IRMA app infrastructure ready for large-scale use
Why the IRMA authentication app is so secure and trustworthy
IRMA, short for I Reveal My Attributes, is a privacy-enabled identification and authentication app. As the app's name suggests, the user stores their personal information privately on their phone and reveals only as much as strictly necessary to identify themselves or authenticate a transaction. That might involve showing that they are over eighteen, for example, without having to tell a service provider anything else, such as their name, date of birth or Public Service Number. The infrastructure that hosts IRMA's account info is operated by SIDN, meaning that the availability, security and scalability of the IRMA service are guaranteed.
IRMA is the prize-winning brainchild of Bart Jacobs, Professor of Security, Privacy and Identity at Nijmegen's Radboud University. Management and ongoing development of the software underpinning the service are handled by a not-for-profit foundation called Privacy by Design.
With ties going back a long way, Privacy by Design and SIDN formed a strategic partnership for IRMA at the end of 2018. Under the arrangement, we're responsible for the operational side of the IRMA service. That involves both running the backbone and stepping up IRMA's professionalisation and marketing. Meanwhile, Privacy by Design handles management and ongoing development of the software that supports the service.
All IRMA's source code is available in open-source form. So anyone can see how the program works and verify the security arrangements. The software's accessibility encourages its use, meaning that it has more impact. Research has recently shown that the quality and security of popular open-source software is ahead of what proprietary software generally provides *1. We're responsible for IRMA's technical infrastructure, known in the IT world as the system's 'backbone'. And, with a view to maximising quality and security, we've had IRMA's backbone tested by the same firm that handled penetration testing of the infrastructure supporting the .nl zone. No vulnerabilities were detected.
*1) Why the quality and security of popular open-source software is ahead of proprietary software:
Coverity Scan Report Finds Open Source Software Quality Outpaces Proprietary Code for the First Time
Reliability Issues in Open Source Software
Security of Open Source and Closed Source Software: An Empirical Comparison of Published Vulnerabilities
IRMA's backbone consists of three core processes running in SIDN's high-availability environment.
IRMA services therefore run behind a firewall that protects against DDoS attacks. What's more, SIDN is a member of the National Anti-DDoS Coalition, meaning that we have extensive knowledge and experience, which we can draw on to ensure that the IRMA backbone has the best possible protection. We're also certified to ISO 27001, the international information security standard.
In order to assure the availability and scalability of the IRMA service, we have carried out a series of load and performance tests modelling various scenarios. From the findings, we know that response times remain short and predictable even under increasingly high loads. What's more, the current infrastructure can easily be scaled up to handle as many as 2.5 million transactions an hour. By way of comparison: 4.7 billion debit card transactions were performed in the Netherlands last year, which works out at 536,000 per hour *2. Across the whole of Europe, VISA and Mastercard processed about 100 billion transactions in 2019, which is 11.4 million per hour *3. In other words, IRMA's backbone is already capable of handling volumes similar to the biggest commercial payment processing companies. And the predictable response times ensure a consistent user experience.
*2) https://factsheet.betaalvereniging.nl/
*3) https://nilsonreport.com/publication_chart_and_graphs_archive.php?1=1&year=2020
Alongside our commitment to the availability and reliability of the infrastructure, full source code publication provides the ultimate continuity guarantee for the IRMA software. In the unlikely event of the organisations now running IRMA being unable to continue, the code will always be in the public domain, enabling a new service provider or another interested party to take up the reins. So, even though the IRMA partners are not 'big fish', large-scale IRMA deployment entails very little risk.
To ensure that IRMA is easy to integrate with customers' online portals, we've developed the IRMAconnect service. IRMAconnect makes integration a breeze by translating the IRMA protocol into the SAML 2.0 OAuth. So you can easily make IRMA part of your web environment and use it for verification on the basis of attributes such as Municipal Register number or e-mail address.
Various Dutch city authorities, including Amsterdam and Nijmegen
Health insurers, including VGZ
Personal health environment providers, including Ivido
IRMA is suitable for both public-sector and private-sector services. As such, it's an eID with great potential value that's easily rolled out using IRMAconnect.
Now on board as an IRMAconnect partner is Connectis, the Rotterdam-based online ID infrastructure vendor and former SIDN subsidiary. Using IRMAconnect, Connectis offers customers IRMA as an IdP. All the user has to do to enable IRMA is tick a box.
The backbone of the IRMA service is managed and run entirely by SIDN. For anyone who doesn't know us: we're the not-for-profit organisation that (amongst other things) operates the Netherlands' top-level internet domain, .nl. As operator of the .nl zone, we maintain the critical DNS infrastructure for six million-plus domain names and process 2.5 billion DNS queries a day. By doing so, we make a vital contribution to the security, stability and continuity of the Dutch internet infrastructure and all the social and economic activity that depends on it. We have many years' experience managing one of the Dutch internet's most essential components. What's more, our research team SIDN Labs plays a global pioneering role, leading on the development and standardisation of security technology for the internet infrastructure.