Consumers, citizens and employees increasingly expect anywhere-anytime experiences — whether they are making purchases, crossing borders, accessing E-gov services or logging onto corporate networks. Entrust Datacard offers the trusted identity and secure transaction technologies that make those experiences secure and reliable. Solutions range from the physical world of financial cards, passports and ID cards to the digital realm of authentication and certificates for secure communications.
"eIDAS stands for Electronic Identification, Authentication and Trust Services – and it provides a legal framework for organisations to move paper transactions to digital. This saves companies money and time, but it also allows them to come up with business models to increase opportunities with their customers. And that could make them millions," said Bailey.
TM: If digitally signed documents are going to have the same legal weight as paper documents, how do we ensure the integrity of the data in them?
CB: "Whether a document is paper or digital, the security level is dependent on the levels of security that are put in place. Certain paper documents are kept under lock and key to ensure they are kept secure – and digital documents also need a level of standards to ensure they reach the same level of security. The eIDAS model has to find many of these specifications, including the identification process of who signs what, how and when it’s signed, how the document is stored, etc. And these standards allow us to have that similar legal framework to paper transactions. And that’s what’s unique about eIDAS."
TM: To what extent is this about simply meeting compliance objectives, rather than genuinely improving the security of our digital assets?
CB: "eIDAS is about compliance, but as it relates to standards it is an effective replacement for paper transactions, and in many ways, eIDAS improves the security of the paper transaction."
TM: How about securing digital assets, where do physical ID tokens fit in to this new world?
CB: "Physical ID tokens are being used, and will continue to be used, when the assurance level must be very high. In the future, the physical ID tokens will evolve. They will be embedded in smartwatches, smartphones, PCs with better biometrics and so on. Today, we have new forms of ID based on mobile that, when combined with a centrally managed hardware security module (HSM), can be used to securely sign documents with the appropriate balance between trust and convenience."
TM: With open banking, interoperability between the various services is essential - what are the risks there?
CB: "Under the new EU directive, the Payment Service Directive (PSD2), banks are required to provide access to their information to financial institutions via a single portal. The legal framework of PSD2 defines regulations around access to this information and covers both encryption and identification standards, such as the two-factor authentication process. And to do so, PSD2 relies on the eIDAS standards for identification and authentication. Non-compliance with these regulations can command huge penalties for financial institutions as early as 31 December 2020."
TM: Will it impact organisations based in the UK if Brexit does happen and we are no longer bound by EU regulations?
CB: "I am not sure anyone can say what will happen with Brexit, but eIDAS is already an EU standard that non-EU organisations may need to comply with to conduct business with EU-based organisations. Additionally, eIDAS is beginning to gain wider acceptance in non-EU countries. Therefore, non-EU businesses will at least need to understand eIDAS and may need to actively implement eIDAS solutions."
TM: And what does the future hold with these types of regulations?
CB: "Just as banks have rules around ‘know your customer’, governments will implement regulations that their citizens have the ‘right to know’ who or what they are truly talking to online. There is so much fraud on the internet today that these technologies can help mitigate. I believe governments will implement these ‘right to know’ regulations that require individuals and organisations to proactively disclose their identities before they can request another person’s financial, personal or identifiable information.
"For example, eIDAS already has a process to strongly identify websites, this could easily be used to proactively display strongly verified identity information before this type of data is collected. Or better yet, prevent someone from even providing this type of data unless the website is strongly verified."
Chris Bailey, VP Strategy and Business Development at Entrust Datacard is an industry pioneer and global leader in identity-based digital information security and a co-creator of the Extended Validation Certificates and Domain Validated Certificates used in TLS/SSL connections, which is the primary method used to secure the web. Having served in the industry since 1998, Bailey is a current and founding member of industry standard groups the CA/B Forum and the CA Security Council where he continues to actively promote industry best practices and education.
Watch the full interview here: What is eIDAS and how does it differ from GDPR?