC@RDS and STORK.
Located in
Publications
-
Mobile Identity Management
-
This paper reports on information security risks and best-practice in the area of Mobile Identity Management (Mobile IDM). It also provides recommendations of systems, protocols and/or approaches to address these challenges.
Located in
Publications