European e-ID Services: future trends and Nordic experiences

During the last three years, we have seen a spurt in the use of public key infrastructure (PKI) based electronic-IDs for online identification and signing services. These have been deployed in numerous national ID-schemes, European projects and enterprises. In the last year alone, national ID projects were established in Portugal, Iceland and Luxemburg.

Continued growth in investments

Studies from PKI product vendors and experiences in operating full PKI-services show that in 2006 alone, €600million was spent in Europe on e-ID services. The total cost of full PKI-service is four to six times more than the direct software and hardware costs. Indirect costs come from the need to establish security routines, operational environments and customer support systems, obtaining certifications and professional services. In 2006, the investments in identity management products (as PKI, encryption, access-control etc.) were in excess of €2.2billion. In Europe, e-ID investments in Nordics and East Europe grew, nine percent and 17 percent, respectively in 2006. This was well reflected in the continued increase in the volume of e-IDs issued and used towards financial and public services.

These e-ID services have been driven by various e-government initiatives (for example tax returns, commune services, healthcare, citizen ID cards and electronic passports). Financial institutions are using PKI to secure online banking and payment services. Telecom operators are offering mobile identity services to attract high value contents for financial services and reduce customer churn. Enterprises in energy, transport and manufacturing sectors have established PKIs for securing applications and workflow systems such as supply chains or vendor-extranets. The increase in the number of online attacks has also pushed many businesses to use stronger identity management systems for protecting their e-business.

Growth in managed security services

The year 2007 Frost-Sullivan report notes that managed secuirity services (MSS) is growing at least three times faster than in-house PKI solutions. Key reasons why more customers prefer MSS are:

• Low total cost of ownership as customers do not invest in a dedicated PKI environment, in-house.
• Customers need to make just one agreement with the MSS for their e-ID services, compared to separate agreements needed otherwise (for certificates, validation and customisation services).
• Customers can start using PKI at significantly low entry costs with the option of in-housing it in future.

The following MSS suppliers have traditionally been the key players:

• PKI technology vendors (for example Verizon, Verisign).
• Financial infrastructure vendors (for example BBS, PBS, ACTALIS, BGC, Clearstream).
• IT companies (for example Fujitsu, IBM).
• Mobile operators (for example TDC, TeliaSonera).
  
• Postal services (for example LatvianPost).

The most successful MSS providers arguably are the suppliers of financial infrastructure services. Key reasons for their success are: their extensive experiences in offering high-end services (as payments, banking, invoice, archive); know-how of delivering services to key segments as public, private, financial sectors; strong in-house security competencies (certifications, routines etc); and knowledge of key online services that need PKI.

Nordics retain leadership

With some of the world’s most advanced online public and financial services, Nordics are at the forefront of using e-ID services. The financial, government and telecom sectors in most Nordic markets have set up well-defined frameworks of co-operation and interoperability. All the Nordic countries have their own nation-wide e-ID schemes and numerous other enterprise PKI solutions.

Since 1972, Banking and Business Solutions has operated national critical financial infrastructures in Norway. With three decades of successful experience in high-end services used by all key market segments, in the mid 1990s, BBS found itself extremely well positioned to offer e-ID services.

BBS started using PKI in 1997. In 2003, it delivered its BankID scheme, which is used by over 150 banks. In 2005, BBS extended its offerings by delivering value-added services, such as wireless PKI, multi-ID identification portal and signing solutions. BBS’s MSS are today used by the leading telecom operators, financial institutions, public sector and private businesses. Such a cross-sector expertise in the delivery of e-ID services has won BBS not just uniqueness in Europe, but trust from the industry. In 2006, BBS and the BankID scheme in Norway won the eema award of Excellence for secure e-business in Europe. In 2007, BBS established the world’s first international mobile signature roaming test in partnership with Valimo.

BBS has learnt the following key lessons from its experience in the Nordic region.

• Take your own medicine. As the supplier of PKI, you should explore using PKI for your in-house applications. This will help you to understand practical implementation issues yourself, before reaching out to customers. Such in-house applications will add to your in-house deployment expertise and bring some scale economies to your eventual PKI offerings as well. It will most certainly also help you win your customers’ trust. BBS used PKI with its in-house applications such as corporate payments and trained its staff on practical issues, well before offering its first commercial service, Norwegian BankID.
• Understand markets. While ID schemes operate in heterogeneous citizen-merchant markets, enterprise PKI solutions operate in closed environments. BBS has been successful in both these segments. First the ID-scheme: in consultation with industry stakeholders, BBS offered Norwegian BankID scheme assuring easy enrolment and consistent user-experience across key channels (mobile, internet and chip-card) and services (banking, payments, shopping, etc). Its modular design also offers flexibility to issuers to deploy different services, channels and pursue different business models. Today, BankID is used over 300.000 times a day and usage is growing. For the enterprise markets, BBS offers complete ID-service that comes ready with PKI-ready applications and integration modules. Use cases are secure email, mobile PKI, work-flow automation with signing solutions and one-time-password based access-control.
• Offer a complete range of PKI services. Like any technology, the success of PKI depends on the volume of mass-market services using it. The two key user-segments are the issuers of e-IDs and relying parties (typically merchants of web-services). BBS offers a complete e-ID issuing service (including PKI-setup, ID production-ordering-distribution-administration, user-registration and validation) and integration modules towards customer databases. For the relying parties, BBS’s value-added services include portal solutions for multi-ID authentication of web-services, signing solutions for different document formats and long-term archive service for signed documents.

While there is no one-size-fits-all recipe for success, the trends discussed in this article and particular lessons from BBS should be relevant to other players as well.

The wide range of BBS e-ID services

Please click on the following link to review a recent press release from BBS:
http://www.dnv.com/press/BBSandDNVenterstrategicpartnership.asp