CIS13: FCCX and IDESG: An Industry Perspectives
Uploaded by cloudidsummit (Category: Technology)

National Strategy for Trusted Identities in Cyberspace
NSTIC in Motion: Pilots, Policy and Progress
Jeremy Grant, Senior Executive Advisor, Identity Management, National Institute of Standards and Technology (NIST)

NSTIC Workshop Agenda
Sessions
1pm, Part 1
• "The State of the NSTIC" – Jeremy Grant
• Pilot Report #1: MFA in the Commercial Sector – Cathy Tilton, Daon
2pm, Part 2
• Pilot Report #2: Attribute Exchange Network – Dave Coxe, Criterion Systems
• Pilot Report #3: Scalable Privacy and MFA – Ken Klingenstein, Internet2
3pm, Part 3
• Identity Ecosystem Steering Group (IDESG) – Bob Blakley, Citigroup
• Federal Cloud Credential Exchange (FCCX) – Jeremy Grant (NIST) and Doug Glair (USPS)
• NSTIC and the National Cybersecurity Center of Excellence (NCCoE) – Nate Lesser (NIST)
• Discussion and Perspectives

State of the NSTIC

Imagine if…
Four years from now, 80% of your customers arrived at your website already holding a secure credential for identification and authentication – and you could trust this credential in lieu of your existing username/password system.
• Interoperable with your login system (you don't have to issue credentials)
• Multi-factor authentication (no more password management)
• Tied to a robust identity proofing mechanism (you know if they are who they claim to be)
• With baked-in rules to limit liability and protect privacy

What would this mean…
For Security and Loss Prevention?
• 5 of the top 6 vectors of attack in 2011 data breaches tied to passwords; 76% of all 2012 records breached tied to passwords.
• The number of Americans impacted by data breaches rose 67% from 2010 to 2011
• Weak identity systems fuel online fraud, make it impossible to know who is a "dog on the Internet"
For Reducing Friction in Online Commerce?
• Today, 75% of customers will avoid creating new accounts. 54% leave the site or do not return
• Today, 45% of consumers will abandon a site rather than attempt to reset their passwords or answer security questions

Two years, two months and 24 days ago…
An Identity Ecosystem… with 4 Guiding Principles
• Privacy-Enhancing and Voluntary
• Secure and Resilient
• Interoperable
• Cost-Effective and Easy To Use

Why NSTIC?
There is a marketplace today – but there are barriers the market has not yet addressed on its own

Barriers: Security is a big issue
2011: 5 of the top 6 attack vectors are tied to passwords. 2010: 4 of the top 10.
Source: 2012 Data Breach Investigations Report, Verizon and USSS

But – it's not all about security
Other barriers: Business Models, Usability, Liability, Interoperability, Privacy
Source: xkcd

Why NSTIC?
There is a marketplace today – but there are barriers the market has not yet addressed on its own.
Government can serve as a convener and facilitator, and a catalyst.

Our Implementation Strategy

We don't want to boil the ocean.

Let's go surfing where the waves are…
NSTIC

What does NSTIC call for?
Private sector will lead the effort
• Not a government-run identity program
• Private sector is in the best position to drive technologies and solutions…
• …and ensure the Identity Ecosystem offers improved online trust and better customer experiences
Federal government will provide support
• Support development of a private-sector led governance model
• Facilitate and lead development of interoperable standards
• Provide clarity on national policy and legal issues (i.e., liability and privacy)
• Fund pilots to stimulate the marketplace
• Act as an early adopter to stimulate demand

Where do we stand?

The marketplace has started to respond

But instead of this…

…I now am managing one-off 2FA solutions for

NSTIC has funded 5 pilots… with more coming
AAMVA
• Focus: Develop public-private partnership to strengthen private-sector credentials with attributes from a state DMV
• Virginia DMV, Microsoft, CA, AT&T are key partners
• Coming soon: an important health care RP
Daon
• Focus: deploy smartphone-based, multi-factor authentication to consumers
• AARP, PayPal, Purdue are key relying parties
• A major bank (not yet publicly named) will also be an RP
Criterion
• Focus: develop a viable business model for Identity Ecosystem and attribute exchange
• Broadridge Financial, eBay, Wal-Mart, AOL, Verizon, GE, Experian, LexisNexis, Ping, CA, PacificEast are key partners
Internet2
• Focus: deploy smartphone-based, multi-factor authentication across 3 major universities, integrate it with a privacy-protecting infrastructure.
• MIT, University of Texas, University of Utah are deployment sites
Resilient
• Focus: test "privacy enhancing" infrastructure in health care and K-12 environments.
• AMA, American College of Cardiology, LexisNexis, Neustar, Knowledgefactor are key partners

