Software Defined Perimeter

ISO/IEC 27551:2021 Information security, cybersecurity and privacy protection - Requirements for attribute-based unlinkable entity authentication

  • 1.  ISO/IEC 27551:2021 Information security, cybersecurity and privacy protection - Requirements for attribute-based unlinkable entity authentication

    Posted Sep 19, 2021 01:30:00 AM
    Hi All,

    ISO/IEC just published: ISO/IEC 27551:2021 Information security, cybersecurity, and privacy protection - Requirements for attribute-based unlinkable entity authentication

    ISO/IEC 29100 sets forth eleven privacy principles which apply to all actors that can be involved in the processing of PII. The second principle is the collection limitation. Despite this recommendation, the current state of the art is that internet sites collect more than necessary information during the PII principal's access to the service. For example, if the site only requires verification that the PII principal is over a certain age, only that information should be necessary for the consumption of the service. However, it is often the case that other information such as the user's persistent identifier is supplied, making it possible to link visits from the same PII principal to different sites or to link two or more visits from the same PII principal to the same site.
    To adhere to the principle of the collection limitation, the site in the above case should instead use a type of entity identifier that does not allow the site to link two or more visits by the PII principal. This means that, when two transactions are performed, it is difficult to distinguish whether the transactions were performed by the same user or by two different users. This is one type of unlinkability. Several other types of unlinkability can also be considered and desired in applications.
    Attribute-based unlinkable entity authentication (ABUEA) provides a means for PII principals to establish the authenticity of a selected subset of their identity attributes without revealing a larger subset. Special focus is put on unlinkability and a metric that measures the strength of this property in implementations of ABUEA is introduced. This document focuses on cases where at least one attribute is attested by a third party. This document also identifies security properties to be met to achieve various protections as well as unlinkable properties.
    The methodology developed by this document may be tailored and applied to other privacy principles. The requirements identified in this document apply at the application communication layer. However, some properties met at the application layer protocol can be ruined by a lower layer protocol, such as the network layer, which means that the lower layers' privacy and security properties should also be taken into consideration to ensure that the properties met at the application communication layer are still valid when considering the privacy and security characteristics of the lower communication layers.

    You can preview this standard at: https://www.iso.org/obp/ui/#iso:std:iso-iec:27551:ed-1:v1:en

    You can purchase this standard at: https://www.iso.org/standard/72018.html

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------
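To make the selective-disclosure and unlinkability ideas in the announcement concrete, here is an added Python sketch; it is not code from the post, from ISO/IEC 27551 or from any CSA project, and it does not implement the standard's metric. It assumes a simplified design: the issuer attests salted hash commitments to each attribute, the holder opens only the commitments it wants to disclose (here the constructed `over_18` attribute), and unlinkability across sites is obtained by batch issuance of single-use credentials, each with fresh salts and a fresh issuer signature. The HMAC stands in for a real issuer signature (so the verifier here shares the issuer key, which a deployment would replace with public-key verification), and all names, keys and attribute values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: not a real key, not a real person
ISSUER_KEY = b"constructed-issuer-key-not-for-production"
ATTRIBUTES = {"name": "A. Example", "birth_year": 1990, "over_18": True}


def _commit(name, value, salt):
    # Salted hash commitment: reveals nothing about the value unless the salt is disclosed
    data = salt.encode() + json.dumps([name, value], sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def issue_credential(attributes, issuer_key=ISSUER_KEY):
    # Each attribute gets its own fresh salt, so attributes can be opened independently
    salts = {n: secrets.token_hex(16) for n in attributes}
    commitments = {n: _commit(n, v, salts[n]) for n, v in attributes.items()}
    payload = json.dumps(commitments, sort_keys=True).encode()
    # HMAC is a stand-in for the issuer's signature over the commitments
    sig = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    return {"attributes": dict(attributes), "salts": salts,
            "commitments": commitments, "signature": sig}


def issue_batch(attributes, n, issuer_key=ISSUER_KEY):
    # Batch issuance: n single-use credentials that share no salts and no signature
    return [issue_credential(attributes, issuer_key) for _ in range(n)]


def present(credential, disclose):
    # The holder reveals only the chosen attributes (value + salt); the rest stay as commitments
    return {
        "commitments": credential["commitments"],
        "signature": credential["signature"],
        "disclosed": {n: {"value": credential["attributes"][n],
                          "salt": credential["salts"][n]} for n in disclose},
    }


def verify_presentation(presentation, issuer_key=ISSUER_KEY):
    # 1) the commitments must carry a valid issuer signature
    payload = json.dumps(presentation["commitments"], sort_keys=True).encode()
    expected = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    # 2) every disclosed attribute must open its signed commitment
    revealed = {}
    for n, d in presentation["disclosed"].items():
        if _commit(n, d["value"], d["salt"]) != presentation["commitments"].get(n):
            return None
        revealed[n] = d["value"]
    return revealed  # the verifier learns these values and nothing else


def shared_fields(p1, p2):
    # Persistent values two colluding sites could match to link visits. Disclosed
    # values such as over_18=True are deliberately not counted: they are shared by
    # a large population and so do not single out one principal on their own.
    shared = set()
    if p1["signature"] == p2["signature"]:
        shared.add("signature")
    for n, c in p1["commitments"].items():
        if c == p2["commitments"].get(n):
            shared.add("commitment:" + n)
    for n, d in p1["disclosed"].items():
        if n in p2["disclosed"] and d["salt"] == p2["disclosed"][n]["salt"]:
            shared.add("salt:" + n)
    return shared


def demo():
    # Two visits with distinct batch credentials vs. two visits reusing one credential
    batch = issue_batch(ATTRIBUTES, 2)
    site_a = present(batch[0], ["over_18"])
    site_b = present(batch[1], ["over_18"])
    reuse = present(batch[0], ["over_18"])
    return {
        "site_a_learns": verify_presentation(site_a),
        "linkable_with_batch": shared_fields(site_a, site_b),
        "linkable_on_reuse": shared_fields(site_a, reuse),
    }


if __name__ == "__main__":
    print(json.dumps({k: sorted(v) if isinstance(v, set) else v
                      for k, v in demo().items()}, indent=2))
```

The point the run makes is that the verifier gets exactly `{"over_18": true}`, two presentations from different batch credentials share no persistent value, while presenting the same credential twice exposes the signature and every commitment as a linking handle. That last case is the same-site linkability the announcement describes, and it is why one-time credentials (or a scheme with randomisable signatures) matter more than selective disclosure alone.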


  • 2.  RE: ISO/IEC 27551:2021 Information security, cybersecurity and privacy protection - Requirements for attribute-based unlinkable entity authentication

    Posted Sep 20, 2021 11:04:00 AM

The concept of collection limitation and PII is very interesting. However, I wonder how we can incentivize/enforce a site to adhere to the principle of collection limitation? So much data is being collected with every keystroke! XD I also wonder how we can "protect" ourselves from unnecessary PII collection?

    Thank you for sharing, @Michael Roza. I have added this announcement to the ZTA meeting agenda for tomorrow.

    ------------------------------
    Anna Campbell Schorr
    Training Content Development
    Cloud Security Alliance
    [email protected]
    ------------------------------