Pilot lessons learned
Each pilot has run into the same challenges – underscoring the need for a robust Identity Ecosystem Framework.
Common considerations:
o No standard way to bring on new RPs (technical/policy/legal)
o Existing trust frameworks only go so far
o RPs struggle to sort out how to apply risk assessment to determine credential strength / level of assurance (LOA) (NIST SP 800-63 aside, no great alternatives)
o Trust frameworks do not extend to attribute providers/verifiers
o How to ensure "data minimization" in attribute exchange, when some APs offer "data promiscuity"
o How to flow down consent requirements to end-users in a logical fashion

The Identity Ecosystem Steering Group
First plenary, August 2012
Source: Phil Wolff, http://www.flickr.com/photos/philwolff/7789263898/in/photostream

The Identity Ecosystem Steering Group: Bringing together many types of stakeholders

The Identity Ecosystem Steering Group
• 200+ firms/organizations; 60+ individuals
• Elected Plenary Chair (Bob Blakley/Citi) and Management Council Chair (Peter Brown); elected 16 delegates to Management Council
• Member firms include: Verizon, Visa, PayPal, Fidelity, Citigroup, Mass Mutual, IBM, Bank of America, Microsoft, Oracle, 3M, CA, Symantec, LexisNexis, Experian, Equifax, Neiman Marcus, Aetna, Merck, United Health, Intel.
• Also: AARP, ACLU, EPIC, EFF, and more than 65 universities. Participants from 12+ countries.
• Committees include:
o Standards
o Policy
o Privacy
o User Experience
o Security
o Trust Frameworks & Trustmarks
o Health Care
o Financial Sector
o International Coordination

Linking Strategy to Execution
• Voluntary, multi-stakeholder collaborative efforts are hard.
• What is the art of the possible?
• What incentives might be needed to fully realize the NSTIC vision?

NSTIC envisions the potential need for new policies
"The Federal Government may need to establish or amend both policies and laws to address" concerns such as "the uncertainty and fear of unbounded liability that have limited the market's growth." – NSTIC, page 31
• The IDESG Policy Committee is reviewing this topic
• A unique window of opportunity

Ensuring the U.S. Government can be an early adopter

Making progress in government is tough…

…but not impossible

Where we started: FICAM (TFPAP)
[Diagram: Trust Framework Providers (TFPs) with MoUs and Certification Agreements to IdPs; per-RP integration with each IdP ("???", "$$$!!!"); RPs; Agencies]

Current Agency Environment
[Diagram: Citizens, Government]

A better way
[Diagram: Citizens, FCCX, Government]

New study shows real USG cost savings from NSTIC
• Funded by NIST Economic Analysis Office, conducted in partnership with the IRS
• Focus: cost-benefit analysis comparing federation (NSTIC) approach vs. one-off proprietary authentication system
• Looked at 3 scenarios: 20%, 50%, 70% adoption

New study shows real USG cost savings from NSTIC: Key Findings
• Over a 10-year period, IRS would save $63 million to $298 million by aligning its citizen-facing identity and authentication efforts with NSTIC (vs. building a stovepiped, IRS-only system)
• Up-front adoption savings would be $40 million to $111 million
• Savings driven both by avoidance of duplicative identity proofing and authentication costs, as well as increased customer uptake of online offerings
• Opportunity: IRS spent over $1 billion communicating with taxpayers on paper and by telephone in 2012

A final thought

Trust matters to online business
$2 Trillion: The total projected online retail sales across the G20 nations in 2016
$2.5 Trillion: What this number can grow to if consumers believe the Internet is more worthy of their trust
$1.5 Trillion: What this number will fall to if trust is eroded
Source: Rethinking Personal Data: Strengthening Trust. World Economic Forum, May 2012.

Questions?
Jeremy Grant, [email protected], 202.482.3050
Identity Ecosystem Steering Group, www.idecosystem.org, [email protected]

NSTIC Workshop Agenda (repeated from the opening slide)

The Identity Ecosystem Steering Group
Created to administer the development of policies, standards, and accreditation processes for the Identity Ecosystem Framework.
www.idecosystem.org